by TRUST aWARE consortium

Now that the TRUST aWARE project has come to an end, it is time to take a look back at the three years our consortium has been working hand in hand towards the achievement of common and exciting goals. These goals, altogether, were aimed to support and help our key stakeholders to effectively manage security & privacy (S&P) issues, with a special focus on citizens. Have we succeeded? Let’s see…

Recent project updates

In the last months of execution, the TRUST aWARE project has advanced strongly, quickly, and consistently towards its objectives. Looking back to November 2023 takes us to the final versions of each of the tools developed by the technical partners (see the following section) and integrated into the TRUST aWARE dashboard. Adjustments and refinements had been made based on the recommendations and suggestions that emerged during the first pilot involving volunteers (citizens) from four different countries (Italy, France, Romania, and Spain). Subsequently, and following the co-creation methodology designed for TRUST aWARE, these final versions were evaluated in a more thorough manner by volunteers through a new pilot that was coordinated among the four participating associations. Aspects such as user experience, accessibility, usability, or usefulness were the focus of the tests, providing very satisfactory results overall, although also identifying areas for improvement in the future.

In parallel, the TRUST aWARE Collaborative Threat Intelligence (CTI) platform has been continuously updated with new feeds and enhanced with a vertical service dashboard, as a robust and transparent way to share and analyse up-to-date S&P-related information and threats. Some of those feeds came directly from the static and dynamic analysis tools developed in the framework of the project for Android apps. Moreover, in order to  support other organisations to deploy and connect their own Malware Information Sharing Platform (MISP) instance, a training course was prepared and uploaded to the TRUST aWARE YouTube channel.

It is also is worth highlighting the great effort made in the field of standardisation and certification, designing a certification model based on Europrivacy. The so-called Interprivacy is an interoperability-focused certification solution to ease privacy-compliant international data transfers,and extends beyond our continent, with liaisons and partnerships in America, Africa, and Asia. TRUST aWARE was happy and proud of publishing more than 20 papers in peer-reviewed journals/conferences and participating in a large number of international events, catering to sectors of great relevance such as banking, public administration, or industry. Discussions in these fora, together with meetings held with members of our Advisory Board (Booking, Caixabank, MasterCard, CERT.PL), have allowed for reflection, progress, and improvement from socio-economic and technological perspectives.

Key results and achievements

TRUST aWARE partners strongly worked towards the creation of the Digital Security & Privacy Analysis Lab, a suite of tools designed to enhance digital security and privacy. These backend stand-alone tools are versatile and can easily integrate with other software. The lab houses:

1. Privacy Adviser – A natural language privacy-related information analyser for Android apps: This tool uses advancements in Natural Language Processing (NLP) and Large Language Models (LLMs) to help users understand how their personal data is handled. It provides an understandable summary of the app’s privacy policy and functionality, highlighting the permissions required. This allows users to evaluate the app’s functionality-to-permission fidelity, ensuring no permission hides a malicious behaviour. Our lab also offers in-depth search tools, enabling users to retrieve specific fragments of the documents related to certain tags. This means users can find parts of privacy policies related to specific types of personal information or certain privacy practices, or obtain pieces of the app functionality description related to the request of certain permissions.
2. Ad Analyser – An advertisement analyser for Facebook. This tool works by installing a browser extension that collects information and provides a profile of the ads shown to the user. It includes statistics about the ads, their frequency, the advertisers targeting them, and the reasons for targeting based on the user’s Facebook profile, content, and interactions. It even has a function to hide any undesired ad.
3. A software analyser for Android apps that performs both static and dynamic analysis. Static analysis involves examining the source code of apps for potential privacy risks, while dynamic analysis observes the app’s behaviour in a controlled environment for any privacy implications. By utilising both methods, we can detect more complex behaviours that may pose a threat to privacy.

In summary, the Digital Privacy Analysis Lab is a comprehensive set of tools designed to promote user’s privacy across different platforms and foster awareness, education, and discussion about it. Moreover, as the co-creation methodology lies at the core of TRUST aWARE’s initial approach for the design, development, and evaluation of tools intended for citizens as end users, a dashboard integrating the Privacy Adviser, Ad Analyser and two additional functionalities has been designed and developed with the support of volunteers from the four aforementioned countries (with a focus on minors and people above 65 years). The two additional functionalities deal with:

4. Security Analysis.This helps users to check the security of files and websites. For files, the user will be informed if they are malicious or potentially unwanted. For websites, the user will be informed whether it is clean, used for malicious purposes, or not suitable for specific categories of the users.
5. Resources. A set of training materials elaborated by the consortium end-user organisations, as well as a selection of external references, tackling topics such as the use of social networks, safe purchase on the internet and other interesting guidelines for privacy protection and preservation.

In addition to this, and specifically aimed for Data Protection Officers (DPOs), Data Protection Authorities (DPAs) and Computer Emergency Response Teams (CERTs), an S&P Cyber Threat Intelligence (S&PCTI) framework was designed and implemented to support those stakeholders in the collection, analysis and sharing of S&P threats. It is based on a MISP instance – which stands for Malware Information Sharing Platform and Threat Sharing – and enables real-time collaboration, allows for customised categories, and customisation of the taxonomy. Indeed, this is one of TRUST aWARE achivements: a new taxonomy that goes beyond security and embraces privacy concepts as a way to categorise related threats. On this basis, our S&PCTI is fed with events from trustworthy sources, as well as the results of our software analyser for Android apps. This allows authorities and key players to receive up-to-date and reliable information on actual S&P threats, underpinning early detection, prevention and mitigation of associated risks.

Standardisation and certification

Standards are capable of ensuring the coordinated implementation of the various approaches to privacy, security and confidentiality, and technology within the TRUST aWARE project. They are integral to the development of solutions and tools in the context of S&P compliance. Numerous standards are already being used to address various challenges in realising the TRUST aWARE vision, therefore it is crucial for TRUST aWARE to focus its efforts on developing standard-aligned innovations.

Through multiple steps, the consortium members of the project worked together to establish directory baselines for the development of standardisation activities and efforts for developers, conducted a meticulous and continuous desk reasearch throughout all 36 months of the project, lead survey analysis on existing relevant standards and last but not least, created a synthesised standardisation engagement plan. In addition to that, multiple consortium members worked directly with key regulators, authorities and SDOs on standardisation efforts and contributed to important standards, such as Europrivacy.

Furthermore, certification comes hand in hand with standardisation, as it can be used to prove compliance with data protection and privacy requirements on a wide scale. The General Data Protection Regulation (GDPR) stipulates in Article 42 that certification mechanisms may be used by data controllers and processors to prove compliance with the obligations arising out of the GDPR. Thus, certification is of great relevance for the TRUST aWARE project as a whole, its tools and other output.

The efforts of the consortium partners in regard to certification included a comprehensive mapping of relevant existing certification mechanisms. This mapping ensured an insightful comparison of these mechanisms, in order to best align the characteristics of the TRUST aWARE project with a fitting certification scheme. Additionally, the project benefits from the close cooperation with consortium members that are involved in the development of the Europrivacy certification scheme. The use of the Europrivacy certification scheme, as an EU-wide European Data Protection Seal, is able to bring about reliable and trust-enhancing results for the project.

Parts of the project’s exploitable results included the development of a dedicated proposal for a certification scheme for international data transfers building up on Europrivacy, which is currently being presented and analysed by top international regulators and stakeholders from all sectors.

Challenges overcome

TRUST aWARE is a project that combines its concern for addressing day-to-day challenges in both security and privacy fields. Security issues have been addressed for decades, although the continuous evolution of technologies requires a revisit and improvement of techniques along with the implementation of new, more effective ones, as demonstrated, for example, in the Activity Monitor tool. On the other hand, interest in privacy has exponentially grown in recent years with social networks, artificial intelligence, Internet of Things, and big data, as information becomes more interconnected and exposed. However, raising awareness about the importance of preserving privacy is a daunting task, to which TRUST aWARE has contributed not only through the implementation of different tools (for example, Privacy Adviser and Ad Analyser) but also through the audiovisual materials generated ad hoc and available through the TRUST aWARE dashboard.

End users have been the keystone throughout the project, and while it is apparent that a co-creation approach involves multidisciplinary teams and addressing factors beyond purely technological ones, it has been proven that the results obtained better meet user’s needs and requirements. This leads the consortium to a position where the outcomes are closer to an advanced exploitation (or commercalisation) phase.

And now, what?

Throughout the project, the TRUST aWARE partners have paid attention to the sustainability of the results and their potential exploitation in the medium and long term. For each of the identified key exploitable results, a comprehensive analysis has been conducted with several possible pathways, ranging from new R&D projects to their incorporation into the solution portfolios of participating companies. Intermediate approaches are also possible because we are open to hear, learn and collaborate. And you?