Periodic Reporting for period 2 - TRUST aWARE (Enhancing Digital Security, Privacy and TRUST in softWARE)
Reporting period: 2022-12-01 to 2024-05-31
• User-friendly tools to protect consumers against S&P cyberthreats to enable them to better understand, control, detect and respond to S&P threats and attacks.
• Collective intelligence for Computer Emergency Response Teams (CERTs) and authorities in collaboration with citizens, Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) to ensure and audit that digital products and their S&P practices are transparent, secure and in compliance with regulation.
• Knowledge to foster S&P-by-design in software engineering by supporting developers and digital service operators with standards and certification methods.
The collaboration among the multidisciplinary consortium partners has allowed TRUST aWARE to achieve the pre-defined goals and specific objectives in due time with no major deviations. The project has significantly contributed to the development of S&P assets (not only software tools, but also dissemination materials, a certification scheme, standards analysis, guidelines, best practices, etc.) with a high socio-economic impact, as measured in the corresponding deliverables. Details about these assets are provided in the following sections and available via different channels (e.g. public deliverables, peer-reviewed publications or open datasets).
• A combination of citizen engagement actions, stakeholder engagement activities, methodological design actions, co-creation and piloting activities was carried out. This includes two rounds of pilots involving a total of 561 participants from four countries (Spain, France, Italy and Romania), resulting in feedback for further functionality and usability improvement as well as guidelines, best practices and recommendations.
• An advanced suite of tools aimed at enhancing digital privacy was completed. This suite includes (i) a software analyser for Android apps capable of both static and dynamic analysis, ensuring comprehensive privacy evaluations; (ii) a natural language privacy-related information analyser for Android apps that provides in-depth privacy insights; and (iii) Ad Analyser for Facebook, which profiles the ads shown to users via a browser extension and collects and analyses ad-related information. These tools are seamlessly integrated with other TRUST aWARE developments, specifically the TRUST aWARE Malware Information Sharing Platform (MISP) instance (see below) and the TRUST aWARE dashboard, a user-centric front-end component to assist and educate users when addressing their specific S&P threats.
• A set of cybersecurity and privacy protection tools was completed. Starting from previous developments by TRUST aWARE partners, these tools improve existing functionalities and build new ones: (i) Activity Monitor is designed to detect and counteract attacks that traditional anti-malware engines may miss; (ii) DiAPK is a classifier that identifies malicious Android Packages (APKs) using static software analysis and machine learning-based models; (iii) CheckMyNews is software designed to collect data about the public posts, news posts, and ads that users receive on their feeds.
• A Collaborative Cyber Threat Intelligence (CTI) platform was deployed based on a MISP instance, which relies on a taxonomy specifically conceived to tackle security and privacy (S&P) threats. A MISP training course was prepared for mastering the use of the MISP platform, and an online platform to present reports on existing S&P risk levels was also developed.
• A socio-economic impact assessment was conducted, quantifying the social and economic impacts identified with inputs from international studies and S&P and technology experts. Similarly, the ethical impact assessment validated the identified ethical impacts through a workshop with project partners and external experts, benchmarked the methodology against the SIENNA methodology, and offered design recommendations for S&P tools.
• A standards guideline was generated explaining step-by-step how developers can comply with standards to enhance privacy protections when developing their tools.
• A specific extension of Europrivacy for international data transfer under Article 46 of the GDPR was developed. It was particularly focused on the implementation of a high-level certification scheme to bridge major international regulatory certification schemes (Interprivacy).
• The consortium produced 22 peer-reviewed publications in journals/international conferences and 1 book, attended 26 industry or regulatory events and participated in 79 events in total. Besides that, information was released through the website (www.trustaware.eu), newsletters and social media (X and LinkedIn, @trustaware).
Throughout the execution of the TRUST aWARE project, the different developments were continuously monitored to identify key exploitable results (KERs) early:
• KER1: Static/dynamic analysis
• KER2: NLP tool for the analysis of privacy policies
• KER3: Content analysis
• KER4: Cybersecurity protection, detection and response tools
• KER5: S&P dashboard
• KER6: S&P CTI platform
• KER7: S&P certification and search engine
• KER8: Training programme
These KERs were duly analysed (owners, interest, roles, competitors, target users, SWOT, etc.) as part of the exploitation and sustainability plan.
In relation to socio-economic aspects, two analyses were conducted: (i) a social cost-benefit analysis, which identifies the value of the impact to society and the public sector, and (ii) a private cost-benefit analysis, which focuses on the private sector impact. The impacts were monetised with the help of past research into each of the impacts, a user survey and a partner survey examining estimates of change. The results show that there is a net positive impact of the project if implemented in full for both society and private users. Finally, a number of data gaps, where future research is needed, were identified in the course of the analyses. Results were reported in the public deliverable D5.3 and also contributed to the development of recommendations in the public deliverable D5.12.