Privacy distillation for mobile applications
TRANSCRIPT
BCS Best of RESG Research 2014
Keerthi Thomas1, Arosha K. Bandara1, Blaine A. Price1, Bashar Nuseibeh1,2
1 Centre for Research in Computing, The Open University, Milton Keynes, UK; 2 Lero, University of Limerick, Ireland
Distilling Privacy Requirements for Mobile Applications
First Presented @ ICSE 2014 http://oro.open.ac.uk/39635/
http://www.asap-project.info
PRIVACY
Mobile privacy threats:
• Identification
• Exposure
• Surveillance
• Aggregation
• Misinformation
• Breach of trust
• Power imbalance
• Cross-contextual information flow
• Proximal access
• Intrusion
Privacy: a right to appropriate flow of personal information in a given context (Nissenbaum 2010)
Privacy needs of mobile users
Interview excerpt: "...things like buses and trains I don’t feel so comfortable..., because I don’t know...lots of people I don’t know...if they for example read some of the posts I have done...they don’t know the people that they are aimed at or the back story"
[Slide diagram: Mobile users → Interview Data → Software Engineers → Privacy Requirements?]
Problem Statement
• How to structure qualitative data and identify privacy threats?
• How to model information flows critical to privacy?
• How to model mobile privacy requirements?
[Slide diagram: Interview data → ? → Privacy-aware mobile system]
A novel approach: Distillation
[Slide diagram: Interview data → Distillation → Privacy-aware mobile system]
• Distillation employs analysis models and patterns to extract and refine privacy requirements for mobile applications.
• Distillation is a synthesis of thematic analysis from the social sciences and Problem Frames from software engineering.
Distillation Approach (overview diagram)
Steps: (1) Structure Qualitative Data, (2) Information-Flow Modelling, (3) Privacy Problem Analysis.
Artefacts: Qualitative Data → Privacy Threats / Concerns (step 1); System Requirements → Information Flow Model (step 2); Privacy Requirements (step 3), which mitigate the Privacy Threats / Concerns.
The steps use the Privacy Facets Framework. The Privacy Requirements inform a new version of the Mobile Application, which implements them and assists in gathering Qualitative Data.
Qualitative Data
Interview excerpt: "...things like buses and trains I don’t feel so comfortable..., because I don’t know...lots of people I don’t know...if they for example read some of the posts I have done...they don’t know the people that they are aimed at or the back story"
Source: Mancini et al. (2009). From spaces to places: emerging contexts in mobile privacy. Proceedings of the 11th International Conference on Ubiquitous Computing, Orlando, Florida, USA, ACM.
Privacy Facets Framework
• Privacy Sensitive Context identification (PS-Context)
• Facet questions (Information, Information Flow, Actors and Place)
• Privacy threat description and mapping
• Problem patterns for information-flow modelling
• Privacy arguments (extension)
Structuring of Qualitative Data
Interview excerpt: "...things like buses and trains I don’t feel so comfortable..., because I don’t know...lots of people I don’t know...if they for example read some of the posts I have done...they don’t know the people that they are aimed at or the back story"
Privacy Facets Framework, PS-Context identification: the excerpt shows negative emotions and is coded with an NEI code, marking a privacy-sensitive context.
Privacy Facets Framework, Place facet questions: the NEI code indicates that the user’s privacy is impacted by place (location), coded PLACE(LOC).
Threat mapping: T9 Proximal Access, with harms Loss of reputation (H3), Loss of freedom (H6), Loss of anonymity (H7), Embarrassment (H9).
Information-Flow Modelling
[Problem diagram, drawn with the Privacy Facets Framework problem patterns]
• Requirement "Create Status Message": User → machine "Msg. creating" → information "Status Msg."
• Requirement "Display Status Message ~ Fb-Friends": information "Status Msg." → machine "Msg. Display" → Screen Display → Friends
Legend: Requirement, Information, User, Machine, Friends, Screen Display.
Privacy Problem Analysis
[Problem diagram extended with the interview context, using the Privacy Facets Framework]
• Requirement "Create Status Message": User → machine "Msg. creating" → information "Status Msg."
• Requirement "Display Status Message ~ Fb-Friends": information "Status Msg." → machine "Msg. Display" → Screen Display → Friends
• Added domains: Passengers and Public Transport (Pub.Trans.). The Screen Display is also visible to Passengers co-located with the User, which gives PC9: Proximal Access Concern (annotated as steps 1, 2, 3 on the diagram).
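The two diagrams above (the information-flow model and its extension with the public-transport context) can be checked mechanically. The following is an added example, not code from the paper or the ASAP project: it encodes the slide's domains (User, Msg. creating, Status Msg., Msg. Display, Screen Display, Friends) as a directed information-flow graph, adds the Passengers domain that the Privacy Problem Analysis introduces, and searches for actors who receive the status message without being in the requirement's intended audience (Fb-Friends). The edge set, the breadth-first search and the shape of the concern record are assumptions made for illustration; the T9 harm codes are the ones listed on the slide.

```python
# Added example, not code from the paper or the ASAP project: a small
# information-flow model of the status-message problem on the slides,
# extended with the Passengers / Public Transport domain that the Privacy
# Problem Analysis adds. Edges, analysis and the concern record are
# assumptions chosen for illustration; T9 harms are taken from the slide.
from collections import deque

# Harms the slide attaches to threat T9 (Proximal Access).
T9_HARMS = {"H3": "Loss of reputation", "H6": "Loss of freedom",
            "H7": "Loss of anonymity", "H9": "Embarrassment"}


class FlowModel:
    """Directed graph: an edge src -> dst means information held by src can
    reach dst (a machine, a display, or a person)."""

    def __init__(self):
        self.edges = {}      # domain -> set of domains it passes information to
        self.actors = set()  # domains that are people, i.e. potential recipients

    def actor(self, *names):
        self.actors.update(names)
        for n in names:
            self.edges.setdefault(n, set())

    def flow(self, src, dst):
        self.edges.setdefault(src, set()).add(dst)
        self.edges.setdefault(dst, set())

    def paths_from(self, source):
        """Breadth-first search from `source`; returns {domain: shortest path},
        the path being the chain of domains the information travels along."""
        parent = {source: None}
        todo = deque([source])
        while todo:
            cur = todo.popleft()
            for nxt in self.edges.get(cur, ()):
                if nxt not in parent:
                    parent[nxt] = cur
                    todo.append(nxt)
        paths = {}
        for dom in parent:
            if dom == source:
                continue
            chain, node = [], dom
            while node is not None:
                chain.append(node)
                node = parent[node]
            paths[dom] = chain[::-1]
        return paths

    def unintended_recipients(self, info, intended):
        """Actors who can obtain `info` but are not in the requirement's
        intended audience, each with the flow path that reaches them."""
        paths = self.paths_from(info)
        return {a: p for a, p in paths.items()
                if a in self.actors and a not in intended}


def status_message_model(on_public_transport):
    """The two requirements from the slide: Create Status Message and
    Display Status Message ~ Fb-Friends. With on_public_transport=True the
    model also records that co-located passengers can see the screen
    (assumption reflecting the interview excerpt)."""
    m = FlowModel()
    m.actor("User", "Friends", "Passengers")
    m.flow("User", "Msg. creating")             # Create Status Message
    m.flow("Msg. creating", "Status Msg.")
    m.flow("Status Msg.", "Msg. Display")       # Display Status Message
    m.flow("Msg. Display", "Screen Display")
    m.flow("Screen Display", "Friends")
    if on_public_transport:
        m.flow("Screen Display", "Passengers")  # Pub.Trans. context
    return m


def proximal_access_concerns(on_public_transport):
    """Analyse the requirement 'Display Status Message ~ Fb-Friends': every
    recipient outside {Friends} is reported as a proximal-access concern
    (the slide's PC9), traced back to the flow path that produces it."""
    m = status_message_model(on_public_transport)
    leaks = m.unintended_recipients("Status Msg.", intended={"Friends"})
    return [{"concern": "PC9 Proximal Access", "actor": actor, "path": path,
             "threat": "T9", "harms": sorted(T9_HARMS)}
            for actor, path in sorted(leaks.items())]


if __name__ == "__main__":
    for ctx in (False, True):
        print(f"on public transport={ctx}:", proximal_access_concerns(ctx))
```

The returned path is what gives the traceability the evaluation slide asks for: the concern is linked back to the exact chain of domains (Status Msg. → Msg. Display → Screen Display → Passengers) through which the information leaves the intended audience.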
Privacy Problem Analysis: privacy arguments (Privacy Facets Framework extension)
argument: PN1 "<<User>> can only share Status Messages with friends"
argument: PC9 "Status messages are visible to passengers co-located to <<User>> on <<Public Transport>>" rebuts PN1
argument: PR1 "Screen display filter is enabled when <<User>> is on <<Public Transport>>" mitigates PC9 depends on PR2,PR3
argument: PR2 "<<User>> on <<Public Transport>> is detected"
argument: PR3 "<<User>> in close proximity to other passengers is detected"
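The argument notation above (rebuts, mitigates, depends on) lends itself to a mechanical check of whether a privacy need still holds once concerns and mitigating requirements are recorded. The following is an added example, not code from the paper or the ASAP project: a parser for the five argument lines as written on the slide and an evaluator for them. The evaluation rules (a need holds when every concern rebutting it is mitigated by a requirement that holds; a requirement holds when the engineer has marked it established and all requirements it depends on hold; a concern stands while unmitigated) are an assumption made for illustration, as is reading the PN/PC/PR prefixes as need, concern and requirement.

```python
# Added example, not code from the paper or the ASAP project: parser and
# evaluator for the privacy-argument notation on the slide. The evaluation
# rules and the reading of the PN/PC/PR prefixes are assumptions.
import re
from collections import defaultdict

# The five argument lines from the slide.
SLIDE_ARGUMENTS = """\
argument: PN1 "<<User>> can only share Status Messages with friends"
argument: PC9 "Status messages are visible to passengers co-located to <<User>> on <<Public Transport>>" rebuts PN1
argument: PR1 "Screen display filter is enabled when <<User>> is on <<Public Transport>>" mitigates PC9 depends on PR2,PR3
argument: PR2 "<<User>> on <<Public Transport>> is detected"
argument: PR3 "<<User>> in close proximity to other passengers is detected"
"""

# argument: <id> "<text>" <relations...>   (straight or curly quotes accepted)
ARG_RE = re.compile(r'argument:\s*(\w+)\s+["\u201c](.*?)["\u201d]\s*(.*)$')


class PrivacyArguments:
    def __init__(self):
        self.text = {}
        self.rebutted_by = defaultdict(set)  # need -> concerns that rebut it
        self.mitigators = defaultdict(set)   # concern -> requirements mitigating it
        self.depends = defaultdict(set)      # requirement -> requirements it depends on

    @classmethod
    def parse(cls, src):
        pa = cls()
        for line in src.splitlines():
            line = line.strip()
            if not line:
                continue
            m = ARG_RE.match(line)
            if not m:
                raise ValueError(f"unparsable argument line: {line!r}")
            aid, text, rel = m.groups()
            pa.text[aid] = text
            for target in re.findall(r"\brebuts\s+(\w+)", rel):
                pa.rebutted_by[target].add(aid)
            for target in re.findall(r"\bmitigates\s+(\w+)", rel):
                pa.mitigators[target].add(aid)
            for deps in re.findall(r"\bdepends on\s+([\w,\s]+)", rel):
                pa.depends[aid].update(d.strip() for d in deps.split(",") if d.strip())
        return pa

    def holds(self, aid, established, _path=()):
        """Does argument `aid` hold, given the set of requirement ids the
        engineer has marked as established (implemented and verified)?"""
        if aid in _path:
            return False  # cycle guard: a circular justification does not hold
        path = _path + (aid,)
        if aid.startswith("PR"):   # requirement: established and all dependencies hold
            return aid in established and all(
                self.holds(d, established, path) for d in self.depends[aid])
        if aid.startswith("PN"):   # need: every rebutting concern is mitigated
            return all(self.mitigated(c, established, path)
                       for c in self.rebutted_by[aid])
        if aid.startswith("PC"):   # concern: stands while it is unmitigated
            return not self.mitigated(aid, established, path)
        raise ValueError(f"unknown argument kind: {aid}")

    def mitigated(self, cid, established, _path=()):
        return any(self.holds(r, established, _path) for r in self.mitigators[cid])

    def open_concerns(self, need, established):
        """Concerns still rebutting `need` under the given established set."""
        return sorted(c for c in self.rebutted_by[need]
                      if not self.mitigated(c, established, (need,)))


if __name__ == "__main__":
    args = PrivacyArguments.parse(SLIDE_ARGUMENTS)
    for established in (set(), {"PR1", "PR2"}, {"PR1", "PR2", "PR3"}):
        print(sorted(established), "-> PN1 holds:", args.holds("PN1", established),
              "open:", args.open_concerns("PN1", established))
```

The point the "depends on" link makes is visible in the evaluator: PR1 (the screen-display filter) does not discharge PC9 on its own. Until both PR2 and PR3 (detecting public transport and detecting nearby passengers) are established, PN1 does not hold and PC9 is still reported as open.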
Evaluation
• Evaluation based on case-study design and qualitative data analysis (QDA): (a) employing a transparent and systematic process, (b) providing traceability by linking outputs to qualitative data, (c) demonstrating applicability or usefulness of results.
Threats to validity and mitigation / future work:
• Reliability of thematic codes: test for inter-rater reliability using software engineers.
• Limitations on generalisability: apply Distillation on datasets from other empirical studies.
• Validation of privacy requirements: apply Distillation in the context of a software development process.
Contributions
• Distillation approach: structure qualitative data, model information flows, and carry out privacy problem analysis to derive privacy requirements.
• Privacy Facets Framework: PS-Context identification, privacy threat descriptions, facet questions, information-flow patterns, and privacy arguments (extension).
Distilling Privacy Requirements for Mobile Applications
Thank you! http://www.asap-project.info
http://oro.open.ac.uk/39635/