Software engineering for privacy in-the-large

There will be an estimated 35 zettabytes (35$times$10textsuperscript{21}) of digital records worldwide by the year 2020. This effectively amounts to privacy management on an ultra-large-scale. In this briefing, we discuss the privacy challenges posed by such an ultra-large-scale ecosystem - we term this ``Privacy in the Large''. We will contrast existing approaches to privacy management, reflect on their strengths and limitations in this regard and outline key software engineering research and practice challenges to be addressed in the future

Norm-based and commitment-driven agentification of the Internet of Things

There are no doubts that the Internet-of-Things (IoT) has conquered the ICT industry to the extent that many governments and organizations are already rolling out many anywhere,anytime online services that IoT sustains. However, like any emerging and disruptive technology, multiple obstacles are slowing down IoT practical adoption including the passive nature and privacy invasion of things. This paper examines how to empower things with necessary capabilities that would make them proactive and responsive. This means things can, for instance reach out to collaborative peers, (un)form dynamic communities when necessary, avoid malicious peers, and be “questioned” for their actions. To achieve such empowerment, this paper presents an approach for agentifying things using norms along with commitments that operationalize these norms. Both norms and commitments are specialized into social (i.e., application independent) and business (i.e., application dependent), respectively. Being proactive, things could violate commitments at run-time, which needs to be detected through monitoring. In this paper, thing agentification is illustrated with a case study about missing children and demonstrated with a testbed that uses different IoT-related technologies such as Eclipse Mosquitto broker and Message Queuing Telemetry Transport protocol. Some experiments conducted upon this testbed are also discussed

Responsible AI Pattern Catalogue: A Collection of Best Practices for AI Governance and Engineering

Responsible AI is widely considered as one of the greatest scientific challenges of our time and is key to increase the adoption of AI. Recently, a number of AI ethics principles frameworks have been published. However, without further guidance on best practices, practitioners are left with nothing much beyond truisms. Also, significant efforts have been placed at algorithm-level rather than system-level, mainly focusing on a subset of mathematics-amenable ethical principles, such as fairness. Nevertheless, ethical issues can arise at any step of the development lifecycle, cutting across many AI and non-AI components of systems beyond AI algorithms and models. To operationalize responsible AI from a system perspective, in this paper, we present a Responsible AI Pattern Catalogue based on the results of a Multivocal Literature Review (MLR). Rather than staying at the principle or algorithm level, we focus on patterns that AI system stakeholders can undertake in practice to ensure that the developed AI systems are responsible throughout the entire governance and engineering lifecycle. The Responsible AI Pattern Catalogue classifies the patterns into three groups: multi-level governance patterns, trustworthy process patterns, and responsible-AI-by-design product patterns. These patterns provide systematic and actionable guidance for stakeholders to implement responsible AI

Securing intellectual capital:an exploratory study in Australian universities

Purpose – To investigate the links between IC and the protection of data, information and knowledge in universities, as organizations with unique knowledge-related foci and challenges.Design/methodology/approach – We gathered insights from existing IC-related research publications to delineate key foundational aspects of IC, identify and propose links to traditional information security that impact the protection of IC. We conducted interviews with key stakeholders in Australian universities in order to validate these links.Findings – Our investigation revealed two kinds of embeddedness characterizing the organizational fabric of universities: (1) vertical and (2) horizontal, with an emphasis on the connection between these and IC-related knowledge protection within these institutions.Research implications – There is a need to acknowledge the different roles played by actors within the university, and the relevance of information security to IC-related preservation.Practical implications – Framing information security as an IC-related issue can help IT security managers communicate the need for knowledge security with executives in higher education, and secure funding to preserve and secure such IC-related knowledge, once its value is recognized.Originality/value – This is one of the first studies to explore the connections between data and information security and the three core components of IC’s knowledge security in the university context

Study of Fundamental Rights Limitations for Online Enforcement through Self-Regulation

The use of self-regulatory or privatized enforcement measures in the online environment can give rise to various legal issues that affect the fundamental rights of internet users. First, privatized enforcement by internet services, without state involvement, can interfere with the effective exercise of fundamental rights by internet users. Such interference may, on occasion, be disproportionate, but there are legal complexities involved in determining the precise circumstances in which this is the case. This is because, for instance, the private entities can themselves claim protection under the fundamental rights framework (e.g. the protection of property and the freedom to conduct business). Second, the role of public authorities in the development of self-regulation in view of certain public policy objectives can become problematic, but has to be carefully assessed. The fundamental rights framework puts limitations on government regulation that interferes with fundamental rights. Essentially, such limitations involve the (negative) obligation for States not to interfere with fundamental rights. Interferences have to be prescribed by law, pursue a legitimate aim and be necessary in a democratic society. At the same time, however, States are also under the (positive) obligation to take active measures in order to ensure the effective exercise of fundamental rights. In other words, States must do more than simply refrain from interference. These positive obligations are of specific interest in the context of private ordering impact on fundamental rights, but tend to be abstract and hard to operationalize in specific legal constellations. This study’s central research question is: What legal limitations follow from the fundamental rights framework for self-regulation and privatized enforcement online? It examines the circumstances in which State responsibility can be engaged as a result of selfregulation or privatized enforcement online. Part I of the study provides an overview and analysis of the relevant elements in the European and international fundamental rights framework that place limitations on privatized enforcement. Part II gives an assessment of specific instances of self-regulation or other instances of privatized enforcement in light of these elements

User evaluation of the performance of information systems

Information technologies (IT) are considered the primary survival factor for many organizations and the most critical success factor in businesses today. To justify the necessary investment in IT, user evaluation of information systems\u27 performance in organizations is a key consideration. This research investigated a comprehensive and convenient means for end users to assess this performance. Among the existing theories and models on the evaluation of information system performance based on intrinsic technological properties, the Web of System Performance (WOSP) model provides the most comprehensive basis for information system evaluation, and therefore merited further investigation. The research question was how well the eight WOSP performance criteria, namely functionality, usability, flexibility, reliability, security, extendibility, connectivity, and privacy, applied in the context of an individual evaluating one or more information systems for use by an organization. For this, it was important to show that, while these performance criteria were abstract concepts, they can be established and identified clearly, in a manner that is valid in the sense of the meaning and that users would consider important. Illustrative statements for each of the eight criteria were therefore obtained, which users were asked to evaluate. Next, it was necessary to show that users prefer the choice of the eight WOSP criteria to the current dominant instrument for evaluation when evaluating software. This was done using a preference questionnaire where subjects rated both the WOSP model and an alternative means of evaluation along various dimensions, the results being compared by statistical analysis. Finally, it was necessary to show that users rate at least three of the WOSP criteria as being important for evaluating information systems. For this, conjoint analysis was used. A browser was selected as the experimental software for this research. The results showed that users found illustrative statements clear, valid and important for the evaluation of browsers. They also preferred using the WOSP model for the evaluation of browsers over TAM, the current dominant model. Finally, while users attached different levels of importance to the various performance criteria for the selection of browsers, five of the criteria were important to a significant degree