  • Bergs&More

EDPB RELEASES THE “EDPB WEBSITE AUDITING TOOL” FOR WEBSITE ANALYSES



On January 29, 2024, the European Data Protection Board (EDPB) announced the release of the "EDPB Website Auditing Tool" (hereinafter also "EDPB WAT"), a tool designed to conduct analyses of websites.


This tool has been developed as open source, under the European Union Public License v. 1.2, by the Support Pool of Experts (SPE), a group of experts in technical and/or legal fields. Their aim is to support Data Protection Authorities and the EDPB itself in the development of tools that facilitate a harmonized application of current regulations on personal data protection.


Following the interest generated by the EDPB's announcement, we decided to test the tool. After several trials, we observed that EDPB WAT collects information on cookies, data stored in local storage, the use of HTTPS protocols, the potential presence of forms communicating via unencrypted protocols, data traffic (specifically, the domains with which the renderer has communicated), and beacons. Additionally, EDPB WAT can be integrated with the "testssl.sh" tool, which analyzes TLS/SSL ciphers, protocols used, and checks for any known vulnerabilities in encryption systems, providing the CVE (Common Vulnerabilities and Exposures) identification code of the tested vulnerabilities.


EDPB WAT gathers the aforementioned information while the user browses the website to be analysed (via the Chromium browser, integrated into the tool). Furthermore, EDPB WAT can import and process data extracted from the major public browsers in .har format, or data collected through the "Website Evidence Collector (WEC)", a tool released in 2021 by the European Data Protection Supervisor (EDPS).


It is also possible to manually create or import databases (called Knowledge Bases) to save information on cookies and data stored in local storage. EDPB WAT can compare the cookies and data stored in local storage identified on the analysed website with those saved in the Knowledge Base, highlighting, regarding cookies, whether the name and/or domain match and, regarding data stored in local storage, whether the key and/or script match.
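The .har import and the Knowledge Base comparison described above can be sketched as follows. This is an added example, not code from EDPB WAT: the sample capture is constructed, and the knowledge-base record layout and the function names are assumptions; only the HAR 1.2 field names (`log.entries[].request` and `response.cookies`) are standard.

```python
from urllib.parse import urlparse

def entry(method, url, cookies):
    # Build a minimal HAR 1.2 entry (only the fields used below).
    return {"request": {"method": method, "url": url},
            "response": {"cookies": [{"name": n, "domain": d} for n, d in cookies]}}

# Constructed sample capture; hosts and cookie names are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    entry("GET", "https://shop.example.com/",
          [("sessionid", ""), ("_ga", ".example.com"), ("promo", ".example.com")]),
    entry("GET", "https://cdn.tracker.example.net/p.gif",
          [("uid", ".tracker.example.net"), ("_ga", ".tracker.example.net")]),
    entry("POST", "http://shop.example.com/newsletter", [])]}}

# Hypothetical knowledge base; this record layout is an assumption, not the tool's format.
KNOWLEDGE_BASE = [
    {"name": "_ga", "domain": ".example.com", "category": "analytics"},
    {"name": "sessionid", "domain": "shop.example.com", "category": "necessary"},
]

def cookies_from_har(har):
    """Return unique (name, domain) pairs set by responses, in first-seen order."""
    seen = {}
    for e in har["log"]["entries"]:
        host = urlparse(e["request"]["url"]).hostname or ""
        for c in e["response"].get("cookies", []):
            # A cookie without a Domain attribute is host-only: use the request host.
            seen[(c["name"], (c.get("domain") or host).lower())] = None
    return list(seen)

def match_level(name, domain, kb):
    """Report whether name and/or domain match an entry of the knowledge base."""
    if any(k["name"] == name and k["domain"].lower() == domain for k in kb):
        return "name+domain"
    if any(k["name"] == name for k in kb):
        return "name"
    if any(k["domain"].lower() == domain for k in kb):
        return "domain"
    return "none"

def unencrypted_posts(har):
    """List POST requests sent over plain HTTP (e.g. a form submitted without TLS)."""
    return [e["request"]["url"] for e in har["log"]["entries"]
            if e["request"]["method"] == "POST"
            and urlparse(e["request"]["url"]).scheme == "http"]

def audit(har, kb):
    """Map every cookie found in the capture to its knowledge-base match level."""
    return {pair: match_level(*pair, kb) for pair in cookies_from_har(har)}
```

Cookies that come back as "name" or "none" are the ones a reviewer still has to classify by hand, which mirrors the manual assessment step the tool leaves to the user.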


Finally, EDPB WAT can generate reports and lets the user evaluate, in a granular manner, whether the various elements identified during the analysis are compliant, non-compliant, or to be defined. However, such assessments are not made autonomously by the tool: it is the user who must manually input their own considerations, for which adequate technical-legal expertise is therefore necessary and fundamental.


In conclusion, EDPB WAT enriches the range of tools available for conducting technical analyses of websites and, with the support of consultants, can become an excellent tool for analysing the legal compliance of websites.


Author:   Avv. Lorenzo Balestra

Contact:  Avv. Luisa Romano    l.romano@bergsmore.com
