NSF Award
2217771
Recent years have seen a surge in privacy regulations across the globe. The main objective of these regulations is to protect user data and users’ rights by providing guidelines for organizations to follow. The assumption is that such guidelines will provide developers with a clear and concise framework for writing privacy-conscious code. However, even after the introduction of these regulatory frameworks, software regularly fails to protect user privacy. This often happens because the developer is responsible for ensuring that the legal framework is implemented correctly in the code, but writing privacy-conscious code requires developers to develop a thorough and nuanced understanding of the regulatory demands. To further such an understanding and develop solutions, this project explores the interaction between new privacy regulations and the software developers tasked with complying with them. The project team will look at how developers react to privacy regulations, analyzing discussions among developers in the face of new privacy regulations, code changes they make in response to shifting regulatory frameworks or new case laws interpreting existing regulations, and developer reactions to widely publicized privacy breaches. After identifying these interactions, this project aims to propose software development tools and methodologies to support the effective alignment of regulatory constraints and development practice.<br/><br/>The project brings together computer scientists experts in security, privacy, and usability, and legal and organizational behavior scholars with expertise in privacy law, algorithmic fairness, network consensus mechanisms, and computational linguistics. The team will study how new privacy laws are impacting software systems by examining the discussions developers are having among themselves, in public code repositories, bug tracking systems, and online fora. These discussions and related code updates in public repositories will be compared with the language of privacy used in the laws and regulations themselves, the public comments around the laws, and the broader public conversation on privacy, in order to understand privacy regulations that raise particular confusion, concerns, and errors. These comparisons will lead to a rigorous analysis of the impacts of new privacy regulations on software development and offer recommendations for improvements in terms of both regulation and software development.<br/><br/>This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
