Perceptions of ICT Practitioners Regarding Software Privacy

During software development activities, it is important for Information and Communication Technology (ICT) practitioners to know and understand practices and guidelines regarding information privacy, as software requirements must comply with data privacy laws and members of development teams should know current legislation related to the protection of personal data. In order to gain a better understanding on how industry ICT practitioners perceive the practical relevance of software privacy and privacy requirements and how these professionals are implementing data privacy concepts, we conducted a survey with ICT practitioners from software development organizations to get an overview of how these professionals are implementing data privacy concepts during software design. We performed a systematic literature review to identify related works with software privacy and privacy requirements and what methodologies and techniques are used to specify them. In addition, we conducted a survey with ICT practitioners from different organizations. Findings revealed that ICT practitioners lack a comprehensive knowledge of software privacy and privacy requirements and the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, in Portuguese), nor they are able to work with the laws and guidelines governing data privacy. Organizations are demanded to define an approach to contextualize ICT practitioners with the importance of knowledge of software privacy and privacy requirements, as well as to address them during software development, since LGPD must change the way teams work, as a number of features and controls regarding consent, documentation, and privacy accountability will be required.

[1]  Rose-Mharie Åhlfeldt,et al.  Privacy and Security in Cyberspace: Training Perspectives on the Personal Data Ecosystem , 2013, 2013 European Intelligence and Security Informatics Conference.

[2]  Mariana Maia Peixoto,et al.  PCM Tool: Privacy Requirements Specification in Agile Software Development , 2019 .

[3]  Ira S. Rubinstein,et al.  Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents , 2012 .

[4]  Bashar Nuseibeh,et al.  Designing Privacy-aware Internet of Things Applications , 2017, Inf. Sci..

[5]  Tatjana Welzer,et al.  A Model of Perception of Privacy, Trust, and Self-Disclosure on Online Social Networks , 2019, Entropy.

[6]  Dragos Ilie,et al.  Privacy and DRM Requirements for Collaborative Development of AI Applications , 2018, ARES.

[7]  Haralambos Mouratidis,et al.  Towards Detecting and Mitigating Conflicts for Privacy and Security Requirements , 2019, 2019 13th International Conference on Research Challenges in Information Science (RCIS).

[8]  Michael Friedewald,et al.  Seven Types of Privacy , 2013, European Data Protection.

[9]  Marc Langheinrich,et al.  Engineering Privacy by Design: Are engineers ready to live up to the challenge? , 2018, Inf. Soc..

[10]  Barbara Kitchenham,et al.  Procedures for Performing Systematic Reviews , 2004 .

[11]  A. Cavoukian,et al.  Privacy by Design: essential for organizational accountability and strong business practices , 2010 .

[12]  Raimundas Matulevicius,et al.  Privacy-enhanced BPMN: enabling data privacy analysis in business processes models , 2019, Software and Systems Modeling.

[13]  Maritta Heisel,et al.  Privacy Policy Specification Framework for Addressing End-Users' Privacy Requirements , 2019, TrustBus.

[14]  Haralambos Mouratidis,et al.  Model Based Process to Support Security and Privacy Requirements Engineering , 2012, Int. J. Secur. Softw. Eng..

[15]  T. Gorschek,et al.  On Understanding How Developers Perceive and Interpret Privacy Requirements Research Preview , 2020, REFSQ.

[16]  Hossain Shahriar,et al.  Compliance Checking of Open Source EHR Applications for HIPAA and ONC Security and Privacy Requirements , 2019, 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC).

[17]  Q. He A Framework for Modeling Privacy Requirements in Role Engineering , 2003 .

[18]  Irit Hadar,et al.  The Importance of Empathy for Analyzing Privacy Requirements , 2018, 2018 IEEE 5th International Workshop on Evolving Security & Privacy Requirements Engineering (ESPRE).

[19]  Davor Svetinovic,et al.  A taxonomy of security and privacy requirements for the Internet of Things (IoT) , 2014, 2014 IEEE International Conference on Industrial Engineering and Engineering Management.

[20]  Marc Langheinrich,et al.  Inside the Organization: Why Privacy and Security Engineering Is a Challenge for Engineers , 2018, Proceedings of the IEEE.

[21]  José M. del Álamo,et al.  Privacy Engineering: Shaping an Emerging Field of Research and Practice , 2016, IEEE Security & Privacy.

[22]  Seiya Miyazaki,et al.  Computer-Aided Privacy Requirements Elicitation Technique , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[23]  Sarah Spiekermann,et al.  The challenges of privacy by design , 2012, Commun. ACM.

[24]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[25]  Evangelia Kavakli,et al.  Pris Tool: A Case Tool For Privacy-Oriented Requirements Engineering , 2009, MCIS.

[26]  Liliana Pasquale,et al.  The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements , 2018, 2018 IEEE 26th International Requirements Engineering Conference (RE).

[27]  Elizabeth D. Mynatt,et al.  STRAP: A Structured Analysis Framework for Privacy , 2005 .

[28]  Stefanos Gritzalis,et al.  Addressing privacy requirements in system design: the PriS method , 2008, Requirements Engineering.

[29]  Haralambos Mouratidis,et al.  A security requirements modelling language for cloud computing environments , 2019, Software and Systems Modeling.

[30]  Christoph Stach,et al.  Recommender-based privacy requirements elicitation - EPICUREAN: an approach to simplify privacy settings in IoT applications with respect to the GDPR , 2019, SAC.

[31]  Eran Toch,et al.  How Developers Make Design Decisions about Users' Privacy: The Place of Professional Communities and Organizational Climate , 2017, CSCW Companion.

[32]  Haralambos Mouratidis,et al.  Modelling the interplay of security, privacy and trust in sociotechnical systems: a computer-aided design approach , 2019, Software and Systems Modeling.

[33]  Stuart S. Shapiro,et al.  Privacy by design , 2010, Commun. ACM.

[34]  Haralambos Mouratidis,et al.  A Semi-Automatic Approach for Eliciting Cloud Security and Privacy Requirements , 2017, HICSS.

[35]  Yon Dohn Chung,et al.  An anonymization protocol for continuous and dynamic privacy-preserving data collection , 2019, Future Gener. Comput. Syst..

[36]  Lionel C. Briand,et al.  Modeling Security and Privacy Requirements: a Use Case-Driven Approach , 2018, Inf. Softw. Technol..

[37]  Mariana Maia Peixoto,et al.  Specifying privacy requirements with goal-oriented modeling languages , 2018, SBES.

[38]  Rüdiger Zarnekow,et al.  Security and Privacy System Requirements for Adopting Cloud Computing in Healthcare Data Sharing Scenarios , 2013, AMCIS.

[39]  Aikaterini-Georgia Mavroeidi,et al.  The Role of Gamification in Privacy Protection and User Engagement , 2020, Security and Privacy From a Legal, Ethical, and Technical Perspective.

[40]  Haralambos Mouratidis,et al.  Assurance of Security and Privacy Requirements for Cloud Deployment Models , 2018, IEEE Transactions on Cloud Computing.

[41]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[42]  Jörg Dörr,et al.  Enabling Users to Specify Correct Privacy Requirements , 2019, REFSQ.

[43]  C. Raab,et al.  Right engineering? The redesign of privacy and personal data protection , 2018 .

[44]  Wouter Joosen,et al.  A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements , 2011, Requirements Engineering.

[45]  Nancy R. Mead,et al.  Adapting the SQUARE Process for Privacy Requirements Engineering , 2010 .

[46]  Eran Toch,et al.  Privacy by designers: software developers’ privacy mindset , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[47]  Kristian Beckers,et al.  Comparing Privacy Requirements Engineering Approaches , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[48]  Christos Kalloniatis Incorporating privacy in the design of cloud-based systems: a conceptual meta-model , 2017, Inf. Comput. Secur..

[49]  Luigi Logrippo,et al.  Configuring Data Flows in the Internet of Things for Security and Privacy Requirements , 2018, FPS.

[50]  Israa Alqassem Privacy and security requirements framework for the internet of things (IoT) , 2014, ICSE Companion.

[51]  Josep Domingo-Ferrer,et al.  Privacy and Data Protection by Design - from policy to engineering , 2014, ArXiv.

[52]  Pearl Brereton,et al.  Performing systematic literature reviews in software engineering , 2006, ICSE.

[53]  Ann Cavoukian,et al.  Understanding How to Implement Privacy by Design, One Step at a Time , 2020, IEEE Consumer Electronics Magazine.

[54]  Luiz Marcio Cysneiros,et al.  Reusable Knowledge for Achieving Privacy: A Canadian Health Information Technologies Perspective , 2005, WER.

[55]  Annie I. Antón,et al.  Addressing Legal Requirements in Requirements Engineering , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[56]  Silvio Romero de Lemos Meira,et al.  Using CMMI together with agile software development: A systematic review , 2015, Inf. Softw. Technol..

[57]  Juan Carlos Augusto,et al.  Security and privacy requirements engineering for human centric IoT systems using eFRIEND and Isabelle , 2017, 2017 IEEE 15th International Conference on Software Engineering Research, Management and Applications (SERA).

[58]  Pearl Brereton,et al.  Systematic literature reviews in software engineering - A systematic literature review , 2009, Inf. Softw. Technol..

[59]  Zahra Shakeri Hossein Abad,et al.  Choosing Requirements for Experimentation with User Interfaces of Requirements Modeling Tools , 2017, 2017 IEEE 25th International Requirements Engineering Conference (RE).

[60]  Ann Cavoukian,et al.  Privacy by Design [Leading Edge] , 2012, IEEE Technol. Soc. Mag..