Protecting privacy in system design: the electronic voting case

The purpose of the paper is to present Privacy Safeguard (PriS) a formal security requirements engineering methodology which, incorporates privacy requirements in the system design process and to demonstrate its applicability in an e‐voting case.

PriS provides a methodological framework for addressing privacy‐related issues during system development. It provides a set of concepts for formally expressing privacy requirements (authentication, authorisation, identification, data protection, anonymity, pseudonymity, unlinkability and unobservability) and a systematic way‐of‐working for translating these requirements into system models. The main activities of the PriS way‐of‐working are: elicit privacy‐related goals, analyse the impact of privacy goals on processes, model affected processes using privacy process patterns and identify the technique(s) that best support/implement the above‐process patterns.

Analysis of a number of well known privacy‐enhancing technologies, as well as of existing security requirement engineering methodologies, pinpoints the gap between system design methodologies and technological solutions. To this end, PriS provides an integrated approach for matching privacy‐related requirements to proper implementation techniques. Experimentation with the e‐voting case suggests that PriS has a high degree of applicability on internet systems that wish to provide services that ensure users privacy, such as anonymous browsing, untraceable transactions, etc.

The paper proposes a new methodology for addressing privacy requirements during the design process. Instead of prescribing a single solution, PriS guides developers to choose the most appropriate implementation techniques for realizing the identified privacy issues. In addition, due to its formal definition it facilitates control of the accuracy and precision of the results and enables the development of automated tools for assisting its application.