On 22nd January, 2020 Guillaume Prunier, deputy CEO of Inria and François Pellegrini, member of the CNIL, presented the CNIL-Inria Prize at the CPDP conference in Brussels. This European prize, created by the CNIL and Inria in 2016 as part of the partnership between the two institutions, aims to encourage research in the field of data protection and privacy. Papers were mainly selected on the two criteria of scientific excellence and societal impact, by a jury co-chaired by François Pellegrini for the CNIL, and Nataliia Bielova for Inria.
This prize is an opportunity to raise the scientific community's awareness of data protection issues and the need to develop research projects in this field, particularly in the light of developments brought by the European Regulation on the protection of personal data (GDPR), and in particular the new requirements for privacy by design and accountability.
The awarded paper, entitled "An Analysis of Pre-installed Android Software”, by Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador and Narseo Vallina-Rodriguez, has been accepted for publication at the IEEE Symposium on Security and Privacy 2020.
This article investigates the privacy and security issues associated with pre-installed software on Android devices, and their supply chain. As opposed to user-installed software, pre-installed apps are privileged and can operate without user consent, bypassing the Android permission system, without any possibility of opting-out. The study conducted is impressive in terms of the number of applications, device models and vendors analysed, as well as the depth of the study through static and dynamic analysis approaches. This paper has a high impact on end users and privacy regulation, as it describes practical ways in which companies and the applications they create may cooperate as an ecosystem to bypass data protection safeguards. It brings attention to the need to develop system audit tools for mobile applications that do not consider only the behavior of individual applications, but also their interactions.
The award jury has also highlighted three runner-up articles that were recognized by the jury as exceptional research in privacy protection, with very high impact on both society and industry:
- “Hiding from Whom? Threat-Models and In-the-Making Encryption Technologies”, by Ksenia Ermoshina and Francesca Musiani;
- “Investigating Ad Transparency Mechanisms in Social Media: A Case Study of Facebook's Explanations”, by Athanasios Andreou, Giridhari Venkatadri, Oana Goga, Krishna P. Gummadi, Patrick Loiseau, and Alan Mislove;
- “Knock Knock, Who’s There? Membership Inference on Aggregate Location Data”, by Apostolos Pyrgelis, Carmela Troncoso, and Emiliano De Cristofaro.
The prize was awarded by the jury members, renowned researchers in the privacy field of computer science: Josep Domingo-Ferrer, Simone Fischer-Hübner, Sébastien Gambs, Seda Gürses, two CNIL members: François Pellegrini (co-chair) and Félicien Vallet, and two Inria researchers: Nataliia Bielova (co-chair) and Mathieu Cunche. More than forty-five articles were submitted to the jury, which evidences the ever growing interest of the scientific community for this event.
The Awarded Team
- Julien Gamba, PhD Student at the IMDEA Networks Institute and the University Carlos III of Madrid (UC3M), Spain;
- Mohammed Rashed, PhD student at the Computer Security Lab (COSEC), UC3M, Spain;
- Abbas Razaghpanah, Research Scientist at the International Computer Science Institute (ICSI), in Berkeley, California, USA;
- Juan Tapiador, Computer Scientist in the Computer Security Lab (COSEC), UC3M, Spain;
- Narseo Vallina-Rodriguez, Assistant Research Professor at the IMDEA Networks Institute and Research Scientist at the Networking and Security team at the International Computer Science Institute (ICSI) in Berkeley, California, USA.
For more information