Privacy Bills of Materials: A Transparent Privacy Information Inventory for Collaborative Privacy Notice Generation in Mobile App Development

TL;DR

This paper introduces PriBOM, a systematic approach that leverages development team roles and static analysis to improve privacy notice creation and transparency in mobile app development.

Contribution

The paper presents PriBOM, a novel framework for capturing and coordinating privacy information among development teams to enhance privacy documentation and notices.

Findings

PriBOM improves privacy notice accuracy and transparency.

Human evaluation shows PriBOM's perceived usefulness.

PriBOM supports privacy compliance in DevOps for mobile apps.

Abstract

Privacy regulations mandate that developers must provide authentic and comprehensive privacy notices, e.g., privacy policies or labels, to inform users of their apps' privacy practices. However, due to a lack of knowledge of privacy requirements, developers often struggle to create accurate privacy notices, especially for sophisticated mobile apps with complex features and in crowded development teams. To address these challenges, we introduce Privacy Bills of Materials (PriBOM), a systematic software engineering approach that leverages different development team roles to better capture and coordinate mobile app privacy information. PriBOM facilitates transparency-centric privacy documentation and specific privacy notice creation, enabling traceability and trackability of privacy practices. We present a pre-fill of PriBOM based on static analysis and privacy notice analysis techniques. We demonstrate the perceived usefulness of PriBOM through a human evaluation with 150 diverse participants. Our findings suggest that PriBOM could serve as a significant solution for providing privacy support in DevOps for mobile apps.