Privacy Flashcards
Problem for developers - Privacy
Privacy legislation is written by lawyers, developers have problems understanding
=> problems as developers need to implement legislation
Data subject, Data controller, Personal Data, Personal Identifyable Information
Data subject: User
Data controler: company
Personal data: Data of an Identifiable user
Personal Identifyable Information: Data that allows to identify user
“Mapping Communication Gap” Goal
RQ1: What are developers’, team coordinators’, and privacy experts’
perceptions of privacy requirements?
RQ2: How does the communication of privacy requirements between
developers, team coordinators, and privacy experts look like?
RQ3: How do privacy experts create, and team coordinators and developers
implement privacy requirements?
Map process of privacy in companies
“Mapping Communication Gap” Approach
Qualitative semi structured interviews, Grounded theory according to Charmaz
First: Examine knowledge on Privacy Concepts
Second: Ask Participants on Privacy in their companies
Third: Participants were presented with hypothetical requirements
“Mapping Communication Gap” Analysis
Reqruitment: Upwork, No screening
GT by Charmaz: Initial Coding: incident by incident
Focused coding: selecting categories from codes
Theoretical coding: specify relationships between categories
Multiple coders (two per interview)
“Mapping Communication Gap” Results
Privacy Expert designs approach, Developer implements, Team Coordinator used for communication
Both parties feel they lack informationl and wish for more direct communication
Experts feel that developers dont care for privacy
Developers feel that experts lack technical knowledge
“Mapping Communication Gap” Motivation for Privacy
Companies are not motivated by default but by fines, image loss etc
Common Ground Theory
Communication between privacy experts and developers has become adversarial.
More direct communications need. Implement privacy champion with knowledge of both. Include experts early in development.
“Sorry for bugging you so much’’ Setup
Lab in which developers complete privacy relevant tasks
Provide access to privacy expert chat
RQ1: How do developers implement privacy measures in their software?
RQ2: How do developers behave if they require information on privacy during
implementation?
RQ3: What issues do developers encounter during privacy measures
implementation?
Health app which contained private data of subjects. Four tasks and exit interview.
Task1: Warmup task backup (not privacy relevant)
Task2: Deletion request (needs to be deleted in database and backup)
Task3: Search function for doctor (are only the doctors patients shown? how much data does the doctor get?)
Task4: Advertisment emails (subject have not given consent before, so ask first)
“Sorry for bugging you so much’’ Groups
Control: No input
Prompted: Told that all solutions need to be compliant
Prompted + Expert Chat: Told that all solutions need to be compliant + expert chat
“Sorry for bugging you so much’’ Recruitment
Recruitment of past participants also snowballing and kleinanzeigen and screening.
“Sorry for bugging you so much’’ Analysis
Code analyzed by two researches indepently with third as a tiebreak
Qualitative analysis of interview with thematic analysis
“Sorry for bugging you so much’’ Results
Very little privacy consideration from all groups
Confidence in compliance was low
Very little searches or questions to experts
Based solution on existing solution (no rewrite) => privacy by design
Functionality was implemented first
However they can identify issues
Prompted groups not significantly better than not prompted
Experts didnt help to much
