Marlies Santos' DMP Website (Summer 2007)

This summer I had the opportunity to be part of two major research projects. One of them was the elaboration of a software requirements document for a tool intended to assist system analysts in extracting requirements engineering from legal texts (Software Requirements Document for Regulatory Analysis Tool [pdf]) and the other was the analysis of several airlines' privacy policies applying the goal mining techniques designed at The Privacy Place (North Carolina State University). Because my background on these subject matters was almost null, I spent a considerable amount of time becoming acquainted with the corresponding concepts, terminology, and rationale. Below is the list of all the papers that I read in order to have a better understanding of the projects to which I devoted my time this past summer.

Before starting to work on the software requirements document, it was very useful to read the requirement documents of other tools that were previously designed at the Privacy Place, namely the Digital Rights Management System and the SPRAT.

Airlines' Privacy Policies Analysis Related Readings:

A Requirements Taxonomy to Reduce Website Privacy    Vulnerabilities
Annie I. Antón and Julie B. Earp. Requirements Engineering Journal, Springer Verlag, 9(3), pp. 169-185, August 2004.

This paper contains a detailed explanation of the taxonomy used as a content analysis technique to classify goals in a privacy policy. All the protection and vulnerability goals including their sub-classifications are thoroughly described. In addition, the authors explain the goal mining process, goal refinement heuristics as well as concrete examples of how to apply both. This paper laid the foundation upon which a good part of my work was done as far as the goal mining process is concerned.

Inside JetBlue's Privacy Policy Violations
Annie I. Antón, Qingfeng He and David Baumer. IEEE Security & Privacy, 2(6), pp. 12-18, November/December 2004.

This paper contains a detailed analysis of the JetBlue’s privacy policy, which led to the identification of the goals (protections and vulnerabilities) present in it. The goal mining technique applied was particularly useful in this case because it enabled analysts to recognize specific violations corresponding to the goals extracted.
The Lack of Clarity in Financial Privacy Policies and the Need for Standardization
Annie I. Antón, Julia B. Earp, Davide Bolchini, Qingfeng He, Carlos Jensen and William Stufflebeam, IEEE Security & Privacy, 2(2), pp. 36-45, 2004.

The authors of this paper conducted a comprehensive case study in which they analyzed the financial privacy policies from three banks, three insurance companies, and three securities firms. The results obtained are summarized in a table that has the specific number of protection goals, vulnerabilities, unclassified goals as well as the Flesch Reading Ease Score of each privacy policy. Additionally, we are presented with a list of the most commonly used words in privacy policies, which later became the repository of the PGMT.

The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information
Paul N. Otto, Annie I. Antón and David L. Baumer. To Appear: IEEE Security & Privacy, 2007.

This paper focuses on the widely publicized ChoicePoint case, a data broker that suffered fraudulent access to its database of vast personal information. Because data breaches such as this one pose serious risk to millions of customers, all research efforts made to minimize said risk should be highly valued. Through this example I was able to better understand the need to protect private information.

HIPAA's Effect on Web Site Privacy Policies [IEEE]
Annie I. Antón, Julia B. Earp, Matthew W. Vail, Neha Jain, Carrie Gheen and Jack M. Frink. IEEE Security & Privacy, 5(1), pp. 45-52, January/February 2007.

This paper presents an analysis on how healthcare regulations such as the Health Insurance Portability and Accountability Act (HIPAA) affect the way privacy policies are written, even at the protection goals and vulnerabilities level. Results revealed that, in general, after HIPAA became effective, privacy policies became more difficult to comprehend mainly because they had higher Flesch Reading Ease Score. The policies became more descriptive, but this fact hasn’t necessarily improved online privacy practices.