Formalising privacy regulations with bigraphs.

IF 3.2 3区计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Software and Systems Modeling Pub Date : 2026-01-01 Epub Date: 2025-06-24 DOI:10.1007/s10270-025-01293-2

Ebtihal Althubiti, Blair Archibald, Michele Sevegnani

{"title":"Formalising privacy regulations with bigraphs.","authors":"Ebtihal Althubiti, Blair Archibald, Michele Sevegnani","doi":"10.1007/s10270-025-01293-2","DOIUrl":null,"url":null,"abstract":"With many governments regulating the handling of user data-the General Data Protection Regulation, the California Consumer Privacy Act, and the Saudi Arabian Personal Data Protection Law-ensuring systems comply with data privacy legislation is of high importance. Checking compliance is a tricky process and often includes many manual elements. We propose that formal methods, that model systems mathematically, can provide strong guarantees to help companies prove their adherence to legislation. To increase usability we advocate a diagrammatic approach, based on bigraphical reactive systems, where privacy experts can explicitly visualise the systems and describe updates, via rewrite rules, that describe system behaviour. The rewrite rules allow flexibility in integrating privacy policies with user-specified systems. We focus on modelling notions of providing consent, withdrawing consent, purpose limitations, the right to access and sharing data with third parties, and define privacy properties that we want to prove within the systems. Properties are expressed using the computation tree logic and proved using model checking. To show the generality of the proposed framework, we apply it to two examples: a bank notification system, inspired by Monzo's privacy policy, and a cloud-based home healthcare system based on the Fitbit app's privacy policy.","PeriodicalId":49507,"journal":{"name":"Software and Systems Modeling","volume":"25 2","pages":"487-513"},"PeriodicalIF":3.2000,"publicationDate":"2026-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12996049/pdf/","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Software and Systems Modeling","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10270-025-01293-2","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2025/6/24 0:00:00","PubModel":"Epub","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

With many governments regulating the handling of user data-the General Data Protection Regulation, the California Consumer Privacy Act, and the Saudi Arabian Personal Data Protection Law-ensuring systems comply with data privacy legislation is of high importance. Checking compliance is a tricky process and often includes many manual elements. We propose that formal methods, that model systems mathematically, can provide strong guarantees to help companies prove their adherence to legislation. To increase usability we advocate a diagrammatic approach, based on bigraphical reactive systems, where privacy experts can explicitly visualise the systems and describe updates, via rewrite rules, that describe system behaviour. The rewrite rules allow flexibility in integrating privacy policies with user-specified systems. We focus on modelling notions of providing consent, withdrawing consent, purpose limitations, the right to access and sharing data with third parties, and define privacy properties that we want to prove within the systems. Properties are expressed using the computation tree logic and proved using model checking. To show the generality of the proposed framework, we apply it to two examples: a bank notification system, inspired by Monzo's privacy policy, and a cloud-based home healthcare system based on the Fitbit app's privacy policy.

Abstract Image

查看原文本刊更多论文

用图表形式化隐私法规。

由于许多政府都在规范用户数据的处理——《通用数据保护条例》、《加州消费者隐私法》和《沙特阿拉伯个人数据保护法》——确保系统符合数据隐私立法是非常重要的。检查遵从性是一个棘手的过程，通常包括许多手工元素。我们建议，正式的方法，即数学模型系统，可以提供强有力的保证，帮助公司证明他们遵守法律。为了提高可用性，我们提倡一种基于图形反应系统的图解方法，隐私专家可以通过重写描述系统行为的规则，明确地将系统可视化并描述更新。重写规则允许灵活地将隐私策略与用户指定的系统集成在一起。我们专注于提供同意、撤回同意、目的限制、访问和与第三方共享数据的权利等概念的建模，并定义我们想要在系统中证明的隐私属性。属性用计算树逻辑表示，用模型检验证明。为了展示所提出框架的通用性，我们将其应用于两个例子：受Monzo隐私政策启发的银行通知系统，以及基于Fitbit应用程序隐私政策的基于云的家庭医疗保健系统。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Software and Systems Modeling 工程技术-计算机：软件工程

CiteScore

6.00

自引率

20.00%

发文量

104

审稿时长

>12 weeks

期刊介绍： We invite authors to submit papers that discuss and analyze research challenges and experiences pertaining to software and system modeling languages, techniques, tools, practices and other facets. The following are some of the topic areas that are of special interest, but the journal publishes on a wide range of software and systems modeling concerns: Domain-specific models and modeling standards; Model-based testing techniques; Model-based simulation techniques; Formal syntax and semantics of modeling languages such as the UML; Rigorous model-based analysis; Model composition, refinement and transformation; Software Language Engineering; Modeling Languages in Science and Engineering; Language Adaptation and Composition; Metamodeling techniques; Measuring quality of models and languages; Ontological approaches to model engineering; Generating test and code artifacts from models; Model synthesis; Methodology; Model development tool environments; Modeling Cyberphysical Systems; Data intensive modeling; Derivation of explicit models from data; Case studies and experience reports with significant modeling lessons learned; Comparative analyses of modeling languages and techniques; Scientific assessment of modeling practices