Improving the Specification and Analysis of Privacy Policies - The RSLingo4Privacy Approach

Alberto Rodrigues da Silva, João Caramujo, Shaghayegh Monfared, Pavel Calado, Travis Breaux

Abstract

The common operation of popular web and mobile information systems involves the collection and retention of personal and sensitive information about their users. This information needs to remain private, and each system should show a privacy policy that describes in depth how the users' information is managed and disclosed. However, the lack of a clear understanding and of a precise mechanism to enforce the statements described in the policy can constrain the development and adoption of these requirements. RSLingo4Privacy is a multi-language approach that intends to improve the specification and analysis of such policies, and which includes several processes with respective tools, namely: (P1) automatic classification and extraction of statements and text snippets from original policies into equivalent and logically consistent specifications (based on a privacy-aware specific language); (P2) visualization and authoring of these statements in a consistent and rigorous way based on that privacy-aware specific language; (P3) automatic analysis and validation of the quality of these specifications; and finally (P4) (re)publishing of policies. This paper presents and discusses the first two processes (P1 and P2). Although the approach has been evaluated against the policies of the most popular systems, for the sake of brevity we consider only the Facebook policy to support the presentation and discussion of the current results of the proposed approach.



Paper Citation


in Harvard Style

da Silva A., Caramujo J., Monfared S., Calado P. and Breaux T. (2016). Improving the Specification and Analysis of Privacy Policies - The RSLingo4Privacy Approach. In Proceedings of the 18th International Conference on Enterprise Information Systems - Volume 1: ICEIS, ISBN 978-989-758-187-8, pages 336-347. DOI: 10.5220/0005870503360347


in Bibtex Style

@conference{iceis16,
author={Alberto Rodrigues da Silva and João Caramujo and Shaghayegh Monfared and Pavel Calado and Travis Breaux},
title={Improving the Specification and Analysis of Privacy Policies - The RSLingo4Privacy Approach},
booktitle={Proceedings of the 18th International Conference on Enterprise Information Systems - Volume 1: ICEIS,},
year={2016},
pages={336-347},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005870503360347},
isbn={978-989-758-187-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 18th International Conference on Enterprise Information Systems - Volume 1: ICEIS,
TI - Improving the Specification and Analysis of Privacy Policies - The RSLingo4Privacy Approach
SN - 978-989-758-187-8
AU - da Silva A.
AU - Caramujo J.
AU - Monfared S.
AU - Calado P.
AU - Breaux T.
PY - 2016
SP - 336
EP - 347
DO - 10.5220/0005870503360347