Detecting privacy infractions in applications: A framework and methodology

We describe a framework and methodology for managing the privacy policy of an enterprise, including creation (based on factors like legislation and consumer preferences), validation and verification, deployment and enforcement, and compliance testing for business processes and software. To evaluate this approach, one module of our framework (compliance testing) is implemented for an existing prominent electronic commerce software application. Our unique approach monitors the personal information sent and received by the software application and converts it to a standardized representation. At defined points in the electronic commerce workflow, the transmissions are compared to a set of privacy rules (extracted from a privacy policy) to ascertain compliance. Non-compliant transmissions of personal information are labeled `potential privacy infractions´ and are reported. Though presently implemented for software testing, ultimately the methodology is intended to halt or alter a workflow to avoid privacy infractions.