Precise Analysis of Purpose Limitation in Data Flow Diagrams
Paper in proceeding, 2022

Data Flow Diagrams (DFDs) are primarily used for modelling functional properties of a system. In recent work, it was shown that DFDs can be used to also model non-functional properties, such as security and privacy properties, if they are annotated with appropriate security- and privacy-related information. An important privacy principle one may wish to model in this way is purpose limitation. But previous work on privacy-aware DFDs (PA-DFDs) considers purpose limitation only superficially, without explaining how the purpose of DFD activators and flows ought to be specified, checked or inferred. In this paper, we define a rigorous formal framework for (1) annotating DFDs with purpose labels and privacy signatures, (2) checking the consistency of labels and signatures, and (3) inferring labels from signatures. We implement our theoretical framework in a proof-of concept tool consisting of a domain-specific language (DSL) for specifying privacy signatures and algorithms for checking and inferring purpose labels from such signatures. Finally, we evaluate our framework and tool through a case study based on a DFD from the privacy literature.

Privacy by design

purpose limitation

data flow diagram


Hanaa Alshareef

Chalmers, Computer Science and Engineering (Chalmers), Formal methods

K. Tuma

Vrije Universiteit Amsterdam

Sandro Stucki

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Gerardo Schneider

University of Gothenburg

Riccardo Scandariato

Technical University of Hamburg (TUHH)

ACM International Conference Proceeding Series

9781450396707 (ISBN)

17th International Conference on Availability, Reliability and Security, ARES 2022
Vienna, Austria,

Subject Categories

Embedded Systems

Computer Science

Computer Systems



More information

Latest update

1/3/2024 9