Model-based Approaches to Privacy Compliance
Doctoral thesis, 2022

In the last decade, information technologies have been developing dramatically, and therefore data harvested via the Internet is growing rapidly. This technological change has a negative impact on privacy due to the sensitivity of the data collected and shared without convenient control or monitoring. The General Data Protection Regulation (GDPR) of the European Union has been in effect for more than three years, limiting how organizations collect, manage, and handle personal data. The GDPR poses both new challenges and opportunities for technological institutions. In this work, we address various aspects of privacy and propose approaches that can overcome some challenges of the GDPR. We focus on improving two currently adopted approaches to leverage them to enforce some of the GDPR's requirements by design. 

The first part of this work is devoted to developing an access control model to effectively capture the nature of information accessed and shared in online social networks (OSNs). They might raise serious problems in what concerns users' privacy. One privacy risk is caused by accessing and sharing co-owned data items, i.e., when a user posts a data item that involves other users, some users' privacy might be disclosed. Another risk is caused by the privacy settings offered by OSNs that do not, in general, allow fine-grained enforcement. We propose a collaborative access control framework to deal with such privacy issues. We also present a proof-of-concept implementation of our approach.

In the second part of the thesis, we adopt Data Flow Diagrams (DFDs) as a convenient representation to integrate privacy engineering activities into software design. DFDs are inadequate as a modeling tool for privacy, and there is a need to evolve them to be a privacy-aware approach. The first privacy-related lack that we solve is automatically inserting privacy requirements during design. Secondly, since DFDs have a hierarchical structure, we propose a refinement framework for DFDs that preserves structural and functional properties and the underlying privacy concepts. Finally, we take a step towards modeling privacy properties, and in particular purpose limitation, in DFDs, by defining a mathematical framework that elaborates how the purpose of a DFD should be specified, verified, or inferred. We provide proof-of-concept tools for all the proposed frameworks and evaluate them through case studies.

GDPR

purpose limitation

social networks

refinement

privacy by design

data flow diagram

collaborative access control

Kollektorn, Kemivägen 9, MC2-huset, Chalmers University of Technology
Opponent: Thomas Troels Hildebrandt University of Copenhagen, Denmark.

Author

Hanaa Alshareef

Chalmers, Computer Science and Engineering (Chalmers), Formal methods

A collaborative access control framework for online social networks

Journal of Logical and Algebraic Methods in Programming,;Vol. 114(2020)

Journal article

Transforming data flow diagrams for privacy compliance

MODELSWARD 2021 - Proceedings of the 9th International Conference on Model-Driven Engineering and Software Development,;(2021)p. 207-215

Paper in proceeding

Alshareef, H. , Stucki S. , Schneider, G. Systematic Enhancement of Data Flow Diagrams with Privacy Checks

Refining Privacy-Aware Data Flow Diagrams

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),;Vol. 13085(2021)p. 121-140

Paper in proceeding

Precise Analysis of Purpose Limitation in Data Flow Diagrams

ACM International Conference Proceeding Series,;(2022)

Paper in proceeding

Areas of Advance

Information and Communication Technology

Subject Categories

Other Engineering and Technologies

Electrical Engineering, Electronic Engineering, Information Engineering

Control Engineering

Computer Science

ISBN

978-91-7905-684-1

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5150

Publisher

Chalmers

Kollektorn, Kemivägen 9, MC2-huset, Chalmers University of Technology

Opponent: Thomas Troels Hildebrandt University of Copenhagen, Denmark.

More information

Latest update

11/9/2023