Model-based Approaches to Privacy Compliance
Doctoral thesis, 2022
In the last decade, information technologies have been developing dramatically, and therefore data harvested via the Internet is growing rapidly. This technological change has a negative impact on privacy due to the sensitivity of the data collected and shared without convenient control or monitoring. The General Data Protection Regulation (GDPR) of the European Union has been in effect for more than three years, limiting how organizations collect, manage, and handle personal data. The GDPR poses both new challenges and opportunities for technological institutions. In this work, we address various aspects of privacy and propose approaches that can overcome some challenges of the GDPR. We focus on improving two currently adopted approaches to leverage them to enforce some of the GDPR's requirements by design.
The first part of this work is devoted to developing an access control model to effectively capture the nature of information accessed and shared in online social networks (OSNs). They might raise serious problems in what concerns users' privacy. One privacy risk is caused by accessing and sharing co-owned data items, i.e., when a user posts a data item that involves other users, some users' privacy might be disclosed. Another risk is caused by the privacy settings offered by OSNs that do not, in general, allow fine-grained enforcement. We propose a collaborative access control framework to deal with such privacy issues. We also present a proof-of-concept implementation of our approach.
In the second part of the thesis, we adopt Data Flow Diagrams (DFDs) as a convenient representation to integrate privacy engineering activities into software design. DFDs are inadequate as a modeling tool for privacy, and there is a need to evolve them to be a privacy-aware approach. The first privacy-related lack that we solve is automatically inserting privacy requirements during design. Secondly, since DFDs have a hierarchical structure, we propose a refinement framework for DFDs that preserves structural and functional properties and the underlying privacy concepts. Finally, we take a step towards modeling privacy properties, and in particular purpose limitation, in DFDs, by defining a mathematical framework that elaborates how the purpose of a DFD should be specified, verified, or inferred. We provide proof-of-concept tools for all the proposed frameworks and evaluate them through case studies.
The first part of this work is devoted to developing an access control model to effectively capture the nature of information accessed and shared in online social networks (OSNs). They might raise serious problems in what concerns users' privacy. One privacy risk is caused by accessing and sharing co-owned data items, i.e., when a user posts a data item that involves other users, some users' privacy might be disclosed. Another risk is caused by the privacy settings offered by OSNs that do not, in general, allow fine-grained enforcement. We propose a collaborative access control framework to deal with such privacy issues. We also present a proof-of-concept implementation of our approach.
In the second part of the thesis, we adopt Data Flow Diagrams (DFDs) as a convenient representation to integrate privacy engineering activities into software design. DFDs are inadequate as a modeling tool for privacy, and there is a need to evolve them to be a privacy-aware approach. The first privacy-related lack that we solve is automatically inserting privacy requirements during design. Secondly, since DFDs have a hierarchical structure, we propose a refinement framework for DFDs that preserves structural and functional properties and the underlying privacy concepts. Finally, we take a step towards modeling privacy properties, and in particular purpose limitation, in DFDs, by defining a mathematical framework that elaborates how the purpose of a DFD should be specified, verified, or inferred. We provide proof-of-concept tools for all the proposed frameworks and evaluate them through case studies.
GDPR
purpose limitation
social networks
refinement
privacy by design
data flow diagram
collaborative access control
Kollektorn, Kemivägen 9, MC2-huset, Chalmers University of Technology
Opponent: Thomas Troels Hildebrandt University of Copenhagen, Denmark.
Author
Hanaa Alshareef
Chalmers, Computer Science and Engineering (Chalmers), Formal methods
A collaborative access control framework for online social networks
Journal of Logical and Algebraic Methods in Programming,; Vol. 114(2020)
Journal article
Transforming data flow diagrams for privacy compliance
MODELSWARD 2021 - Proceedings of the 9th International Conference on Model-Driven Engineering and Software Development,; (2021)p. 207-215
Paper in proceeding
Alshareef, H. , Stucki S. , Schneider, G. Systematic Enhancement of Data Flow Diagrams with Privacy Checks
Refining Privacy-Aware Data Flow Diagrams
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; Vol. 13085(2021)p. 121-140
Paper in proceeding
Precise Analysis of Purpose Limitation in Data Flow Diagrams
ACM International Conference Proceeding Series,; (2022)
Paper in proceeding
Areas of Advance
Information and Communication Technology
Subject Categories
Other Engineering and Technologies
Electrical Engineering, Electronic Engineering, Information Engineering
Control Engineering
Computer Science
ISBN
978-91-7905-684-1
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5150
Publisher
Chalmers
Kollektorn, Kemivägen 9, MC2-huset, Chalmers University of Technology
Opponent: Thomas Troels Hildebrandt University of Copenhagen, Denmark.