Inria and the CNIL award the 2022 Privacy Protection prize

26 May 2023

During the 16th international conference Computers, Privacy and Data Protection (CPDP), the CNIL and Inria (French National Institute for Research in Digital Science and Technology) have awarded the 2022 Privacy Protection prize to a European research team for its article on tracking via email forms.

On 25th May, 2023 Nataliia Bielova, Researcher at of Inria and François Pellegrini, Vice-president of the CNIL, presented the CNIL-Inria Prize at the CPDP conference which takes place in Brussels. This European prize, created by the CNIL and Inria in 2016 as part of the partnership between the two institutions, aims to encourage research in the field of data protection and privacy. Papers were mainly selected on the two criteria of scientific excellence and societal impact.

The awarded article

This prize is an opportunity to raise the scientific community's awareness of data protection stakes and the need to develop research projects in this field.

The awarded paper, entitled “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission”. The paper was published at the conference Usenix Security 2022.

The awarded team is composed of:

  • Asuman Senol: Privacy and Identity Management Group at COSIC - KU Leuven, Belgium
  • Gunes Acar: Digital Security group of Radboud University, Nijmegen, Netherlands
  • Mathias Humbert: Department of Information Systems, Faculty of Business and Economics, University of Lausanne, Switzerland
  • Frederik Zuiderveen Borgesius: Digital Security group of Radboud University, Nijmegen, Netherlands

In this study, the authors build a tool for 100,000 websites, detecting email forms and automatically filling email addresses and, by analyzing network feeds, detecting when these addresses were transmitted to third parties before any user action. In many cases, the email addresses were transmitted to third parties.

Their results show differences, depending on whether the IPs used to visit the sites are located in Europe or in the United States. The type of device used (computer or phone) also affects the results. The authors have put the entire code of their tool online. They have also developed an extension to detect these email address transmissions.

The award jury has also highlighted the runner-up article that was recognized by the jury as exceptional research in privacy protection that show highlights reidentification risks:

“A Run a DayWon’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks” by Karel Dhondt, Victor Le Pochat, Alexios Voulimeneas, Wouter Joosen, Stijn Volckaert from imec-DistriNet, KU Leuven, Leuven (Belgium) and published at 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS) conference.

Acknowledgements

The prize was awarded by the jury members, renowned researchers in the privacy field of computer science and data protection authorities experts :

  • Mário S. Alvim (Federal University of Minas Gerais – Brazil)
  • Nicolas Anciaux (Inria, PETRUS team – France)
  • Aurélien Bellet (Inria  –  France)
  • Zinaida Benenson (University of Erlangen-Nuremberg, Germany)
  • Olivier Blazy (École Polytechnique – France)
  • Joe Calandrino (Federal Trade Commission – USA)
  • Mathieu Cunche (INSA-Lyon, Inria PRIVATICS – France)
  • Giuseppe D’Acquisto  (Garante per la protezione dei dati personali  – Italy)
  • Josep Domingo-Ferrer (University Rovira i Virgil, UNESCO Chair in Data Privacy – Spain)
  • Simone Fischer-Hübner (Karlstad University – Sweden)
  • Sébastien Gambs (University of Québec in Montréal – Canada)
  • Oana Goga (Laboratoire d'informatique de l'École polytechnique – France)
  • Marit Hansen (State Data Protection Commissioner of Land Schleswig-Holstein and Landeszentrum für Datenschutz – Germany)
  • Jaap-Henk Hoepman ( Radboud University Nijmegen – Netherlands)
  • Amandine Jambert (CNIL – France)
  • Veelasha Moonsamy (Ruhr University Bochum – Germany)
  • Benjamin Nguyen (INSA-CVL – France)
  • Rishab Nithyanand (University of Iowa – USA)
  • Carmela Troncoso (EPFL – Switzerland)
  • Narseo Vallina (IMDEA Networks Institute and ICSI, University of California, Berkeley – Spain and USA)
  • Kim Wuyts  (Katholieke Universiteit Leuven – Belgium)
  • as well as two CNIL members: François Pellegrini (co-president) and Vincent Toubiana (vice-president), and two Inria researchers: Nataliia Bielova (co- president) and Pierre Laperdrix (vice-president).