Model-Based Privacy Analysis in Industrial Ecosystems

Article 25 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) requires data protection by design and by default. Privacy and data protection by design implies that IT systems must be designed, or adapted, so that they technically support privacy and data protection. To this end, one must verify whether a system supports security and privacy, or whether its design needs to change. In this paper, we provide a model-based privacy analysis approach for IT systems that deliver IT services to service customers. An IT service may rely on several enterprises to process the data provided by service customers; our approach is therefore modular, in the sense that it analyzes the system design of each enterprise individually. The approach is based on the four fundamental privacy elements, namely purpose, visibility, granularity, and retention. We present an implementation of the approach based on the CARiSMA tool and evaluate it on an industrial case study.
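The following is an added illustration of the kind of check the four elements support; it is not the paper's CARiSMA implementation and the ordering of the visibility and granularity scales, the model-element names, the two enterprises (`Shop`, `LogisticsPartner`) and the customer preferences are all constructed for the example. Each enterprise's processing steps are analyzed separately against the customer's stated preferences, and a data item that has no declared preference is reported rather than silently accepted:

```python
"""Check a system model against privacy preferences expressed as
purpose, visibility, granularity and retention (illustrative example)."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, FrozenSet, List

# Assumed ordered scales: a higher index exposes more. A preference fixes the
# maximum level a customer accepts; a design element must not exceed it.
VISIBILITY = ("owner", "house", "third_party", "all")
GRANULARITY = ("existential", "partial", "specific")


def _rank(scale, level: str) -> int:
    """Position of a level on its scale; unknown names are a modelling error."""
    if level not in scale:
        raise ValueError(f"unknown level {level!r}; expected one of {scale}")
    return scale.index(level)


@dataclass(frozen=True)
class PrivacyPreference:
    data_item: str
    purposes: FrozenSet[str]      # purposes the customer consents to
    max_visibility: str
    max_granularity: str
    max_retention: timedelta


@dataclass(frozen=True)
class ProcessingStep:
    enterprise: str
    element: str                  # name of the model element (constructed)
    data_item: str
    purpose: str
    visibility: str
    granularity: str
    retention: timedelta


def check_step(step: ProcessingStep,
               prefs: Dict[str, PrivacyPreference]) -> List[str]:
    """Return the list of privacy violations of one processing step."""
    where = f"{step.enterprise}:{step.element}"
    pref = prefs.get(step.data_item)
    if pref is None:
        # Fail closed: processing data without a declared preference is flagged.
        return [f"{where}: no preference declared for '{step.data_item}'"]
    issues = []
    if step.purpose not in pref.purposes:
        issues.append(f"{where}: purpose '{step.purpose}' not consented to")
    if _rank(VISIBILITY, step.visibility) > _rank(VISIBILITY, pref.max_visibility):
        issues.append(f"{where}: visibility '{step.visibility}' exceeds "
                      f"'{pref.max_visibility}'")
    if _rank(GRANULARITY, step.granularity) > _rank(GRANULARITY, pref.max_granularity):
        issues.append(f"{where}: granularity '{step.granularity}' exceeds "
                      f"'{pref.max_granularity}'")
    if step.retention > pref.max_retention:
        issues.append(f"{where}: retention {step.retention.days}d exceeds "
                      f"{pref.max_retention.days}d")
    return issues


def analyze_ecosystem(steps: List[ProcessingStep],
                      prefs: Dict[str, PrivacyPreference]) -> Dict[str, List[str]]:
    """Modular analysis: one violation list per enterprise in the ecosystem."""
    report: Dict[str, List[str]] = {}
    for step in steps:
        report.setdefault(step.enterprise, []).extend(check_step(step, prefs))
    return report


# Constructed sample input: a customer's preferences and two enterprises' models.
SAMPLE_PREFS = {
    "address": PrivacyPreference("address", frozenset({"shipping"}),
                                 "house", "specific", timedelta(days=30)),
    "birthdate": PrivacyPreference("birthdate", frozenset({"age_verification"}),
                                   "owner", "existential", timedelta(days=1)),
}
D = timedelta
SAMPLE_STEPS = [
    ProcessingStep("Shop", "OrderService.storeAddress", "address",
                   "shipping", "house", "specific", D(days=30)),        # ok
    ProcessingStep("Shop", "OrderService.sendToCarrier", "address",
                   "shipping", "third_party", "specific", D(days=30)),  # visibility
    ProcessingStep("Shop", "MarketingService.ageSegment", "birthdate",
                   "marketing", "owner", "partial", D(days=1)),         # purpose, granularity
    ProcessingStep("LogisticsPartner", "Delivery.storeAddress", "address",
                   "shipping", "house", "specific", D(days=365)),       # retention
    ProcessingStep("LogisticsPartner", "Analytics.heatmap", "address",
                   "analytics", "house", "partial", D(days=30)),        # purpose
    ProcessingStep("LogisticsPartner", "Analytics.log", "device_id",
                   "analytics", "house", "specific", D(days=30)),       # no preference
]
SAMPLE_REPORT = analyze_ecosystem(SAMPLE_STEPS, SAMPLE_PREFS)

if __name__ == "__main__":
    for enterprise, issues in SAMPLE_REPORT.items():
        print(enterprise, "->", len(issues), "violation(s)")
        for issue in issues:
            print("  ", issue)
```

Because the report is keyed by enterprise, a change in one enterprise's design only requires re-running the check for that enterprise; the ordered scales make "more exposed than consented to" a simple comparison of positions, which is the direction in which a visibility or granularity lattice would be extended.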
