Abstract
Increasingly, software engineers in organizations complying with privacy regulations are looking for repeatable ways to embed privacy in their code. We propose the concept of a Privacy Injection Pattern (PIP) that software engineers can use to automate the dynamic “injection” of existing privacy patterns into existing or new code. The PIP is composed of a novel tri-abstraction combination of aspect-oriented programming, dependency injection, and mocking. Related work reveals fragmentation in using these software engineering abstractions separately to address privacy, as well as an absence of software injection patterns for privacy. We illustrate the new Privacy Injection Pattern, and the simplicity of its implementation, with a use case and downloadable example code that inject well-known de-identification patterns into a banking application. Adoption of our higher-level privacy injection pattern is expected to help software engineers comply more readily with Privacy by Design principles and to enable Privacy by Default. Early evaluation results for the PIP from practising software engineers are as yet inconclusive.
Acknowledgments
This material is supported by N. Ali’s post-graduate scholarship from the Government of the Province of Nova Scotia, Canada, and D. Jutla’s Federal Natural Sciences and Engineering Research Council of Canada (NSERC) grant for privacy and accessibility.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Ali, N., Jutla, D., Bodorik, P. (2016). PIP: An Injection Pattern for Inserting Privacy Patterns and Services in Software. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds) Privacy Technologies and Policy. APF 2015. Lecture Notes in Computer Science, vol 9484. Springer, Cham. https://doi.org/10.1007/978-3-319-31456-3_8
DOI: https://doi.org/10.1007/978-3-319-31456-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31455-6
Online ISBN: 978-3-319-31456-3
eBook Packages: Computer Science (R0)