Identifying incompleteness in privacy policy goals using semantic frames

Bhatia, Jaspreet; Evans, Morgan C.; Breaux, Travis D.

doi:10.1007/s00766-019-00315-y

Cited by 15 publications

(19 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The requirements in our taxonomy are written in natural language and structured into templates. Although we believe that this is the most intuitive form to developers, future work could explore other alternative forms such as semantic frame-based representation [48]. We have manually derived requirements in this study as it is essential to examine structure of statements and how privacy requirements are expressed in different regulations and frameworks.…”

Section: Discussionmentioning

confidence: 99%

“…This enables the use of formal tools to detect conflicting privacy requirements within a policy. Bhatia et al [48] proposed to represent data practice descriptions as semantic frames to identify incompleteness in privacy policies in organisations. They analysed 15 policies and identified 17 semantic roles associated with four categories of data action (collection, retention, usage and transfer) to express the incompleteness in data action context.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Mining and Classifying Privacy and Data Protection Requirements in Issue Reports

Sangaroonsilp¹,

Dam²,

Morakot³

et al. 2021

Preprint

View full text Add to dashboard Cite

Digital and physical footprints are a trail of user activities collected over the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increasing of user privacy awareness and advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing privacy regulations and policies only provide high-level principles which are difficult for software engineers to design and implement privacy-aware systems. In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on four well-established personal data protection regulations and privacy frameworks, the General Data Protection Regulation (GDPR), ISO/IEC 29100, Thailand Personal Data Protection (PDPA) and Asia-Pacific Economic Cooperation (APEC) privacy framework. These requirements are extracted, classified and refined into a level that can be used to map with issue reports. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy through mining their issue reports. The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Mining and Classifying Privacy and Data Protection Requirements in Issue Reports

Sangaroonsilp¹,

Dam²,

Morakot³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Guerriero et al [67] propose a framework for specifying, enforcing and checking privacy policies in data-intensive applications. Bhatia et al [68] present a semantic frame-based representation for privacy statements that can be used to identify incompleteness in four categories of data action: collection, retention, usage, and transfer. Lippi et al [69] present 33 metadata types for GDPR privacy policies and provide automatic support for vagueness detection based on manually crafted rules and ML classifiers built using the exact terminology of the policies as learning features.…”

Section: Completeness Checking Of Privacy Policiesmentioning

confidence: 99%

AI-enabled Automation for Completeness Checking of Privacy Policies

Amaral¹,

Abualhaija²,

Torre³

et al. 2021

Preprint

View full text Add to dashboard Cite

Technological advances in information sharing have raised concerns about data protection. Privacy policies contain privacy-related requirements about how the personal data of individuals will be handled by an organization or a software system (e.g., a web service or an app). In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). A prerequisite for GDPR compliance checking is to verify whether the content of a privacy policy is complete according to the provisions of GDPR. Incomplete privacy policies might result in large fines on violating organization as well as incomplete privacy-related software specifications. Manual completeness checking is both time-consuming and error-prone. In this paper, we propose AI-based automation for the completeness checking of privacy policies. Through systematic qualitative methods, we first build two artifacts to characterize the privacy-related provisions of GDPR, namely a conceptual model and a set of completeness criteria. Then, we develop an automated solution on top of these artifacts by leveraging a combination of natural language processing and supervised machine learning. Specifically, we identify the GDPR-relevant information content in privacy policies and subsequently check them against the completeness criteria. To evaluate our approach, we collected 234 real privacy policies from the fund industry. Over a set of 48 unseen privacy policies, our approach detected 300 of the total of 334 violations of some completeness criteria correctly, while producing 23 false positives. The approach thus has a precision of 92.9% and recall of 89.8%. Compared to a baseline that applies keyword search only, our approach results in an improvement of 24.5% in precision and 38% in recall.

show abstract

“…This enables the use of formal tools to detect conflicting privacy requirements within a policy. Bhatia et al [24] proposed to represent data practice descriptions as semantic frames to identify incompleteness in privacy policies in organisations. They analysed 15 policies and identified 17 semantic roles associated with four categories of data action (collection, retention, usage and transfer) to express the incompleteness in data action context.…”

Section: Related Workmentioning

confidence: 99%

A Taxonomy for Mining and Classifying Privacy Requirements in Issue Reports

Sangaroonsilp¹,

Dam²,

Morakot³

et al. 2021

Preprint

View full text Add to dashboard Cite

Digital and physical footprints are a trail of user activities collected over the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increasing of user privacy awareness and advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing privacy regulations and policies only provide high-level principles which are difficult for software engineers to design and implement privacy-aware systems. In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on two well-established and widely-adopted privacy regulations and frameworks, the General Data Protection Regulation (GDPR) and the ISO/IEC 29100. These requirements are refined into a level that is implementable and easy to understand by software engineers, thus supporting them to attend to existing regulations and standards. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy through mining their issue reports. The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study.

show abstract

Identifying incompleteness in privacy policy goals using semantic frames

Cited by 15 publications

References 23 publications

Mining and Classifying Privacy and Data Protection Requirements in Issue Reports

Mining and Classifying Privacy and Data Protection Requirements in Issue Reports

AI-enabled Automation for Completeness Checking of Privacy Policies

A Taxonomy for Mining and Classifying Privacy Requirements in Issue Reports

Contact Info

Product

Resources

About