Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployment (Privacy Flag)
GRANT AGREEMENT NO.653426

Privacy Flag Project
Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments
Grant Agreement No.653426
Topic: DS-01-2014 (Privacy)
Innovation Action

Deliverable D4.1
First year report on Technical enablers development

Document Number: D4.1
Contractual Date of Delivery: 30.04.2016
Editor: CTI
Work-package: WP4
Distribution / Type: Public (PU) / Report (R)
Version: v1.0
Total Number of Pages: 60

This deliverable has been written in the context of the Privacy Flag Horizon 2020 European research project, which is supported by the European Commission and the Swiss State Secretariat for Education, Research and Innovation. The opinions expressed and arguments employed do not engage the supporting parties.

Abstract

Privacy Flag (PF) combines crowd sourcing, ICT technology and legal expertise to protect citizen privacy when visiting websites, using smart-phone applications, or living in a smart city, leveraging user friendly solutions provided as a smart phone application, a web browser add-on and a public website. It will:

1. Develop a highly scalable privacy monitoring and protection solution with:
   - Crowd sourcing mechanisms to identify, monitor and assess privacy-related risks;
   - Privacy monitoring agents to identify suspicious activities and applications;
   - Universal Privacy Risk Area Assessment Tool and methodology tailored to European norms on personal data protection;
   - Personal Data Valuation mechanism;
   - Privacy enablers against traffic monitoring and finger printing;
   - User friendly interface informing about the privacy risks when using an application or website.
2. Develop a global knowledge database of identified privacy risks, together with online services to support companies and other stakeholders in becoming privacy-friendly, including:
   - In-depth privacy risk analytical tool and services;
   - Voluntary legally binding mechanism for companies located outside of Europe to align with and abide by European standards in terms of personal data protection;
   - Services for companies interested in being privacy friendly;
   - Labelling and certification process.
3. Collaborate with standardization bodies and actively disseminate towards the public and specialized communities, such as ICT lawyers, policy makers and academics.

Eleven (-11-) European partners, including SMEs and a large telco operator (OTE), bring their complementary technical, legal, societal and business expertise; Privacy-Flag intends to establish strong links with standardization bodies and international fora and it also intends to assess and incorporate outcomes from over 20 related research projects. It will build and ensure long term sustainability and growth.

Executive Summary

This document presents the work under the Work Package (WP) 4 – Technical Enablers. The aim of this WP is to research and develop the required technical enablers and tools for security and privacy that will provide protection mechanisms for users, contribute towards the improvement of privacy protection and risk detection through collective user activities. These will help infuse privacy risk awareness as well as privacy risk detection knowledge to users in order to make them take a more active role in handling their own privacy.

Section 1 describes the purpose of this document and a general description of WP4.

Section 2 offers a brief introductory overview of the work package context. It identifies the most common and dangerous threats against user privacy. These are divided into three main categories:
- Cookies
- HTML5 threats
- General IP threats
In addition, it provides a brief description of the most common and severe among these threats that will be encountered by the Privacy Flag platform. Moreover, in subsection 2.2 the most popular browser add-ons are presented along with a brief description. It also discusses the current limitations of the available solutions and the reason a new solution is needed.

Section 3 presents the architecture design for the Privacy Flag web browser add-on. Additionally, it describes the functionality scenarios, as well as the two levels of evaluation (the automated and the integration of UPRAAM).

Section 4 presents the architecture design for the Privacy Flag smartphone application. Moreover, functionality scenarios are described and the two levels of evaluation (the automated and the integration of UPRAAM).

Section 5 offers a description of the Privacy Flag Automatic Analysis Tool (the distributed agents).

Section 6 provides the database and server implementation progress. It analyzes the procedure followed when setting up the server that will support the WP4 components, as well as a first design and implementation of the database.

In section 7 the development of the architecture and functionality for the website and backend management platform are described. It also describes the key features for assessment of the risk using the in-depth evaluation tools.

Contributors

First name | Last name | Partner | E-mail
Sotiris | Nikoletseas | CTI | [email protected]
Vasileios | Vlachos | CTI | [email protected]
Stamatiou | Ioannis | CTI | [email protected]
Madhja | Adelina | CTI | [email protected]
Tsolovos | Dimitrios | CTI | [email protected]
Tzamalis | Pantelis | CTI | [email protected]
Vasileios | Barekas | Velti | [email protected]
Andreas | Daskalopoulos | Velti | [email protected]
Andreas | Drakos | Velti | [email protected]
Daniel | Forster | UL | Daniel.Forster@rwth-aachen.de
Nenad | Gligoric | DNET | [email protected]
Evangelos | Sfakianakis | OTE | [email protected]
Ioannis | Chochliouros | OTE | [email protected]

Glossary

ACRONYMS | MEANING
AAT | Automatic Analysis Tool
ACT | Allied Command Transformation
AI | Artificial Intelligence
AIA | Authority Information Access
AJAX | Asynchronous JavaScript and XML
API | Application Programming Interface
ASP | Active Server Pages
BEAST | Browser Exploit Against SSL/TLS
BSD | Berkeley Software Distribution
CA | Certificate Authority
CBC | Cipher Block Chaining
CLI | Command-Line Interface
CMS | Content Management System
COM | Component Object Model
CSRF | Cross-Site Request Forgery
DA | Distributed Agent
DARPA | Defense Advanced Research Projects Agency
DNS | Domain Name System
DNT | Do Not Track
DOM | Document Object Model
EC | European Commission
ECMA | European Computer Manufacturers Association
EWS | Early Warning System
EU | European Union
GA | Grand Agreement
GPS | Global Positioning System
HPKP | HTTP Public Key Pinning
HSTS | HTTP Strict Transport Security
HTML | HyperText Markup Language
HTTP | Hypertext Transfer Protocol
HTTPD | Hypertext Transfer Protocol Daemon
HTTPS | Hypertext Transfer Protocol Secure
I2P | Invisible Internet Project
ICT | Information and Communication Technologies
ID | Identifier
IIS | Internet Information Service
IoT | Internet of Things
IP | Internet Protocol
ISP | Internet Service Provider
IT | Information Technology
JAP | Java Anon Proxy
JRE | Java Runtime Environment
JSON | JavaScript Object Notation
LSO | Local Shared Object
LTS | Long term Support
MA | Monitoring Agent
OLE | Object Linking and Embedding
OS | Operating System
OSN | Online Social Network
P3P | Platform for Privacy Preferences Project
PEWS | Privacy Early Warning System
PDF | Portable Document Format
PET | Privacy Enhancing Technology
PF | Privacy Flag
PFAAT | Privacy Flag Automatic Analysis Tool
PHP | Hypertext Pre-processor
PKP | Public Key Pinning
PRAAT | Privacy Risk Area Assessment Tool
QoS | Quality of Service
RFC | Request For Comments
RTC | Real-Time Communications
SDK | Software Development Kit
SHA | Secure Hash Algorithm
SME | Small Medium Enterprise
SMS | Short Message Service
SOCKS | Socket Secure
SQL | Structured Query Language
SSH | Secure Shell
SSL | Secure Sockets Layer
TCP | Transmission Control Protocol
TLS | Transport Layer Security
Tor | The Onion Router
UI | User Interface
UPRAAM | Universal Privacy Risk Area Assessment Model
UPRAAT | Universal Privacy Risk Area Assessment Tool
URL | Uniform Resource Locator
USEMP | User Empowerment for Enhanced Online Presence
UX | User Experience
VE | Virtual Entity
VM | Virtual Machine
VPN | Virtual Private Network
W3C | World Wide Web Consortium
WoT | Web of Trust
WP | Work Package
WWW | World Wide Web
XML | Extensible Markup Language
XSS | Cross-Site Scripting