Analyzing Privacy in Software

  • Feiyang Tang

Publication details

  • Supervised by: Østvold, Bjarte M.; Vinterbo, Staal Amund
  • Publisher: Norges teknisk-naturvitenskapelige universitet
  • Series: Doctoral theses at NTNU (2024:82)
  • Year: 2024
  • Issue: 2024:82
  • Number of pages: 186
  • International standard numbers:
    • Printed: 978-82-326-7757-3
  • Link:

In our increasingly digital world, a pressing concern emerges: how do we secure our privacy as we increasingly depend on software? As we navigate through apps and platforms, the complexities of data privacy become evident. Understanding the intricate flow of personal data, ensuring compliance with evolving global regulations, and developing adaptable tools for diverse software environments are paramount. This Ph.D. thesis delves deep into these challenges, offering insights and solutions that span from the granular details of code to the broader validation of privacy policies.

The first challenge is the subtlety of personal data. Legal definitions are often abstract, and translating them into technical requirements is no easy task. Identifying what constitutes personal data in a sea of code is a daunting challenge. Secondly, understanding how personal data flows within systems is crucial. With regulations like the General Data Protection Regulation (GDPR) in place, compliance checks require knowing what kind of processing personal data undergoes. Lastly, different projects have different needs. For developers doing self-analysis, a detailed examination of compiled code can reveal intricate data flows. However, for large industry projects, high-level source code analysis may be more practical for third parties to quickly gauge privacy compliance across millions of lines.

Investigations into these aspects resulted in the eight papers that are presented in this dissertation. They also led to the following additional contributions: (1) A privacy flow-graph tailored for Java and Android applications; this approach aids in the Data Protection Impact Assessment (DPIA) process. (2) A biometric data identification approach developed to pinpoint biometric API usage within Java and Android applications; this method ensures alignment with the GDPR. (3) An automatic comparison approach that addresses the collection of user interaction data in mobile apps by comparing an app's privacy policy claims with its actual code implementation. (4) An automated code review assistant that offers a method to identify and categorize relevant code segments in source code, thus reducing the manual review effort.

The contributions offer guidance for developers and legal experts, connecting the detailed aspects of software development with the clear rules of privacy regulations. These contributions can pave the way for a clearer, more streamlined, and compliant online environment, ensuring that as we use digital platforms, our privacy is always protected.
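As an added illustration of the ideas behind contributions (1) and (2), and not code from the thesis: a toy intraprocedural scan in Python that flags uses of real Android/AndroidX biometric API types in Java source and follows the resulting values to assumed sink methods. The sink method list and the sample Java class are constructed for the example.

```python
import re

# Real Android/AndroidX biometric entry points; their results are GDPR Art. 9 special-category data.
BIOMETRIC_APIS = ("android.hardware.biometrics.BiometricPrompt",
                  "androidx.biometric.BiometricPrompt",
                  "android.hardware.fingerprint.FingerprintManager")
# Assumed sink method names (where data leaves the method); extend per project.
SINK_METHODS = {"write", "send", "post", "log", "putString"}
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\].]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"(\w+)\.(\w+)\(([^()]*)\)")

def scan_java(src: str):
    """Return (imported biometric APIs, findings) for one Java source file;
    a finding is (line_no, "source" | "sink", detail)."""
    imported = [a for a in BIOMETRIC_APIS if f"import {a};" in src]
    simple = {a.rsplit(".", 1)[1] for a in imported}
    decl = re.compile(r"\b(%s)(?:\.\w+)*\s+(\w+)\b" % "|".join(map(re.escape, simple))) if simple else None
    tainted, findings = set(), []
    for no, line in enumerate(src.splitlines(), 1):
        if line.lstrip().startswith("import "):
            continue
        # 1. a variable or parameter declared with a biometric type is a source
        for _, var in (decl.findall(line) if decl else []):
            if var not in tainted:
                tainted.add(var)
                findings.append((no, "source", var))
        # 2. an assignment whose right-hand side reads a tainted variable taints its target
        m = ASSIGN.match(line)
        if m and m.group(1) not in tainted and set(re.findall(r"\w+", m.group(2))) & tainted:
            tainted.add(m.group(1))
            findings.append((no, "source", m.group(1)))
        # 3. a tainted variable passed as an argument to a sink call is reported
        for recv, meth, args in CALL.findall(line):
            if meth in SINK_METHODS and set(re.findall(r"\w+", args)) & tainted:
                findings.append((no, "sink", f"{recv}.{meth}({args})"))
    return imported, findings

# Constructed sample (not real app code, not compilable as-is).
SAMPLE = """\
import androidx.biometric.BiometricPrompt;

class AuthCallback extends BiometricPrompt.AuthenticationCallback {
    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult res) {
        byte[] token = res.getCryptoObject().getCipher().getIV();
        out.write(token);
        net.send(token);
        log.write("auth ok");
    }
}
"""
```

Running `scan_java(SAMPLE)` reports `res` and `token` as biometric-derived sources and the two calls that pass `token` out as sinks, while `log.write("auth ok")` is not flagged because it carries no tainted value.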