Reducing Privacy Code Review Overhead With Privacy-Relevant Methods

:::info
Authors:

Feiyang Tang
Bjarte M. Østvold

:::

Table Of Links

Abstract

1 Introduction

2 Background

3 Privacy-Relevant Methods

4 Identifying API Privacy-relevant Methods

5 Labels for Personal Data Processing

6 Process of Identifying Personal Data

7 Data-based Ranking of Privacy-relevant Methods

8 Application to Privacy Code Review

9 Related Work

Conclusion, Future Work, Acknowledgement And References

Abstract

Privacy code review is a critical process that enables developers and legal experts to ensure compliance with data protection regulations. However, the task is challenging due to resource constraints. To address this, we introduce the concept of privacy-relevant methods — specific methods in code that are directly involved in the processing of personal data. We then present an automated approach to assist in code review by identifying and categorizing these privacy-relevant methods in source code. Using static analysis, we identify a set of methods based on their occurrences in 50 commonly used libraries.

We then rank these methods according to their frequency of invocation with actual personal data in the top 30 GitHub applications. The highest-ranked methods are the ones we designate as privacy-relevant in practice. For our evaluation, we examined 100 opensource applications and found that our approach identifies fewer than 5% of the methods as privacy-relevant for personal data processing. This reduces the time required for code reviews. Case studies on Signal Desktop and Cal.com further validate the effectiveness of our approach in aiding code reviewers to produce enhanced reports that facilitate compliance with privacy regulations.

Introduction

In the realm of software development, privacy code reviews have become indispensable, especially with the advent of stringent data protection regulations like the General Data Protection Regulation (GDPR). Unlike security code reviews, which focus on existing security flaws or vulnerabilities, privacy code reviews are concerned with the ethical and lawful handling of personal data. Although there may be overlaps, such as in access control, the primary objectives of these two types of reviews are distinct: security reviews aim to prevent unauthorized access, while privacy reviews aim for compliance with data protection principles. Privacy code reviews involve a systematic process where source code is inspected to trace the flow of personal data.

Equipped with program analysis tools, reviewers categorize these flows and detail how personal data is processed. This analysis serves as a comprehensive guide for compliance checks and aids Data Protection Officers (DPOs) in fulfilling their responsibilities. The process is illustrated in Figure 1. However, the challenge arises from the complexity and sheer volume of modern codebases, making it difficult to identify instances where personal data is processed.

Recent studies [6, 7] have examined tools for identifying personal data, but less focus has been placed on data that is dynamically changing or in active use. While categorizations exist for personal data itself, taxonomies of the processing code are lacking. Developing a understanding of the diverse ways data can be handled would illuminate processing activities and facilitate compliance reporting like records of processing activities (ROPA) and data protection impact assessments (DPIA). Since reviewing entire codebases is time-consuming, targeting reports to highlight the most relevant aspects could better serve reviewers and streamline the compliance process. The goal should be

providing clarity on key data handling activities without getting lost in an elaborate labeling framework. In light of these challenges, we propose an automated approach to enhance the efficiency and effectiveness of privacy code reviews. Our approach focuses on identifying privacy-relevant methods — specifically, Java methods or JavaScript functions commonly found in popular libraries — that are involved in the processing of personal data. By doing so, we can pinpoint instances in real-world applications where these privacy-relevant methods are invoked to handle personal data.

This paper addresses the following research questions:

How to identify privacy-relevant methods in commonly used libraries that potentially process personal data?
How to categorize such privacy-relevant methods based on their actual usage in real-world applications? To answer these questions, we make the following contributions:
We present a novel static analysis technique specifically designed to identify methods in source code that are involved in the processing of personal data. (Section 4)
We develop a set of labels for categorizing personal data and the methods that process them, thereby providing a structured approach to understanding how personal data is processed in code. (Sections 5 and 6)
We apply our approach to a set of popular open-source applications. Through this, we rank privacy-relevant methods based on their frequency of occurrence, thereby identifying those that are most critical for privacy considerations. (Section 7)
We provide insights to code reviewers by highlighting frequently used methods relevant to privacy, based on our large-scale study and specific case studies. This approach streamlines the review process, enabling a more focused and efficient identification of potential privacy risks. (Section 8) Our evaluation of 100 open-source applications indicates that our approach identifies fewer than 5% of methods involved in personal data processing as privacy-relevant methods. This enables reviewers to focus only on the identified relevant code, thereby expediting privacy code reviews.