Disambiguating Requirements Through Syntax-Driven Semantic Analysis of Information Types

  • Mitra Bokaei HosseiniEmail author
  • Rocky Slavin
  • Travis Breaux
  • Xiaoyin Wang
  • Jianwei Niu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12045)


[Context and motivation] Several state laws and app markets, such as Google Play, require the disclosure of app data practices to users. These data practices constitute critical privacy requirements statements, since they underpin the app’s functionality while describing how various personal information types are collected, used, and with whom they are shared. [Question/Problem] When such statements contain abstract terminology referring to information types (e.g., “we collect your device information”), the statements can become ambiguous and thus reduce shared understanding among app developers, policy writers and users. [Principle Ideas/Results] To overcome this obstacle, we propose a syntax-driven method to infer semantic relations from a given information type. We use the inferred relations from a set of information types (i.e. lexicon) to populate a partial ontology. The ontology is a knowledge graph that can be used to guide requirements authors in the selection of the most appropriate information type terms. [Contributions] Our method employs a shallow typology to categorize individual words in an information type, which are then used to discharge production rules in a context-free grammar (CFG). The CFG is augmented with semantic attachments that are used to generate the semantic relations. This method is evaluated on 1,853 unique information types from 30 privacy policies to yield 0.99 precision and 0.91 recall when compared to human interpretation of the same information types.


Privacy policy Abstraction Ontology 



This research was supported by NSF #1736209 and #1748109.


  1. 1.
    Anton, A.I., Earp, J.B.: A requirements taxonomy for reducing web site privacy vulnerabilities. Requir. Eng. 9(3), 169–185 (2004)CrossRefGoogle Scholar
  2. 2.
    Bach, E.: An extension of classical transformational grammar (1976)Google Scholar
  3. 3.
    Bhatia, J., Breaux, T.D.: Towards an information type lexicon for privacy policies. In: RELAW, pp. 19–24. IEEE (2015)Google Scholar
  4. 4.
    Bhatia, J., Breaux, T.D., Schaub, F.: Mining privacy goals from privacy policies using hybridized task recomposition. TOSEM 25(3), 22 (2016)CrossRefGoogle Scholar
  5. 5.
    Boyd, S., Zowghi, D., Gervasi, V.: Optimal-constraint lexicons for requirements specifications. In: Sawyer, P., Paech, B., Heymans, P. (eds.) REFSQ 2007. LNCS, vol. 4542, pp. 203–217. Springer, Heidelberg (2007). Scholar
  6. 6.
    Breaux, T.D., Antón, A.I., Spafford, E.H.: A distributed requirements management framework for legal compliance and accountability. Comput. Secur. 28(1–2), 8–17 (2009)CrossRefGoogle Scholar
  7. 7.
    Breaux, T.D., Baumer, D.L.: Legally “reasonable” security requirements: a 10-year FTC retrospective. Comput. Secur. 30(4), 178–193 (2011)CrossRefGoogle Scholar
  8. 8.
    Breaux, T.D., Hibshi, H., Rao, A.: Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements. Requir. Eng. 19(3), 281–307 (2013). CrossRefGoogle Scholar
  9. 9.
    Breitman, K.K., do Prado Leite, J.C.S.: Ontology as a requirements engineering product. In: Proceedings. In: 11th IEEE International Requirements Engineering Conference, pp. 309–319. IEEE (2003)Google Scholar
  10. 10.
    Corbin, J., Strauss, A.: Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Sage Publications (2014)Google Scholar
  11. 11.
    De Saussure, F., Harris, R.: Course in General Linguistics. (Open Court Classics). Open Court, Chicago and La Salle (1998)Google Scholar
  12. 12.
    Evans, M.C., Bhatia, J., Wadkar, S., Breaux, T.D.: An evaluation of constituency-based hyponymy extraction from privacy policies. In: RE, pp. 312–321. IEEE (2017)Google Scholar
  13. 13.
    Fensel, D., McGuiness, D., Schulten, E., Ng, W.K., Lim, G.P., Yan, G.: Ontologies and electronic commerce. IEEE Intell. Syst. 16(1), 8–14 (2001)CrossRefGoogle Scholar
  14. 14.
    Fleiss, J.L.: Measuring nominal scale agreement among many raters. Psychol. Bull. 76(5), 378 (1971)CrossRefGoogle Scholar
  15. 15.
    Frege, G.: Über begriff und gegenstand (1892)Google Scholar
  16. 16.
    FTC: FTC’s \(\$\)5 billion Facebook settlement: record-breaking and history-making (2019)Google Scholar
  17. 17.
    Gervasi, V., Zowghi, D.: On the role of ambiguity in RE. In: Wieringa, R., Persson, A. (eds.) REFSQ 2010. LNCS, vol. 6182, pp. 248–254. Springer, Heidelberg (2010). Scholar
  18. 18.
    Harris, K.D.: Privacy on the go: recommendations for the mobile ecosystem (2013)Google Scholar
  19. 19.
    Henk, B.: The lambda calculus: its syntax and semantics. Stud. Logic Found. Math. (1984)Google Scholar
  20. 20.
    Hookway, C.: Peirce-Arg Philosophers. Routledge, Abingdon (2010)CrossRefGoogle Scholar
  21. 21.
    Bokaei Hosseini, M., Breaux, T.D., Niu, J.: Inferring ontology fragments from semantic role typing of lexical variants. In: Kamsties, E., Horkoff, J., Dalpiaz, F. (eds.) REFSQ 2018. LNCS, vol. 10753, pp. 39–56. Springer, Cham (2018). Scholar
  22. 22.
    Hosseini, M.B., Wadkar, S., Breaux, T.D., Niu, J.: Lexical similarity of information type hypernyms, meronyms and synonyms in privacy policies. In: AAAI Fall Symposium (2016)Google Scholar
  23. 23.
    Janssen, T.M., Partee, B.H.: Compositionality. In: Handbook of Logic and Language, pp. 417–473. Elsevier (1997)Google Scholar
  24. 24.
    Jurafsky, D., Martin, J.H.: Speech and Language Processing, vol. 3. Pearson, London (2014)Google Scholar
  25. 25.
    Massey, A.K., Rutledge, R.L., Antón, A.I., Swire, P.P.: Identifying and classifying ambiguity for regulatory requirements. In: RE, pp. 83–92. IEEE (2014)Google Scholar
  26. 26.
    Miller, G.A.: WordNet: a lexical database for english. Commun. ACM 38(11), 39–41 (1995)CrossRefGoogle Scholar
  27. 27.
    Oltramari, A., et al.: PrivOnto: a semantic framework for the analysis of privacy policies. Semant. Web 9(2), 185–203 (2018)CrossRefGoogle Scholar
  28. 28.
    Petronella, G.: Analyzing privacy of android applications (2014)Google Scholar
  29. 29.
    Reidenberg, J.R., Bhatia, J., Breaux, T.D., Norton, T.B.: Ambiguity in privacy policies and the impact of regulation. J. Leg. Stud. 45(S2), S163–S190 (2016)CrossRefGoogle Scholar
  30. 30.
    Saldaña, J.: The Coding Manual for Qualitative Researchers. Sage, Thousand Oaks (2015)Google Scholar
  31. 31.
    Slavin, R., et al.: Toward a framework for detecting privacy policy violations in android application code. In: ICSE (2016)Google Scholar
  32. 32.
    Wang, X., Qin, X., Hosseini, M.B., Slavin, R., Breaux, T.D., Niu, J.: GUILeak: identifying privacy practices on GUI-based data (2018)Google Scholar
  33. 33.
    Zimmeck, S., et al.: Automated analysis of privacy requirements for mobile apps. In: NDSS (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Mitra Bokaei Hosseini
    • 1
    Email author
  • Rocky Slavin
    • 2
  • Travis Breaux
    • 3
  • Xiaoyin Wang
    • 2
  • Jianwei Niu
    • 2
  1. 1.St. Mary’s UniversitySan AntonioUSA
  2. 2.University of Texas at San AntonioSan AntonioUSA
  3. 3.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations