CAREER: Privacy-Accountable Mobile Software Supply Chain

职业：隐私负责的移动软件供应链

• 批准号: 2339537
• 负责人: Xiaojing Liao
• 金额: $ 56.7万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2029-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2339537&HistoricalAwards=false
• 关键词: CAREER; Privacy; Accountable; Mobile; Software

Data protection regulations specify how personal data must be protected when used by others. Tracking and accounting for protections of data privacy has emerged as a pivotal requirement in contemporary data protection regulations. As a result, those who are responsible for using personal data, so-called data controllers, must actively enhance the privacy safeguards they provide. This project addresses the intricate challenges surrounding privacy accountability within the mobile software ecosystem, characterized by the opacity of third-party code modules, particularly third-party libraries. Existing methods for achieving privacy accountability primarily emphasize data transparency, often overlooking essential principles like data minimization and purpose limitation and facing integration challenges within mobile software development lifecycles. This research project seeks to address these limitations by presenting innovative approaches to enforce privacy accountability throughout the mobile software development process. The goal is to establish a more privacy-conscious and accountable mobile ecosystem, benefiting both users and data controllers. The outcomes of the research will contribute to educational curriculum and training to help developers achieve privacy goals plus additional outreach through workshop and bootcamp venues. The project's technical objectives are divided into three research thrusts: (1) understanding privacy accountability challenges in the mobile third-party code modules; (2) designing a privacy-accountable disclosure framework; (3) continuously enforcing privacy accountability properties in mobile software development lifecycle. The technical contribution of this research lies in advancing the socio-technical understanding of privacy non-compliance risks and accountability challenges within the mobile software supply chain. Additionally, it involves designing novel technical foundations that seamlessly integrate various methodologies and disciplines. This includes program analysis, formal methods, natural language processing, and human subject research, culminating in a privacy-accountable disclosure framework and continuous privacy accountability enforcement mechanism. These innovations are designed to be easily adoptable within the mobile software supply chain. The research will foster a holistic approach to enhancing privacy protection and accountability in mobile software development lifecycle and contribute to the creation of a safer and more privacy-conscious mobile ecosystem.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

数据保护法规规定了其他人使用个人数据时必须如何保护。数据隐私保护的跟踪和核算已成为当代数据保护法规的关键要求。因此，负责使用个人数据的人（即所谓的数据控制者）必须积极加强他们提供的隐私保护。该项目解决了移动软件生态系统中围绕隐私责任的复杂挑战，其特点是第三方代码模块（尤其是第三方库）的不透明性。实现隐私问责的现有方法主要强调数据透明度，往往忽视数据最小化和目的限制等基本原则，并面临移动软件开发生命周期内的集成挑战。该研究项目旨在通过提出创新方法来解决这些限制，以在整个移动软件开发过程中加强隐私责任。目标是建立一个更加注重隐私和负责任的移动生态系统，使用户和数据控制者都受益。研究成果将有助于教育课程和培训，帮助开发人员实现隐私目标，并通过研讨会和训练营场所进行额外的宣传。该项目的技术目标分为三个研究重点：（1）了解移动第三方代码模块中的隐私责任挑战； (2) 设计隐私负责任的披露框架； (3) 在移动软件开发生命周期中不断强化隐私责任属性。这项研究的技术贡献在于促进了对移动软件供应链中隐私不合规风险和责任挑战的社会技术理解。此外，它还涉及设计无缝集成各种方法和学科的新颖技术基础。这包括程序分析、形式化方法、自然语言处理和人类受试者研究，最终形成隐私问责披露框架和持续隐私问责执行机制。这些创新旨在在移动软件供应链中轻松采用。该研究将采用整体方法来加强移动软件开发生命周期中的隐私保护和问责制，并有助于创建更安全、更具隐私意识的移动生态系统。该奖项反映了 NSF 的法定使命，并通过使用评估结果被认为值得支持。基金会的智力价值和更广泛的影响审查标准。