The Fair Information Practice Principles (FIPPs) articulated by the Federal Trade Commission (FTC) are the outcome of an enquiry into how personal information should be handled in information systems. The FTC distinguishes five core principles:
1. Notice/Awareness: Subjects should be notified that personal information is being collected from them, and for what purpose, before the collection takes place.
2. Choice/Consent: Subjects should be given a choice about whether, and how, their personal information is collected and used. In practice this means an opt-in or opt-out mechanism, particularly for uses beyond the one the information was originally collected for.
3. Access/Participation: Subjects should be able to view the personal information that has been collected about them and to contest its accuracy and completeness.
4. Integrity/Security: Information collectors must take reasonable steps to ensure that the information they hold is accurate (integrity) and protected against unauthorised access, alteration, loss or disclosure (security).
5. Enforcement/Redress: To ensure that the principles are actually applied, there must be enforcement mechanisms, and a means of redress for subjects whose information has been mishandled.
The STRAP framework (Structured Analysis Framework for Privacy, Jensen et al., 2005) is an iterative process for identifying privacy vulnerabilities at every stage of software development. It has four steps:
- Design analysis: The process starts with a goal-oriented analysis of the whole system. The main actors, their goals and the major system components are identified and drawn as a tree following a dependency hierarchy (Figure 1): goals are the nodes (circles) and the actors involved in each goal are indicated by colour. For every goal, four analytical questions are asked: “What information is captured or accessed for this goal?”, “Who are the actors involved in capturing and accessing it?”, “What knowledge can be derived from this information?” and “What is done with the information afterwards?” The answers to these questions are the list of privacy vulnerabilities that the following steps work on.
- Design refinement: Once the vulnerabilities are identified, go through them one by one and decide which can be eliminated (the design is changed so that the information is not collected, derived or retained at all) and which can only be mitigated (the information stays, but a control reduces the risk). For example, if one vulnerability is that personal information has to be stored on a server from which it could be stolen, a mitigation is to keep it encrypted. Note that encryption at rest only protects against theft of the stored data; an actor who holds the key or has legitimate application access can still read it, so elimination (not storing the data, or storing less of it) is preferable wherever the goal allows.
- Evaluation: Draw up several alternative designs that satisfy the system's goals and evaluate each of them against the vulnerabilities found. Choose the alternative with the least impact on privacy.
- Iteration: As the conceptualisation of the project evolves, repeat the steps so that the set of vulnerabilities is always identified and documented. Alongside the vulnerabilities, document the assumptions made in the design. Before new features are added to the system, evaluate them and update the goal tree, adding new goals and actors as needed.
Diagram with the process of the STRAP framework
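To make the four steps concrete, the following is an added example written for this page (it is not code from Jensen et al. or from the STRAP paper). It encodes a goal tree as data, derives candidate vulnerabilities from the four analytical questions, records eliminate/mitigate decisions, scores two design alternatives, and re-analyses the tree after an elimination has been pushed back into it. The building-entry system, its actors, the sensitivity numbers, the need-to-know table and the residual-risk weights are all constructed assumptions, not part of the framework.

```python
"""STRAP-style privacy analysis over a goal tree: added example written for
this page, not code from Jensen et al.; the system, actors, sensitivities
and scoring weights are all constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Goal:
    name: str
    actors: set          # Q2: who captures or accesses information for this goal
    captures: dict       # Q1: information item -> sensitivity 1..3 (0 = not personal)
    derived: dict        # Q3: knowledge derived from that information -> sensitivity
    retention: str       # Q4: what happens afterwards: "discarded", "stored" or "shared"
    subgoals: list = field(default_factory=list)


@dataclass
class Vulnerability:
    goal: str
    item: str
    kind: str            # "exposure", "secondary_use", "inference", "over-access:<actor>"
    severity: int
    decision: str = "open"   # refined to "eliminated" or "mitigated"


def walk(root):
    """Depth-first traversal of the goal/subgoal dependency tree."""
    yield root
    for sub in root.subgoals:
        yield from walk(sub)


def analyse(root, need_to_know):
    """Design analysis: ask STRAP's four questions of every goal and turn the
    answers into candidate vulnerabilities. need_to_know maps actor -> items
    that actor genuinely requires (constructed rule set)."""
    vulns = []
    for g in walk(root):
        for item, sens in g.captures.items():
            if sens == 0:
                continue
            if g.retention == "stored":      # kept data can be stolen
                vulns.append(Vulnerability(g.name, item, "exposure", sens))
            elif g.retention == "shared":    # shared data can be repurposed
                vulns.append(Vulnerability(g.name, item, "secondary_use", sens + 1))
            for actor in sorted(g.actors):   # actor who sees more than the goal needs
                if item not in need_to_know.get(actor, set()):
                    vulns.append(Vulnerability(g.name, item, f"over-access:{actor}", sens))
        for item, sens in g.derived.items():  # inference is a vulnerability in itself
            if sens > 0:
                vulns.append(Vulnerability(g.name, item, "inference", sens))
    return vulns


def decide(vulns, decisions):
    """Design refinement: record per (kind, item) whether the vulnerability is
    eliminated (the item will no longer be captured or kept) or mitigated
    (a control such as encryption at rest is applied but the item remains)."""
    for v in vulns:
        v.decision = decisions.get((v.kind.split(":")[0], v.item), "open")
    return vulns


def privacy_impact(vulns):
    """Evaluation: score a design alternative. Mitigated vulnerabilities keep
    residual risk (encrypted data is still readable by whoever holds the key);
    only elimination removes it. Weights are a constructed convention."""
    residual = {"open": 1.0, "mitigated": 0.5, "eliminated": 0.0}
    return sum(v.severity * residual[v.decision] for v in vulns)


def drop_item(root, item):
    """Iteration: push an elimination decision back into the goal tree so the
    next analysis pass reflects the changed design."""
    for g in walk(root):
        g.captures.pop(item, None)


def example_tree():
    """Constructed system: a building-entry system with one goal and one subgoal."""
    audit = Goal("audit incidents", {"security team", "marketing"},
                 captures={"face image": 3, "entry time": 1}, derived={}, retention="shared")
    return Goal("grant building access", {"visitor", "guard"},
                captures={"badge id": 1, "face image": 3},
                derived={"presence timeline": 2}, retention="stored", subgoals=[audit])


NEED_TO_KNOW = {"visitor": {"badge id"}, "guard": {"badge id", "face image"},
                "security team": {"face image", "entry time"}, "marketing": set()}


def compare_designs():
    """Evaluate two alternatives for the same goals and return their scores."""
    # A: keep everything and encrypt the stored items (mitigation only).
    design_a = decide(analyse(example_tree(), NEED_TO_KNOW),
                      {("exposure", "badge id"): "mitigated",
                       ("exposure", "face image"): "mitigated"})
    # B: drop face images altogether and take marketing out of the audit goal.
    tree_b = example_tree()
    tree_b.subgoals[0].actors.discard("marketing")
    design_b = decide(analyse(tree_b, NEED_TO_KNOW),
                      {("exposure", "badge id"): "mitigated",
                       **{(k, "face image"): "eliminated"
                          for k in ("exposure", "secondary_use", "over-access")}})
    drop_item(tree_b, "face image")                  # iterate: apply the elimination
    remaining = analyse(tree_b, NEED_TO_KNOW)        # and re-check the updated tree
    return {"A": privacy_impact(design_a), "B": privacy_impact(design_b),
            "B_after_iteration": sorted((v.kind, v.item) for v in remaining)}


if __name__ == "__main__":
    print(compare_designs())
```

Design A only mitigates, so every vulnerability still carries residual risk and it scores far worse than design B, which eliminates the most sensitive item and removes an actor with no need to know. The final re-analysis is the Iteration step: once the elimination is applied to the tree, the face-image vulnerabilities disappear from the documented list and only the badge-id exposure, the presence-timeline inference and the shared entry time remain to be tracked.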
C. Jensen, J. Tullio, C. Potts, and E. D. Mynatt, “STRAP: A Structured Analysis Framework for Privacy,” 2005.