Evaluating Privacy Perceptions, Experience, and Behavior of Software Development Teams (2404.01283v2)
Abstract: With the increase in the number of privacy regulations, small development teams are forced to make privacy decisions on their own. In this paper, we conduct a mixed-method survey study, including statistical and qualitative analysis, to evaluate the privacy perceptions, practices, and knowledge of members involved in various phases of the Software Development Life Cycle (SDLC). Our survey includes 362 participants from 23 countries, encompassing roles such as product managers, developers, and testers. Our results show diverse definitions of privacy across SDLC roles, emphasizing the need for a holistic privacy approach throughout SDLC. We find that software teams, regardless of their region, are less familiar with privacy concepts (such as anonymization), relying on self-teaching and forums. Most participants are more familiar with GDPR and HIPAA than other regulations, with multi-jurisdictional compliance being their primary concern. Our results advocate the need for role-dependent solutions to address the privacy challenges, and we highlight research directions and educational takeaways to help improve privacy-aware SDLC.