This summer I had the opportunity to be part of two major research projects. One of them was the elaboration of a software requirements document for a tool intended to assist system analysts in extracting requirements engineering from legal texts (Software Requirements Document for Regulatory Analysis Tool [pdf]) and the other was the analysis of several airlines' privacy policies applying the goal mining techniques designed at The Privacy Place (North Carolina State University). Because my background on these subject matters was almost null, I spent a considerable amount of time becoming acquainted with the corresponding concepts, terminology, and rationale. Below is the list of all the papers that I read in order to have a better understanding of the projects to which I devoted my time this past summer.
Before starting to work on the software requirements document, it was very useful to read the requirement documents of other tools that were previously designed at the Privacy Place, namely the Digital Rights Management System and the SPRAT.
Airlines' Privacy Policies Analysis Related Readings:
A Requirements Taxonomy to Reduce Website Privacy Vulnerabilities
Annie I. Antón and Julie B. Earp. Requirements Engineering Journal, Springer Verlag, 9(3), pp. 169-185, August 2004.
Annie I. Antón, Qingfeng He and David Baumer. IEEE Security & Privacy, 2(6), pp. 12-18, November/December 2004.
The Lack of Clarity in Financial Privacy Policies and the Need for Standardization
Annie I. Antón, Julia B. Earp, Davide Bolchini, Qingfeng He, Carlos Jensen and William Stufflebeam, IEEE Security & Privacy, 2(2), pp. 36-45, 2004.
The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information
Paul N. Otto, Annie I. Antón and David L. Baumer. To Appear: IEEE Security & Privacy, 2007.
This paper focuses on the widely publicized case of ChoicePoint, a data broker that suffered fraudulent access to its database of vast personal information. Because data breaches such as this one pose serious risk to millions of customers, all research efforts made to minimize said risk should be highly valued. Through this example I was able to better understand the need to protect private information.
HIPAA's Effect on Web Site Privacy Policies [IEEE]
Annie I. Antón, Julia B. Earp, Matthew W. Vail, Neha Jain, Carrie Gheen and Jack M. Frink. IEEE Security & Privacy, 5(1), pp. 45-52, January/February 2007.
This paper presents an analysis of how healthcare regulations such as the Health Insurance Portability and Accountability Act (HIPAA) affect the way privacy policies are written, even at the level of protection goals and vulnerabilities. Results revealed that, in general, after HIPAA became effective, privacy policies became more difficult to comprehend, mainly because they had a higher Flesch Reading Ease Score. The policies became more descriptive, but this fact hasn’t necessarily improved online privacy practices.