{"id":"https://openalex.org/W4388925638","doi":"https://doi.org/10.1145/3603216.3624962","title":"From Privacy Policies to Privacy Threats: A Case Study in Policy-Based Threat Modeling","display_name":"From Privacy Policies to Privacy Threats: A Case Study in Policy-Based Threat Modeling","publication_year":2023,"publication_date":"2023-11-23","ids":{"openalex":"https://openalex.org/W4388925638","doi":"https://doi.org/10.1145/3603216.3624962"},"language":"en","primary_location":{"id":"doi:10.1145/3603216.3624962","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3603216.3624962","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://lirias.kuleuven.be/retrieve/29c7e62b-91e2-4f4f-8cf4-21c05c5e89d6","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5050616031","display_name":"Yana Dimova","orcid":"https://orcid.org/0000-0001-6558-2062"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Yana Dimova","raw_affiliation_strings":["KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0001-6558-2062","affiliations":[{"raw_affiliation_string":"KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5093320909","display_name":"Mrunmayee Kode","orcid":"https://orcid.org/0009-0006-3816-3675"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Mrunmayee Kode","raw_affiliation_strings":["KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0009-0006-3816-3675","affiliations":[{"raw_affiliation_string":"KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5060869114","display_name":"Shirin Kalantari","orcid":"https://orcid.org/0000-0002-1188-1590"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Shirin Kalantari","raw_affiliation_strings":["KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-1188-1590","affiliations":[{"raw_affiliation_string":"KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055245410","display_name":"Kim Wuyts","orcid":"https://orcid.org/0000-0002-0950-9490"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Kim Wuyts","raw_affiliation_strings":["KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-0950-9490","affiliations":[{"raw_affiliation_string":"KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5054031138","display_name":"Wouter Joosen","orcid":"https://orcid.org/0000-0002-7710-5092"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Wouter Joosen","raw_affiliation_strings":["KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-7710-5092","affiliations":[{"raw_affiliation_string":"KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5111139756","display_name":"Jan Tobias M\u00fchlberg","orcid":null},"institutions":[{"id":"https://openalex.org/I132053463","display_name":"Universit\u00e9 Libre de Bruxelles","ror":"https://ror.org/01r9htc13","country_code":"BE","type":"education","lineage":["https://openalex.org/I132053463"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Jan Tobias M\u00fchlberg","raw_affiliation_strings":["Universit\u00e9 libre de Bruxelles, Brussels, Belgium"],"raw_orcid":"https://orcid.org/0000-0001-5035-0576","affiliations":[{"raw_affiliation_string":"Universit\u00e9 libre de Bruxelles, Brussels, Belgium","institution_ids":["https://openalex.org/I132053463"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.9238,"has_fulltext":true,"cited_by_count":5,"citation_normalized_percentile":{"value":0.75405472,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"17","last_page":"29"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.9951000213623047,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/privacy-by-design","display_name":"Privacy by Design","score":0.6745918393135071},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.6464207172393799},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6416528224945068},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5829582810401917},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.5799420475959778},{"id":"https://openalex.org/keywords/privacy-policy","display_name":"Privacy policy","score":0.565864622592926},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.5525074005126953},{"id":"https://openalex.org/keywords/privacy-software","display_name":"Privacy software","score":0.5159995555877686},{"id":"https://openalex.org/keywords/perspective","display_name":"Perspective (graphical)","score":0.5049822926521301},{"id":"https://openalex.org/keywords/european-union","display_name":"European union","score":0.45690053701400757},{"id":"https://openalex.org/keywords/personally-identifiable-information","display_name":"Personally identifiable information","score":0.44891130924224854},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.2450442910194397}],"concepts":[{"id":"https://openalex.org/C193934123","wikidata":"https://www.wikidata.org/wiki/Q7246028","display_name":"Privacy by Design","level":3,"score":0.6745918393135071},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.6464207172393799},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6416528224945068},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5829582810401917},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.5799420475959778},{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.565864622592926},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.5525074005126953},{"id":"https://openalex.org/C509729295","wikidata":"https://www.wikidata.org/wiki/Q7246032","display_name":"Privacy software","level":3,"score":0.5159995555877686},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.5049822926521301},{"id":"https://openalex.org/C2910001868","wikidata":"https://www.wikidata.org/wiki/Q458","display_name":"European union","level":2,"score":0.45690053701400757},{"id":"https://openalex.org/C169093310","wikidata":"https://www.wikidata.org/wiki/Q3702971","display_name":"Personally identifiable information","level":2,"score":0.44891130924224854},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.2450442910194397},{"id":"https://openalex.org/C105639569","wikidata":"https://www.wikidata.org/wiki/Q582577","display_name":"Economic policy","level":1,"score":0.0},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3603216.3624962","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3603216.3624962","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"},{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/725527","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/725527","pdf_url":"https://lirias.kuleuven.be/retrieve/29c7e62b-91e2-4f4f-8cf4-21c05c5e89d6","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Workshop on Privacy in the Electronic Society, Copenhagen, Denmark, 26 November 2023","raw_type":"info:eu-repo/semantics/acceptedVersion"},{"id":"pmh:oai:dipot.ulb.ac.be:2013/388445","is_oa":false,"landing_page_url":"http://hdl.handle.net/2013/ULB-DIPOT:oai:dipot.ulb.ac.be:2013/388445","pdf_url":null,"source":{"id":"https://openalex.org/S4306401063","display_name":"D\u00e9p\u00f4t institutionnel de l'Universit\u00e9 libre de Bruxelles (Universit\u00e9 Libre de Bruxelles)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I132053463","host_organization_name":"Universit\u00e9 Libre de Bruxelles","host_organization_lineage":["https://openalex.org/I132053463"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"In: WPES '23: Proceedings of the 22nd Workshop on Privacy in the Electronic Society. Association for Computing Machinery, New York","raw_type":"info:ulb-repo/semantics/openurl/proceeding"}],"best_oa_location":{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/725527","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/725527","pdf_url":"https://lirias.kuleuven.be/retrieve/29c7e62b-91e2-4f4f-8cf4-21c05c5e89d6","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Workshop on Privacy in the Electronic Society, Copenhagen, Denmark, 26 November 2023","raw_type":"info:eu-repo/semantics/acceptedVersion"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.7599999904632568}],"awards":[],"funders":[{"id":"https://openalex.org/F4320318621","display_name":"Waalse Gewest","ror":null},{"id":"https://openalex.org/F4320322308","display_name":"KU Leuven","ror":"https://ror.org/05f950310"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4388925638.pdf","grobid_xml":"https://content.openalex.org/works/W4388925638.grobid-xml"},"referenced_works_count":22,"referenced_works":["https://openalex.org/W572872720","https://openalex.org/W2060692877","https://openalex.org/W2116560806","https://openalex.org/W2208157769","https://openalex.org/W2535603283","https://openalex.org/W2724725557","https://openalex.org/W2744999500","https://openalex.org/W2788364416","https://openalex.org/W2885362917","https://openalex.org/W2945755626","https://openalex.org/W2999830435","https://openalex.org/W3012939329","https://openalex.org/W3049637327","https://openalex.org/W3080917700","https://openalex.org/W3094287401","https://openalex.org/W3100012422","https://openalex.org/W3135764500","https://openalex.org/W3154337097","https://openalex.org/W3176805682","https://openalex.org/W3179937365","https://openalex.org/W4307823782","https://openalex.org/W4362452929"],"related_works":["https://openalex.org/W2116878667","https://openalex.org/W3042284153","https://openalex.org/W2994243660","https://openalex.org/W2127837371","https://openalex.org/W2118333568","https://openalex.org/W2132024542","https://openalex.org/W2154524064","https://openalex.org/W576625533","https://openalex.org/W2465865879","https://openalex.org/W4247085996"],"abstract_inverted_index":{"Privacy":[0],"threat":[1,71,101,117],"modeling":[2,72,102,118],"is":[3],"a":[4,14,17,25,89,112,123],"systematic":[5],"approach":[6,79,161],"to":[7,43,67,80,95,168],"assess":[8],"potential":[9],"privacy":[10,22,93,116,173],"risks":[11,174],"which":[12,35],"are":[13],"consequence":[15],"of":[16,28,64,122,154],"given":[18],"system":[19,29,54,97,110],"design.":[20],"Eliciting":[21],"threats":[23,135],"requires":[24],"detailed":[26],"understanding":[27],"components":[30,37],"and":[31,73,99,132,147,156,159],"the":[32,53,61,106,120,128,144,152],"ways":[33],"in":[34,70,139],"these":[36],"interact.":[38],"This":[39],"makes":[40],"it":[41],"hard":[42],"impossible":[44],"for":[45,115],"any":[46],"user,":[47],"e.g.,":[48],"parties":[49],"who":[50],"interact":[51],"with":[52,137],"but":[55],"do":[56],"not":[57],"possess":[58],"knowledge":[59,167],"about":[60],"inner":[62],"workings":[63],"that":[65],"system,":[66],"meaningfully":[68],"engage":[69],"risk":[74],"assessment.":[75],"We":[76,104,126],"explore":[77],"an":[78],"address":[81],"this":[82],"problem":[83],"by":[84],"relying":[85],"on":[86],"information":[87],"from":[88,119],"system's":[90],"publicly":[91],"available":[92],"policies":[94],"derive":[96],"models":[98],"apply":[100,127],"analyses.":[103],"chose":[105],"WhatsApp":[107],"instant":[108],"messaging":[109],"as":[111],"case":[113],"study":[114,150],"perspective":[121],"\"regular\"":[124],"user.":[125],"LINDDUN":[129],"GO":[130],"methodology":[131],"evaluate":[133],"how":[134],"evolved":[136],"time":[138],"two":[140],"significant":[141],"territorial":[142],"areas,":[143],"European":[145],"Union":[146],"India.":[148],"Our":[149],"illustrates":[151],"impact":[153],"regulations":[155],"court":[157],"cases":[158],"our":[160],"may":[162],"aid":[163],"practitioners":[164],"without":[165],"inside":[166],"make":[169],"informed":[170],"choices":[171],"regarding":[172],"when":[175],"adopting":[176],"third-party":[177],"services.":[178]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2023-11-23T00:00:00"}