Nataliia Bielova’s Call to Privacy Research: Journey of a Rising Star

The funny thing is, I wasn’t first interested in privacy. I spent my postdoc year at Inria in Rennes working on secure information flow in programming languages until a strange inner calling started resonating in 2012. I was attending the flagship conference in my area of expertise, the IEEE Security & Privacy in San Francisco, where I was dreaming to publish one day. On my second day there I bumped into a young PhD student presenting her poster. There she was, passionately discussing her new paper on detecting and defending against Web tracking. Her name was Franziska Roesner and I remember thinking: “Wow, this is fascinating, I wish I could do something like this one day!”

Back home, I started delving into the brand new field of web tracking research and soon got caught into Ashkan Soltani and his colleagues’ early investigations on cookies “respawning” - process by which browser cookies recreate themselves after being deleted by the user.

I must say there was a before and after San Francisco, but it would take a few more years for me to make the big move. I first repurposed my current research to the detection of web tracking. Then I got my tenure at Inria Sophia Antipolis, gave birth to my daughter and met Guillene Ribière from the Inria TIPD (Transfer, Innovation and Partnerships Department). Our spirit-lifting conversations convinced me to attend the CPDP conference for law professionals, where I found out that Inria Privatics colleagues were already involved in the transdisciplinary collaboration with law scholars and regulators.

Around that time, my first PhD student, Doliere Francis Some, started making large-scale measurements to detect vulnerabilities in 1 million web pages. While such automated measurements are pure computer science, it soon dawned on me that I needed law scholars as well. So, winning the Young Researcher Grant from the French National Research Agency (ANR JCJC) for the PrivaWeb project in 2018 enabled me to set up my first transdisciplinary team to address the complex problem of legal compliance of websites with the laws designed to protect users.

Law researcher Cristiana Santos started working with me in 2019 and what we found out was most concerning: hundreds of websites were using cookie banners that didn’t respect users’ privacy choice. Our work got published at the same flagship IEEE Security and Privacy Conference that I had attended in 2012 : eight years later, my dream was coming true! It didn’t take long for the None Of Your Business (NOYB) NGO to follow suit. They leveraged our research to file three GDPR complaints to the French Data Protection Authority (CNIL). Over the next three years, our paper would be cited over 200 times while NOYB would file 500 more complaints to European Data Protection Authorities based on our work. The Belgian Data Protection Authority even used the arguments from our scientific paper in its decision to fine IAB Europe over its consent framework's GDPR violations.

As these events unfolded, human-computer interaction and design scholar Colin M. Gray had just published his first taxonomy of dark patterns. We thought it would be interesting to delve into these pervasive and hard-to-regulate patterns that hide within cookie banners to coerce users into doing something they wouldn’t do otherwise.

Our early-morning calls with Colin during the 2020 pandemic soon gave birth to the very first research study combining the knowledge of Computer Science, Law and HCI/Design scholars. Published at the flagship ACM Human-Computer Interaction conference (ACM CHI'2021), it reached a pinnacle reserved to the top 5% of papers: the "Best of CHI Honorable Mention".

If you ask me how the enforcement of privacy laws is doing these days, I would say that the sky is brighter above countries like France, thanks to the CNIL’s tireless efforts. I spent one year in their Digital Innovation Lab (LINC) helping to regulate web tracking and dark patterns while strengthening relationships with academic research. These bonds are even more critical as increasingly complex privacy threats are looming in the areas of mobile, IoT, new voice interfaces and augmented/virtual reality.

Collaboration with other disciplines such as economics are equally critical to further analyze the complex technological ecosystem and the economic incentives at hand for each stakeholder involved. Without this in-depth understanding, regulators and policy makers cannot protect citizens from the advanced technologies that leak user data and from the dark patterns that manipulate them on an unprecedented scale.

It is also important to reach beyond the academic and regulation realms to empower citizen themselves. When my Privatics colleague Cedric Lauradoux contacted me back in 2017 to invite me to take part in a new Inria Learning Lab MOOC on Privacy Protection, I didn’t hesitate for one second. So far, the MOOC has been attended by more than 43,000 French-speaking participants from all over the world.

My legal twin Cristiana Santos has moved to Utrecht University and won an Inria International Chair to focus on the most critical fields of consent and dark pattern lawfulness. In the meantime, I have had the joy to mentor, together with Arnaud Legout from the DIANA team, the talented PhD student Imane Fouad and MSc intern Vera Wesselkamp. Our joint research on Web tracking detection was published at the top Privacy Enhancing Technologies Symposium (PETs) in 2020 and the Federal Trade Commission (FTC) invited Imane to present this work. Her follow-up 2022 PETs paper on cookie respawning received a recognition by the Future of Privacy Forum’s “Privacy Papers for Policymakers”: the Honorable mention for the Student Paper Award in 2023.

I am incredibly proud of my students’ success and cannot wait for them to enjoy the scientific freedom as much as I do at Inria. I often encourage them to make time for career-building by networking and attending key events, but also to open up to each other about the ups and downs of their academic career. Next on my agenda for the privacy research community is to offer free on-site child care as part of every conference, which will greatly help young women attend key events.

By sharing my own personal and professional experience whenever I can, I also hope to encourage more female students to consider computer science and transdisciplinary research as a career. Based on my own experience, I know that even a single role model can have a great impact on a young woman’s career choice.

In addition to building more connections with regulators both within and beyond the EU, I am currently working beyond Data Protection for my research to cover Consumer Protection, Competition and new EU laws (Digital Services Act package - DSA and DMA, Data Governance Act, AI Act). My work will also see more and more transdisciplinary collaborations with scholars in economics and hopefully psychology, neuroscience and brain-computer interaction soon.