Privacy Distillation for Mobile Applications


BCS Best of RESG Research 2014

Distilling Privacy Requirements for Mobile Applications

Keerthi Thomas (1), Arosha K. Bandara (1), Blaine A. Price (1), Bashar Nuseibeh (1,2)

(1) Centre for Research in Computing, The Open University, Milton Keynes, UK
(2) Lero, University of Limerick, Ireland

First Presented @ ICSE 2014 http://oro.open.ac.uk/39635/

http://www.asap-project.info

Privacy

A right to appropriate flow of personal information in a given context (Nissenbaum 2010)

Privacy threats surrounding "Mobile" (slide concept map):

• Identification

• Exposure

• Surveillance

• Aggregation

• Misinformation

• Breach of trust

• Power imbalance

• Cross-contextual information flow

• Proximal access

• Intrusion

Privacy needs of mobile users

"...things like buses and trains I don’t feel so comfortable..., because I don’t know...lots of people I don’t know...if they for example read some of the posts I have done...they don’t know the people that they are aimed at or the back story"

Mobile users (Interview Data) = Privacy Requirements (Software Engineers)?

Problem Statement

• how to structure qualitative data & identify privacy threats?

• how to model information-flows critical to privacy?

• how to model mobile privacy requirements?

Interview data → ? → Privacy-aware Mobile system

A novel approach…

Interview data → Distillation → Privacy-aware Mobile system

• Distillation employs analysis models and patterns to extract and refine privacy requirements for mobile applications.

• Distillation is a synthesis of thematic analysis from social sciences and Problem Frames from software engineering.

Distillation Approach

[Overview diagram] Qualitative Data → Privacy Threats / Concerns → Information Flow Model → Privacy Requirements → System Requirements → Mobile Application

Steps:

1. Structure Qualitative Data

2. Info. Flow Modelling

3. Privacy Problem Analysis

Edge labels in the diagram: "assist in gathering" (Privacy Facets Framework → Qualitative Data); "uses" (steps drawing on the Privacy Facets Framework, shown twice); "mitigates" (Privacy Requirements → Privacy Threats / Concerns); "informs new version" (Privacy Requirements → System Requirements); "implements" (Mobile Application → System Requirements)

Qualitative Data

The interview excerpt quoted above is taken from: Mancini et al. (2009). From spaces to places: emerging contexts in mobile privacy. Proceedings of the 11th international conference on Ubiquitous computing, Orlando, Florida, USA, ACM.


Privacy Facets Framework

• Privacy Sensitive Context identification (PS-Context)

• Facet questions (Information, Info. Flow, Actors & Place)

• Privacy threat description and mapping

• Problem patterns - information flow modelling

• Privacy arguments (extensions)


Structuring of Qualitative Data (Privacy Facets Framework)

Interview excerpt: "...things like buses and trains I don’t feel so comfortable..., because I don’t know...lots of people I don’t know...if they for example read some of the posts I have done...they don’t know the people that they are aimed at or the back story"

Privacy Sensitive Context: the excerpt shows Negative Emotions, coded NEI.

Place facet questions: the excerpt indicates that the user’s privacy is impacted by Place (location), coded PLACE(LOC).

Code: NEI, PLACE(LOC)

Mapped privacy threat: T9 – Proximal Access. Harms: Loss of reputation (H3), Loss of freedom (H6), Loss of anonymity (H7), Embarrassment (H9)


Information-Flow Modelling (Privacy Facets Framework)

[Problem diagram] Requirement: Create Status Message; Display Status Message ~ Fb-Friends

Domains, with the shared information phenomena between them: User –(Msg. creating)– Machine –(Status Msg.)– Screen Display –(Msg. Display)– Friends


Privacy Problem Analysis (Privacy Facets Framework)

[Problem diagram, extended with the privacy-sensitive context] Requirement: Create Status Message; Display Status Message ~ Fb-Friends

Domains: User –(Msg. creating)– Machine –(Status Msg.)– Screen Display –(Msg. Display)– Friends, plus Passengers and Pub.Trans. (Public Transport) adjacent to the Screen Display

PC9: Proximal Access Concern

Privacy Problem Analysis (Privacy Facets Framework): privacy arguments

argument: PN1 "<<User>> can only share Status Messages with friends"

argument: PC9 "Status messages are visible to passengers co-located to <<User>> on <<Public Transport>>" rebuts PN1

argument: PR1 "Screen display filter is enabled when <<User>> is on <<Public Transport>>" mitigates PC9 depends on PR2, PR3

argument: PR2 "<<User>> on <<Public Transport>> is detected"

argument: PR3 "<<User>> in close proximity to other passengers is detected"
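The information-flow model (step 2) and the privacy arguments (step 3) from the slides above, worked as one small executable model. This is an added example, not code from the slides or from the ASAP project: the domain names, places and argument ids (Status Message, Fb-Friends, Public Transport, PN1, PC9, PR1 to PR3) are taken from the slides, while the Flow and Argument structures, the function names, the Screen Display → Passengers flow that exists only on Public Transport, and the rule that a norm holds once every rebutting concern is mitigated by an implemented requirement whose dependencies are implemented are assumptions made for this example.

```python
# Added example (not from the slides or the ASAP project): a toy executable
# model of Distillation step 2 (information-flow modelling) and step 3
# (privacy problem analysis with privacy arguments). Domain names, places and
# argument ids come from the slides; the Flow/Argument structures, function
# names and the satisfaction rule for "mitigates" / "depends on" are
# assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # domain the information leaves
    dst: str     # domain that receives it
    info: str    # the shared phenomenon, e.g. "Status Message"
    place: str   # "any", or the place in which this flow exists


@dataclass(frozen=True)
class Argument:
    id: str
    text: str
    rebuts: str = ""        # id of the privacy norm this concern rebuts
    mitigates: str = ""     # id of the concern this requirement mitigates
    depends_on: tuple = ()  # ids of requirements this one depends on


# Constructed information-flow model for "Display Status Message ~ Fb-Friends":
# User -> Machine -> Screen Display -> Friends, plus the flow to co-located
# Passengers that only exists when the user is on Public Transport.
FLOWS = [
    Flow("User", "Machine", "Status Message", "any"),
    Flow("Machine", "Screen Display", "Status Message", "any"),
    Flow("Screen Display", "Friends", "Status Message", "any"),
    Flow("Screen Display", "Passengers", "Status Message", "Public Transport"),
]
ACTORS = {"User", "Friends", "Passengers"}  # human domains; the rest are devices


def recipients(flows, info, start, place):
    """Actors (other than `start`) that can receive `info` in `place`,
    following every flow whose place is "any" or the given place."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for f in flows:
            if (f.src == node and f.info == info
                    and f.place in ("any", place) and f.dst not in seen):
                seen.add(f.dst)
                stack.append(f.dst)
    return {d for d in seen if d in ACTORS and d != start}


def unintended_recipients(flows, info, start, intended, place):
    """Privacy concern check: actors that receive `info` in `place` even though
    the requirement names only `intended` as recipients (sorted list)."""
    return sorted(recipients(flows, info, start, place) - set(intended))


# The privacy arguments from the slide, encoded as data.
ARGUMENTS = [
    Argument("PN1", "<<User>> can only share Status Messages with friends"),
    Argument("PC9", "Status messages are visible to passengers co-located to "
                    "<<User>> on <<Public Transport>>", rebuts="PN1"),
    Argument("PR1", "Screen display filter is enabled when <<User>> is on "
                    "<<Public Transport>>", mitigates="PC9",
             depends_on=("PR2", "PR3")),
    Argument("PR2", "<<User>> on <<Public Transport>> is detected"),
    Argument("PR3", "<<User>> in close proximity to other passengers is detected"),
]


def norm_holds(arguments, norm_id, implemented):
    """A privacy norm holds when every concern that rebuts it is mitigated by a
    requirement that is implemented and whose dependencies are (transitively)
    implemented. `implemented` is the set of requirement ids the system meets."""
    by_id = {a.id: a for a in arguments}

    def satisfied(req_id, trail=()):
        if req_id in trail or req_id not in by_id:  # cycle or unknown id
            return False
        return req_id in implemented and all(
            satisfied(dep, trail + (req_id,)) for dep in by_id[req_id].depends_on)

    for concern in (a for a in arguments if a.rebuts == norm_id):
        mitigations = [a for a in arguments if a.mitigates == concern.id]
        if not any(satisfied(m.id) for m in mitigations):
            return False
    return True


if __name__ == "__main__":
    # Step 2: who receives the Status Message in each place?
    print(unintended_recipients(FLOWS, "Status Message", "User", ["Friends"], "Public Transport"))
    print(unintended_recipients(FLOWS, "Status Message", "User", ["Friends"], "Home"))
    # Step 3: does PN1 hold for different sets of implemented requirements?
    for impl in ({"PR1", "PR2", "PR3"}, {"PR1", "PR2"}, set()):
        print(sorted(impl), norm_holds(ARGUMENTS, "PN1", impl))
```

Running the model shows the two points the slides make: the requirement "Display Status Message ~ Fb-Friends" is only over-exposing in the Public Transport place, because that is the only place in which the Screen Display → Passengers flow exists, and the norm PN1 is restored only when PR1 and both requirements it depends on (PR2, PR3) are implemented; leaving out PR3 alone is enough to leave PC9 unmitigated.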


Evaluation

• Evaluation based on case-study design and QDA: (a) employing a transparent and systematic process; (b) providing traceability by linking outputs to qualitative data; (c) demonstrating applicability or usefulness of results

Threats to validity, with mitigation / future work:

• Reliability of thematic codes: test for inter-rater reliability using software engineers.

• Limitations on generalisability: apply Distillation on datasets from other empirical studies.

• Validation of privacy requirements: apply Distillation in the context of a software development process.

Contributions

• Distillation approach: structure qualitative data; model information flows; privacy problem analysis to derive privacy requirements

• Privacy Facets Framework: PS-context identification; privacy threat descriptions; facet questions; information-flow patterns; privacy arguments (extension)

Distilling Privacy Requirements for Mobile Applications

Thank you! http://www.asap-project.info

Keerthi Thomas (1), Arosha K. Bandara (1), Blaine A. Price (1), Bashar Nuseibeh (1,2)

(1) Centre for Research in Computing, The Open University, Milton Keynes, UK
(2) Lero, University of Limerick, Ireland

http://oro.open.ac.uk/39635/