PhD Thesis: Multilateral Privacy Requirements Analysis in Online Social Networks
K. U. Leuven
COSIC/ESAT and HMDB/CS


Thesis and Abstract

Multilateral Privacy Requirements Analysis in Online Social Networks

Download Thesis

Promotors:

Prof. Dr. Bettina Berendt
Prof. Dr. ir. Bart Preneel

Jury:

Prof. Dr. ir. Paul Sas (president)
Prof. Dr. Bettina Berendt
Prof. Dr. ir. Bart Preneel
Prof. Dr. Serge Gutwirth
Prof. Dr. ir. Frank Piessens
Prof. Dr. Dave Clarke
Dr. ir. Claudia Diaz
Dr. habil. Thomas Santen

Abstract:

The massive collection, processing and dissemination of information in communication networks, and the resulting surveillance practices of governments, companies or even individuals, have led to privacy concerns regarding potential individual and societal harms. These concerns with respect to informational privacy have been echoed in computer science, legal studies and surveillance studies. While computer scientists have developed privacy solutions, researchers in legal studies and surveillance studies have proposed privacy notions for information and communication technologies. The objective of this thesis is to provide a set of concepts that reconcile these privacy notions and solutions, which are often abstracted away from any specific social context, with their interpretation in a given social context by different stakeholders (multilaterality) during requirements engineering.

Requirements engineering is the sub-phase of software engineering during which the desired behavior of the system-to-be in a given environment is defined. In this thesis, we address the problem of engineering privacy requirements by breaking it down into three parts: the privacy requirements definition problem, the privacy requirements analysis problem and the privacy requirements elicitation problem.

In addressing the privacy requirements definition problem, we start with the assumption that privacy, as a legal concept, is contextual, relational and non-absolute. We analyze aspects of different privacy notions that have to be considered when defining what privacy requirements are. We use our analysis to show that existing requirements engineering concepts are not appropriate with respect to the subjectivity, relationality and temporality of notions of privacy. We further discuss the privacy notions underlying privacy solutions and based on their differences categorize them under three privacy research paradigms: the privacy as confidentiality, privacy as control, and privacy as practice paradigms. We conclude that different privacy notions and privacy solutions from all three privacy research paradigms should be considered during privacy requirements engineering.

Next, we define a privacy requirements ontology: a set of concepts that lets requirements engineers relate stakeholder privacy concerns about a system-to-be to well-defined and quantifiable properties of that system during privacy requirements analysis. Specifically, we introduce the concepts of privacy concerns, privacy goals and privacy constraints, and define the relationships between them. Based on these concepts we re-define the privacy requirements engineering problem.

Finally, we apply our ontology to online Social Network Services (SNS). In order to gather stakeholder privacy viewpoints, we propose extending the coherence method for viewpoints analysis with elements of the privacy requirements ontology. Further, we evaluate the potential and limitations of existing requirements elicitation techniques for eliciting privacy concerns and propose a novel technique. We show how our approach can alleviate the challenges of eliciting privacy concerns in web-based, wide-user-audience systems like SNS. We elicit stakeholder and privacy concern viewpoints and focus on one of the privacy concern viewpoints: unforeseeable visibility. We then execute a multilateral privacy requirements analysis of the SNS design elements that give rise to the unforeseeable visibility concern. We conclude with an evaluation of the privacy requirements ontology concepts and an outlook on future research.