Caprice: a tool for engineering adaptive privacy

In a dynamic environment where context changes frequently, users’ privacy requirements can also change. To satisfy such changing requirements, there is a need for continuous analysis to discover new threats and possible mitigation actions. A frequently changing context can also blur the boundary between public and personal space, making it difficult for users to discover and mitigate emerging privacy threats. This challenge necessitates some degree of self-adaptive privacy management in software applications. This paper presents Caprice - a tool for enabling software engineers to design systems that discover and mitigate contextsensitive privacy threats. The tool uses privacy policies, and associated domain and software behavioural models, to reason over the contexts that threaten privacy. Based on the severity of a discovered threat, adaptation actions are then suggested to the designer. We present the Caprice architecture and demonstrate, through an example, that the tool can enable designers to focus on specific privacy threats that arise from changing context and the plausible category of adaptation action, such as ignoring, preventing, reacting, and terminating interactions that threaten privacy.