This work-in-progress (WIP) research-to-practice paper describes the authors' ongoing effort to integrate appreciation of privacy, ethics, regulatory compliance, and research into Senior Project capstone experiences for Electrical and Computer Engineering. The student work focused on data quality assurance and de-identification topics to enhance quality, accuracy, completeness, consistency, and timeliness. Real-world data protection regulations grounded projects to meet ABET EAC Criterion 3 requirements for Student Outcome 2. Students explored the topics in a Project-Based Learning (PBL) format as a part of their senior project. In addition to implementing PBL, our focus for the senior project capstone is securing as many industrially sponsored projects as possible. This paper focuses on a few senior projects that are PBL, sponsored by industry, and emphasize data quality assurance and privacy protection techniques. We present a framework that meets assessment needs and uses project-based learning on a current topic of interest. The student findings offer insights into the theoretical and practical challenges and opportunities of implementing data quality assurance and de-identification techniques across different domains.
Promoting Privacy Considerations in Real-World Projects in Capstone Courses with Ideation Cards
Nearly all software built today impinges upon end-user privacy and needs to comply with relevant regulations. Therefore, there have been increasing calls for integrating considerations of compliance with privacy regulations throughout the software engineering lifecycle. However, software engineers are typically trained in the technical fields and lack sufficient knowledge and support for sociotechnical considerations of privacy. Privacy ideation cards attempt to address this issue by making privacy compliance understandable and actionable for software developers. However, the application of privacy ideation cards in real-world software projects has not yet been systemically investigated. The effectiveness of ideation cards as a pedagogical tool has not yet been examined either. We address these gaps by studying how teams of undergraduate students applied privacy ideation cards in capstone projects that involved building real-world software for industry sponsors. We found that privacy ideation cards fostered greater consideration and understanding of the extent to which the projects aligned with privacy regulations. We identified three main themes from student discussions of privacy compliance: (i) defining personal data; (ii) assigning responsibility for privacy compliance; and (iii) determining and exercising autonomy. The results suggest that application of the cards for real-world projects requires careful consideration of intersecting factors such as the stage at which the cards are used and the autonomy available to the developers. Pedagogically, ideation cards can facilitate low-level cognitive engagement (especially the cognitive processes of meaning construction and interpretation) for specific components within a project. Higher-level cognitive processes were comparatively rare in ideation sessions. 
These findings provide important insight to help enhance capstone instruction and to improve privacy ideation cards to increase their impact on the privacy properties of the developed software.
- Award ID(s): 2221870
- PAR ID: 10357451
- Date Published:
- Journal Name: ACM Transactions on Computing Education
- Volume: 21
- Issue: 4
- ISSN: 1946-6226
- Page Range / eLocation ID: 1 to 28
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- With the increase in the number of privacy regulations, small development teams are forced to make privacy decisions on their own. In this paper, we conduct a mixed-method survey study, including statistical and qualitative analysis, to evaluate the privacy perceptions, practices, and knowledge of members involved in various phases of the Software Development Life Cycle (SDLC). Our survey includes 362 participants from 23 countries, encompassing roles such as product managers, developers, and testers. Our results show diverse definitions of privacy across SDLC roles, emphasizing the need for a holistic privacy approach throughout SDLC. We find that software teams, regardless of their region, are less familiar with privacy concepts (such as anonymization), relying on self-teaching and forums. Most participants are more familiar with GDPR and HIPAA than other regulations, with multijurisdictional compliance being their primary concern. Our results advocate the need for role-dependent solutions to address the privacy challenges, and we highlight research directions and educational takeaways to help improve privacy-aware SDLC.
- Privacy regimes are increasingly taking center stage for bringing up cases against violators or introducing new regulations to safeguard consumer rights. Health regulations mostly predate most of the generic privacy regulations. However, we still see how health entities fail to meet regulatory requirements. Prior work suggests that third-party code is responsible for a significant portion of these violations. Hence, we propose using Software Bills of Materials (SBOM) as an effective intervention for communicating compliance limitations and expectations surrounding third-party code to help developers make informed decisions.
- Motivation: The increasing volume and frequency of cyberattacks have made it necessary that all computing professionals be proficient in security principles. Concurrently, modern technology poses greater threats to privacy, making it important that technological solutions be developed to respect end-user privacy preferences and comply with privacy-related laws and regulations. Just as considering security and privacy must be an integral part of developing any technological solution, teaching security and privacy ought to be a required aspect of computer science education. Objective: We set out to demonstrate that a project-based capstone experience provides an effective mechanism for teaching the foundations of security and privacy. Method: We developed ten learning modules designed to introduce and sensitize students to foundational sociotechnical concepts related to the security and privacy aspects of modern technology. We delivered the modules in the treatment sections of a two-term capstone course involving the development of software solutions for external clients. We asked the students in the course to apply the concepts covered in the modules to their projects. Control sections of the course were taught without the modules as usual. We evaluated the effectiveness of the modules by administering pre-treatment and post-treatment assessments of cybersecurity knowledge and collecting written student reflections after the delivery of each module. Results: We found that the students in the treatment condition exhibited statistically significant increases in their knowledge of foundational security and privacy concepts compared to those in the control condition without the modules. Further, student reflections indicate that they appreciated the content of the modules and were readily able to apply the concepts to their projects. Discussion: The modules we developed facilitate embedding the teaching of security and privacy within any project-based learning experience. Embedding cybersecurity instruction within capstone experiences can help create a software workforce that is more knowledgeable about sociotechnical cybersecurity principles.
- Regulations outline high-level guidance or expectations for a profession or industry. Analyzing laws or regulations is one way a software developer would derive and document regulatory compliance requirements within their software design. However, ambiguities within regulations can make it challenging to define technical software design specifications for regulatory requirements. Further, due to the subjective nature of ambiguous phrasing within a law or regulation, the interpretation of the legal text can differ based on the interpreter’s perspective. Our study examines whether software developers can analyze regulatory ambiguities as a group using our modeling process and our online Ambiguity Heuristics Analysis Builder (AHAB) tool. Eleven participants formed three groups and modeled ambiguities within a regulation using our process and tool. Modeling regulatory ambiguity, while difficult for our participants, allowed them to communicate potential issues, ask meaningful questions, and deepen their knowledge of the regulation. Ambiguity modeling allows developers to articulate interpretation and compliance issues with the laws to other parties (i.e., lawyers) and document this requirement analysis step for future use. Documenting these intermediate steps is rarely highlighted in requirement analysis. However, it is useful to negotiate with regulators, avoid negligence, and show due diligence toward regulatory compliance. It can also lead to clarifying guidance software developers need to make better, more compliant choices during software design.