Re: Use of DPV to represent source code

Hi Mugdha.
Thank you for your interest and question.

I think both ways of using DPV are okay in the sense that they 
communicate the intended information. Whether to separate each data 
category into a separate process or combine them together is an 
implementation choice.

Personally, I think this:

ex:App a dpv:Process ;
     dpv:hasPersonalData dpv:Name, dpv:Email ;
     dpv:hasProcessing dpv:Collect, dpv:Store .

... should be interpreted as meaning both Name and Email are Collected 
and Stored. It is the same with purposes, legal basis, etc. Where the 
details are different, separate processes become necessary.

For DPV 2.0, we have suggested using dpv:Process instead of 
dpv:PersonalDataHandling. Also the Primer has recently been updated 
(shortened in favour of the specification being more detailed), and we 
have updated the DPV specification with more details and examples.

I will try to add the example you have to the Process section 
highlighting the interpretation and use of separation vs combination 
after discussing it with others.

P.S. You are welcome to join the group and participate in this 
discussion and improving the DPV documentation.

Regards,
Harsh

On 09/07/2024 12:49, Mugdha Khedkar wrote:
> Please excuse the typo in the previous mail. We wonder how one would use 
> DPV to represent a process that collects multiple data items and 
> processes them in different ways. For example, if we have a piece of 
> code that collects both name and email address and then stores them, 
> would we represent that using the following schema:
> 
> ex:App rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalDataHandling ex:NameStore ;
>     dpv:hasPersonalDataHandling ex:EmailStore .
> ex:NameStore rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Name ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> ex:EmailStore rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Email ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> 
> Or using the following schema:
> 
> ex:App rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Name, dpv:Email ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> 
> Regards,
> 
> Mugdha
> 
> ------------------------------------------------------------------------
> 
> *Mugdha Khedkar*
> M. Sc.
> Research Associate
> Secure Software Engineering Group | Heinz Nixdorf Institut
> Fürstenallee 11
> 33102 Paderborn
> *Room* F1.213
> *Phone* +49 5251 60-6584
> *Mail* mugdha.khedkar@upb.de <mailto:mugdha.khedkar@upb.de>
> *Web* www.uni-paderborn.de <http://www.uni-paderborn.de/> | hni.upb.de <https://www.hni.uni-paderborn.de/>
> 
> ------------------------------------------------------------------------
> *From:* Mugdha Khedkar
> *Sent:* Tuesday, July 9, 2024 1:33:06 PM
> *To:* public-dpvcg@w3.org
> *Cc:* Eric Bodden
> *Subject:* Use of DPV to represent source code
> 
> Hello,
> 
> 
> I am a PhD student working with Prof. Dr. Eric Bodden 
> <https://www.bodden.de/> at Heinz Nixdorf Institute, Paderborn University 
> (Germany) <https://www.hni.uni-paderborn.de/>. We work on analyzing 
> source code statically, i.e. before execution. We are designing a static 
> analysis to ensure data protection in Android apps. More details of our 
> work can be found here: https://dl.acm.org/doi/10.1145/3647632.3651389 
> <https://dl.acm.org/doi/10.1145/3647632.3651389>. We currently have a 
> prototype that visualizes the source code of an Android app as a graph 
> which illustrates how collected personal data flows through the code. 
> For example, which methods are called on it, how it is processed, where 
> it is stored, where it is accessed, and so on. This visualization is 
> tailored towards app developers.
> 
> 
> We are next exploring how we can use DPV (version 2) to create a 
> visualization tailored towards the privacy assessment team (DPOs, 
> auditors). This visualization will be created by converting the existing 
> visualization (for app developers) into one that answers several 
> assessment questions and can be understood by DPOs and auditors. We 
> have looked at the examples given in the primer 
> <https://w3c.github.io/cg-reports/dpvcg/CG-FINAL-primer-20221205/> and we 
> wonder how one would use DPV to represent a process that collects 
> multiple data items and processes them in different ways. For example, 
> if we have a piece of code that collects both name and email address and 
> then stores them, would we represent that using the following schema:
> 
> ex:App rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalDataHandling ex:InternalAnalytics ;
>     dpv:hasPersonalDataHandling ex:SendingNewsletters .
> ex:NameStore rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Name ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> ex:EmailStore rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Email ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> 
> Or using the following schema:
> 
> ex:App rdf:type dpv:PersonalDataHandling ;
>     dpv:hasPersonalData dpv:Name, dpv:Email ;
>     dpv:hasProcessing dpv:Collect, dpv:Store .
> 
> In our work, we would like to use DPV as a meta-model to systematically 
> express privacy properties found in the source code of Android apps. 
> This will include several challenges such as representing control and 
> data flow between different data items and processing operations. Do you 
> already know of any work that uses DPV to represent source code so that 
> it is understandable to non-developers? Would the DPVCG be interested in 
> such work? Please let us know. We look forward to hearing from you.
> 
> 
> Regards,
> 
> Mugdha
> 

-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Tuesday, 9 July 2024 18:20:27 UTC
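
Added example, not part of the original thread and not code from DPV or its documentation: one way a static-analysis exporter could apply the interpretation given in the reply, emitting a single combined dpv:Process when every data category undergoes the same operations and separate processes when the details differ. The flow tuples are constructed sample input, and the `ex:App_1`-style node names and the grouping rule are assumptions made for this illustration.

```python
from collections import defaultdict
from itertools import product

def group_by_operations(flows):
    """Return [(data_items, operations), ...], one entry per distinct
    set of operations applied to a data category."""
    ops_by_data = defaultdict(set)
    for data, op in flows:
        ops_by_data[data].add(op)
    data_by_ops = defaultdict(set)
    for data, ops in ops_by_data.items():
        data_by_ops[frozenset(ops)].add(data)
    return sorted((sorted(d), sorted(o)) for o, d in data_by_ops.items())

def combined_reading(groups):
    """Expand each group the way the reply reads a combined process:
    every listed data item undergoes every listed operation."""
    return {pair for data, ops in groups for pair in product(data, ops)}

def to_turtle(node, flows):
    groups = group_by_operations(flows)
    # Invariant: the emitted description must state exactly the
    # observed flows, nothing more and nothing less.
    assert combined_reading(groups) == set(flows)
    blocks = []
    for i, (data, ops) in enumerate(groups, start=1):
        # Hypothetical naming: a suffix is added only when a split is needed.
        name = node if len(groups) == 1 else f"{node}_{i}"
        blocks.append(
            f"{name} a dpv:Process ;\n"
            f"    dpv:hasPersonalData {', '.join(data)} ;\n"
            f"    dpv:hasProcessing {', '.join(ops)} ."
        )
    return "\n".join(blocks)

# Constructed sample flows (not taken from a real app).
SAME = {("dpv:Name", "dpv:Collect"), ("dpv:Name", "dpv:Store"),
        ("dpv:Email", "dpv:Collect"), ("dpv:Email", "dpv:Store")}
DIFFERENT = {("dpv:Name", "dpv:Collect"), ("dpv:Name", "dpv:Store"),
             ("dpv:Email", "dpv:Collect")}

if __name__ == "__main__":
    print(to_turtle("ex:App", SAME))
    print(to_turtle("ex:App", DIFFERENT))
```

With `DIFFERENT`, a single combined process would also assert that Email is stored, which the analysis did not observe, so the exporter splits it into two processes.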