Supporting the design of privacy-aware business processes via privacy process patterns

Privacy is an increasingly important concern for modern software systems that handle personal and sensitive user information. Privacy by design has been established to chart the path to follow during a system's design phase so that the information the system handles receives the appropriate level of privacy. Nonetheless, transitioning from the privacy concerns identified early in the design phase to the privacy-implementing technologies that satisfy those concerns in later development stages remains a challenge. To overcome this issue, which is caused mainly by software engineers' lack of privacy-related expertise, this work proposes a series of privacy process patterns. The proposed patterns encapsulate expert knowledge and provide predefined solutions for satisfying different types of privacy concerns. The patterns presented here are used as a component of an existing privacy-aware system design methodology, through which they are applied to a real-life system.
