Requirements Engineering

, Volume 19, Issue 3, pp 281–307 | Cite as

Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements

  • Travis D. Breaux
  • Hanan Hibshi
  • Ashwini Rao


Increasingly, companies use multi-source data to operate new information systems, such as social networking, e-commerce, and location-based services. These systems leverage complex, multi-stakeholder data supply chains in which each stakeholder (e.g., users, developers, companies, and government) must manage privacy and security requirements that cover their practices. US regulator and European regulator expect companies to ensure consistency between their privacy policies and their data practices, including restrictions on what data may be collected, how it may be used, to whom it may be transferred, and for what purposes. To help developers check consistency, we identified a strict subset of commonly found privacy requirements and we developed a methodology to map these requirements from natural language text to a formal language in description logic, called Eddy. Using this language, developers can detect conflicting privacy requirements within a policy and enable the tracing of data flows within these policies. We derived our methodology from an exploratory case study of the Facebook platform policy and an extended case study using privacy policies from Zynga and AOL Advertising. In this paper, we report results from multiple analysts in a literal replication study, which includes a refined methodology and set of heuristics that we used to extract privacy requirements from policy texts. In addition to providing the method, we report results from performing automated conflict detection within the Facebook, Zynga, and AOL privacy specifications, and results from a computer simulation that demonstrates the scalability of our formal language toolset to specifications of reasonable size.


Privacy Requirements Standardization Description logic Formal analysis 



We thank Dave Gordon and Darya Kurilova for their earlier feedback and the Requirements Engineering Lab at Carnegie Mellon University. This work was supported by NSF Award #1330596 and ONR Award #N00244-12-1-0014.


  1. 1.
    Anderson A (2006) A comparison of two privacy policy languages: EPAL and XACML. ACM workshop on secure web services, pp 53–60Google Scholar
  2. 2.
    Ashley P, Hada S, Karjoth G, Schunter M (2002) E-P3P privacy policies and privacy authorization. In: Proceedings of the ACM workshop on privacy in the electronic society, pp 103–109Google Scholar
  3. 3.
    Antón AI, Earp JB, He Q, Stufflebeam W, Bolchini D, Jensen C (2004) Financial privacy policies and the need for standardization. IEEE Secur Priv 2(2):36–45CrossRefGoogle Scholar
  4. 4.
    Antón AI, Earp JB (2004) A requirements taxonomy for reducing web site privacy vulnerabilities. Requir Eng J 9(3):169–185CrossRefGoogle Scholar
  5. 5.
    Aucher G, Boella G, van der Torre L (2010) Privacy policies with modal logic: a dynamic turn. In: Lecture Notes on Computer Science, vol 6181, pp 196–213 Google Scholar
  6. 6.
    Baader F, Calvenese D, McGuiness D (eds) (2003) The description logic handbook: theory, implementation and applications. Cambridge University Press, CambridgeGoogle Scholar
  7. 7.
    Barth A, Datta A, Mitchell JC, Nissenbaum H (2006) Privacy and contextual integrity: framework and applications. In: IEEE symposium on security and privacy, pp 184–198Google Scholar
  8. 8.
    Breaux TD, Antón AI (2005) Analyzing goal semantics for rights, permissions, and obligations. In: IEEE international requirements engineering conference, Paris, France, pp 177–186Google Scholar
  9. 9.
    Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20CrossRefGoogle Scholar
  10. 10.
    Breaux TD, Antón AI, Doyle J (2009) Semantic parameterization: a conceptual modeling process for domain descriptions. ACM Trans Softw Eng Method 18(2) (article 5)Google Scholar
  11. 11.
    Breaux TD, Vail MW, Antón AI (2006) Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: IEEE requirements engineering conference, pp 49–58Google Scholar
  12. 12.
    Breaux TD, Baumer DL (2011) Legally ‘reasonable’ security requirements: a 10-year FTC retrospective. Comput Secur 30(4):178–193CrossRefGoogle Scholar
  13. 13.
    Breaux TD, Rao A (2013) Formal analysis of privacy requirements specifications for multi-tier applications. In: IEEE 21st international requirements engineering conference (to appear)Google Scholar
  14. 14.
    Bradshaw J, Uszok A, Jeffers R, Suri N, Hayes P, Burstein M, Acquisti A, Benyo B, Breedy M, Carvalho M, Diller D, Johnson M, Kulkarni S, Lott J, Sierhuis M, van Hoof R (2003) Representation and reasoning for DAML-based policy and domain services in KAoS and Nomads. In: 2nd International joint conference on autonomous agents and multi agent systemsGoogle Scholar
  15. 15.
    Cranor L et al (2006) Platform for privacy preferences (P3P) specification. W3C working group noteGoogle Scholar
  16. 16.
    Cohen J (1968) Weighted kappa: nominal scale agreement with provision for scaled disagreement or partial credit. Psychol Bull 70(4):213–220CrossRefGoogle Scholar
  17. 17.
    Dean J, Ghemawat S (2004) MapReduce: simplified data processing on large clusters. In: 6th Symposium on operating system design and implementationGoogle Scholar
  18. 18.
    DeYoung H, Garg D, Jia L, Kaynar D, Datta A (2010) Experiences in the logical specification of the HIPAA and GLBA privacy laws. In: ACM workshop on privacy in the electronic society, pp 73–82Google Scholar
  19. 19.
    Farrell CB (2011) FTC charges deceptive privacy practices in Google’s rollout of its buzz social network. In: U.S. Federal Trade Commission News Release, March 30, 2011Google Scholar
  20. 20.
    Hanson C, Berners-Lee T, Kagal L, Sussman GJ, Weitzner D (2007) Data-purpose algebra: modeling data usage policies. In: 8th IEEE workshop on policies for distributed systems and networks, pp 173–177Google Scholar
  21. 21.
    Horty JF (1993) Deontic logic as founded in non-monotonic logic. Ann Math Artif Intell 9:69–91zbMATHMathSciNetCrossRefGoogle Scholar
  22. 22.
    Kagal L (2004) A policy-based approach to governing autonomous behavior in distributed environments. Ph.D. Thesis, University of Maryland, Baltimore CountyGoogle Scholar
  23. 23.
    Kahmer M, Gilliot M, Muller G (2008) Automating privacy compliance with ExPDT. In: 10th IEEE conference on e-commerce technology, pp 87–94Google Scholar
  24. 24.
    Krippendorff K (2004) Content analysis: an introduction to its methodology. Sage, Thousand OaksGoogle Scholar
  25. 25.
    Leon PG, Cranor LF, McDonald AM, McGuire R (2010) Token attempt: the misrepresentation of website privacy policies through the misuse of p3p compact policy tokens. In: 9th Workshop on privacy in the electronic society, pp 93–104Google Scholar
  26. 26.
    Lin HT, Sirin E (2008) Pellint—a performance lint tool for pellet. In: International workshop on OWL: experiences and directions (OWL-ED 2008)Google Scholar
  27. 27.
    Lupu E, Sloman M, Dulay N, Damianou N (2000) Ponder: realizing enterprise viewpoint concepts. In: 4th International conference on enterprise distributed object computing, Japan, pp 66–75Google Scholar
  28. 28.
    Lutz C, Wolter F, Zakharyashev M (2008) Temporal description logics: a survey. In: 15th IEEE international symposium on temporal representation and reasoning, pp 3–14Google Scholar
  29. 29.
    Moses T (ed) (2005) eXtensible Access Control Markup Language (XACML), v.2.0, OASIS StandardGoogle Scholar
  30. 30.
    May MJ (2008) Privacy APIs: formal models for analyzing legal and privacy requirements. Ph.D. Thesis, University of PennsylvaniaGoogle Scholar
  31. 31.
    Nissenbaum H (2004) Privacy as contextual integrity. Wash Law Rev 791:119–158Google Scholar
  32. 32.
    Powers C, Schunter M (2003) Enterprise policy authorization language, version 1.2. W3C Member SubmissionGoogle Scholar
  33. 33.
    Park J, Sandhu R (2004) The UCONABC usage control model. ACM Trans Inf Syst Secur 7(1):128–174CrossRefGoogle Scholar
  34. 34.
    Steel E, Fowler GA (2010) Facebook in privacy breach. Wall Street J.
  35. 35.
    Sweeney Latanya (2002) k-Anonymity: a model for protecting privacy. Int J Uncertain Fuzziness Knowl Based Syst 10(5):557–570zbMATHMathSciNetCrossRefGoogle Scholar
  36. 36.
    Tonti G, Bradshaw JM, Jeffers R, Montanari R, Suri N, Uszok A (2003) Semantic web languages for policy representation and reasoning: a comparison of KAoS, Rei, and Ponder. LNCS 2870:419–437Google Scholar
  37. 37.
    Uszok A, Bradshaw JM, Lott J, Breedy M, Bunch L (2008) New developments in ontology-based policy management: increasing the practicality and comprehensiveness of KAoS. In: IEEE workshop on policies for distributed systems and networks, pp 145–152Google Scholar
  38. 38.
    Wan F, Singh MP (2005) Formalizing and achieving multiparty agreements via commitments. In: 4th international joint conference on autonomous agents multiagent systems, pp. 770–777 Google Scholar
  39. 39.
    Yin RK (2009) Case study research, 4th edn. In: Applied social research methods series, v.5. Sage PublicationsGoogle Scholar
  40. 40.
    Yu T, Li N, Antón AI (2004) A formal semantics for P3P. ACM workshop on secure web services, pp 1–8Google Scholar
  41. 41.
    Young J (2011) Commitment analysis to operationalize software requirements from privacy policies. Requir Eng J 16:33–46CrossRefGoogle Scholar

Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  1. 1.Institute for Software ResearchCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations