A Taxonomy of Requirements for the Privacy Goal Transparency

Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9264)

Abstract

Privacy is a growing concern during software development. Transparency–in the sense of increasing user’s privacy-awareness–is a privacy goal that is not as deeply studied in the literature as the properties anonymity and unlinkability. To be compliant with legislation and standards, requirements engineers have to identify the requirements on transparency that are relevant for the software to be developed. To assist the identification process, we provide a taxonomy of transparency requirements derived from legislation and standards. This taxonomy is validated using related research which was identified using a systematic literature review. Our proposed taxonomy can be used by requirements engineers as basis to systematically identify the relevant transparency requirements leading to a more complete and coherent set of requirements.

Keywords

Personal Data Systematic Literature Review Data Subject Requirement Engineer Supervisory Authority 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in to check access.

References

  1. 1.
    Hansen, M.: Top 10 mistakes in system design from a privacy perspective and privacy protection goals. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds.) Privacy and Identity Management for Life. IFIP AICT, vol. 375, pp. 14–31. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Probst, T., Hansen, M.: Privacy protection goals in privacy and data protection evaluations. Working paper, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, July 2013Google Scholar
  3. 3.
    ISO/IEC: ISO/IEC 29100:2011 Information technology - Security techniques - Privacy Framework. Technical report, International Organization for Standardization and International Electrotechnical Commission (2011)Google Scholar
  4. 4.
    European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), January 2012. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012PC0011
  5. 5.
    OECD: OECD guidelines on the protection of privacy and transborder flows of personal data. Technical report, Organisation of Economic Co-Operation and Development (1980)Google Scholar
  6. 6.
    US Federal Trade Commission: Privacy online: Fair information practices in the electronic marketplace, a report to congress (2000)Google Scholar
  7. 7.
    Solovo, D., Rotenberg, M.: Information Privacy Law. Aspen Elective Series. Aspen Publishers, New York (2003)Google Scholar
  8. 8.
    Breaux, T.: Privacy requirements in an age of increased sharing. IEEE Softw. 31(5), 24–27 (2014)CrossRefGoogle Scholar
  9. 9.
    Reinfelder, L., Benenson, Z., Gassmann, F.: Differences between Android and iPhone users in their security and privacy awareness. In: Eckert, C., Katsikas, S.K., Pernul, G. (eds.) TrustBus 2014. LNCS, vol. 8647, pp. 156–167. Springer, Heidelberg (2014) Google Scholar
  10. 10.
    Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Eng. 16(1), 3–32 (2011)CrossRefGoogle Scholar
  11. 11.
    Sheth, S., Kaiser, G., Maalej, W.: Us and them: a study of privacy requirements across North America, Asia, and Europe. In: Proceedings of the 36th International Conference on Software Engineering. ICSE 2014, pp. 859–870. ACM (2014)Google Scholar
  12. 12.
    Rost, M., Pfitzmann, A.: Datenschutz-Schutzziele - revisited. Datenschutz und Datensicherheit - DuD 33(6), 353–358 (2009)CrossRefGoogle Scholar
  13. 13.
    Bier, C.: How usage control and provenance tracking get together - a data protection perspective. In: IEEE Security and Privacy Workshops (SPW), pp. 13–17, May 2013Google Scholar
  14. 14.
    Zviran, M.: User’s perspectives on privacy in web-based applications. J. Comput. Inf. Syst. 48(4), 97–105 (2008)Google Scholar
  15. 15.
    Sheehan, K.B., Hoy, M.G.: Dimensions of privacy concern among online consumers. J. Public Policy Mark. 19(1), 62–73 (2000)CrossRefGoogle Scholar
  16. 16.
    Fhom, H., Bayarou, K.: Towards a holistic privacy engineering approach for smart grid systems. In: IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 234–241, November 2011Google Scholar
  17. 17.
    Spiekermann, S., Cranor, L.: Engineering privacy. IEEE Trans. Softw. Eng. 35(1), 67–82 (2009)CrossRefGoogle Scholar
  18. 18.
    Breaux, T., Gordon, D.: What engineers should know about us security and privacy law. IEEE Secur. Priv. 11(3), 72–76 (2013)CrossRefGoogle Scholar
  19. 19.
    Tomaszewski, J.: Are you sure you had a privacy incident? IEEE Secur. Priv. 4(6), 64–66 (2006)CrossRefGoogle Scholar
  20. 20.
    Hoepman, J.: Privacy design strategies - (extended abstract). In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., El Kalam, A.A., Sans, T. (eds.) ICT Systems Security and Privacy Protection. IFIP AICT, vol. 428, pp. 446–459. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  21. 21.
    Jones, R., Tahri, D.: EU law requirements to provide information to website visitors. Comput. Law Secur. Rev. 26(6), 613–620 (2010)CrossRefGoogle Scholar
  22. 22.
    Kung, A., Freytag, J.C., Kargl, F.: Privacy-by-design in its applications. In: IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), pp. 1–6, June 2011Google Scholar
  23. 23.
    Mulligan, D.: The enduring importance of transparency. IEEE Secur. Priv. 12(3), 61–65 (2014)CrossRefGoogle Scholar
  24. 24.
    Wright, D.: The state of the art in privacy impact assessment. Comput. Law Secur. Rev. 28(1), 54–61 (2012)CrossRefGoogle Scholar
  25. 25.
    Langheinrich, M.: Privacy by design–principles of privacy-aware ubiquitous systems. In: Abowd, G.D., Brumitt, B., Shafer, S. (eds.) Ubiquitous Computing (Ubicomp). LNCS, vol. 2201, pp. 273–291. Springer, Heidelberg (2001)Google Scholar
  26. 26.
    Otto, P., Anton, A., Baumer, D.: The ChoicePoint dilemma: how data brokers should handle the privacy of personal information. IEEE Secur. Priv. 5(5), 15–23 (2007)CrossRefGoogle Scholar
  27. 27.
    Masiello, B.: Deconstructing the privacy experience. IEEE Secur. Priv. 7(4), 68–70 (2009)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Solove, D.J.: A taxonomy of privacy. Univ. Pennsylvania Law Rev. 154(3), 477–560 (2006)CrossRefGoogle Scholar
  29. 29.
    Wicker, S., Schrader, D.: Privacy-aware design principles for information networks. Proc. IEEE 99(2), 330–350 (2011)CrossRefGoogle Scholar
  30. 30.
    Sype, Y.S.V.D., Seigneur, J.: Case study: legal requirements for the use of social login features for online reputation updates. In: Cho, Y., Shin, S.Y., Kim, S., Hung, C., Hong, J. (eds.) SAC, pp. 1698–1705. ACM, South Korea (2014). Please check and confirm the inserted city name for Reference [30]Google Scholar
  31. 31.
    Mouratidis, H., Islam, S., Kalloniatis, C., Gritzalis, S.: A framework to support selection of cloud providers based on security and privacy requirements. J. Syst. Softw. 86(9), 2276–2293 (2013)CrossRefGoogle Scholar
  32. 32.
    Kalloniatis, C., Mouratidis, H., Vassilis, M., Islam, S., Gritzalis, S., Kavakli, E.: Towards the design of secure and privacy-oriented information systems in the cloud: identifying the major concepts. Comput. Stand. Interfaces 36(4), 759–775 (2014)CrossRefGoogle Scholar
  33. 33.
    Wright, D., Raab, C.: Privacy principles, risks and harms. Int. Rev. Law Comput. Technol. 28(3), 277–298 (2014)CrossRefGoogle Scholar
  34. 34.
    Pötzsch, S.: Privacy awareness: a means to solve the privacy paradox? In: Matyáš, V., Fischer-Hübner, S., Cvrček, D., Švenda, P. (eds.) The Future of Identity in the Information Society. IFIP AICT, vol. 298, pp. 226–236. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  35. 35.
    Feigenbaum, J., Freedman, M.J., Sander, T., Shostack, A.: Privacy engineering for digital rights management systems. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 76–105. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  36. 36.
    Alcalde Bagüés, S., Mitic, J., Zeidler, A., Tejada, M., Matias, I.R., Fernandez Valdivielso, C.: Obligations: building a bridge between personal and enterprise privacy in pervasive computing. In: Furnell, S.M., Katsikas, S.K., Lioy, A. (eds.) TrustBus 2008. LNCS, vol. 5185, pp. 173–184. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  37. 37.
    Hedbom, H.: A survey on transparency tools for enhancing privacy. In: Matyáš, V., Fischer-Hübner, S., Cvrček, D., Švenda, P. (eds.) The Future of Identity in the Information Society. IFIP AICT, vol. 298, pp. 67–82. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  38. 38.
    Antón, A.I., Earp, J.B., Reese, A.: Analyzing website privacy requirements using a privacy goal taxonomy. In: IEEE International Conference on Requirements Engineering, 23–31 (2002)Google Scholar
  39. 39.
    Antón, A.I.: Earp: a requirements taxonomy for reducing web site privacy vulnerabilities. Requirements Eng. 9(3), 169–185 (2004)CrossRefGoogle Scholar
  40. 40.
    Anton, A., Earp, J., Vail, M., Jain, N., Gheen, C., Frink, J.: HIPAA’s effect on web site privacy policies. IEEE Secur. Priv. 5(1), 45–52 (2007)CrossRefGoogle Scholar
  41. 41.
    Miyazaki, S., Mead, N., Zhan, J.: Computer-aided privacy requirements elicitation technique. In: IEEE Asia-Pacific Services Computing Conference (APSCC), pp. 367–372, December 2008Google Scholar
  42. 42.
    Casassa Mont, M.: Dealing with privacy obligations: important aspects and technical approaches. In: Katsikas, S.K., López, J., Pernul, G. (eds.) TrustBus 2004. LNCS, vol. 3184, pp. 120–131. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  43. 43.
    Kelley, P.G., Bresee, J., Cranor, L.F., Reeder, R.W.: A “nutrition label” for privacy. In: Proceedings of the 5th Symposium on Usable Privacy and Security. SOUPS 2009, pp. 4:1–4:12. ACM (2009)Google Scholar
  44. 44.
    Kelley, P.G., Cesca, L., Bresee, J., Cranor, L.F.: Standardizing privacy notices: an online study of the nutrition label approach. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. CHI 2010, pp. 1573–1582. ACM (2010)Google Scholar
  45. 45.
    Lobato, L., Fernandez, E., Zorzo, S.: Patterns to support the development of privacy policies. In: International Conference on Availability, Reliability and Security (ARES), pp. 744–749, March 2009Google Scholar
  46. 46.
    Jalali, S., Wohlin, C.: Systematic literature studies: database searches vs. backward snowballing. In: Proceedings of the ACM-IEEE International Symposium on Empirical Software Engineering and Measurement. ESEM 2012, pp. 29–38. ACM (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.paluno - The Ruhr Institute for Software TechnologyUniversity of Duisburg-EssenEssenGermany

Personalised recommendations