
Research Seminar: Engineering Privacy through Integrated Policy and Source Code Analysis

Speaker: Prof. Travis D. Breaux (Carnegie Mellon University)
Event date: Tuesday, 16 January 2018, 14:30 - 15:30
Venue: Room E004, JFK Building
29 Avenue J.F. Kennedy
L-1855 Kirchberg

While pervasive and ubiquitous computing provides individuals with increased access to information and automated decision making, this access can affect personal privacy through increased collection, sharing and use of personal information. The EU General Data Protection Regulation (GDPR) introduces privacy by design, while recent U.S. government guidance emphasizes responsible use, in which original data collection purposes are preserved and propagated to verify that subsequent uses are consistent with the data subject's original expectations. This emphasis highlights the need for a reliable privacy semantics, which organizations can use to predict how their data collection, use and sharing practices affect personal privacy.

To address this challenge, we designed a domain specific language, called Eddy, that has a formal semantics expressed in Description Logic and enables reasoning over privacy practices commonly found in online privacy policies. This includes checking whether a policy violates the OECD collection or use limitation principles, which have been an international standard for over 35 years. Using Eddy, data users can express their needs in the context of a larger privacy policy framework maintained by their organization. The framework supports sharing information with third parties and allows users to check the OECD properties across third-party data flows and within third-party policies. This research reveals that the semantics of privacy is potentially unbounded: each party uses slightly different terminology to describe and regulate personal data use through policies, which is a potential source of policy ambiguity and inconsistency and an obstruction to formal analysis. To align policy analysis with system analysis, we extended our framework to check mobile app source code for privacy policy violations using static and dynamic analysis, and to measure privacy risk to individuals as a means to inform developers about how to prioritize privacy controls with increased data sensitivity.
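As an added illustration (not the Eddy language nor the speaker's tooling), the constructed Python model below shows the kind of check the abstract describes: a small hypothetical purpose taxonomy stands in for the Description Logic concept hierarchy, and every use or onward transfer must fall under the purposes for which the data was originally collected, with those purposes propagated into the receiving third party's policy rather than replaced by whatever that party claims to collect for. All party names, data items and purposes are made up for the example.

```python
from dataclasses import dataclass, field
# Hypothetical purpose taxonomy (child -> more general parent), standing in
# for the concept hierarchy an Eddy policy would express in Description Logic.
PURPOSE_PARENT = {"fraud-detection": "security", "security": "service",
                  "billing": "service", "ad-targeting": "marketing"}

def subsumes(general, specific):
    """True if `specific` equals `general` or lies below it in the taxonomy."""
    while specific is not None:
        if specific == general:
            return True
        specific = PURPOSE_PARENT.get(specific)
    return False

@dataclass
class Policy:
    party: str
    collects: dict = field(default_factory=dict)   # datum -> set of purposes
    uses: list = field(default_factory=list)       # (datum, purpose)
    transfers: list = field(default_factory=list)  # (datum, recipient, purpose)

def permitted(allowed, purpose):
    return any(subsumes(p, purpose) for p in allowed)

def check_flows(policies, party, received=None):
    """Use-limitation violations for `party` and all downstream recipients; a
    recipient's uses are bounded by the purposes it received the data under."""
    pol = policies[party]
    allowed = pol.collects if received is None else received
    violations = []
    for datum, purpose in pol.uses:
        if not permitted(allowed.get(datum, set()), purpose):
            violations.append(f"{party}: uses {datum} for {purpose}")
    for datum, recipient, purpose in pol.transfers:
        if not permitted(allowed.get(datum, set()), purpose):
            violations.append(f"{party}: transfers {datum} to {recipient} for {purpose}")
            continue  # an out-of-purpose flow is reported, not propagated further
        violations += check_flows(policies, recipient, {datum: {purpose}})
    return violations

# Constructed sample: the app shares location with a vendor for security only,
# but the vendor's own policy also repurposes it for advertising.
POLICIES = {
    "app": Policy("app", collects={"location": {"service"}, "email": {"billing"}},
                  uses=[("location", "fraud-detection"), ("email", "ad-targeting")],
                  transfers=[("location", "analytics-co", "security")]),
    "analytics-co": Policy("analytics-co", collects={"location": {"marketing"}},
                           uses=[("location", "fraud-detection"), ("location", "ad-targeting")]),
}
```

Checking the vendor's policy on its own (`check_flows(POLICIES, "analytics-co")`) flags a different use than checking it as the recipient of the app's flow, which is exactly why the collection purpose has to travel with the data.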

Travis D. Breaux is an Associate Professor of Computer Science, appointed in the Institute for Software Research of the School of Computer Science at Carnegie Mellon University. Dr. Breaux's research program searches for new methods and tools for developing correct software specifications and ensuring that software systems conform to those specifications in a transparent, reliable and trustworthy manner. This includes demonstrating compliance with U.S. and international privacy and security laws, policies and standards. Dr. Breaux is the Director of the Requirements Engineering Laboratory at Carnegie Mellon University. Dr. Breaux has several publications in ACM and IEEE-sponsored journals and conference proceedings, including best paper nominations and an honorable mention for a 10-year most influential paper award. Dr. Breaux is a member of the ACM SIGSOFT, IEEE Computer Society and USACM Public Policy Committee.