Guiding App Developers on Privacy and Security Design Matters. Majid Hatamian, Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt. [email protected], www.hatamian.net. 12th June 2019, Rome, Italy. IPEN Workshop 2019.


Page 1

Guiding App Developers on Privacy and Security Design Matters

Majid Hatamian

Chair of Mobile Business & Multilateral Security

Goethe University Frankfurt

[email protected]

www.hatamian.net

12th June 2019 – Rome, Italy

IPEN Workshop 2019

Page 2

Outline

24.06.2019 2

1 Introduction

2 App Developers Guide

3 Summary

Page 3

Outline

1 Introduction

2 App Developers Guide

3 Summary

Page 4

Introduction: Problem Definition

After one year…

Lack of developer-centric privacy research

Law itself is not enough

Page 5

Introduction: Problem Definition

Users are more concerned

Apps are still greedy

Page 6

Outline

1 Introduction

2 App Developers Guide

3 Summary

Page 7

App Developers Guide

National and international bodies

Legal and technical documents

Institutes and authorities

Not only what to do, but also how to do it

Page 8

App Developers Guide

[Diagram labels:]

App Developers Guide

Extraction of Relevant Principles

Checking the Overlaps

Compilation and Categorization of Principles

Regulatory Documents Review

Data Protection Expert Discussion

Supports

Developer

Scientific/Technical Documents Review

Page 9

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

Page 10

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Sharing limitation

• 3rd parties & 3rd countries

• 3rd party content

Page 11

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Anonymization

• Pseudonymization

Page 12

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Data retention

• Data accuracy

Page 13

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Ex-ante measures

• Ex-post measures

Page 14

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Sharing security

• Storage security

• Unauthorized access prevention

• Safeguard measures

• Secure payment

• Device & OS

Page 15

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• Internal procedures

• Data Protection Impact Assessments (DPIAs)

Page 16

App Developers Guide: Privacy & Security Design Principles Catalog

Purpose limitation & Data minimization

Unlinkability

Storage limitation

Transparency

Integrity & Confidentiality

Accountability

Intervenability

• User’s rights

• User’s consent

Page 17

Outline

1 Introduction

2 App Developers Guide

3 Summary

Page 18

Summary

Promises do not match actions

• Absolute freedom!

There is a gap between privacy regulation and the implementation of real-world app privacy practices

• The presented guide catalog may help fill it.

Page 19

Chair of Mobile Business & Multilateral Security

Majid Hatamian, Ph.D. candidate

Goethe University Frankfurt

E-Mail: [email protected]

WWW: www.hatamian.net

www.m-chair.de