CAREER: Privacy-Accountable Mobile Software Supply Chain

职业：隐私负责的移动软件供应链

• 批准号: 2339537
• 负责人: Xiaojing Liao
• 金额: $ 56.7万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2029-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2339537&HistoricalAwards=false
• 关键词: CAREER; Privacy; Accountable; Mobile; Software

Data protection regulations specify how personal data must be protected when used by others. Tracking and accounting for protections of data privacy has emerged as a pivotal requirement in contemporary data protection regulations. As a result, those who are responsible for using personal data, so-called data controllers, must actively enhance the privacy safeguards they provide. This project addresses the intricate challenges surrounding privacy accountability within the mobile software ecosystem, characterized by the opacity of third-party code modules, particularly third-party libraries. Existing methods for achieving privacy accountability primarily emphasize data transparency, often overlooking essential principles like data minimization and purpose limitation and facing integration challenges within mobile software development lifecycles. This research project seeks to address these limitations by presenting innovative approaches to enforce privacy accountability throughout the mobile software development process. The goal is to establish a more privacy-conscious and accountable mobile ecosystem, benefiting both users and data controllers. The outcomes of the research will contribute to educational curriculum and training to help developers achieve privacy goals plus additional outreach through workshop and bootcamp venues. The project's technical objectives are divided into three research thrusts: (1) understanding privacy accountability challenges in the mobile third-party code modules; (2) designing a privacy-accountable disclosure framework; (3) continuously enforcing privacy accountability properties in mobile software development lifecycle. The technical contribution of this research lies in advancing the socio-technical understanding of privacy non-compliance risks and accountability challenges within the mobile software supply chain. Additionally, it involves designing novel technical foundations that seamlessly integrate various methodologies and disciplines. This includes program analysis, formal methods, natural language processing, and human subject research, culminating in a privacy-accountable disclosure framework and continuous privacy accountability enforcement mechanism. These innovations are designed to be easily adoptable within the mobile software supply chain. The research will foster a holistic approach to enhancing privacy protection and accountability in mobile software development lifecycle and contribute to the creation of a safer and more privacy-conscious mobile ecosystem.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

数据保护法规规定了个人数据在被他人使用时必须如何保护。对数据隐私的保护进行跟踪和核算已成为当代数据保护法规的关键要求。因此，那些负责使用个人数据的人，即所谓的数据管制员，必须积极加强他们提供的隐私保护。该项目解决了移动软件生态系统中围绕隐私责任的复杂挑战，其特点是第三方代码模块，特别是第三方库的不透明。现有的实现隐私责任的方法主要强调数据透明度，往往忽略了数据最小化和目的限制等基本原则，并在移动软件开发生命周期中面临集成挑战。本研究项目试图通过提出在整个移动软件开发过程中加强隐私责任的创新方法来解决这些限制。目标是建立一个更具隐私意识和更负责任的移动生态系统，使用户和数据控制器都受益。研究结果将有助于教育课程和培训，以帮助开发人员实现隐私目标，并通过研讨会和训练营场所进行额外的推广。该项目的技术目标分为三个研究主题：(1)了解移动第三方代码模块中的隐私责任挑战；(2)设计隐私责任披露框架；(3)在移动软件开发生命周期中持续执行隐私责任属性。这项研究的技术贡献在于促进对移动软件供应链中的隐私、不合规风险和问责挑战的社会技术理解。此外，它还涉及设计无缝集成各种方法和学科的新型技术基础。这包括程序分析、正式方法、自然语言处理和人类主题研究，最终形成隐私责任披露框架和持续的隐私责任执行机制。这些创新设计为便于在移动软件供应链中采用。这项研究将促进在移动软件开发生命周期中加强隐私保护和责任的整体方法，并有助于创建一个更安全、更具隐私意识的移动生态系统。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。