Keywords: Privacy, Security, Requirements and Software Engineering;
Risk and Legal Compliance
How do we ensure that information systems comply with policies, laws and social norms?
As computers and information sharing increasingly pervade our
everyday lives, we need greater assurance that software can
and will conform to our social and personal expectations. Policies and law
serve to document expectations among multiple parties and we can use these artifacts as a blueprint to discover software requirements. This is especially true in privacy, where corporate privacy policies and privacy regulations govern a range of software applications. To improve software quality and reliability, my
research addresses the challenges to aligning regulations and
policies with software specifications. This includes studying:
- Formal languages to express policies and system requirements, and tools to reason about conflicts, inconsistencies and ambiguities within and among policies and software specifications;
- Methods to enable requirements engineers, business analysts and software developers to analyze and refine policy into measurable system specifications that can be monitored over time; and
- Communities of practice that include diverse backgrounds, viewpoints and expertise, including law, computer science, government, industry and the public.
To learn more, read about my ongoing research projects or contact me.
|15 Aug 2013
||CMU, Fordham and Stanford receive NSF Frontier Award #1330596 to semi-automatically extract key privacy features from privacy policies and present these features to online website users to improve notice and choice.
|16 May 2013
||Breaux and Rao's paper at IEEE RE 2013 entitled Formal Analysis of Privacy Requirements Specifications for Multi-Tier Applications was nominated for best paper and invited (and now accepted!)for an extended journal version.
|8 May 2013
||Dave Gordon heads to Microsoft Research in Redmond, Washington for a 2013 summer internship.
|4 Feb 2013
||Breaux joined the 2014 ACM/IEEE International Conference on Software Engineering Program Committee (ICSE'14)
|1 Feb 2013
||Breaux invited as panelist to help celebrate International Privacy Day at Carnegie Mellon University. See the video on privacy in mobile web and social networking (link)
|6 Aug 2012
||Gordon and Breaux's paper at IEEE RE 2012 entitled Reconciling Multi-Jurisdictional Legal Requirements: A Case Study in Requirements Water Marking (DOI) was one of six best papers invited (and now accepted!) for an extended journal version.
|17 Jul 2012
||Breaux joined the 2013 IEEE Requirements Engineering Conference Program Board (RE'13)
|7-8 Jun 2012
||Breaux invited as discussant for Fred and Woody's paper Obscurity by Design at the 5th Privacy law Scholars Conference, Washington, D.C.
|2 May 2012
||Hewlett-Packard Cloud Security and Privacy Lab renewed our industry award for 2012-2013.
Formal Analysis of Privacy Requirements Specifications for Multi-Tier Applications [ PDF ]
In proceedings of IEEE RE'13,
presents a formal language for expressing and checking privacy requirements specifications for conflicts;
findings include techniques to model privacy policies and demonstration of potential conflicts among Facebook, Zynga and AOL Advertising. This conference publication was nominated for best paper.
A Cross-Domain Empirical Study and Legal Evaluation of the Requirements Water Marking Method
In Requirements Engineering J.
presents an empirical method for comparing legal requirements from across multiple jurisdictions;
findings include analysis of data breach notificaiton laws and requirements water marks to denote high and low standards of care. This extended journal paper is based on a prior IEEE RE'12 conference publication that was nominated for best paper (DOI).
Legally "Reasonable" Security Requirements: A 10-year FTC Retrospective
[ PDF ]
In Computers and Security,
30(4): 178-193. Presents empirical results expressing a definition of legally reasonable security
derived from FTC regulatory enforcement actions conducted in response to privacy violations.
Analyzing Regulatory Rules for Privacy and Security Requirements
[ PDF ]
In IEEE TSE,
34(1): 5-20. Presents a method to extract access rights and obligations from
regulations to reduce unwanted and unlawful uses and disclosures of protected
information in electronic information systems.
Legal Requirements, Compliance and Practice: An Industry Case Study in Accessibility
[ PDF ]
(Breaux, Antón, Boucher, Dorfman)
In IEEE RE'08.
We present preliminary results from a gap analysis on CISCO product requirements
using U.S. Section 508 accessibility law; the findings include five "best
practice" refinement patterns to improve regulatory harmony.
Semantic Parameterization: A Process for Modeling Domain Descriptions
[ PDF ]
(Breaux, Antón, Doyle)
In ACM TOSEM, 18(2): 5.
Presents a method for mapping descriptions of a domain (e.g., actors, actions, goals)
to Description Logic formula. The resulting logical theory can be used to formally
compare and reason about software requirements.
NIST publishes new Privacy Control Catalog in SP 800-53
The National Institute of Standards and Technology (NIST) proposed Appendix J to Special
Publication 800-53 to aid federal information systems with satisfying critical
privacy requirements. (see
FTC promotes Privacy by Design in new framework
Federal Trade Commission (FTC) proposes new privacy framework, including Do Not Track
and Privacy by Design to address increasing advances in technology and complex, often
invisible, data practices (see
SEC proposes Python as cash-flow e-file language
Securities Exchange Commission (SEC) proposes to require providers of asset-backed
securities to file "a computer program of the contractual cash flow provisions of
the securities in the form of downloadable source code in Python" (see
U.S. Bill S.773 proposes common security configuration language
Early draft of the Cybersecurity Act of 2009 proposes a "standard computer-readable
language for completely specifying the configuration of software" and a standard language
"to communicate vulnerability data to software users in real time," similar to the
CVE and related
36th ACM/IEEE International Conference on Software Engineering (ICSE'14)
Dates: Jun 1-7, 2014, Hyderabad, India
Submissions: Sep 13, 2013 (research papers)
20th International Working Conference on Requirements Engineering: Foundations of Software Quality (REFSQ)
Dates: Apr 7-10, 2014, Essen, Germany
Submissions: Oct 9, 2013 (abstracts), Oct 16 (papers)
22nd IEEE International Requirements Engineering Conference (RE'14)
Dates: Aug 25-29, 2014, Karlskrona, Sweden
Submissions: Mar 3/ Mar 10 (abstracts/research papers)
Archives of the International Workshop on Requirements Engineering and Law (RELAW)