Privacy Policy Ontology

Government regulations increasingly require mobile and web-based application (app) companies to standardize their data practices concerning the collection, use, and sharing of various types of information. A summary of these practices are communicated to users through online privacy policies. The challenge of acquiring requirements from data practice descriptions, however, is that privacy policies often contain ambiguities. Abstract and ambiguous terminology in requirements statements concerning information types (e.g., "we collect your device information"), can reduce shared understanding among app developers, policy writers, and users. To address this challenge, we propose a syntax-driven method that first parses a given information type phrase (e.g. mobile device identifier) into its constituents using a context-free grammar and second infers semantic relationships between constituents using semantic rules. The inferred semantic relationships between a given phrase and its constituents generate a hierarchy that models the generality and ambiguity of phrases. Through this method, we infer relations from a lexicon consisting of a set of information type phrases to populate a partial ontology. The resulting ontology is a knowledge graph that can be used to guide requirements authors in the selection of the most appropriate information type terms. We evaluate the method’s performance using two criteria: (1) expert assessment of relations between information types; and (2) non-expert preferences for relations between information types. The results suggest performance improvement when compared to a previously proposed method. We also evaluate the reliability of the method considering the information types extracted from different data practices (e.g., collection, usage, sharing, etc.) in privacy policies for mobile or web-based apps in various app domains. This data repository contains lexicons and ontologies that we used to construct and evaluate our method.

随着政府法规的日益严格，移动和基于网络的（app）公司被要求标准化其在收集、使用和共享各种类型信息方面的数据实践。这些实践通过在线隐私政策向用户传达。然而，从数据实践描述中获取要求所面临的挑战是，隐私政策往往包含模糊性。在关于信息类型（例如，“我们收集您的设备信息”）的要求陈述中，抽象和模糊的术语可能会降低应用开发者、政策制定者和用户之间的共同理解。为了应对这一挑战，我们提出了一种基于语法的解析方法，首先使用上下文无关文法将给定的信息类型短语（例如，移动设备标识符）解析为其组成部分，然后使用语义规则推断组成部分之间的语义关系。给定短语及其组成部分之间的推断语义关系生成一个层次结构，该结构模拟了短语的普遍性和模糊性。通过此方法，我们从由一组信息类型短语组成的词汇表中推断关系，以填充部分本体。由此产生的本体是一个知识图谱，可用于指导要求作者在选择最合适的信息类型术语时的决策。我们使用两个标准来评估该方法的表现：一是对信息类型之间关系的专家评估；二是非专家对信息类型之间关系的偏好。结果表明，与先前提出的方法相比，性能有所提升。我们还评估了该方法在不同应用领域（例如，收集、使用、共享等）的移动或基于网络的app隐私政策中提取的信息类型时的可靠性。此数据仓库包含我们构建和评估方法所使用的词汇表和本体。