Keerthi Thomas is a PhD student at the Open University, supervised by Prof. Bashar Nuseibeh, Dr. Arosha Bandara, and Mr. Blaine Price. Her research focuses on eliciting and analyzing users' privacy requirements for mobile applications. Previous work has shown privacy requirements vary based on users' changing contexts. However, most existing approaches do not address challenges of understanding privacy needs for mobile apps. Thomas proposes a systematic approach using a user-centric model combining contextual and interaction data to capture how privacy requirements are "distilled" from empirical studies of mobile social networking app users.

1. 2010 CRC PhD Student Conference
Distilling Privacy Requirements for Mobile Applications
Keerthi Thomas
k.thomas@open.ac.uk
Supervisors Prof. Bashar Nuseibeh
Dr. Arosha Bandara
Mr. Blaine Price
Department/Institute Computing
Status Part-time
Probation viva After
Starting date Oct. 2008
As mobile computing applications become commonplace, eliciting and analysing users’
privacy requirements associated with these applications is increasingly important. Such
mobile privacy requirements are closely linked to both the physical and socio-cultural context
in which the applications are used.
Previous research by Adams and Sasse [1] has highlighted how system designers, policy
makers and organisations can easily become isolated from end-users’ perceptions of privacy
in different contexts. For mobile applications, end-users’ context changes frequently and
Mancini et al.’s observations of such users [2] suggest that changes in users’ context result in
changes in the users’ privacy requirements. Omitting these privacy requirements not only
affects the user’s privacy but also has an impact on how well the system is adopted or utilised.
Moreover, the design of technologies influencing privacy management is often considered
and addressed as an afterthought [3], when in fact the guarantees and assurances of privacy
should have been included in the design right from the outset. The aim of my research is
therefore to ensure that privacy requirements of mobile systems are captured early, together
with the specification of the possible variations in these systems’ operating context.
Privacy requirements have been analysed from different perspectives by the requirements
engineering community. Anton et al. [4] explored the role of policy and stakeholder privacy
values, Breaux and Anton [5] modelled requirements based on privacy laws such as HIPAA,
and Cranor et al. [6] represented her requirements using privacy policies of various online
organisations. Some researchers have modelled privacy as part of a wider modelling effort.
For example, Yu and Cysneiros [7] characterised privacy as a non-functional requirement in
i* using OECD guidelines [8], and Kalloniatis et al. [9] described a security engineering
method to incorporate privacy requirements early in the system development process.
However, I am not aware of any work that specifically focuses on the challenges of
understanding the privacy requirements associated with mobile computing applications.
Eliciting end-user privacy requirements for mobile applications is both sensitive and
difficult. Questionnaires do not reveal the ‘real’ choices end-users make because the decisions
are influenced by the emerging context in a particular situation. Shadowing users for long
hours is neither practical nor useful as the experience of being under observation is likely to
change the behaviour of the users in ways that invalidate any observed behaviours that relate
to privacy. Mancini et al.’s prior work [2] showed that privacy preferences and behaviours in
relation to mobile applications are closely linked to socio-cultural, as well as to physical,
boundaries that separate different contexts in which the applications are used. From the
literature survey carried out earlier, I am not aware of any requirements engineering process
that specifically supported the elicitation of privacy requirements for mobile or context-aware
systems. Given the complexities and the need to elicit privacy requirements for mobile
systems, the aim of my research is therefore to address the following questions:
Page 102 of 125

2. 2010 CRC PhD Student Conference
(i) What are the end-user privacy requirements for mobile applications?
(ii) How can privacy requirements be elicited for mobile applications? What elicitation
techniques, requirement models and analysis methods are needed in the privacy
requirements engineering process?
To address these research questions, I present a systematic approach to modelling privacy
requirements for mobile computing applications where I demonstrate how requirements are
derived (“distilled”) from raw empirical data gathered from studying users of mobile social
networking applications. I propose the use of a user-centric privacy requirements model that
combines relevant contextual information with the users’ interaction and privacy perceptions
of the mobile application. The development of this model was informed by empirical data
gathered from my previous studies of mobile privacy [2]. Finally, I validate my work by using
the model as the basis for extending existing requirements modelling approaches, such as
Problem Frames. I show how the extended Problem Frames approach can be applied to
capture and analyse privacy requirements for mobile social networking applications.
References
[1] Adams, A. and Sasse, M.A., Privacy issues in ubiquitous multimedia environments: Wake sleeping
dogs, or let them lie? in Proc. of INTERACT ’99, Edinburgh, 1999, pp. 214-221J.
[2] Mancini, C., et al., From spaces to places: emerging contexts in mobile privacy. in Proc. of the
11th Int, Conf. on Ubiquitous computing, Orlando, FL, 2009, pp. 1-10.
[3] Anton, A.I. and Earp, J.B., Strategies for Developing Policies and Requirements for Secure
Electronic Commerce Systems. in 1st ACM Workshop on Security and Privacy in E-Commerce,
Athens, Greece, 2000, pp. unnumbered pages.
[4] Anton, A.I., Earp, J.B., Alspaugh, T.A., and Potts, C., The Role of Policy and Stakeholder Privacy
Values in Requirements Engineering. in Proc. of the 5th IEEE Int. Symp, on Requirements
Engineering, 2001, pp.138.
[5] Breaux, T.D. and Anton, A.I., Mining rule semantics to understand legislative compliance. in Proc.
of the 2005 ACM workshop on Privacy in the electronic society, Alexandria, VA, USA, 2005, pp.
51 - 54
[6] Cranor, L.F., 1998. The platform for privacy preferences. Communications of ACM 42 (2), 48–55.
[7] Yu, E. and L.M. Cysneiros. Designing for Privacy and Other Competing Requirements. in 2nd
Symp. on Requirements Engineering for Information Security (SREIS'02). 2002. Raleigh, North
Carolina.
[8] “Inventory of instruments and mechanisms contributing to the implementation and enforcement of
the OCDE privacy guidelines on global networks” Head of Publications Services, OECD, 2 rue-
André-Pascal, 75775 Paris Cedex 16, France.
[9] Kalloniatis, C., Kavakli, E., and Gritzalis, S. Addressing privacy requirements in system design:
the PriS method Requirements Engineering, Springer London, 13 (3). pp. 241-255.
Page 103 of 125