Abstract
Article 25 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing and the free movement of personal data, refers to data protection by design and by default. Privacy and data protection by design implies that IT systems need to be adapted or focused to technically support privacy and data protection. To this end, we need to verify whether security and privacy are supported by a system, or any change in the design of the system is required. In this paper, we provide a model-based privacy analysis approach to analyze IT systems that provide IT services to service customers. An IT service may rely on different enterprises to process the data that is provided by service customers. Therefore, our approach is modular in the sense that it analyzes the system design of each enterprise individually. The approach is based on the four privacy fundamental elements, namely purpose, visibility, granularity, and retention. We present an implementation of the approach based on the CARiSMA tool. To evaluate our approach, we apply it to an industrial case study.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Personal data in the cloud: The importance of trust. Technical report, Fujitso Global Business Group, Tokyo 105-7123, Japan, September 2010
CARiSMA (2016). https://rgse.uni-koblenz.de/carisma/
The European Parliament and the Council of the European Union, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Official J. Eur. Union, vol. 199, pp 1–88 (April 2016)
VisiOn Project (2016). http://www.visioneuproject.eu/
Ahmadian, S., Jürjens, J.: Supporting model-based privacy analysis by exploiting privacy level agreements. In: 8th IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2016) (2016)
Antignac, T., Métayer, D.: Privacy by design: from technologies to architectures. In: Preneel, B., Ikonomou, D. (eds.) APF 2014. LNCS, vol. 8450, pp. 1–17. Springer, Cham (2014). doi:10.1007/978-3-319-06749-0_1
Barker, K., Askari, M., Banerjee, M., Ghazinour, K., Mackas, B., Majedi, M., Pun, S., Williams, A.: A Data Privacy Taxonomy, pp. 42–54. Springer, Heidelberg (2009)
Basso, T., Montecchi, L., Moraes, R., Jino, M., Bondavalli, A.: Towards a UML profile for privacy-aware applications. In: 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing, pp. 371–378, October 2015
Breu, R., Burger, K., Hafner, M., Jürjens, J., Popp, G., Wimmel, G., Lotz, V.: Key issues of a formally based process model for security engineering. In: Sixteenth International Conference “Software & Systems Engineering & Their Applications”, Paris (2003)
Cavoukian, A., Chibba, M.: Advancing privacy and security in computing, networking and systems innovations through privacy by design. In: Proceedings of the 2009 conference of the Centre for Advanced Studies on Collaborative Research, 2–5 November 2009, Toronto, Ontario, Canada, pp. 358–360 (2009)
Cloud Security Alliance: Privacy Level Agreement [V2]: A Compliance Tool for Providing Cloud Services in the European Union (2013)
Dupressoir, F., Gordon, A.D., Jürjens, J., Naumann, D.A.: Guiding a general-purpose C verifier to prove cryptographic protocols. J. Comput. Secur. 22(5), 823–866 (2014). http://dx.doi.org/10.3233/JCS-140508
Ghazinour, K., Majedi, M., Barker, K.: A lattice-based privacy aware access control model. In: International Conference on Computational Science and Engineering, CSE 2009, vol. 3, pp. 154–159, August 2009
Gürses, S., Gonzalez Troncoso, C., Diaz, C.: Engineering privacy by design. In: Computers, Privacy & Data Protection (2011)
Hafiz, M.: A pattern language for developing privacy enhancing technologies. Softw. Pract. Exper. 43(7), 769–787 (2013)
Hoepman, J.H.: Privacy Design Strategies, pp. 446–459. Springer, Heidelberg (2014)
Jin, X., Sandhu, R.S., Krishnan, R.: RABAC: role-centric attribute-based access control. In: International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), pp. 84–96 (2012)
Jürjens, J.: Secure information flow for concurrent processes. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 395–409. Springer, Heidelberg (2000). doi:10.1007/3-540-44618-4_29
Jürjens, J.: Modelling audit security for smart-card payment schemes with UMLsec. In: Dupuy, M., Paradinas, P. (eds.) Trusted Information: The New Decade Challenge, pp. 93–108 (2001). Proceedings of the 16th International Conference on Information Security (SEC 2001). http://www.jurjens.de/jan
Jürjens, J.: Model-based security engineering with UML. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 42–77. Springer, Heidelberg (2005). doi:10.1007/11554578_2
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)
Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requirements Eng. 13(3), 241–255 (2008)
Kerschbaum, F.: Privacy-Preserving Computation, pp. 41–54. Springer, Heidelberg (2014)
Object Management Group (OMG): UML 2.5 Superstructure Specification (2011)
Pearson, S.: Taking account of privacy when designing cloud computing services. In: Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, pp. 44–52, CLOUD 2009. IEEE Computer Society (2009)
Pearson, S., Allison, D.: A model-based privacy compliance checker. IJEBR 5(2), 63–83 (2009)
Schneider, K., Knauss, E., Houmb, S., Islam, S., Jürjens, J.: Enhancing security requirements engineering by organisational learning. Requirements Eng. J. (REJ) 17(1), 35–56 (2012)
Spiekermann, S.: The challenges of privacy by design. Commun. ACM 55(7), 38–40 (2012)
Spiekermann, S., Cranor, L.F.: Engineering privacy. IEEE Trans. Softw. Eng. 35(1), 67–82 (2009)
van Staden, W., Olivier, M.S.: Using Purpose Lattices to Facilitate Customisation of Privacy Agreements, pp. 201–209. Springer, Heidelberg (2007)
Acknowledgements
This research was partially supported by the research project Visual Privacy Management in User Centric Open Environments (supported by the EU’s Horizon 2020 program, Proposal number: 653642).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Ahmadian, A.S., Strüber, D., Riediger, V., Jürjens, J. (2017). Model-Based Privacy Analysis in Industrial Ecosystems. In: Anjorin, A., Espinoza, H. (eds) Modelling Foundations and Applications. ECMFA 2017. Lecture Notes in Computer Science(), vol 10376. Springer, Cham. https://doi.org/10.1007/978-3-319-61482-3_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-61482-3_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-61481-6
Online ISBN: 978-3-319-61482-3
eBook Packages: Computer ScienceComputer Science (R0)