Measuring the brussels effect through access requests: Has the European General Data Protection Regulation Influenced the Data Protection Rights of Canadian Citizens?

We investigate empirically whether the introduction of the General Data Protection Regulation (GDPR) improved compliance with data protection rights of people who are not formally protected under GDPR. By measuring compliance with the right of access for European Union (EU) and Canadian residents, we find that this is indeed the case. We...

More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws

This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows...

The Impact of User Location on Cookie Notices: (Inside and Outside of the European Union)

The web is global, but privacy laws differ by country. Which set of privacy rules do websites follow? We empirically study this question by detecting and analyzing cookie notices in an automated way. We crawl 1,500 European, American,and Canadian websites from each of 18 countries. We detect cookie notices on 40% of websites in our sample. We...

Micro-Targeting and ICT media in the Dutch Parliamentary system: Technological changes in Dutch Democracy

For the period surrounding the 2018 Dutch municipal elections, a team of researchers from the Delft University of Technology investigated the effect of the digital environment on parliamentary democracy. An interdisciplinary group of researchers combined expertise on digital ethics, political theory, big data analytics, the economics of privacy...

Time-use in Automated Vehicles and Daily Activity Schedules: A Focus Group Study

Collectively exercising the right of access: individual effort, societal effect

The debate about how to govern personal data has intensified in recent years. The European Union’s General Data Protection Regulation, which came into effect in May 2018, relies on transparency mechanisms codified through obligations for organisations and citizen rights. While some of these rights have existed for decades, their effectiveness is...

Using Crowdsourcing Marketplaces for Network Measurements: The Case of Spoofer

Internet measurement tools are used to make inferences about network policies and practices across the Internet, such as censorship, traffic manipulation, bandwidth, and security measures. Some tools must be run from vantage points within individual networks, so are dependent on volunteer recruitment. A small pool of volunteers limits the...

Estimating the size of the iceberg from its tip: An investigation into unreported data breach notifications

The Right of Access as a Tool for Privacy Governance: Findings from Individual Requests & Proposal for a Crowd-sourced Dataset of Privacy Practices

Cybersecurity via Intermediaries: Analyzing Security Measurements to Understand Intermediary Incentives and Inform Public Policy

Research in the field of information security economics has clarified how attacker and defender incentives affect cybersecurity. It has also highlighted the role of intermediaries in strengthening cybersecurity. Intermediaries are organizations and firms that provide the Internet’s infrastructure and platforms. This dissertation looks at how...

Evaluating the Impact of AbuseHUB on Botnet Mitigation

This documents presents the final report of a two-year project to evaluate the impact of AbuseHUB, a Dutch clearinghouse for acquiring and processing abuse data on infected machines. The report was commissioned by the Netherlands Ministry of Economic Affairs, a co-funder of the development of AbuseHUB. AbuseHUB is the initiative of 9 Internet...

Post-mortem of a Zombie: Conficker cleanup after six years

Research on botnet mitigation has focused predominantly on methods to technically disrupt the commandand-control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one the largest botnets ever seen, to assess the impact of...

How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation

IP address counts are typically used as a surrogate metric for the number of hosts in a network, as in the case of ISP rankings based on botnet infected addresses. However, due to effects of dynamic IP address allocation, such counts tend to overestimate the number of hosts, sometimes by an order of magnitude. In the literature, the rate at...

Why them? Extracting intelligence about target selection from Zeus financial malware

Internet Measurements and Public Policy: Mind the Gap

Large and impressive data collection efforts often fail to make their data useful for answering policy questions. In this paper, we argue that this is due to a systematic gap between the ways measurement engineers think about their data, and how other disciplines typically make use of data. We recap our own efforts to use the data generated by a...

Security economics in the HTTPS value chain

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the...

Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market

One of the most important but least-studied aspects of Internet policy is the emergence of a trading market for previously allocated Internet number blocks. Without unique Internet protocol numbers for the networks and devices attached, the Internet simply doesn’t work. The original Internet Protocol standard, known as IPv4, specified a 32-bit...