Volume 2022 (2022): Issue 1 (January 2022)
Journal Details
License
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

DataProVe: Fully Automated Conformance Verification Between Data Protection Policies and System Architectures

Published Online: 20 Nov 2021
Page range: 565 - 585
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

Privacy and data protection by design are relevant parts of the General Data Protection Regulation (GDPR), which encourages businesses and organisations to implement measures at an early stage of the system design phase in order to fulfil data protection requirements. This paper addresses policy and system architecture design and proposes two variants of a privacy policy language and an architecture description language, respectively, for specifying and verifying data protection and privacy requirements. In addition, we develop a fully automated, logic-based algorithm for verifying three types of conformance relations (privacy, data protection, and functional conformance) between a policy and an architecture specified in these language variants. Compared to related work, this approach supports a more systematic and fine-grained analysis of the privacy, data protection, and functional properties of a system. Our theoretical methods are then implemented as a software tool called DataProVe, and its feasibility is demonstrated on the centralised and decentralised approaches to COVID-19 contact tracing applications.

Keywords

