Barkhuus and Dey .
Functionality- and Goal-Oriented Analysis
One of the difficulties in identifying privacy requirements is that they are often non-functional characteristics of a product and are difficult to enumerate exhaustively. Patrick and Kenny’s Privacy Interface Analysis (PIA) is a process to systematically identify vulnerabilities in privacy-sensitive user interfaces. In PIA, designers describe the service or application using UML case models and derive the necessary interface functionalities from them. Then, they consider each functionality with respect to the principles of transparency, finality and use limitation, legitimate processing, and legal rights. Patrick and Kenny combine a functionality-oriented analysis process with an evaluation of the legal and social legitimacy of a given application. However, their process is relatively time-consuming.
STRAP (Structured Analysis Framework for Privacy) also attempts to facilitate the identification of privacy vulnerabilities in interactive applications. STRAP employs a goal-oriented, iterative analysis process, and is composed of three successive steps: vulnerability analysis, design refinement, and evaluation. The analyst starts by defining the overall goals of the application and recursively subdividing these goals into subgoals in a tree-like fashion. Specific implementations are then attached to the leaves of this recursive goal definition tree, and vulnerabilities are identified for each, leading to privacy requirements.
Jensen compared STRAP’s performance with PIA’s, Bellotti and Sellen’s framework, and Hong’s Risk Analysis framework. The results of this evaluation encouragingly suggest that designers using STRAP identified more privacy issues, and identified them more quickly, than the other groups. Jensen notes, however, that the design of a shared calendaring system used in the study did not overlap with the applicability domain of the frameworks developed by Bellotti and Sellen and by Hong et al. This underscores the importance of tightly defining the scope of design methods.
Iachello and Abowd proposed employing the principle of proportionality and a related development process adapted from the legal and Data Protection Authority communities to analyze privacy. In a nutshell, the proportionality principle asserts that the burden on stakeholders of any IT application should be compatible with the benefits of the application. Assessing legitimacy implies a balancing between the benefits of data collection and the interest of the data subject in controlling the collection and disclosure of personal information. This balancing of interests is, of course, not unique to the European data protection community. Court rulings in the United States, including Supreme Court rulings, employ similar assessments.
Iachello and Abowd further propose to evaluate design alternatives at three stages of an iterative development process: at the outset of design, when application goals are defined (this part of the analysis is called the “desirability” judgment); during the selection of a technology to implement the application goals (this part is called “appropriateness”); and during the definition of “local” design choices impacting parameters and minor aspects of
end-user-privacy-in-human-computer-interaction-v57.docPage 63 of 85