Entering a website and accepting cookies is a very common and oft-repeated gesture when navigating the Internet. But this small action, which is often done automatically and without thought, entails security risks: by consenting to cookies, you lose control over your sensitive information, as you cannot review the conditions you have just accepted. In order to avoid this vulnerability, a research team from the Universitat Rovira i Virgili has developed an innovative environment based on blockchain technology that allows users to control what happens to their personal data and what it is used for at all times.
Accepting cookies gives permission for sensitive information to be shared, which puts at risk the privacy of users, who are uncertain how it will be used and for what purposes. To mitigate these risks, the European Union proposed the General Data Protection Regulation (GDPR), whereby service providers need to obtain explicit consent from data subjects to collect and process their personal data. The response of many web providers to this requirement has been to present users with a form when they access a service: the cookie acceptance form. But the law does not define how these providers should transparently demonstrate that they hold this consent, and most users neither know what rights they have over their personal data nor have efficient ways to monitor what third parties do with it.
The study led by the URV has consisted of creating a personal data management platform based on blockchain technology. It generates smart contracts which are published permanently on the blockchain and cannot be tampered with; that is to say, the agreed terms cannot be modified afterwards and the binding nature of the contract cannot be denied by either party.
In order to use this smart contract, the user must install a programme in the browser that intercepts the request for consent and responds in accordance with their preferences. “Taking this small step makes browsing more agile and secure and complies with the main requirements of the European data protection law,” says Jordi Castellà, a researcher at the URV’s Department of Computer Engineering and Mathematics, who took part in the research.
In addition, all the consents accepted can be controlled and managed from a mobile application to keep track of who has them, when they were granted, what they are being used for and how to modify the details at any time.
For web service providers, this environment enables them to demonstrate, in the event of an audit, that they have obtained consent from users. The consent records are accessed through a secure access control system.