
PrivacyScore.org

Dominik Herrmann

PrivacyScore.org is an automated website scanner that allows users to investigate websites for privacy and security issues. You can scan individual websites or enter a list of related websites to see how they compare against each other. The beta of PrivacyScore was launched on June 8. We will present insights from running the platform for the first few months, some interesting benchmarking results and our future plans.

PrivacyScore.org (https://privacyscore.org), in public beta since June 2017, is an automated website scanner that allows anyone to investigate websites for privacy and security issues. Users can scan individual websites or submit a list of related websites to learn how they compare against each other. On the one hand, public benchmarks improve transparency for citizens; on the other, they can be of use to data protection agencies that want to, or have to, audit content providers in their jurisdiction. The benchmarks are also of value for research: we are analyzing whether public "blaming and shaming" and/or transparent comparisons of sites within a peer group create an incentive for site operators to implement additional security and privacy measures.

PrivacyScore can be used for various purposes. First, users can determine whether a specific website implements best practices in terms of security and privacy protection. Second, users can assess how a website ranks within its peer group. They can also aggregate results by site attributes (such as country of origin or funding source) and weight the ranking according to their own preferences.

At the moment PrivacyScore reports on four types of issues:

1) "Tracking and privacy checks" test if the website is tracking you or whether it makes use of third-party trackers.

2) "Website encryption checks" test if the web server offers HTTPS connections, and whether it is configured according to the state of the art.

3) "Web security checks" test if the website leaks internal information and whether it sets HTTP headers that protect against client-side attacks.

4) "Mail encryption checks" test whether the mail servers of a website support state-of-the-art transport encryption.
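To make the third category concrete, here is an added example of what a "web security checks" style audit looks like when run over a captured HTTP response. This is illustration code written for this page, not PrivacyScore's own scanner; the list of expected protective headers, the 180-day HSTS threshold, the version-leak heuristic and the scoring weights are my own assumptions, and the two sample responses are constructed, not captured from any real site.

```python
"""Offline audit of an HTTP response header set for protective headers and
information leaks. Added example, not part of PrivacyScore.org."""
import re

# Protective headers a hardened site is expected to send (assumed list).
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on later visits",
    "content-security-policy": "restricts script/resource origins (XSS mitigation)",
    "x-content-type-options": "disables MIME sniffing",
    "x-frame-options": "mitigates clickjacking",
    "referrer-policy": "limits referrer leakage to third parties",
}

# Headers whose values commonly leak internal software versions (assumed list).
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")          # e.g. "2.4.18" in "Apache/2.4.18"
MIN_HSTS_MAX_AGE = 180 * 24 * 3600            # assumed threshold: 180 days

# Constructed sample responses (not real captures).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: PHP/7.0.33
Content-Type: text/html
Strict-Transport-Security: max-age=3600
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
"""


def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into a
    lowercase-keyed dict; the status line and malformed lines are skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return findings: missing protective headers, version leaks, weak HSTS."""
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    leaks = [h for h in LEAKY_HEADERS
             if h in headers and VERSION_RE.search(headers[h])]
    # HSTS counts as weak if present but with a short or missing max-age.
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    weak_hsts = bool(hsts) and (m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE)
    return {"missing": missing, "leaks": leaks, "weak_hsts": weak_hsts}


def audit_raw(raw):
    """Convenience wrapper: parse then audit a raw response."""
    return audit_headers(parse_headers(raw))


def score(findings):
    """Assumed 0-100 scoring: each missing header costs 15 points, each
    version leak 10, a weak HSTS policy 10; never below zero."""
    penalty = (15 * len(findings["missing"])
               + 10 * len(findings["leaks"])
               + (10 if findings["weak_hsts"] else 0))
    return max(0, 100 - penalty)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_raw(raw)
        print(f"{label}: score={score(findings)}")
        for h in findings["missing"]:
            print(f"  missing {h}: {EXPECTED_HEADERS[h]}")
        for h in findings["leaks"]:
            print(f"  version leak in {h} header")
        if findings["weak_hsts"]:
            print("  HSTS max-age below threshold")
```

Run stand-alone, the script reports a low score for the constructed weak response (four missing headers, two version-leaking headers, a one-hour HSTS policy) and a full score for the hardened one. A real scanner would fetch the headers over the network and fold the result into a ranking alongside the other three check categories; the parsing and rule logic are the same.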