DOI: 10.1145/3465481.3470102

Modeling of Personalized Privacy Disclosure Behavior: A Formal Method Approach

Published: 17 August 2021

Abstract

In order to create user-centric and personalized privacy management tools, the underlying models must account for individual users’ privacy expectations, preferences, and their ability to control their information sharing activities. Existing studies of users’ privacy behavior modeling attempt to frame the problem from a request’s perspective, which lacks the crucial involvement of the information owner, resulting in limited or no control of policy management. Moreover, very few of them take into consideration the aspects of correctness, explainability, usability, and acceptance of the methodologies for each user of the system. In this paper, we present a methodology to formally model, validate, and verify personalized privacy disclosure behavior based on the analysis of the user’s situational decision-making process. We use a model checking tool named UPPAAL to represent users’ self-reported privacy disclosure behavior by an extended form of finite state automata (FSA), and perform reachability analysis for the verification of privacy properties through computation tree logic (CTL) formulas. We also describe the practical use cases of the methodology, depicting the potential of formal techniques towards the design and development of user-centric behavioral modeling. This paper, through extensive experimental outcomes, contributes several insights to the area of formal methods and user-tailored privacy behavior modeling.

Cited By

  • (2021) A Comprehensive Analysis of Privacy Protection Techniques Developed for COVID-19 Pandemic. IEEE Access 9 (164159-164187). DOI: 10.1109/ACCESS.2021.3130610. Online publication date: 2021

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. behavioral analysis
  2. formal methods
  3. privacy
  4. security
  5. user behavior modeling

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months): 200
  • Downloads (Last 6 weeks): 13

Reflects downloads up to 03 Oct 2024
