Abstract
Privacy is gaining more and more attention in society and hence, gains more importance as a software quality that has to be considered during software development. A privacy goal that has not yet been deeply studied is the empowerment of end-users to have control over how their personal data is processed by information systems. This privacy goal is called intervenability. Several surveys have shown that one of end-users’ main privacy concerns is the lack of intervenability options in information systems. In this paper, we refine the privacy goal intervenability into a software requirements taxonomy and relate it to a taxonomy of transparency requirements because transparency can be regarded as a prerequisite for intervenability. The combined taxonomy of intervenability and transparency requirements shall guide requirements engineers to identify the intervenability requirements relevant for the system they consider. We validated the completeness of our taxonomy by comparing it to the relevant literature that we derived based on a systematic literature review.
This work was partially supported by the Deutsche Forschungsgemeinschaft (DFG) under grant No. GRK 2167, Research Training Group “User-Centered Social Media”.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The draft of the EU data protection regulation was adopted with some changes on 27 April 2016 and entered into force on 24 May 2016. Note that our analysis is based on the draft and not on the final version of the regulation.
- 2.
http://www.core.edu.au/conference-portal (accessed on 20 June 2016).
References
GSMA: MOBILE PRIVACY: consumer research insights and considerations for policymakers, February 2014. http://www.gsma.com/publicpolicy/wp-content/uploads/2014/02/MOBILE_PRIVACY_Consumer_research_insights_and_considerations_for_policymakers-Final.pdf. Accessed 20 June 2016
Symantec: State of Privacy Report 2015 (2015). https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf. Accessed 20 June 2016
Quah, A.M.Y., Röhm, U.: User awareness and policy compliance of data privacy in cloud computing. In: Proceedings of the First Australasian Web Conference, AWC 2013, vol. 144, pp. 3–12, Darlinghurst, Australia, Australian Computer Society, Inc. (2013)
Ackerman, M.S., Cranor, L.F., Reagle, J.: Privacy in e-Commerce: examining user scenarios and privacy preferences. In: Proceedings of the 1st ACM Conference on Electronic Commerce, EC 1999, New York, NY, USA, pp. 1–8. ACM (1999)
Hansen, M.: Top 10 mistakes in system design from a privacy perspective and privacy protection goals. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds.) Privacy and Identity Management for Life. IFIP AICT, vol. 375, pp. 14–31. Springer, Heidelberg (2012)
Meis, R., Wirtz, R., Heisel, M.: A taxonomy of requirements for the privacy goal transparency. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 195–209. Springer, Heidelberg (2015)
ISO/IEC: ISO/IEC 29100:2011 Information technology - Security techniques - Privacy Framework. Technical report, International Organization for Standardization and International Electrotechnical Commission (2011)
European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012PC0011. Accessed 20 June 2016
OECD: OECD guidelines on the protection of privacy and transborder flows of personal data. Technical report, Organisation of Economic Co-Operation and Development (1980)
US Federal Trade Commission: Privacy online: Fair information practices in the electronic marketplace, a report to congress (2000)
Jalali, S., Wohlin, C.: Systematic literature studies: database searches vs. backward snowballing. In: Proceedings of the ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2012, pp. 29–38. ACM (2012)
Bier, C.: How usage control and provenance tracking get together - a data protection perspective. In: IEEE Security and Privacy Workshops (SPW), pp. 13–17, May 2013
Hoepman, J.: Privacy design strategies - (extended abstract). In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., El Kalam, A.A., Sans, T. (eds.) ICT Systems Security and Privacy Protection. IFIP Advances in Information and Communication Technology, vol. 428, pp. 446–459. Springer, Heidelberg (2014)
Mouratidis, H., Islam, S., Kalloniatis, C., Gritzalis, S.: A framework to support selection of cloud providers based on security and privacy requirements. J. Syst. Softw. 86(9), 2276–2293 (2013)
Miyazaki, S., Mead, N., Zhan, J.: Computer-aided privacy requirements elicitation technique. In: IEEE Asia-Pacific Services Computing Conference (APSCC), pp. 367–372, December 2008
Kalloniatis, C., Mouratidis, H., Vassilis, M., Islam, S., Gritzalis, S., Kavakli, E.: Towards the design of secure and privacy-oriented information systems in the cloud: identifying the major concepts. Comput. Stand. Interfaces 36(4), 759–775 (2014)
Kalloniatis, C.: Designing privacy-aware systems in the cloud. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 113–123. Springer, Heidelberg (2015)
Spiekermann, S., Cranor, L.: Engineering privacy. IEEE Trans. Softw. Eng. 35(1), 67–82 (2009)
Makri, E.-L., Lambrinoudakis, C.: Privacy principles: towards a common privacy audit methodology. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 219–234. Springer, Heidelberg (2015)
Acquisti, A., Adjerid, I., Brandimarte, L.: Gone in 15 seconds: the limits of privacy transparency and control. IEEE Secur. Priv. 11(4), 72–74 (2013)
Masiello, B.: Deconstructing the privacy experience. IEEE Secur. Priv. 7(4), 68–70 (2009)
Krol, K., Preibusch, S.: Effortless privacy negotiations. IEEE Secur. Priv. 13(3), 88–91 (2015)
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. RE 16, 3–32 (2011)
Komanduri, S., Shay, R., Norcie, G., Ur, B., Cranor, L.F.: Adchoices? compliance with online behavioral advertising notice and choice requirements. Technical report, CyLab - Carnegie Mellon University (2011). https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11005.pdf. Accessed 20 June 2016
Cranor, L.F.: Necessary but not sufficient: standardized mechanisms for privacy notice and choice. JTHTL 10(2), 273–308 (2012)
Wicker, S., Schrader, D.: Privacy-aware design principles for information networks. Proc. IEEE 99(2), 330–350 (2011)
Strickland, L.S., Hunt, L.E.: Technology, security, and individual privacy: new tools, new threats, and new public perceptions: research articles. J. Am. Soc. Inf. Sci. Technol. 56(3), 221–234 (2005)
Sheth, S., Kaiser, G., Maalej, W.: Us and them: a study of privacy requirements across North America, Asia, and Europe. In: Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pp. 859–870. ACM (2014)
Fhom, H., Bayarou, K.: Towards a holistic privacy engineering approach for smart grid systems. In: IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 234–241, November 2011
Antón, A.I., Earp, J.B., Reese, A.: Analyzing website privacy requirements using a privacy goal taxonomy. In: IEEE International Confernce on Requirements Engineering, pp. 23–31 (2002)
Antón, A.I.: Earp: a requirements taxonomy for reducing web site privacy vulnerabilities. Requirements Eng. 9(3), 169–185 (2004)
Sype, Y.S.V.D., Seigneur, J.: Case study: legal requirements for the use of social login features for online reputation updates. In: Cho, Y., Shin, S.Y., Kim, S., Hung, C., Hong, J. (eds.) Symposium on Applied Computing, SAC, pp. 1698–1705. ACM (2014)
Basso, T., Moraes, R., Jino, M., Vieira, M.: Requirements, design and evaluation of a privacy reference architecture for web applications and services. In: Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 1425–1432. ACM (2015)
Lobato, L., Fernandez, E., Zorzo, S.: Patterns to support the development of privacy policies. In: International Conference on Availability, Reliability and Security (ARES), pp. 744–749, March 2009
Caron, X., Bosua, R., Maynard, S.B., Ahmad, A.: The internet of things (iot) and its impact on individual privacy: an Australian perspective. Comput. Law Secur. Rev. 32(1), 4–15 (2016)
Borgesius, F.Z.: Informed consent: we can do better to defend privacy. IEEE Secur. Priv. 13(2), 103–107 (2015)
Breaux, T.: Privacy requirements in an age of increased sharing. IEEE Softw. 31(5), 24–27 (2014)
Langheinrich, M.: Privacy by design — principles of privacy-aware ubiquitous systems. In: Abowd, G.D., Brumitt, B., Shafer, S. (eds.) UbiComp 2001. LNCS, vol. 2201, pp. 273–291. Springer, Heidelberg (2001)
Feigenbaum, J., Freedman, M.J., Sander, T., Shostack, A.: Privacy engineering for digital rights management systems. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 76–105. Springer, Heidelberg (2002)
Wright, D., Raab, C.: Privacy principles, risks and harms. Int. Rev. Law, Comput. Technol. 28(3), 277–298 (2014)
Guarda, P., Zannone, N.: Towards the development of privacy-aware systems. Inf. Softw. Technol. 51(2), 337–350 (2009)
Hedbom, H.: A survey on transparency tools for enhancing privacy. In: Matyáš, V., Fischer-Hübner, S., Cvrček, D., Švenda, P. (eds.) The Future of Identity. IFIP AICT, vol. 298, pp. 67–82. Springer, Heidelberg (2009)
Smith, H.J., Dinev, T., Xu, H.: Information privacy research: an interdisciplinary review. MIS Q. 35(4), 989–1016 (2011)
Meis, R., Heisel, M.: Computer-aided identification and validation of privacy requirements. Information 7(2), 28 (2016)
Sabit, S.: Consideration of intervenability requirements in software development. Master thesis, University of Duisburg-Essen, Germany, August 2015
Acknowledgment
We thank Sylbie Sabit who provided a starting point for this research with her master thesis [45].
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Meis, R., Heisel, M. (2016). Understanding the Privacy Goal Intervenability. In: Katsikas, S., Lambrinoudakis, C., Furnell, S. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2016. Lecture Notes in Computer Science(), vol 9830. Springer, Cham. https://doi.org/10.1007/978-3-319-44341-6_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-44341-6_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44340-9
Online ISBN: 978-3-319-44341-6
eBook Packages: Computer ScienceComputer Science (R0)