The ODIO coordinated project aims at addressing the challenge posed by the widespread access, dissemination and abuse of users personal attributes and behavioral data in Internet services. The risks of such practices go beyond privacy issues and include identity theft, discrimination, fraud, extortion, and manipulation. The MOOSE subproject focuses on assessing the privacy and security risks associated to the use and abuse of end-users digital identity in the web and mobile devices. The project aims to develop transparency tools to perform a multi-dimensional characterization of the online tracking industry present in these services, and the dynamics and relationships between companies for the creation and dissemination of user profiles and identities for advertising purposes and data brokerage.
Studying privacy and security risks of mobile applications and their regulatory compliance constitutes a challenging environment because of its market dynamics, organizations capacity to track users across platforms, and the large number of mobile applications and SDKs available in the market. Additionally, most privacy research has been conducted either at a technical or ar a regulatory level. Yet, performing a comprehensive and multi-disciplinary analysis of the role of digital identities in todays mobile and web technologies, and to study the influence of strict regulatory frameworks in protecting users identity, is critical to understand the Internet economy, identify poor development practices, develop new privacy-aware solutions, and, ultimately, to inform standardization bodies and regulators about the privacy and societal risks of these technologies and industry abuses.
In the MOOSE subproject, we will create scalable and reproducible methods for auditing the behavior of mobile and web services from a privacy and regulatory perspective based on static and dynamic analysis, and generate datasets with intelligence and evidence of abuse of digital identities in web and mobile technologies, including SDKs. For that, we will develop novel heuristics and analysis methods to overcome the limitations of existing tools, which are security-oriented rather than privacy-oriented. These empirical insights will be fundamental to inform the regulatory debate, while encouraging best development practices in mobile developers. We will analyze evidence of abusive personal data collection, obscure privacy policies, and the connections between organizations for collecting, processing and sharing personal data while improving attribution. Finally, we will develop solutions to facility transparency assessment, regulatory compliance, improve traceability and accountability of mobile and web technologies, developing user-centric business models, and enhancing the capabilities of current privacy enhancing tools so that they can effectively protect users identity across platforms.