RSLingo4Privacy Studio - A Tool to Improve the Specification and Analysis of Privacy Policies

André Ribeiro, Alberto Rodrigues da Silva

2017

Abstract

Popular software applications collect and retain a lot of users' information, part of which is personal and sensitive. To ensure that only the desired information is made public, these applications have to define and publish privacy policies that describe how they manage and disclose this information. Problems arise when privacy policies are misinterpreted, for instance because they contain ambiguous and inconsistent statements, which results in a defective application of the policy enforcement mechanisms. The RSLingo4Privacy approach aims to improve the specification and analysis of such policies. This paper presents and discusses its companion tool, the RSLingo4Privacy Studio, which materializes this approach by providing the technological support that lets users specify, analyze and publish policies based on the RSL-IL4Privacy domain-specific language. We validated its feasibility using the policies of popular websites such as Dropbox, Facebook, IMDB, LinkedIn, Twitter and Zynga. We conclude this paper with a discussion of the related work, namely a comparative analysis of the pros and cons of RSLingo4Privacy Studio against previous proposals.



Paper Citation


in Harvard Style

Ribeiro A. and Silva A. (2017). RSLingo4Privacy Studio - A Tool to Improve the Specification and Analysis of Privacy Policies. In Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-248-6, pages 52-63. DOI: 10.5220/0006310400520063


in Bibtex Style

@conference{iceis17,
author={André Ribeiro and Alberto Rodrigues da Silva},
title={RSLingo4Privacy Studio - A Tool to Improve the Specification and Analysis of Privacy Policies},
booktitle={Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2017},
pages={52-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006310400520063},
isbn={978-989-758-248-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 19th International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - RSLingo4Privacy Studio - A Tool to Improve the Specification and Analysis of Privacy Policies
SN - 978-989-758-248-6
AU - Ribeiro A.
AU - Silva A.
PY - 2017
SP - 52
EP - 63
DO - 10.5220/0006310400520063