Requirements Engineering, Volume 9, Issue 3, pp 169–185

A requirements taxonomy for reducing Web site privacy vulnerabilities

  • Annie I. Antón
  • Julia B. Earp
Original Article


The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.


Keywords: Privacy requirements; Security requirements



This work was supported by NSF ITR Grant #0113792 and the CRA’s Distributed Mentor Project. The authors wish to thank Shane Smith, Kevin Farmer, Angela Reese, Hema Srikanth and Ha To. Additionally, we thank Thomas Alspaugh, Colin Potts, Richard Smith and Gene Spafford for discussions leading to our classification of privacy protection goals and vulnerabilities.



Copyright information

© Springer-Verlag London Limited 2003

Authors and Affiliations

  1. College of Engineering, North Carolina State University, Raleigh, USA
  2. College of Management, North Carolina State University, Raleigh, USA
