Privacy by Evidence: A Methodology to develop privacy-friendly software applications

In an increasingly connected world, a diversity of data is collected from the environment and its inhabitants. Because of the richness of the information, privacy becomes an important requirement. Although there are principles and rules, there is still a lack of methodologies to guide the integration of privacy guidelines into the development process. Methodologies like the Privacy by Design (PbD) are still vague and leave many open questions on how to apply them in practice. In this work we propose a new concept, called Privacy by Evidence (PbE), in the form of a software development methodology to provide privacy-awareness. Given the difficulty in providing total privacy in many applications, we propose to document the mitigations in form of evidences of privacy, aiming to increase the confidence of the project. To validate its effectiveness, PbE has been used during the development of four case studies: a smart metering application; a people counting and monitoring application; an energy efficiency monitoring system; and a two factor authentication system. For these applications, the teams were able to provide seven, five, five, and four evidences of privacy, respectively, and we conclude that PbE can be effective in helping to understand and address the privacy protection needs when developing software. (C) 2019 Elsevier Inc. All rights reserved.