ABSTRACT
Pervasive use of software applications continues to challenge user privacy whenever users interact with software systems. Even though privacy practices such as Privacy by Design (PbD) give software developers clear instructions for embedding privacy into software designs, those practices have yet to become common practice among software developers. The difficulty of developing privacy-preserving software systems highlights the importance of studying software developers and the problems they face when asked to embed privacy into application designs. Software developers are the community who can put practices such as PbD into action. Therefore, identifying the problems they face when embedding privacy into software applications, and providing solutions to those problems, is important for enabling the development of privacy-preserving software systems. This study observes 36 software developers in a software design task with instructions to embed privacy, in order to identify the problems they face. From these problems we derive recommendation guidelines intended to enable the development of privacy-preserving software systems.