
PIP: An Injection Pattern for Inserting Privacy Patterns and Services in Software

  • Conference paper
Privacy Technologies and Policy (APF 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9484)


Abstract

Increasingly, software engineers in organizations that must comply with privacy regulations are looking for repeatable ways to embed privacy in their code. We propose the concept of a Privacy Injection Pattern (PIP) that software engineers can use to automate the dynamic “injection” of existing privacy patterns into existing or new code. The PIP is composed of a novel tri-abstraction combination of aspect-oriented programming, dependency injection, and mocking. Related work reveals fragmentation in the use of these software engineering abstractions separately to address privacy, as well as an absence of software injection patterns for privacy. We illustrate our new Privacy Injection Pattern, and the simplicity of its implementation, with a use case and downloadable example code that inject well-known de-identification patterns into a banking application. Adoption of our higher-level privacy injection pattern is expected to help software engineers comply more readily with Privacy by Design principles and to enable Privacy by Default. Early evaluation results for the PIP from practising software engineers are as yet inconclusive.
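The abstract names three abstractions (aspect-oriented programming, dependency injection, and mocking) but the page carries no code. The following is an added illustration, written for this page and not the paper's downloadable example code, of how those three combine into one injection point in Python: a consumer is written against a repository interface; a small DI container resolves the concrete repository; an aspect (after-returning advice selected by a regex "pointcut") weaves a de-identification service around the matching method; and, as in mocking, the container hands the consumer the woven substitute instead of the raw dependency. The customer record, field names, class names, pseudonymization key, and the specific de-identification patterns (keyed pseudonym, account masking, year bucketing, postcode truncation) are all hypothetical and constructed here.

```python
"""Added example of a Privacy Injection Pattern (PIP) in Python.
Not the paper's code; all names, records and the key are hypothetical."""
import hashlib
import hmac
import re
from typing import Callable, Protocol

# Constructed sample data standing in for a bank's customer store.
CUSTOMERS = {
    "c1": {"name": "Alice Example", "account": "1234567890123456",
           "birth_year": 1984, "postcode": "B3H 4R2", "balance": 1250.00},
}


class CustomerRepository(Protocol):
    """The interface the consumer depends on (hypothetical)."""
    def get(self, customer_id: str) -> dict: ...


class DbCustomerRepository:
    """The 'real' repository: returns raw, identifying records."""
    def get(self, customer_id: str) -> dict:
        return dict(CUSTOMERS[customer_id])


class DeidentificationService:
    """Well-known de-identification patterns: keyed pseudonymization,
    masking, generalization and truncation. The key is a placeholder;
    in practice it would come from a secrets store, never from source."""
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key

    def pseudonymize(self, value: str) -> str:
        # Keyed HMAC so the pseudonym is stable but not reversible without the key.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def mask_account(value: str) -> str:
        return "*" * (len(value) - 4) + value[-4:]

    @staticmethod
    def generalize_year(year: int, bucket: int = 10) -> str:
        lo = year - year % bucket
        return f"{lo}-{lo + bucket - 1}"

    @staticmethod
    def truncate_postcode(value: str) -> str:
        return value.split(" ")[0]

    def apply(self, record: dict) -> dict:
        out = dict(record)
        out["name"] = self.pseudonymize(record["name"])
        out["account"] = self.mask_account(record["account"])
        out["birth_year"] = self.generalize_year(record["birth_year"])
        out["postcode"] = self.truncate_postcode(record["postcode"])
        return out  # non-identifying fields such as balance pass through


def privacy_aspect(service: DeidentificationService, pointcut: str) -> Callable:
    """Aspect: wraps each method of the target whose name fully matches the
    `pointcut` regex with after-returning advice that de-identifies the result."""
    def weave(target):
        class Woven:
            def __getattr__(self, name):
                attr = getattr(target, name)
                if callable(attr) and re.fullmatch(pointcut, name):
                    def advised(*args, **kwargs):
                        return service.apply(attr(*args, **kwargs))
                    return advised
                return attr
        return Woven()
    return weave


class Container:
    """Tiny DI container: a binding per interface, plus an optional aspect
    applied when the binding is resolved (the mock-style substitution)."""
    def __init__(self):
        self._bindings = {}
        self._aspects = {}

    def bind(self, iface, factory, aspect=None):
        self._bindings[iface] = factory
        if aspect is not None:
            self._aspects[iface] = aspect

    def resolve(self, iface):
        instance = self._bindings[iface]()
        aspect = self._aspects.get(iface)
        return aspect(instance) if aspect else instance


class StatementReport:
    """Consumer coded against the interface; it never learns about de-identification."""
    def __init__(self, repo: CustomerRepository):
        self._repo = repo

    def render(self, customer_id: str) -> dict:
        return self._repo.get(customer_id)


def build_report(inject_privacy: bool) -> StatementReport:
    """Composition root: the single place where the privacy pattern is injected."""
    c = Container()
    deid = DeidentificationService(pseudonym_key=b"hypothetical-demo-key")
    c.bind(CustomerRepository, DbCustomerRepository,
           aspect=privacy_aspect(deid, r"get") if inject_privacy else None)
    return StatementReport(c.resolve(CustomerRepository))


if __name__ == "__main__":
    print(build_report(inject_privacy=False).render("c1"))
    print(build_report(inject_privacy=True).render("c1"))
```

Because the consumer (`StatementReport`) and the data source (`DbCustomerRepository`) are untouched, switching `inject_privacy` at the composition root is the only change needed to move a deployment from raw to de-identified output, which is the "Privacy by Default" property the abstract describes; the regex pointcut is what lets one aspect cover every method of a repository that returns personal data.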



Acknowledgments

This material is supported by N. Ali’s post-graduate scholarship from the Government of the Province of Nova Scotia, Canada, and D. Jutla’s Federal Natural Sciences and Engineering Research Council of Canada (NSERC) grant for privacy and accessibility.

Corresponding author

Correspondence to Dawn Jutla.


Copyright information

© 2016 Springer International Publishing Switzerland


Cite this paper

Ali, N., Jutla, D., Bodorik, P. (2016). PIP: An Injection Pattern for Inserting Privacy Patterns and Services in Software. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds) Privacy Technologies and Policy. APF 2015. Lecture Notes in Computer Science, vol 9484. Springer, Cham. https://doi.org/10.1007/978-3-319-31456-3_8


  • DOI: https://doi.org/10.1007/978-3-319-31456-3_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31455-6

  • Online ISBN: 978-3-319-31456-3
