Re: Use of DPV to represent source code from Mugdha Khedkar on 2024-07-09 (public-dpvcg@w3.org from July 2024)

From: Mugdha Khedkar <mugdha.khedkar@uni-paderborn.de>
Date: Tue, 9 Jul 2024 11:49:26 +0000
To: "public-dpvcg@w3.org" <public-dpvcg@w3.org>
Message-ID: <b90f91c71c9348e396ba00bb91e618e7@uni-paderborn.de>

Please excuse the typo in the previous mail. We wonder how one would use DPV to represent a process that collects multiple data items and processes them in different ways. For example, if we have a piece of code that collects both name and email address and then stores them, would we represent that using the following schema:

ex:App dpv:PersonalDataHandling ;
    dpv:hasPersonalDataHandling ex:NameStore ;
    dpv:hasPersonalDataHandling ex:EmailStore .

ex:NameStore rdf:type dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Name ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

ex:EmailStore rdf:type dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Email ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

Or using the following schema:

ex:App dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Name, dpv:Email ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

Regards,

Mugdha

________________________________


Mugdha Khedkar

M. Sc.

Wissenschaftliche Mitarbeiterin

Fachgruppe Secure Software Engineering | Heinz Nixdorf Institut

[1715862455068]

Fürstenallee 11

33102 Paderborn

Raum F1.213

Telefon +49 5251 60-6584

Mail mugdha.khedkar@upb.de<mailto:mugdha.khedkar@upb.de>

Web www.uni-paderborn.de<http://www.uni-paderborn.de/> | hni.upb.de<https://www.hni.uni-paderborn.de/>


<https://www.hni.uni-paderborn.de/>

________________________________
From: Mugdha Khedkar
Sent: Tuesday, July 9, 2024 1:33:06 PM
To: public-dpvcg@w3.org
Cc: Eric Bodden
Subject: Use of DPV to represent source code


Hello,


I am a PhD student working with Prof. Dr. Eric Bodden<https://www.bodden.de/> at Heinz Nixdorf Institute, Paderborn University (Germany)<https://www.hni.uni-paderborn.de/>. We work on analyzing source code statically i.e. before execution. We are designing a static analysis to ensure data protection in Android apps. More details of our work can be found here: https://dl.acm.org/doi/10.1145/3647632.3651389. We currently have a prototype that visualizes the source code of an Android app as a graph which illustrates how collected personal data flows through the code. For example, which methods are called on it, how it is processed, where it is stored, where it is accessed, and so on. This visualization is tailored towards app developers.


We are next exploring how we can use DPV (version 2) to create a visualization tailored towards the privacy assessment team (DPOs, auditors). This visualization will be created by converting the existing visualization (for app developers) into one that answers several assessment questions and can be understood by DPOs and auditors.  We have looked at the examples given in the primer<https://w3c.github.io/cg-reports/dpvcg/CG-FINAL-primer-20221205/> and we wonder how one would use DPV to represent a process that collects multiple data items and processes them in different ways. For example, if we have a piece of code that collects both name and email address and then stores them, would we represent that using the following schema:

ex:App dpv:PersonalDataHandling ;
    dpv:hasPersonalDataHandling ex:InternalAnalytics ;
    dpv:hasPersonalDataHandling ex:SendingNewsletters .

ex:NameStore rdf:type dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Name ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

ex:EmailStore rdf:type dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Email ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

Or using the following schema:

ex:App dpv:PersonalDataHandling ;
    dpv:hasPersonalData dpv:Name, dpv:Email ;
    dpv:hasProcessing dpv:Collect, dpv:Store .

In our work, we would like to use DPV as a meta-model to systematically express privacy properties found in the source code of Android apps. This will include several challenges such as representing control and data flow between different data items and processing operations. Do you already know of any work that uses DPV to represent source code so that it is understandable to non-developers? Would the DPVCG be interested in such work? Please let us know. We look forward to hearing from you.


Regards,

Mugdha

________________________________


Mugdha Khedkar

M. Sc.

Wissenschaftliche Mitarbeiterin

Fachgruppe Secure Software Engineering | Heinz Nixdorf Institut

[1715862455068]

Fürstenallee 11

33102 Paderborn

Raum F1.213

Telefon +49 5251 60-6584

Mail mugdha.khedkar@upb.de<mailto:mugdha.khedkar@upb.de>

Web www.uni-paderborn.de<http://www.uni-paderborn.de/> | hni.upb.de<https://www.hni.uni-paderborn.de/>

<https://www.hni.uni-paderborn.de/>

Attachments

image/png attachment: OutlookEmoji-171586245506820dd3bc0-aa61-429b-85fd-4076b898f779.png
image/png attachment: OutlookEmoji-17158624550687e29e0ff-bf8c-4526-a4cd-a34f8971ae44.png
image/png attachment: OutlookEmoji-17158624550680b74d177-de4f-4da0-80e8-bf921d32a08b.png
image/png attachment: OutlookEmoji-171586245506883d84f64-0204-43b4-a66b-45c1993b3ab0.png
image/png attachment: OutlookEmoji-171586245506839338fe5-9b8c-4aa8-b253-62e5c2c5465b.png
image/png attachment: OutlookEmoji-171586245506819e3bf77-245a-4aca-8a73-b530b7464a97.png

Received on Tuesday, 9 July 2024 12:49:51 UTC