Abstract
The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.
Notes
5 USC 552a (1994)
Health Insurance Portability and Accountability Act of 1996, 42 USCA. 1320d to d-8 (West Supp. 1998).
Federal Register 59918 et seq., Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 through 164, Standards for Privacy of Individually Identifiable Health Information, (28 December 2000).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Articles 6, 10 and 11 address notice/awareness; Article 7 addresses choice/consent; Article 12 addresses access/participation; Articles 16 and 17 address integrity/security; Articles 22, 23 and 23 address enforcement/redress.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Articles 25 and 26 address information transfer.
Acknowledgments
This work was supported by NSF ITR Grant #0113792 and the CRA’s Distributed Mentor Project. The authors wish to thank Shane Smith, Kevin Farmer, Angela Reese, Hema Srikanth and Ha To. Additionally, we thank Thomas Alspaugh, Colin Potts, Richard Smith and Gene Spafford for discussions leading to our classification of privacy protection goals and vulnerabilities.
Cite this article
Antón, A.I., Earp, J.B. A requirements taxonomy for reducing Web site privacy vulnerabilities. Requirements Eng 9, 169–185 (2004). https://doi.org/10.1007/s00766-003-0183-z