The advent of the surveillance economy in the modern Internet has significantly transformed understandings of privacy. Governments worldwide have proposed various legislative solutions to encourage responsible behavior by companies handling personally identifiable information. However, the relationship between regulation and software design, and the ultimate efficacy of enforcement paradigms at promoting widespread compliance with data protection standards, are difficult to measure. This research leverages a combined team of legal and engineering experts to provide the first tool to systematically evaluate how privacy laws impact approaches to personally identifiable information in software development, laying the foundation for a new regulatory paradigm based on proactive, rather than reactive, models of enforcement, which rely on mass automated notifications rather than labor-intensive individual enforcement actions.

The research begins with a comprehensive study of privacy legislation, including contrasting approaches to enforcement. The investigators will then develop an automatic framework based on machine learning and program analysis to assess the impact of privacy regulations on real-world software. Lastly, the investigators will utilize the data from the previous two activities to develop conclusions on how regulatory and enforcement paradigms can be improved to develop more effective models of compliance among software developers. In addition to generating concrete lessons for improving the efficiency and efficacy of privacy legislation, the research will advance program analysis and natural language processing techniques for extracting complex software information and verifying compliance with privacy regulations.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.