H. Asghari

12 records found

Has the European General Data Protection Regulation Influenced the Data Protection Rights of Canadian Citizens?

Journal article (2021) - René Mahieu, Hadi Asghari, Christopher Parsons, Joris van Hoboken, Masashi Crete-Nishihata, Andrew Hilts, Siena Anstis
We investigate empirically whether the introduction of the General Data Protection Regulation (GDPR) improved compliance with data protection rights of people who are not formally protected under GDPR. By measuring compliance with the right of access for European Union (EU) and Canadian residents, we find that this is indeed the case. We argue this is likely caused by the Brussels Effect, a mechanism whereby policy diffuses primarily through market mechanisms. We suggest that a willingness to back up its rules with strong enforcement, as it did with the introduction of the GDPR, was the primary driver in allowing the EU to unilaterally affect companies' global behavior. ...
Journal article (2020) - F. Bisogni, H. Asghari
This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows that the correlation is driven by the size of a state. Enacting a DBNL still slightly reduces rates of identity theft, while the publishing of breach notifications by Attorneys General helps the broader security community learn about them. We conclude with an in-depth discussion on what the European Union can learn from the US experience. ...

(Inside and Outside of the European Union)

Conference paper (2019) - Rob Van Eijk, Hadi Asghari, Philipp Winter, Arvind Narayanan
The web is global, but privacy laws differ by country. Which set of privacy rules do websites follow? We empirically study this question by detecting and analyzing cookie notices in an automated way. We crawl 1,500 European, American, and Canadian websites from each of 18 countries. We detect cookie notices on 40% of websites in our sample. We treat the presence or absence of cookie notices, as well as visual differences, as proxies for differences in privacy rules. Using a series of regression models, we find that the website’s Top Level Domain explains a substantial portion of the variance in cookie notice metrics, but the user’s vantage point does not. This suggests that websites follow one set of privacy rules for all their users. There is one exception to this finding: cookie notices differ when accessing .com domains from inside versus outside of the EU. We highlight ways in which future research could build on our preliminary findings. ...
For the period surrounding the 2018 Dutch municipal elections, a team of researchers from the Delft University of Technology investigated the effect of the digital environment on parliamentary democracy. An interdisciplinary group of researchers combined expertise on digital ethics, political theory, big data analytics, the economics of privacy and security, epistemology, media studies and computer science. This report presents the main findings, which are grouped around two main themes: political micro-targeting and ICT media. Societal themes that came to prominence over the research period, such as the debate over ‘fake news’ and the leaks of personal information that were used for political purposes by Facebook, as well as the implementation of new EU privacy regulation helped to put the research in a larger political context. The main findings provide a qualified picture. The influence of the digital revolution on democratic politics is already revolutionary, and the weaknesses of online platforms provide ample opportunities for derailing liberal democracy. Digital platforms are too closed-off, not mindful enough of individual digital rights, and biased in their (re)presentation of political pluralism. But the Netherlands has proven to be one of the few democracies that is relatively resilient, with an open multi-party system receptive to the political fragmentation that ICT developments encourage, and relatively high trust between citizens, in shared media organizations, and between political parties. In order not to be complacent in the face of fundamental challenges, the report provides several urgent recommendations. Next to several ‘reactive’ recommendations, which seek to remedy the weaknesses and dangers the digital environment poses to democracy, it also outlines an example of how the digital environment might be proactively redesigned in order to positively enhance the quality of the Dutch parliamentary system. ...
Conference paper (2018) - Qasim Lone, Matthew Luckie, Maciej Korczyński, Hadi Asghari, Mobin Javed, Michel Van Eeten
Internet measurement tools are used to make inferences about network policies and practices across the Internet, such as censorship, traffic manipulation, bandwidth, and security measures. Some tools must be run from vantage points within individual networks, so are dependent on volunteer recruitment. A small pool of volunteers limits the impact of these tools. Crowdsourcing marketplaces can potentially recruit workers to run tools from networks not covered by the volunteer pool. We design an infrastructure to collect and synchronize measurements from five crowdsourcing platforms, and use that infrastructure to collect data on network source address validation policies for CAIDA's Spoofer project. In six weeks we increased the coverage of Spoofer measurements by recruiting 1519 workers from within 91 countries and 784 unique ASes for 2,000 Euro; 342 of these ASes were not previously covered, and represent a 15% increase in ASes over the prior 12 months. We describe lessons learned in recruiting and remunerating workers; in particular, strategies to address worker behavior when workers are screened because of overlap in the volunteer pool. ...
Journal article (2018) - Hadi Asghari, René Mahieu, Michel van Eeten
The debate about how to govern personal data has intensified in recent years. The European Union’s General Data Protection Regulation, which came into effect in May 2018, relies on transparency mechanisms codified through obligations for organisations and citizen rights. While some of these rights have existed for decades, their effectiveness is rarely tested in practice. This paper reports on the exercise of the so-called right of access, which gives citizens the right to get access to their personal data. We study this by working with participants—citizens for whom the law is written—who collectively sent over a hundred data access requests and shared the responses with us. We analyse the replies to the access requests, as well as the participants' evaluation of them. We find that non-compliance with the law's obligations is widespread. Participants were critical of many responses, though they also reported a large variation in quality. They did not find them effective for getting transparency into the processing of their own personal data. We did find a way forward emerging from their responses, namely by looking at the requests as a collective endeavour, rather than an individual one. Comparing the responses to similar access requests creates a context to judge the quality of a reply and the lawfulness of the data practices it reveals. Moreover, collective use of the right of access can help shift the power imbalance between individual citizens and organisations in favour of the citizen, which may incentivise organisations to deal with data in a more transparent way. ...

An investigation into unreported data breach notifications

Conference paper (2017) - Fabio Bisogni, Hadi Asghari, Michel van Eeten

Findings from Individual Requests & Proposal for a Crowd-sourced Dataset of Privacy Practices

Conference paper (2017) - Hadi Asghari, René Mahieu, Prateek Mittal, Rachel Greenstadt
Epidemic models like the SIS or SIR model enable us to describe simple spreading processes over networks but are often not sufficient to accurately capture more complex network dynamics as exhibited by sophisticated and malicious computer worms. Many of the common assumptions behind epidemic models do not necessarily hold if the process under investigation spans big networks or large scales of time. We extend the standard SIS network model by dropping the assumption of a constant curing rate in favour of a time-dependent curing rate function, which enables us to reflect changes in the effectiveness of the active worm removal process over time. The resulting time-dependent mean-field SIS model allows us to study the evolution of the size of computer worm bot-nets. We exemplify the complete procedure, including data-processing, needed to obtain a reliable model on data from Conficker, an extremely resilient computer worm. Using empirical data obtained from the Conficker sinkhole, we fit long time periods of up to 6 years on multiple scales and different levels of noise. We end by reflecting on the limits of epidemic models in empirical analysis of malware threats. ...
This document presents the final report of a two-year project to evaluate the impact of AbuseHUB, a Dutch clearinghouse for acquiring and processing abuse data on infected machines. The report was commissioned by the Netherlands Ministry of Economic Affairs, a co-funder of the development of AbuseHUB. AbuseHUB is the initiative of 9 Internet Service Providers, SIDN (the registry for the .nl top-level domain) and Surfnet (the national research and education network operator). The key objective of AbuseHUB is to improve the mitigation of botnets by its members. We set out to assess whether this objective is being reached by analyzing malware infection levels in the networks of AbuseHUB members and comparing them to those of other Internet Service Providers (ISPs). Since AbuseHUB members together comprise over 90 percent of the broadband market in the Netherlands, it also makes sense to compare how the country as a whole has performed compared to other countries. This report complements the baseline measurement report produced in December 2013 and the interim report from March 2015. We are using the same data sources as in the interim report, which is an expanded set compared to the earlier baseline report and to our 2011 study into botnet mitigation in the Netherlands. ...
Book chapter (2016) - Hadi Asghari, Michel van Eeten, Johannes M. Bauer
The Internet has enabled tremendous economic and social innovation yet the underlying systems, networks and services sometimes fail miserably to protect the security of communications and data. Security incidents occur in many forms, including but not limited to the leaking and theft of private information, unauthorized access to information, malicious alteration of data, or software and service unavailability. Given the complexity of the problem, it seems improbable that security can be attained by eliminating all vulnerabilities. Moreover, preventative security measures are costly. Some level of uncertainty will therefore have to be accepted and choices need to be made, trading off competing objectives and limited resources. Recent research has developed approaches to better explain why certain security failures occur and others do not. These contributions clarified that security is not merely a technical problem that can be fixed with engineering solutions but that it also has important economic and behavioral dimensions that need to be addressed. Examining the incentives of players in the information and communication technology (ICT) ecosystem has been particularly fruitful in explaining the landscape of vulnerabilities and attacks that can be observed. The core of this work is rooted in information security economics. This chapter surveys the state of the art of the existing research with a focus on the criminal threats to cybersecurity. ...