Tracking and consent dialogs have become ubiquitous, with seemingly every website and app pleading with users to agree to their personal data being processed and their behaviour being tracked, often with the help of tens or even hundreds of third-party companies. But the bar for legally performing tracking in the EU is high. In this post, I detail both the legal requirements for tracking and collecting consent in general and present a comprehensive list of criteria for a legally compliant consent dialog.
I analyzed the new data safety section on the Google Play Store for datarequests.org and found popular apps admitting to collecting and sharing highly sensitive data for advertising and tracking. More than one quarter of apps transmitted tracking data not declared in their data safety label.
For my mobile privacy research, I need to know which Android apps are the most popular. I reverse-engineered an undocumented batchexecute API endpoint that the Play Store website uses internally to programmatically access the top charts. Based on that, I created the parse-play NPM package.
An investigation for datarequests.org showed that the free browser extension Honey doesn’t just collect coupon codes. Using the GDPR’s right to access, we confirmed that they also permanently store their users’ history data on a large scale. That’s why we have submitted complaints.
RCE in Jitsi Meet Electron prior to 2.3.0 due to insecure use of shell.openExternal() (CVE-2020-25019)
I discovered a remote code execution vulnerability in Jitsi Meet Electron versions prior to 2.3.0 (CVE-2020-25019). This post contains a write-up of the problem which was caused by an insecure use of Electron’s shell.openExternal().
Passing user-controlled input to Electron’s shell.openExternal() function is commonly warned against for security reasons. But what are the actual possible attacks in this scenario? This post introduces some potential attacks.
This post contains a translation of the model constitution for a registered tax-privileged association under German law (“eingetragener steuerbefreiter Verein”). It is licensed as CC0.
At first glance, the GDPR can appear confusing like any other legal topic. In this post, I briefly explain the most important terms and concepts related to the GDPR so that you can easily remain in control.
The supervisory data protection authorities are independent bodies whose task it is to make sure that data protection laws are followed. If you believe a company infringes on your rights, you can submit a complaint with them at no cost. In this post, I explain the data protection authorities and help you find the correct one to contact if you want to lodge a complaint.
In this article, I present an approach to generate a list of all available one-word domains in any language. Some filters (like word class) can be applied.