Book Chapters

Behavioral Advertising Ethics
Aaron K. Massey and Annie I. Antón
Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives
Dr. Melissa Dark, ed., 2010, pp. 162-182.

Abstract: Behavioral advertising is a method for targeting advertisements to individuals based on behavior profiles, which are created by tracking user behavior over a period of time. Individually targeted advertising can significantly improve the effectiveness of advertising. However, behavioral advertising may have serious implications for civil liberties such as privacy. In this chapter, we describe behavioral advertising ethics within the context of technological development, political and legal concerns, and traditional advertising practices. First, we discuss the developmental background of behavioral advertising technologies, focusing on web-based technologies and deep packet inspection. Then, we consider the ethical implications with a primary focus on privacy of behavioral advertising technologies. Next, we overview traditional market research approaches taken to advertising ethics. Following that, we discuss the legal ethics of behavioral advertising. Finally, we summarize these cross-disciplinary concerns and provide some discussion on points of interest for future research.


Evaluating Existing Security and Privacy Requirements for Legal Compliance
Aaron K. Massey, Paul N. Otto, Lauren J. Hayward, and Annie I. Antón
Requirements Engineering: Volume 15, Issue 1, 2010, pp. 119-137.

Abstract: Governments enact laws and regulations to safeguard the security and privacy of their citizens. In response, requirements engineers must specify compliant system requirements to satisfy applicable legal security and privacy obligations. Specifying legally compliant requirements is challenging because legal texts are complex and ambiguous by nature. In this paper, we discuss our evaluation of the requirements for iTrust, an open-source Electronic Health Records system, for compliance with legal requirements governing security and privacy in the healthcare domain. We begin with an overview of the method we developed, using existing requirements engineering techniques, and then summarize our experiences in applying our method to the iTrust system. We illustrate some of the challenges that practitioners face when specifying requirements for a system that must comply with law and close with a discussion of needed future research focusing on security and privacy requirements.


Assessing the Accuracy of Legal Implementation Readiness Decisions
Aaron K. Massey, Ben Smith, Paul N. Otto, and Annie I. Antón
19th IEEE International Requirements Engineering Conference
Trento, Italy, September 2011.

Abstract: Software engineers regularly build systems that are required to comply with laws and regulations. To this end, software engineers must determine which requirements have met or exceeded their legal obligations and which requirements have not. Requirements that have met or exceeded their legal obligations are legally implementation ready, whereas requirements that have not met or exceeded their legal obligations need further refinement. Research is needed to better understand how to support software engineers in making these determinations. In this paper, we describe a case study in which we asked graduate-level software engineering students to assess whether a set of software requirements for an electronic health record system met or exceeded their corresponding legal obligations as expressed in regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA). We compare the assessment made by graduate students with an assessment made by HIPAA compliance subject matter experts. Additionally, we contrast these results with those generated by a legal requirements triage algorithm. Our findings suggest that the average graduate-level software engineering student is ill-prepared to write legally compliant software with any confidence and that domain experts are an absolute necessity. Our findings also indicate the potential utility of legal requirements metrics in aiding software engineers as they make legal compliance decisions.


Prioritizing Legal Requirements
Aaron K. Massey, Paul N. Otto, and Annie I. Antón
Second International Workshop on Requirements Engineering and Law
Atlanta, Georgia, September 2009.

Abstract: Requirements prioritization is used in the early phases of software development to determine the order in which requirements should be implemented. Requirements are not all equally important to the final software system because time constraints, expense, and design can each raise the urgency of implementing some requirements before others. Laws and regulations can make requirements prioritization particularly challenging due to the high costs of noncompliance and the substantial amount of domain knowledge needed to make prioritization decisions. In the context of legal requirements, implementation order ideally should be influenced by the laws and regulations governing a given software system. In this paper, we present a prioritization technique for legal requirements. We apply our technique on a set of 63 functional requirements for an open-source electronic health records system that must comply with the U.S. Health Insurance Portability and Accountability Act.

A Requirements-based Comparison of Privacy Taxonomies
Aaron K. Massey and Annie I. Antón
First International Workshop on Requirements Engineering and Law
Barcelona, Spain, September 2008.

Abstract: Understanding the nature of privacy regulation is a challenge that requirements engineers face when building software systems in financial, healthcare, government, or other sensitive industries. Requirements engineers have begun to model privacy requirements based on taxonomic classifications of privacy. Independently, legal research has modeled privacy harms in a taxonomic fashion. In this paper, we compare a requirements engineering taxonomy of privacy protections and vulnerabilities to a legal taxonomy of privacy harms. We seek to determine the extent to which the concepts and terminology are consistent between the two taxonomies. A consistent, standard vocabulary for privacy concepts for both requirements engineers and lawyers will improve the common understanding of privacy concepts, legal traceability and compliance auditing. We conclude that the taxonomies we analyzed are reasonably compatible. We believe this compatibility indicates that a taxonomic understanding of privacy is a promising area of research for requirements engineers.


Aligning Requirements with HIPAA in the iTrust System
Aaron K. Massey, Paul N. Otto, and Annie I. Antón
16th IEEE International Requirements Engineering Conference
Barcelona, Spain, September 2008.

Abstract: We describe a case study in which we evaluated an open-source Electronic Health Record (EHR) system’s requirements for compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). Our findings suggest that legal compliance must be requirements-driven, while establishing due diligence under the law must be test-driven.

Copyright Notice:

Papers published by the Institute of Electrical and Electronics Engineers, Inc. (IEEE) are Copyright © 2008-2012 by IEEE. Personal use of this material is permitted. However, permission to reprint or republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Papers published by the Association for Computing Machinery, Inc. (ACM) are Copyright © 2008-2012 by ACM. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of publication and its date appear, and notice is given that copying is by permission of ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee.