Enforcing Privacy in Web Applications
Ariel Futoransky and Ariel Waissbein
Third Annual Conference on Privacy, Security and Trust. October 12-14, 2005. The Fairmont Algonquin, St. Andrews , New Brunswick, Canada.
Date published
privacy, web-scripting languages, usability, web-application security, PHP.


The development of web applications is typically done oblivious to privacy precautions. Largely, this is due to lack of technical knowledge and appropriate tools for enforcing privacy. As a result, web users’ personal information is constantly at risk. We introduce a solution that protects arbitrary web applications from several dangerous privacy threats. It is easy to install, usable (e.g., in terms of expressiveness and appropriate enforcement), and requires no changes to the web application’s code. Its main functionality is given by modules that are situated between web server and user, and between web server and APIs. These modules assign a privacy tag to inbound data according to its origin (e.g., received through a web form field or stored in an internal database); and block outbound data according to its privacy tag, what is its destination, and its syntax. This allows us, for example, to block private data from being exposed to users. We have implemented a prototype for the PHP platform that is efficient in terms of CPU and memory usage. We also verified that it enforces privacy in several potentially-vulnerable scenarios.

Furthermore, we provide a plug-in for web browsers that lets users visualize the privacy policy in action.