Requirements Engineering

, Volume 16, Issue 1, pp 3–32 | Cite as

A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements

  • Mina DengEmail author
  • Kim Wuyts
  • Riccardo Scandariato
  • Bart Preneel
  • Wouter Joosen
Digital Privacy


Ready or not, the digitalization of information has come, and privacy is standing out there, possibly at stake. Although digital privacy is an identified priority in our society, few systematic, effective methodologies exist that deal with privacy threats thoroughly. This paper presents a comprehensive framework to model privacy threats in software-based systems. First, this work provides a systematic methodology to model privacy-specific threats. Analogous to STRIDE, an information flow–oriented model of the system is leveraged to guide the analysis and to provide broad coverage. The methodology instructs the analyst on what issues should be investigated, and where in the model those issues could emerge. This is achieved by (i) defining a list of privacy threat types and (ii) providing the mappings between threat types and the elements in the system model. Second, this work provides an extensive catalog of privacy-specific threat tree patterns that can be used to detail the threat analysis outlined above. Finally, this work provides the means to map the existing privacy-enhancing technologies (PETs) to the identified privacy threats. Therefore, the selection of sound privacy countermeasures is simplified.


Privacy Threat modeling Requirements Secure software engineering 



This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, and by the Research Fund K.U. Leuven.


  1. 1.
    Lamsweerde AV, Brohez S, Landtsheer RD, Janssens D, Informatique DD (2003) From system goals to intruder anti-goals: attack generation and resolution for security requirements engineering. In: Proceedings of the RE03 workshop on requirements for high assurance systems (RHAS03), pp 49–56Google Scholar
  2. 2.
    van Lamsweerde A (2009) Requirements engineering: from system goals to UML models to software specifications. Wiley, ChichesterGoogle Scholar
  3. 3.
    Howard M, Lipner S (2006) The security development lifecycle. Microsoft Press, Redmond, WAGoogle Scholar
  4. 4.
    Mcgraw G (2006) Software security: building security. Addison-Wesley Professional, Boston, NYGoogle Scholar
  5. 5.
    Schneier B (2000) Secrets and lies: digital security in a networked world. Wiley, New YorkGoogle Scholar
  6. 6.
    Andreas GS, Opdahl AL (2001) Templates for misuse case description. In: Proceedings of the 7th international workshop on requirements engineering, foundation for software quality, pp 4–5Google Scholar
  7. 7.
    Opdahl AL, Sindre G (2009) Experimental comparison of attack trees and misuse cases for security threat identification. Inf Softw Technol 51(5):916–932. SPECIAL ISSUE: Model-Driven Development for Secure Information SystemsGoogle Scholar
  8. 8.
    Solove DJ (2006) A taxonomy of privacy. Univ PA Law Rev 154(3):477; GWU Law School Public Law Research Paper No. 129Google Scholar
  9. 9.
    Solove DJ (2008) Understanding privacy. Harvard University Press, CambridgeGoogle Scholar
  10. 10.
    Pfitzmann A, Hansen M (2010) A terminology for talking about privacy by data minimization: anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (Version 0.33 April 2010), technical report, TU Dresden and ULD Kiel,
  11. 11.
    Hansen M (2008) Linkage control integrating the essence of privacy protection into identity management systems. In: Cunningham P, Cunningham M (eds) Collaboration and the knowledge economy: issues, applications, case studies, Proceedings of eChallenges, IOS Press, Amsterdam, pp 1585–1592Google Scholar
  12. 12.
    Danezis G (2008) Talk: an introduction to u-prove privacy protection technology, and its role in the identity metasystem—what future for privacy technology.
  13. 13.
    ISO 17799 (2000) Information technology code of practice for information security management, technical report, British Standards InstituteGoogle Scholar
  14. 14.
    Roe M (1997) Cryptography and evidence. PhD thesis, University of Cambridge, Clare CollegeGoogle Scholar
  15. 15.
    McCallister E, Grance T, Kent K (2009) Guide to protecting the confidentiality of personally identifiable information (PII) (draft), technical report, National Institute of Standards and Technology (US)Google Scholar
  16. 16.
    Lederer S, Hong JI, Dey AK, Landay JA (2004) Personal privacy through understanding and action: five pitfalls for designers. Pers Ubiquitous Comput 8:440–454CrossRefGoogle Scholar
  17. 17.
    Patil S, Kobsa A (2009) Privacy considerations in awareness systems: designing with privacy in mind, chap 8. In: Human computer interaction series, Springer London, pp 187–206Google Scholar
  18. 18.
    P3P, Platform for privacy preferences project, W3C P3P specifications.
  19. 19.
    EU (1995) Directive 95/46/EC of the European parliament and of the council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Off J Eur Commun 281:31–50.
  20. 20.
    HIPAA (2006) HIPAA administrative simplification: enforcement; final rule. United States Department of Health & Human Service. Fed Regist Rules Regul 71(32):8390–8433.
  21. 21.
    PIPEDA (2009) Personal information protection and electronic documents act (2000, c. 5).
  22. 22.
    Australia’s national privacy regulator: privacy act.
  23. 23.
    OECD (1980) Guidelines on the protection of privacy and transborder flows of personal data, organization for economic cooperation and development.,2340,en_2649_34255_1815186_1_1_1_1,00.html
  24. 24.
    Breaux TD, Anton AI, Boucher, Dorfman M (2008) Legal requirements, compliance and practice: an industry case study in accessibility. In: RE’08: Proceedings of the 16th IEEE international requirements engineering conference (RE’08), IEEE Society Press, pp 43–52Google Scholar
  25. 25.
    United States Department of Justice, Workforce investment act of 1998, SEC. 508. electronic and information technology.
  26. 26.
    Breaux T, Antón A (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20CrossRefGoogle Scholar
  27. 27.
    Danezis G, Diaz C, Syverson P (2009) Systems for anonymous communication. In: CRC handbook of financial cryptography and security. Chapman and Hall, Boca Raton, FL, p 61Google Scholar
  28. 28.
    Sweeney L (2002) K-anonymity: a model for protecting privacy. Int J Uncertain Fuzziness Knowl-Based Syst 10(5):557–570Google Scholar
  29. 29.
    Alexander I (2003) Misuse cases: use cases with hostile intent. IEEE Softw 20(1):58–66CrossRefGoogle Scholar
  30. 30.
  31. 31.
    MSDN Library, Improving web application security: threats and countermeasuresGoogle Scholar
  32. 32.
    NIST, Risk management guide for information technology systems, special publication 800-30.
  33. 33.
    C. S. E. Institute, OCTAVE.
  34. 34.
    Wuyts K, Scandariato R, Decker BD, Joosen W (2009) Linking privacy solutions to developer goals. Availability, reliability and security, international conference on 0:847–852Google Scholar
  35. 35.
    Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the pris method. Requir Eng 13:241–255. Google Scholar
  36. 36.
    PETs, Annual symposium on privacy enhancing technologies, homepage.
  37. 37.
    Chaum D (1981) Untraceable electronic mail, return addresses, and digital pseudonyms. Commun ACM 24(2):84–88CrossRefGoogle Scholar
  38. 38.
    Chaum D (1985) Security without identification: transaction systems to make big brother obsolete. Commun ACM 28(10):1030–1044CrossRefGoogle Scholar
  39. 39.
    Chaum D (1988) The dining cryptographers problem: unconditional sender and recipient untraceability. J Cryptol 1(1):65–75CrossRefMathSciNetGoogle Scholar
  40. 40.
    Pfitzmann A, Pfitzmann B, Waidner M (1991) ISDN-mixes: untraceable communication with very small bandwidth overhead. In: Proceedings of the GI/ITG conference on communication in distributed systems, pp 451–463Google Scholar
  41. 41.
    Goldschlag DM, Reed MG, Syverson PF (1996) Hiding routing information. In: Anderson R (ed) Proceedings of information hiding: first international workshop. Springer-Verlag, LNCS 1174, pp 137–150Google Scholar
  42. 42.
    Reiter M, Rubin A (1998) Crowds: anonymity for web transactions. ACM Transact Inf Syst Secur 1(1):1–23. Google Scholar
  43. 43.
    Bacard A, Cypherpunk tutorial.
  44. 44.
    Mixmaster, Mixmaster homepage.
  45. 45.
    Mixminion, Mixminion officia site.
  46. 46.
    Back A, Goldberg I, Shostack A (2001) Freedom systems 2.1 security issues and analysis, white paper, Zero Knowledge Systems, IncGoogle Scholar
  47. 47.
    Berthold O, Federrath H, Köpsell S (2000) Web MIXes: a system for anonymous and unobservable internet access. In: Federrath H (ed) Proceedings of designing privacy enhancing technologies: workshop on design issues in anonymity and unobservability, Springer-Verlag, LNCS 2009, pp 115–129Google Scholar
  48. 48.
    Dingledine R, Mathewson N, Syverson P (2004) Tor: the second-generation onion router. In: Proceedings of the 13th USENIX security symposiumGoogle Scholar
  49. 49.
    Pfitzmann A, Waidner M (1985) Networks without user observability—design options. In: Proceedings of EUROCRYPT 1985, Springer-Verlag, LNCS 219Google Scholar
  50. 50.
    Waidner M, Pfitzmann B (1990) The dining cryptographers in the disco: unconditional sender and recipient untraceability. In: Proceedings of EUROCRYPT 1989, Springer-Verlag, LNCS 434Google Scholar
  51. 51.
    Abadia M, Fournet C (2004) Private authentication. Theor Comput Sci 322:427–476CrossRefGoogle Scholar
  52. 52.
    Aiello W, Bellovin SM, Blaze M, Canetti R, Ioannidis J, Keromytis AD, Reingold O (2004) Just fast keying: key agreement in a hostile internet. ACM Trans Inf Syst Secur 7:2004CrossRefGoogle Scholar
  53. 53.
    Brands S, Chaum D (1993) Distance-bounding protocols (extended abstract). In: EUROCRYPT93. Springer-Verlag, LNCS 765, pp 344–359Google Scholar
  54. 54.
    Camenisch J, Lysyanskaya A (2004) Signature schemes and anonymous credentials from bilinear maps. In: Proceedings crypto. Springer-Verlag, LNCS 3152, pp 56–72Google Scholar
  55. 55.
    Naor M (2002) Deniable ring authentication. In: Proceedings of crypto 2002, Springer-Verlag, LNCS 2442, pp 481–498Google Scholar
  56. 56.
    Borisov N, Goldberg I, Brewer E (2004) Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM workshop on privacy in the electronic society. ACM New York, NY, pp. 77–84Google Scholar
  57. 57.
    Yao ACC (1982) Protocols for secure computations. In: Proceedings of 23rd IEEE symposium on foundations of computer science, pp 160–164Google Scholar
  58. 58.
    Naor M, Nissim K (2001) Communication complexity and secure function evaluation, CoRR, vol. cs.CR/0109011Google Scholar
  59. 59.
    Deng M, Bianchi T, Piva A, Preneel B (2009) An efficient buyer-seller watermarking protocol based on composite signal representation. In: Proceedings of the 11th ACM workshop on multimedia and security (Princeton, NJ). ACM, New York, NY, pp 9–18Google Scholar
  60. 60.
    Chor B, Goldreich O, Kushilevitz E, Sudan M (1998) Private information retrieval. J ACM 45:965–981Google Scholar
  61. 61.
    Rabin MO (1981) How to exchange secrets by oblivious transfer, technical report tr-81. Aiken Computation Laboratory, Harvard UniversityGoogle Scholar
  62. 62.
    Cachin C (1998) On the foundations of oblivious transfer. In: Advances in cryptology—Eurocrypt 1998. Springer-Verlag, LNCS 1403, pp 361–374Google Scholar
  63. 63.
    Verykios V, Bertino E, Fovino I, Provenza L, Saygin Y, Theodoridis Y (2004) State-of-the-art in privacy preserving data mining. ACM SIGMOD Record 3:50–57CrossRefGoogle Scholar
  64. 64.
    Pinkas B (2002) Cryptographic techniques for privacy preserving data mining. SIGKDD Explor 4(2):12–19CrossRefGoogle Scholar
  65. 65.
    Abdalla M, Bellare M, Catalano D, Kiltz E, Kohno T, Lange T, Malone-lee J, Neven G, Paillier P, Shi H (2005) Searchable encryption revisited: consistency properties, relation to anonymous ibe, and extensions. In: Proceeding of CRYPTO. Springer-Verlag, pp 205–222Google Scholar
  66. 66.
    Ostrovsky R, Skeith WE III (2005) Private searching on streaming data. CRYPTO pp 223–240Google Scholar
  67. 67.
    Sweeney L (2002) Achieving k-anonymity privacy protection using generalization and suppression. Int J Uncertain Fuzziness Knowl-Based Syst 10(5):571–588Google Scholar
  68. 68.
    Machanavajjhala A, Gehrke J, Kifer D, Venkitasubramaniam M (2006) l-diversity: privacy beyond k-anonymity. In: Proceedings of the 22nd international conference on data engineering (ICDE’06), p 24Google Scholar
  69. 69.
    Anderson R, Petitcolas F (1998) On the limits of steganography. IEEE J Sel Areas Commun 16:474–481CrossRefGoogle Scholar
  70. 70.
    Moskowitz I, Newman RE, Crepeau DP, Miller AR (2003) Covert channels and anonymizing networks. In: Workshop on privacy in the electronic society, ACM, Washington, DC, pp 79–88Google Scholar
  71. 71.
    Kirovski D, Malvar HS (2001) Robust covert communication over a public audio channel using spread spectrum. In: Information hiding, pp 354–368Google Scholar
  72. 72.
    Hansen M, Berlich P, Camenisch J, Clauß S, Pfitzmann A, Waidner M (2004) Privacy-enhancing identity management. Inf Secur Tech Rep (ISTR) 9(1):35–44. Scholar
  73. 73.
    Clauß S, Pfitzmann A, Hansen M, Herreweghen EV (2002) Privacy-enhancing identity management. IPTS Rep 67:8–16zbMATHGoogle Scholar
  74. 74.
    Simoens K, Tuyls P, Preneel B (2009) Privacy weaknesses in biometric sketches. In: Proceedings of the 2009 30th IEEE symposium on security and privacy. IEEE Computer Society, Washington, DC, pp 188–203Google Scholar
  75. 75.
    Menezes AJ, Oorschot PCV, Vanstone SA, Rivest RL (1997) Handbook of applied cryptography. CRC Press, WashingtonGoogle Scholar
  76. 76.
    Fontaine C, Galand F (2007) A survey of homomorphic encryption for non-specialists. EURASIP J Inf Secur.
  77. 77.
    Camenisch J, Damgard I (1998) Verifiable encryption and applications to group signatures and signature sharing. In: Technical report RS-98-32, BRICS, Department of Computer Science, University of AarhusGoogle Scholar
  78. 78.
    Georgiadis CK, Mavridis I, Pangalos G, Thomas RK (2001) Flexible team-based access control using contexts. In: SACMAT, pp 21–27Google Scholar
  79. 79.
    Carminati B, Ferrari E (2008) Privacy-aware collaborative access control in web-based social networks. In: Proceedings of the 22nd IFIP WG 11.3 working conference on data and applications security (DBSEC2008)Google Scholar
  80. 80.
    Ardagna CA, Camenisch J, Kohlweiss M, Leenes R, Neven G, Priem B, Samarati P, Sommer D, Verdicchio M (2009) Exploiting cryptography for privacy-enhanced access control: a result of the PRIME project. J Comput Secur 18(1):123–160Google Scholar
  81. 81.
    OASIS, eXtensible access control markup language: XACML 3.0.
  82. 82.
    IBM, Enterprise privacy authorization language: EPAL 1.2.
  83. 83.
    Lipford HR, Besmer A, Watson J (2008) Understanding privacy settings in facebook with an audience view. In: Churchill EF, Dhamija R (eds) Proceedings of the 1st conference on usability, psychology, and security, USENIX Association, Berkeley, CA, USA.
  84. 84.
    Anderson J, Diaz C, Bonneau J, Stajano F (2009) Privacy-enabling social networking over untrusted networks. In: WOSN ’09: Proceedings of the 2nd ACM workshop on online social networks. pp 1–6Google Scholar
  85. 85.
    Beato F, Kohlweiss M, Wouters K (2009) Enforcing access control in social networks. HotPets.
  86. 86.
    PrimeLife, The European PrimeLife research project—privacy and identity management in Europe for life.
  87. 87.
    Mylopoulos J, Chung L, Nixon B (1992) Representing and using non-functional requirements: a process-oriented approach. IEEE Transact Softw Eng 18:483–497CrossRefGoogle Scholar
  88. 88.
    Privacy guidelines for developing software products and services, version 3.1, technical report, Microsoft Coorporation, Sept 2008Google Scholar
  89. 89.
    Microsoft security development lifecycle (SDL) version 3.2, technical report, Microsoft Coorporation, April 2008Google Scholar
  90. 90.
    Yu E, Cysneiros LM (2002) Designing for privacy and other competing requirements. In: Proceedings of the 2nd symposium on requirements engineering for information security, SREIS-02, pp 15–16Google Scholar
  91. 91.
    Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. Requir Eng IEEE Int Conf 0:151Google Scholar
  92. 92.
    Miyazaki S, Mead N, Zhan J (2008) Computer-aided privacy requirements elicitation technique. Asia-Pacific conference on services computing. 2006 IEEE, pp 367–372Google Scholar
  93. 93.
    Antón AI, Earp JB, Reese A (2002) Analyzing website privacy requirements using a privacy goal taxonomy. In: RE ’02: Proceedings of the 10th anniversary IEEE joint international conference on requirements engineering. IEEE Computer Society, pp 23–31Google Scholar
  94. 94.
    Danezis G (2007) Talk: introduction to privacy technology.

Copyright information

© Springer-Verlag London Limited 2010

Authors and Affiliations

  • Mina Deng
    • 1
    Email author
  • Kim Wuyts
    • 2
  • Riccardo Scandariato
    • 2
  • Bart Preneel
    • 1
  • Wouter Joosen
    • 2
  1. 1.Electrical Engineering DepartmentIBBT-COSICHeverleeBelgium
  2. 2.Computer Science DepartmentIBBT-DistriNetHeverleeBelgium

Personalised recommendations