
Commitment analysis to operationalize software requirements from privacy policies

Requirements Engineering, Digital Privacy

Abstract

Online privacy policies describe organizations’ privacy practices for collecting, storing, using, and protecting consumers’ personal information. Users need to understand these policies in order to know how their personal information is being collected, stored, used, and protected. Organizations need to ensure that the commitments they express in their privacy policies reflect their actual business practices, especially in the United States where the Federal Trade Commission regulates fair business practices. Requirements engineers need to understand the privacy policies to know the privacy practices with which the software must comply and to ensure that the commitments expressed in these privacy policies are incorporated into the software requirements. In this paper, we present a methodology for obtaining requirements from privacy policies based on our theory of commitments, privileges, and rights, which was developed through a grounded theory approach. This methodology was developed from a case study in which we derived software requirements from seventeen healthcare privacy policies. We found that legal-based approaches do not provide sufficient coverage of privacy requirements because privacy policies focus primarily on procedural practices rather than legal practices.


Notes

  1. In re Gateway Learning Corp., 138 F.T.C. 443 (2004).

  2. “Agents are active, persistent (software) components that perceive, reason, act, and communicate” [24].

  3. http://www.gsk.com/global/privacy_statement.htm, accessed August 21, 2008.

  4. http://www.drugstore.com/npp, accessed August 21, 2008.

  5. Health Insurance Portability and Accountability Act of 1996, 42 U.S.C.A. 1320d to d-8 (West Supp. 1998).

  6. The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, P.L. No. 105–277, 112 Stat. 2681–728.

  7. http://www.dossia.org/privacy, accessed December 9, 2008.

  8. http://www.aetna.com/about/information_practices.html, accessed August 21, 2008.

  9. http://www.aetna.com/about/privacy.html, accessed August 21, 2008.

  10. http://www.aetna.com

  11. http://www.drugstore.com

  12. http://www.gsk.com

  13. http://www.dossia.org

References

  1. Abbott RJ (1983) Program design by informal English descriptions. Commun ACM 26(11):882–894

  2. Antón AI (1997) Goal identification and refinement in the specification of software-based information systems. Ph.D. Thesis, Georgia Institute of Technology

  3. Antón A (2007) Is that vault really protecting your privacy? ThePrivacyPlace.org Blog, 9 Oct 2007

  4. Antón AI, Earp JB (2004) A requirements taxonomy for reducing web site privacy vulnerabilities. Requir Eng J 9(3):169–185

  5. Antón AI, Earp JB, Carter RA (2003) Precluding incongruous behavior by aligning software requirements with security and privacy policies. Inf Softw Technol 45(14):967–977

  6. Antón AI, Earp JB, Vail MW, Jain N, Gheen C, Frink JM (2007) HIPAA's effect on web site privacy policies. IEEE Secur Priv 5(1):45–52

  7. Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems. Ph.D. Thesis, North Carolina State University, April 2009

  8. Breaux TD, Antón AI (2005) Deriving semantic models from privacy policies. In: Proceedings of the IEEE 6th workshop on policies for distributed systems and networks, pp 67–76

  9. Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20

  10. Breaux TD, Antón AI, Doyle J (2008) Semantic parameterization: a process for modeling domain descriptions. ACM Trans Softw Eng Methodol 18(2):1–27

  11. Breaux TD, Vail MW, Antón AI (2006) Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: Proceedings of the 14th IEEE international conference on requirements engineering

  12. Cleland-Huang J, Chang CK, Sethi G, Javvaji K, Hu H, Xia J (2002) Automating speculative queries through event-based requirements traceability. In: Proceedings of the IEEE joint international requirements engineering conference (RE'02), 9–13 September 2002, pp 289–296

  13. Earp JB, Antón AI, Aiman-Smith L, Stufflebeam W (2005) Examining internet privacy policies within the context of user privacy values. IEEE Trans Eng Manag 52(2):227–237

  14. Federal Trade Commission (2004) Federal Trade Commission decisions: findings, opinions, and orders, July 1, 2004 to December 31, 2004, vol 138

  15. Federal Trade Commission (2009) Privacy initiative: unfairness & deception, enforcement. Accessed 2 June 2009. http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

  16. Federal Trade Commission Act (15 U.S.C. §§ 41–58)

  17. Garner BA (ed) (2004) Black's law dictionary, 8th edn. West

  18. Ghanavati S, Amyot D, Peyton L (2007) Towards a framework for tracking legal compliance in healthcare. In: Proceedings of the 19th international conference on advanced information systems engineering, pp 218–232

  19. Glaser BG (1978) Theoretical sensitivity. Sociology Press, Mill Valley

  20. Glaser BG, Strauss AL (1967) The discovery of grounded theory. Aldine Transaction, Chicago

  21. Haddadi A (1995) A formal theory of commitments. In: Communication and cooperation in agent systems. Lecture notes in computer science, vol 1056. Springer, Berlin, pp 51–82

  22. Hofmann M (2006) Federal Trade Commission enforcement of privacy. In: Wolf C (ed) Proskauer on privacy: a guide to privacy and data security law in the information age. Practising Law Institute, New York, NY

  23. Hohfeld WN (1913) Some fundamental legal conceptions as applied in judicial reasoning. Yale Law J 23(1):16–59

  24. Huhns MN, Singh MP (eds) (1998) Readings in agents. Morgan Kaufmann, San Francisco

  25. Manning CD, Schütze H (1999) Foundations of statistical natural language processing. The MIT Press, Cambridge

  26. Massey AK, Otto PN, Antón AI (2009) Prioritizing legal requirements. In: Proceedings of the second international workshop on requirements engineering and law

  27. Massey AK, Otto PN, Hayward LJ, Antón AI (2010) Evaluating existing security and privacy requirements for legal compliance. Requir Eng J 15(1):119–137

  28. Maxwell JC, Antón AI (2009) Developing production rule models to aid in acquiring requirements from legal texts. In: Proceedings of the 17th IEEE international requirements engineering conference, pp 101–110

  29. Maxwell JC, Antón AI (2009) Checking existing requirements for compliance with law using a production rule model. In: Proceedings of the second international workshop on requirements engineering and law

  30. Otto PN, Antón AI (2007) Addressing legal requirements in requirements engineering. In: Proceedings of the 15th IEEE international requirements engineering conference, pp 5–14

  31. Potts C, Takahashi K, Antón AI (1994) Inquiry-based requirements analysis. IEEE Softw 11(2):21–32

  32. Robinson WN (2005) Implementing rule-based monitors within a framework for continuous requirements monitoring. In: Proceedings of the 38th Hawaii international conference on system sciences

  33. Siena A, Perini A, Susi A, Mylopoulos J (2009) A meta-model for modelling law-compliant requirements. In: Proceedings of the second international workshop on requirements engineering and law

  34. Sotto LJ, Simpson AP (2008) Surviving an FTC investigation after a data breach. N Y Law J

  35. Vail MW, Earp JB, Antón AI (2008) An empirical study of consumer perceptions and comprehension of web site privacy policies. IEEE Trans Eng Manag 55(3):442–454

  36. Wan F, Singh MP (2005) Formalizing and achieving multiparty agreements via commitments. In: Proceedings of autonomous agents and multi-agent systems, pp 770–777

  37. Yin RK (2003) Case study research: design and methods. Applied social research methods series, vol 5, 3rd edn. Sage Publications

  38. Young J, Antón AI (2008) Are Google Health's privacy practices healthy? ThePrivacyPlace.org, 20 June 2008


Acknowledgments

NSF ITR grant #0325269 and NSF Cyber Trust Grant #0430166 partially funded this work. We thank Annie Antón, Aaron Massey, Jeremy Maxwell, Andrea Villanes, Gurleen Kaur, Ramya Gopalan, and Bharat Kaushik for their comments.

Corresponding author: Jessica D. Young.


Cite this article

Young, J.D. Commitment analysis to operationalize software requirements from privacy policies. Requirements Eng 16, 33–46 (2011). https://doi.org/10.1007/s00766-010-0108-6
