Empirical analysis of privacy-preserving technologies for web and mobile platform

Users are increasingly concerned about their privacy and security. Thus they opt for more secure and privacy-preserving systems to ensure the security and privacy of their sensitive data. These systems are employed to block privacy-intrusive ads, actions, and prevent malicious activities. Currently, websites often employ third-party ad and tracking services leveraging cookies and JavaScript code to deliver ads and track users’ behavior. This raises privacy concerns. Many “ad-blocking” blacklists comprise of URLs and domains of ads and tracking services to limit online tracking and block advertisements. Are the ad-blocking tools and compliance of mobile applications (apps) with their privacy policy getting better or worse over time? In this dissertation, we answer this question by conducting a longitudinal study of popular websites and apps, spanning eight years. We investigate the evolution of ads and tracking services and subsequently evaluate the effectiveness of these ad-blocking blacklists. The results show that ad and tracking domains in websites change over time, and some blacklists are more effective in blocking ad and tracking domains. This research shows that ad-blocking blacklists (or filter-lists) are updated by prioritizing ads and tracking domains reported in the top or popular websites of the United States, Canada, and the United Kingdom. Ad-blocking lists operate in a crowd-sourcing manner, where privacy activists continuously add new tracking domains (or rules) and discard the redundant domains from the filter-list. Longitudinally over time, the number of rules added can outgrow the number of rules omitted, making the managing of filter-lists a challenge. This research work empirically observes that the filter-lists mostly detect different ad and tracking domains. Ad-blocking blacklists can be bulky (long); however, there is a tiny percentage of ad and tracking domains found on popular websites. This suggests the need to curate an optimized filter-list that provides high coverage and faster response time to scan and block a given domain on mobile devices. This research develops a technique to create an aggregated and filtered blacklist that is reduced several times; thus, far less bulky. Our aim in this research is to create a new shorter (lean) filter-list that provides the same coverage as the union of the blacklists on top websites. The research also develops an update mechanism to integrate new ad and tracking domains in the aggregated and filtered blacklist in a resource-efficient manner. Furthermore, we investigate the Android apps and compare the users’ personally identifiable information (PII) as disclosed in the privacy policies of those apps with the PII leaks detected in the static and dynamic analysis. One of the prime conclusions of this research is that newer app versions leak more PII while disclosing fewer PII collections in their privacy policies. In summary, users are unaware that apps are collecting sensitive information. Additionally, the companies to which this information is leaked, are not disclosed in the privacy policies. By noticing the non-compliance between the actual and purported data practices, this study observes that many apps go contrary to the “notice and choice” principle when users install the app.