CNIL-Inria 2024 Prize: electronic voting and children's digital marketing in question

In today's digital age, securing information exchanges is of paramount importance, especially for electronic voting. After identifying vulnerabilities in the protocol set up for the French parliamentary elections in June 2022, Alexandre Debant and Lucca Hirschi, Inria researchers in the Pesto team (shared by Inria and Loria), proposed solutions for improving security, which were successfully implemented for the following ballot. They have just been awarded the eighth edition of the Cnil-Inria Prize.

For the 2022 legislative elections, French nationals living abroad were able to use remote electronic voting (e-voting). While this offers many advantages in terms of organisation and accessibility, e-voting requires a specific protocol that offers the same guarantees of security and confidentiality as a traditional polling station. “Internet voting wasn’t used in the 2017 legislative elections because the French National Cybersecurity Agency (ANSSI) considered that the system proposed at the time didn’t provide a sufficient degree of security”, says Alexandre Debant.

“ANSSI issues an advisory opinion, which the authorities responsible for organising elections generally follow”, adds Lucca Hirschi. “In 2022, the stakes were high because it was the biggest electronic election in terms of the number of ballot transmitted that had ever been organised on a global scale. The ANSSI gave the green light after an audit”.

The two researchers took a close interest in the operation. “Our colleagues Véronique Cortier, Pierrick Gaudry and Stéphane Glondu, who work on the Belenios voting platform, were asked to set up a 'trusted third-party' verification tool for these elections”, they explain. “We independently decided to explore the question by studying the limits of defence mechanisms. A document presenting the protocol was published one month before the election and on first reading we suspected potential security flaws. Our examination of the code confirmed our fears about the vacuity of the trusted third-party verification tool.

Targeting children difficult to identify

When surfing the Internet, children are a particularly vulnerable target for digital marketing. Does European law protect them sufficiently? That's the question posed by this interdisciplinary article, written by a lawyer and a computer scientist. Juliette Sénéchal, professor of private law at the University of Lille, works with the Spirals project-team at the Inria center in Lille, while Oana Goga is a researcher in computer science at the CNRS and in the Cedar project-team at the Inria Saclay Centre.

"The European regulation on digital services, or Digital Services Act, implemented on February 17, 2024, prohibits the targeting of minors by ads based on their profile and the use of personal data," points out Juliette Sénéchal. Does this guarantee respect for the privacy of the very young? Not so simple," replies Oana Goga. We've discovered that advertising agencies can place ads on specific video content. This practice is not targeting based on profiling, and therefore remains authorized. A child can be indirectly targeted if the video is a cartoon, for example." This "contextual" targeting proves difficult to spot, since it is aimed at specific content. And that's precisely what's problematic...

A roundabout way of targeting the very young

To take things a step further, Oana Goga conducted an experiment: she slipped into the shoes of an advertising executive to test YouTube channels for children. She placed small (neutral) films on top of online videos, just like advertisements. The children watched these images before their videos, without any moderation from the channels. That this possibility exists is one thing, but are advertisers abusing it?

To verify this, the researcher created fake profiles to view children's videos, and she actually saw advertisements. Are these ads the result of chance or of genuine targeting of minors? "The search engine systematically adds a note to the ads to give the targeting parameters. In this way, we were able to distinguish between ads that targeted the video, or on the contrary, those that targeted the user's profile or location." Result: the researchers discovered that this bypass practice is known to a small number of advertisers who actually target children.

Innovative, interdisciplinary insights

"With this article, we want to alert the European Union to the possibility of targeting the very young, and call for vigilance," insists Juliette Sénéchal. By combining their expertise, the lawyer and computer scientist have been able to shed new light, both legally and technically, on the targeting of minors by online advertising, despite the safeguards provided by the Digital Services Act. It was this innovative, interdisciplinary approach that won them the Cnil-Inria runner-up prize.

Our article brought this little-known subject to the attention of France's data protection regulator, the Cnil," enthuse the two researchers. Our next challenge will be to work with the European Union to ensure that all targeting of children is prevented, restricted or displayed, whether based on profiling or video content."