CSI-COP by EU Research

Jaimz Winter (left) Coventry University’s CSI-COP Research Assistant; Professor Maayan ZhitomirskyGeffet (right), PI on CSI-COP at Bar Ilan University.

cookies to record what you put in the basket. Then there are persistent cookies, that are necessary for a website to work, while there will be others, like performance and analytics cookies. We went through the citizen scientists’ findings to build that classification.” The way websites are monitored and analysed is evolving, and today most websites outsource the analytics. “People today want more information about what’s happening on their website, such as the dwell time, and which pages are more interesting than others. Historically, you used to do that by putting little bits in your code, but nowadays people just outsource it,” outlines Ian Marshall, PI in CSI-COP as well as Chief Operating Officer at Coventry University,

Beneath the bonnet of online privacy The GDPR regulation was designed to give internet users a greater degree of control over their personal data, yet not all websites and apps are fully compliant and many still have trackers embedded. The CSI-COP project aimed to heighten awareness of what information is being gathered about us online, as Dr Huma Shah and Professor Ian Marshall explain. The

General

Data

Protection Regulation (GDPR) came into force across the European Union in 2018, regulating the way that cookies and other digital trackers can be used on websites to gather personal data. The regulation was designed to give individual internet users a greater degree of control over their personal data, which is reflected in its core principles. “For example, under GDPR websites need to be transparent when personal data is going to be collected, and the internet user has to give their informed consent, so tracking shouldn’t be done by default. The reason behind collecting users’ personal

data also has to be clearly stated. What is the purpose?” outlines Dr Huma Shah, Assistant Professor in AI Ethics in the research centre for Computational Science and Mathematical Modelling at Coventry University. Despite this, some tracking cookies are still embedded in many websites, and internet users are not always notified. “For example, Google analytics and Facebook login are ubiquitous across different websites, such as some healthcare websites. So Facebook will know when you are using that healthcare website,” explains Dr Shah. “Web development environments or platforms could have trackers embedded.”

CSI-COP project As the Science lead on the EU-funded CSI-COP project, Dr Shah is investigating the extent to which citizens are still being tracked online and looking at overall levels of compliance with GDPR. The wider aim in the project is to raise the level of scientific literacy amongst European citizens and heighten awareness of the privacy implications of unthinkingly accepting cookies when browsing the internet. “People may not really understand what they’re accepting when they accept cookies and what they’re giving away,” says Dr Shah. The project is tackling the issue by training citizen scientists to investigate

Citizen scientists (sitting: Lindsey Birnsteel -left; Sue Rowe - right) and Coventry University’s CSI-COP team (Professor Ian Marshall and Dr. Huma Shah standing, Matthias Pocs - sitting), and stakeholder, Dr. Matthew England checking permissions in mobile apps in CSI-COP main Dissemination event in Brussels 23 May 2023.

EU Research

Behavioural information how cookies are used on different websites and apps, engaging the general public across each of the countries represented in the CSICOP consortium. “We’re an international consortium, with partners in eight countries, each of which has been looking to recruit a diverse group of citizens. In previous citizen science projects there have been relatively few women and young people, so we worked with youth organisations and women’s groups, aiming to recruit a balanced cohort from the general public,” continues Dr Shah. The common characteristics among these citizens are that they all use the internet and share a concern about online privacy. An important initial step was to informally educate these citizen scientists through a short five-step course - ‘Your Right to Privacy Online’ - addressing key topics around online privacy. “What is privacy? What is personal data? How is our data harvested on the internet? What rights do we as citizens have? What free tools are available on the internet to help us manage our data?” outlines Dr Shah. Once they had completed the course, the interested citizens were asked if they would like to join the project and investigate the websites they visit and the apps they use, to find if they are clear about what cookies or tracking technologies exist beneath. The citizens recorded their investigations using a bespoke tool. “We didn’t want any thirdparty tracking. So we’re also showing our citizen scientists how to comply with GDPR,” says Dr Shah. “The citizen scientists then provided their opinion - was the cookie notice clear about what was underneath? Was the privacy policy transparent? Then citizens used the free website and app audit tools from the internet to essentially go beneath the bonnet of websites and apps to see what exactly was

www.euresearcher.com

under there. Our citizen scientists have so far looked at over 850 websites and 340 apps.” CSI-COP have already produced a ‘taxonomy of cookies and trackers’ from the citizen scientists’ website and app investigations. This followed the project’s work on data cleaning and classifying the different types of cookies. Dr Shah says “For example, e-commerce sites have session

A lot of website owners use Google analytics for example because it gives them behavioural information, such as which page on their website a user landed on and how long they stayed there. The problem is that it’s not only the website owner which gets the information, but also Google or whatever other company may be doing the analytics, which may not be fully compliant with GDPR.

CSI-COP citizen scientists’ website and app investigations are available to look through from the project website, and from the Zenodo open-access platform: Website investigations: CSI-COP project site: https://csi-cop.eu/project-results/citizen-scientists-website-investigations/ Zenodo: https://zenodo.org/record/7472957

App investigations: CSI-COP project site: https://csi-cop.eu/project-results/citizen-scientists-app-investigations/ Zenodo: https://zenodo.org/record/7472879

The document classifying cookies and trackers is available to download from the project website and from the Zenodo platform: CSI-COP website: https://csi-cop.eu/project-results/taxonomy-of-cookies-and-online-trackers/ Zenodo: https://zenodo.org/record/7801846 The citizen scientists and the CSI-COP researchers’ investigations were combined in the innovation of an open-access repository of online trackers. CSI-COP Repository was launched in the main project dissemination event in Brussels in May 2023 and is now freely available to search via the project website here: https://csi-cop.eu/repository/.