Distilling Privacy Requirements for Mobile Applications

Author(s): K. Thomas, A. Bandara, B. Price, B. Nuseibeh
Venue: International Conference on Software Engineering
Date: 2014

Type of Experiment: Case Study
Class/Experience Level: Other
Data Collection Method: Survey


This paper claims two major contributions: privacy facets and requirements distillation. Privacy facets allow privacy requirements to be identified from several contextual perspectives: those of actors, information, information flows, and places. Requirements distillation refers to “a systematic method for qualitative data analysis that employs analysis models and patterns to extract and refine emergent software requirements.”

The authors analyze the results of a previously conducted survey of users of the Facebook mobile application. The work focuses on deriving privacy requirements from qualitative user feedback. Qualitative data is used because the privacy concerns, and thus the privacy requirements, of a system depend on the physical and socio-cultural context of the people using the application. The paper provides a systematic way of categorizing potential privacy harms that users may encounter and discusses software that could detect these harms and warn the user about potentially unwanted disclosure of information. The approach has a few notable shortcomings, which the authors address in their discussion (Section 6). Overall, the approach is novel but may run into issues of generalizability and scalability.