DOM Instrumentation to Display Provenance Data
Keywords:
Software Engineering, Data privacy
Abstract
With ever-evolving privacy laws, end users of software systems are increasingly expressing concerns about the usage of their data. Real-world incidents, such as the 2019 data breach affecting up to 112,000 Air New Zealand Airpoints customers, have contributed to a growing awareness of data privacy issues. In response to these concerns, Aotearoa New Zealand regulators re-evaluated the Privacy Act in 2020, imposing financial liability on data providers to mitigate potential breaches. To address the intentional obscurity of end users' data, this project contributes to an infrastructure enabling users to monitor the usage of their data when interacting with web applications. This is done by providing end users with increased transparency regarding the handling of their data during web browsing. Modern web applications have complex layered architectures, often involving server-side applications with existing solutions. Developing and retrofitting systems to support this transparency is both intricate and costly; hence, automation was the desirable approach. This research explored the implementation of a solution by extending support to an additional layer, exposing existing provenance data from the server-side domain to the client-side domain through manipulation of the client-side Document Object Model (DOM). This data was displayed back to the user as a pop-up instrumented within the DOM. To achieve this objective, a range of prototypes was developed to instrument the client-side DOM and expose existing provenance data. These prototypes included browser plugins, pure JavaScript instrumentation, and framework plugins. The project assessed each prototype by measuring its performance overhead to determine whether the added performance cost is worth the functionality.