| dc.contributor.advisor | Østvold, Bjarte M. | |
| dc.contributor.advisor | Vinterbo, Staal | |
| dc.contributor.author | Tang, Feiyang | |
| dc.date.accessioned | 2024-03-20T13:17:44Z | |
| dc.date.available | 2024-03-20T13:17:44Z | |
| dc.date.issued | 2024 | |
| dc.identifier.isbn | 978-82-326-7757-3 | |
| dc.identifier.issn | 2703-8084 | |
| dc.identifier.uri | https://hdl.handle.net/11250/3123422 | |
| dc.description.abstract | In our increasingly digital world, a pressing concern emerges: How do we secure our privacy as we increasingly depend on software? As we navigate through apps and platforms, the complexities of data privacy become evident. Understanding the intricate flow of personal data, ensuring compliance with evolving global regulations, and developing adaptable tools for diverse software environments are paramount. This Ph.D. thesis delves deep into these challenges, offering insights and solutions that span from the granular details of code to the broader validation of privacy policies.
The first challenge is the subtlety of personal data. Legal definitions are often abstract and translating them into technical requirements is no easy task. Identifying what constitutes personal data in a sea of code is a daunting challenge. Secondly, understanding how personal data flows within systems is crucial. With regulations like the General Data Protection Regulation (GDPR) in place, it is crucial to know what kind of processing personal data undergoes for compliance checks. Lastly, different projects have different needs. For developers doing self-analysis, a detailed examination of compiled code can reveal intricate data flows. However, for large industry projects, high-level source code analysis may be more practical for third parties to quickly gauge privacy compliance situations across millions of lines.
Investigations into these aspects resulted in the eight papers that are presented in this dissertation. They also led to the following additional contributions: (1) A privacy flow-graph tailored for Java and Android applications; this approach aids in the Data Protection Impact Assessment (DPIA) process. (2) A biometric data identification approach developed to pinpoint biometric API usage within Java and Android applications; this method ensures alignment with the GDPR. (3) An automatic comparison approach that addresses the collection of user interaction data in mobile apps by comparing an app’s privacy policy claims with its actual code implementation. (4) An automated code review assistant that offers a method to identify and categorize relevant code segments in source code, thus reducing the manual review effort.
The contributions offer guidance for developers and legal experts, connecting the detailed aspects of software development with the clear rules of privacy regulations. These contributions can pave the way for a clearer, more streamlined, and compliant online environment, ensuring that as we use digital platforms, our privacy is always protected. | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | NTNU | en_US |
| dc.relation.ispartofseries | Doctoral theses at NTNU;2024:82 | |
| dc.relation.haspart | Paper 1: Tang, Feiyang; Østvold, Bjarte M.. Assessing software privacy using the privacy flow-graph. I: MSR4P&S 2022:
- This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security. Association for Computing Machinery (ACM) 2022 ISBN 978-1-4503-9457-4. s. 7-15 https://doi.org/10.1145/3549035.3561185 | en_US |
| dc.relation.haspart | Paper 2: Tang, Feiyang. PABAU: Privacy Analysis of Biometric API Usage. I: 2022 IEEE Smartworld, Ubiquitous Intelligence & Computing, Scalable Computing & Communications, Digital Twin, Privacy Computing, Metaverse, Autonomous & Trusted Vehicles (SmartWorld/UIC/ScalCom/DigitalTwin/PriComp/Meta). IEEE conference proceedings 2022 ISBN 979-8-3503-4655-8. s. 2295-2302 https:// 10.1109/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00327
© 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works | en_US |
| dc.relation.haspart | Paper 3: Tang, Feiyang; Østvold, Bjarte M.; Bruntink, Magiel. Identifying Personal Data Processing for Code Review. I: Proceedings of the 9th International Conference on Information Systems Security and Privacy ICISSP 2023. SciTePress 2023 ISBN 978-989-758-624-8. s. 568-575 https://doi.org/ 10.5220/0011725700003405 CC BY-NC-ND 4.0 | en_US |
| dc.relation.haspart | Paper 4: Tang, Feiyang; Østvold, Bjarte M.; Bruntink, Magiel. Helping Code Reviewer Prioritize: Pinpointing Personal Data and Its Processing. I: Volume 371: New Trends in Intelligent Software Methodologies, Tools and Techniques. IOS Press 2023 ISBN 978-1-64368-430-7. s. 109-124 https://doi.org/10.3233/FAIA230228 | en_US |
| dc.relation.haspart | Paper 5: Tang, Feiyang; Østvold, Bjarte Mayanja. Transparency in App Analytics: Analyzing the Collection of User Interaction Data. I: 2023 20th Annual International Conference on Privacy, Security and Trust (PST). IEEE Press 2023 s. 405-415 https://doi.org/10.1109/PST58708.2023.10320181
© 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works | en_US |
| dc.relation.haspart | Paper 6: Tang, F. and Østvold, B. (2023). User Interaction Data in Apps: Comparing Policy Claims to Implementations. Published at the 18th IFIP Summer School on Privacy and Identity Management 2023 (IFIPSC 2023). | en_US |
| dc.relation.haspart | Paper 7: Tang, F. and Østvold, B. (2024). Finding Privacy-relevant Source Code. arXiv:2401.07316v1 | en_US |
| dc.relation.haspart | Paper 8: Tang, F. and Østvold, B. (2024). Software Privacy and Program Analysis: Insights, Methods, and Opportunities. | en_US |
| dc.title | Analyzing Privacy in Software | en_US |
| dc.type | Doctoral thesis | en_US |
| dc.subject.nsi | VDP::Technology: 500::Information and communication technology: 550 | en_US |
