This research addresses the problem of deceptive patterns (DPs) in digital interfaces that trick users into unwanted actions. They introduce AutoBot, a tool that uses machine learning to automatically detect these patterns in websites in real-time. AutoBot analyzes website screenshots to identify potentially deceptive elements and uses a language model to understand the context. It’s implemented as a Chrome extension that works locally to protect user privacy. This tool aims to empower users to make informed decisions and help regulators enforce compliance with DP regulations.

Google now requires developers to implement Data Safety Sections (DSS) for improved transparency in data collection and sharing. A research paper analyzes Google’s DSS through quantitative and qualitative methods, examining a large number of apps (1.1 million) from the Android Play store. The study identifies inconsistencies and instances of both over and under-reporting practices in DSS content. A longitudinal analysis indicates that developers are still adapting their practices over time. The research also delves into the challenges developers face when working with DSS, highlighting the need for better resources and guidelines to ensure accurate and reliable privacy labels, which are crucial for their effectiveness.

This paper presents an empirical study of security risks posed by browser extensions. The researchers found that extensions can easily access and steal sensitive user information, even passing the Chrome Webstore review process. They also found a significant number of websites, including popular ones, do not adequately protect password fields, and many Chrome extensions have permissions to access sensitive fields. The researchers propose countermeasures like a JavaScript package and a browser-level solution to address these risks. Overall, the research highlights the critical need for enhanced security measures to protect sensitive user information online.

This study examined privacy labels on mobile apps in both the Android and Apple app stores. They found that while privacy labels can provide users with information about data collection practices, there are often discrepancies between the labels on the two platforms. In fact, at least 60% of apps have different practices reported on each platform. This suggests that the current system of privacy labels may not be accurate or reliable, and could even give users a false sense of security. The authors highlight the need for better mechanisms to ensure consistency and accuracy in privacy labels.

The study investigates text input field security in web browsers, revealing that browsers’ permission model breaches security principles. Two vulnerabilities are found, including passwords exposed as plaintext in HTML source code. A proof-of-concept extension demonstrates the impact, bypassing review processes. The vulnerabilities are widespread, affecting major sites like Google. Around 12.5% of extensions could exploit these flaws, with 190 extensions accessing passwords directly. The study proposes remedies: a JavaScript package for developers to safeguard input fields and a browser-level alert for sensitive field access. The research underscores the demand for enhanced online user information protection.

Privacy nutrition labels provide a way to understand an app’s key data practices without reading the long and hard-to-read privacy policies. Recently, the app distribution platforms for iOS(Apple) and Android(Google) have implemented mandates requiring app developers to fill privacy nutrition labels highlighting their privacy practices such as data collection, data sharing, and security practices. These privacy labels contain very fine-grained information about the apps’ data practices such as the data types and purposes associated with each data type. This provides us with a unique vantage point from which we can understand apps’ data practices at scale.

Online websites often use cookie notices to gain user consent for data collection, but these notices frequently employ dark patterns that compromise user privacy. To counter this, the authors introduce CookieEnforcer, a system designed to automatically detect cookie notices and select options that disable all non-essential cookies. CookieEnforcer identifies cookie notices through HTML rendering patterns and models the selection process as a sequence-to-sequence task, predicting the necessary actions to minimize data collection. Achieving 91% accuracy in tests, CookieEnforcer also reduces user effort and enables large-scale analysis of cookie practices on popular websites, offering insights into consent management patterns.

Online services utilize privacy settings to provide users with control over their data. However, these privacy settings are often hard to locate, causing the user to rely on provider-chosen default values. In this work, we train privacy settings centric encoders and leverage them to create an interface that allows users to search for privacy settings using free-form queries. To achieve this, we create a custom Semantic Similarity dataset, which consists of real user queries covering various privacy settings. We then use this dataset to fine-tune the state of the art encoders. Using these fine-tuned encoders, we perform semantic matching between the user queries and the privacy settings to retrieve the most relevant setting. Finally, we also use these encoders to generate embeddings of privacy settings from the top 100 websites and perform unsupervised clustering to learn about the online privacy settings types.