Privacy Policy Compliance of Applications (Web/Mobile/Desktop)

Overview:

If an application collects personal data, there is an obligation to inform the user (Art. 13 GDPR). This duty to inform is realized by means of a privacy policy and can be created at various providers for a fee or free of charge. We would like to examine these. There are different aspects that can be focused on:

1. Actual behavior of the application vs. behavior of the application as described in the privacy policy.
2. How the described behavior in the privacy policy can be enforced for the application.
3. Analysis of different privacy policies.

Literature:

Ruoxi Sun and Minhui Xue. 2020. Quality Assessment of Online Automated Privacy Policy Generators: An Empirical Study. In Proceedings of the Evaluation and Assessment in Software Engineering (EASE ’20). Association for Computing Machinery, New York, NY, USA, 270275. https://doi.org/10.1145/3383219.3383247

Ryan Amos, Gunes Acar, Eli Lucherini, Mihir Kshirsagar, Arvind Narayanan, and Jonathan Mayer. 2021. Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset. In Proceedings of the Web Conference 2021 (WWW ’21). Association for Computing Machinery, New York, NY, USA, 2165–2176. https://doi.org/10.1145/3442381.3450048

Hosseini, Henry & Degeling, Martin & Utz, Christine & Hu, Thomas. (2021). Unifying Privacy Policy Detection. Proceedings on Privacy Enhancing Technologies. 2021. https://doi.org/10.2478/popets-2021-0081

Nudging Developers to Implement Privacy Preserving Solutions

Overview:

Unfortunately, privacy-friendly implementation is not yet sufficiently present in the final products. This can have several causes. One reason may be the software developer who has not had sufficient training in the privacy theme complex. However, in order for developers to use privacy-friendly settings and implementations, they can be used. One way to do this in development environments is to make developers aware that they are collecting personal data with a certain function, and thus make the software developer aware of this. We want to identify and evaluate further possibilities here.

Literature:

Tianshi Li, Yuvraj Agarwal, and Jason I. Hong. 2018. Coconut: An IDE Plugin for Developing Privacy-Friendly Apps. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 2, 4, Article 178 (December 2018), 35 pages. https://doi.org/10.1145/3287056

Alessandro Acquisti, Idris Adjerid, Rebecca Balebako, Laura Brandimarte, Lorrie Faith Cranor, Saranga Komanduri, Pedro Giovanni Leon, Norman Sadeh, Florian Schaub, Manya Sleeper, Yang Wang, and Shomir Wilson. 2017. Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online. ACM Comput. Surv. 50, 3, Article 44 (May 2018), 41 pages. https://doi.org/10.1145/3054926

Analysing Privacy Impact Assessments Methodologies

Overview:

Data Protection Impact Assessments (DPIA) are required under the General Data Protection Regulation if the processing of personal data entails a high risk for the rights and freedoms of natural persons. Various actors offer methodologies for carrying out such assessments. Currently, DPIA do not work ideally. We want to investigate the reasons for this. Several aspects may be relevant here:

1. Evaluation of different DPIA
2. Software tools to support individual steps of a DPIA
3. Evaluation of existing tools

Literature:

Roger Clarke, An evaluation of privacy impact assessment guidance documents, International Data Privacy Law, Volume 1, Issue 2, May 2011, Pages 111–120 https://doi.org/10.1093/idpl/ipr002

Puijenbroek, Jeroen van and Jaap-Henk Hoepman. “Privacy Impact Assessments in Practice: Outcome of a Descriptive Field Research in the Netherlands.” IWPE@SP (2017).

J. Coles, S. Faily and D. Ki-Aries, „Tool-Supporting Data Protection Impact Assessments with CAIRIS,“ 2018 IEEE 5th International Workshop on Evolving Security & Privacy Requirements Engineering (ESPRE), Banff, AB, Canada, 2018, pp. 21-27, doi: 10.1109/ESPRE.2018.00010.

Related Topic

If you have a topic related to the ones mentioned above or in the field of ONLINE PRIVACY / DATA PROTECTION / PRIVACY IMPLEMENTATION do not hesitate to write me.