Automated Software Analysis for Privacy Policy Compliance

Privacy of data collected and processed online has become more relevant in the last 20 years. Due to the rise of the Internet, online marketing, and advertisement, consumer data has become a very valuable resource. In recent years laws have been introduced in multiple jurisdictions to regulate the processing of these data. The businesses and websites which use this information must comply with these laws. Currently, the processes for checking and analysing software compliance with policy requirements are still highly human-dependent. In this thesis, we analyse previous work in automatic software compliance with privacy requirements. We selected PrivGuard, an existing framework, and we conducted extensive experiments with that framework to assess its ability to automate software compliance verification [https://www.usenix.org/system/files/sec22-wang-lun.pdf]. The goals of this thesis are twofold. First, we select today’s two most popular privacy regulations, namely CPRA and GDPR ([https://cpra.gtlaw.com/cpra-full-text/], [https://gdpr-info.eu/]) and we write formal specifications of those regulations in PrivGuard. Next, we identify three software benchmarks that explicitly, store and manipulate personal consumer information, and we analyse those with PrivGuard’s analysis tool, called PrivAnalyzer. Finally, we assess the effectiveness of PrivGuard and PrivAnalyzer concerning the specification and verification of privacy policies. We also identify ways in which these tools can be improved to increase their effectiveness.