{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T19:12:20Z","timestamp":1760037140991,"version":"build-2065373602"},"reference-count":34,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:00:00Z","timestamp":1759968000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>With the rapid growth of digital interactions, safeguarding user privacy on websites has become a critical concern. This paper introduces a comprehensive framework that integrates both technical and policy-based factors to assess a website\u2019s level of privacy protection. The framework employs a scoring system that evaluates key technical elements, such as HTTP security headers, email authentication protocols (SPF, DKIM, DMARC), SSL\/TLS certificate usage, domain reputation, DNSSEC, and cookie practices. In parallel, it examines the clarity and GDPR compliance of privacy policies. The resulting score reflects not only the technical strength of a website\u2019s defenses but also the transparency with which data processing practices are communicated to users. To demonstrate its effectiveness, the framework was applied to two similarly sized private hospitals, generating comparative privacy scores under a unified metric. The results confirm the framework\u2019s value in producing measurable insights that enable cross-organizational privacy benchmarking. By combining policy evaluation with technical analysis, this work addresses a significant gap in existing research and offers a reproducible, extensible methodology for assessing website privacy posture from a visitor\u2019s perspective.<\/jats:p>","DOI":"10.3390\/fi17100463","type":"journal-article","created":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T07:56:29Z","timestamp":1759996589000},"page":"463","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Quantifying Website Privacy Posture Through Technical and Policy-Based Assessment"],"prefix":"10.3390","volume":"17","author":[{"given":"Ioannis","family":"Fragkiadakis","sequence":"first","affiliation":[{"name":"Department of Digital Systems, University of Piraeus, 18534 Piraeus, Greece"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8037-2191","authenticated-orcid":false,"given":"Stefanos","family":"Gritzalis","sequence":"additional","affiliation":[{"name":"Department of Digital Systems, University of Piraeus, 18534 Piraeus, Greece"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3101-5347","authenticated-orcid":false,"given":"Costas","family":"Lambrinoudakis","sequence":"additional","affiliation":[{"name":"Department of Digital Systems, University of Piraeus, 18534 Piraeus, Greece"}]}],"member":"1968","published-online":{"date-parts":[[2025,10,9]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Fragkiadakis, I., and Lambrinoudakis, C. (2025, January 21\u201323). Assessment of Online Privacy Policies. Proceedings of the 11th International Conference on Computer Technology Applications (ICCTA 2025), Vienna, Austria.","DOI":"10.1109\/ICCTA65425.2025.11166173"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Schnell, K., Roy, K., and Siddula, M. (2023). A Descriptive Study of Webpage Designs for Posting Privacy Policies for Different-Sized US Hospitals to Create an Assessment Framework. Future Internet, 15.","DOI":"10.3390\/fi15030112"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3698393","article-title":"A Systematic Review of Privacy Policy Literature","volume":"57","author":"Javed","year":"2024","journal-title":"ACM Comput. Surv."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.comcom.2019.04.005","article-title":"A Comparison of web privacy protection techniques","volume":"144","author":"Mazel","year":"2019","journal-title":"Comput. Commun."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Lehmann, A., Whitehouse, D., Fischer-H\u00fcbner, S., Fritsch, L., and Raab, C. (2016). Evaluating Websites and Their Adherence to Data Protection Principles: Tools and Experiences. Privacy and Identity Management. Facing up to Next Steps: Privacy and Identity 2016. IFIP Advances in Information and Communication Technology, Springer.","DOI":"10.1007\/978-3-319-55783-0"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Dabrowski, A., Merzdovnik, G., Ullrich, J., Sendera, G., and Weippl, E. (2019, January 27\u201329). Measuring Cookies and Web Privacy in a Post-GDPR World. Proceedings of the International Conference on Passive and Active Network Measurement (PAM 2019), Lecture Notes in Computer Science 11419, Puerto Varas, Chile.","DOI":"10.1007\/978-3-030-15986-3_17"},{"key":"ref_7","first-page":"103643","article-title":"Evolution of web tracking protection in Chrome","volume":"79","author":"Pan","year":"2023","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"731","DOI":"10.3390\/jcp4030034","article-title":"Protection of Personal Data in the Context of E-Commerce","volume":"4","author":"Dakic","year":"2024","journal-title":"J. Cybersecur. Priv."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"325","DOI":"10.1257\/pol.20210309","article-title":"Regulating Privacy Online: An Economic Evaluation of the GDPR","volume":"16","author":"Goldberg","year":"2024","journal-title":"Am. Econ. J. Econ. Policy"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"225","DOI":"10.7456\/tojdac.1569287","article-title":"User Data and Digital Privacy: Privacy Policies of Social Media Platforms","volume":"15","year":"2025","journal-title":"Turk. Online J. Des. Art Commun."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Sim, K., Heo, H., and Cho, H. (2024). Combating Web Tracking: Analyzing Web Tracking Technologies for User Privacy. Future Internet, 16.","DOI":"10.3390\/fi16100363"},{"key":"ref_12","unstructured":"(2025, August 18). HTTP Security Headers: A Complete Guide to HTTP Headers. Available online: https:\/\/www.darkrelay.com\/post\/http-security-headers."},{"key":"ref_13","unstructured":"(2025, August 18). HTTP Security Response Headers Cheat Sheet\u2014OWASP Cheat Sheet Series. Available online: https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/HTTP_Headers_Cheat_Sheet.html."},{"key":"ref_14","unstructured":"(2025, August 18). RFC 1049\u2014Content-Type Header Field for Internet Messages. Available online: https:\/\/datatracker.ietf.org\/doc\/html\/rfc1049."},{"key":"ref_15","unstructured":"(2025, August 18). RFC 6265\u2014HTTP State Management Mechanism. Available online: https:\/\/datatracker.ietf.org\/doc\/html\/rfc6265."},{"key":"ref_16","unstructured":"(2025, August 18). RFC 6797\u2014HTTP Strict Transport Security (HSTS). Available online: https:\/\/datatracker.ietf.org\/doc\/html\/rfc6797."},{"key":"ref_17","unstructured":"(2025, August 18). RFC 9111\u2014HTTP Caching. Available online: https:\/\/datatracker.ietf.org\/doc\/rfc9111\/."},{"key":"ref_18","unstructured":"(2025, August 18). Analyse Your HTTP Response Headers. Available online: https:\/\/securityheaders.com\/."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Al Qahtani, E., Javed, Y., Tabassum, S., Sahoo, L., and Shehab, M. (2023). Managing Access to Confidential Documents: A Case Study of an Email Security Tool. Future Internet, 15.","DOI":"10.3390\/fi15110356"},{"key":"ref_20","unstructured":"(2025, August 18). RFC 8616\u2014Email Authentication for Internationalized Mail. Available online: https:\/\/datatracker.ietf.org\/doc\/html\/rfc8616."},{"key":"ref_21","unstructured":"(2025, August 18). Set Up DMARC to Validate the From Address Domain for Cloud Senders. Available online: https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/email-authentication-dmarc-configure."},{"key":"ref_22","unstructured":"(2025, August 18). Understanding Website Certificates|CISA, Available online: https:\/\/www.cisa.gov\/news-events\/news\/understanding-website-certificates."},{"key":"ref_23","unstructured":"(2025, August 18). Qualys SSL Labs. Available online: https:\/\/www.ssllabs.com\/."},{"key":"ref_24","unstructured":"(2025, August 18). Web Filter Lookup|FortiGuard Labs. Available online: https:\/\/fortiguard.fortinet.com\/webfilter."},{"key":"ref_25","unstructured":"(2025, August 18). Reputation Lookup||Cisco Talos Intelligence Group\u2014Comprehensive Threat Intelligence. Available online: https:\/\/talosintelligence.com\/reputation_center."},{"key":"ref_26","unstructured":"(2025, August 18). MX Lookup Tool\u2014Check Your DNS MX Records Online\u2014MxToolbox. Available online: https:\/\/mxtoolbox.com\/."},{"key":"ref_27","unstructured":"(2025, August 18). VirusTotal\u2014Home. Available online: https:\/\/www.virustotal.com\/gui\/home\/upload."},{"key":"ref_28","unstructured":"(2025, August 18). BarracudaCentral.org\u2014Technical Insight for Security Pros. Available online: https:\/\/www.barracudacentral.org\/."},{"key":"ref_29","unstructured":"(2025, August 18). DNSSEC\u2014What Is It and Why Is It Important?. Available online: https:\/\/www.icann.org\/resources\/pages\/dnssec-what-is-it-why-important-2019-03-05-en."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Guill\u00e9n Cava, \u00c1.D., and Ruiz-Mart\u00ednez, A. (2025). WebTrackingScore: A Combined Web Tracking Risk Score System for Websites. Future Internet, 17.","DOI":"10.3390\/fi17010003"},{"key":"ref_31","unstructured":"(2025, August 18). Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95\/46\/EC (General Data Protection Regulation). Available online: http:\/\/data.europa.eu\/eli\/reg\/2016\/679\/oj."},{"key":"ref_32","unstructured":"(2025, August 18). Directive 2002\/58\/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2002\/58\/oj."},{"key":"ref_33","unstructured":"(2025, August 18). Google Certified Publishing Partner. Available online: https:\/\/www.google.com\/ads\/publisher\/partners\/."},{"key":"ref_34","unstructured":"Tang, C., Liu, Z., Ma, C., Wu, Z., Li, Y., Liu, W., Zhu, D., Li, Q., Li, X., and Liu, T. (2023). PolicyGPT: Automated Analysis of Privacy Policies with Large Language Models. arXiv."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/10\/463\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:50:48Z","timestamp":1760035848000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/10\/463"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,9]]},"references-count":34,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2025,10]]}},"alternative-id":["fi17100463"],"URL":"https:\/\/doi.org\/10.3390\/fi17100463","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2025,10,9]]}}}