A Framework for Investigating Live Medical Data against Privacy Laws
Overview
We are developing a framework to assess and improve the privacy and security of mobile health applications (apps) that collect and use personal health data. These apps, commonly used on smartphones and smart devices, have the potential to greatly improve access to healthcare. However, there are concerns about the privacy and protection of the sensitive user data they collect and generate. We recognize the need for a user-centered approach that ensures compliance with privacy regulations, enhances clarity in legal documents and app descriptions, and incorporates privacy and security measures during the app design process. The goal is to provide users with more control over their personal data while using health apps and to establish a framework that guides app developers in creating safe and transparent applications. The project's novelties include the development of
- models to bridge the gap between regulatory requirements and technical specifications for handling personal medical data, and
- a framework for privacy-focused analysis of mobile health apps that provides users with fine-grained transparency and control over their personal data.
The project's broader significance and importance lie in safeguarding user privacy and security in the increasingly prevalent use of health apps, which handle sensitive personal data. By addressing regulatory compliance, improving clarity in legal documents, and enhancing app design processes, this research ensures that users have control over their data and can make informed decisions. Ultimately, it promotes trust in health apps, encourages responsible development, and contributes to the advancement of privacy protection in the digital healthcare landscape.
The technical approach of this research involves developing natural language processing models capable of cross-genre entailment and inference, connecting the semantics of legal language to technical specifications in software design and development. These models help identify privacy vulnerabilities, from which the research derives privacy constraints and develops a formal privacy model with three key properties: completeness, minimality, and consistency. Finally, the research analyzes mobile health apps to check for conformity with the policy model. To ensure this analysis covers the entire data life cycle, a combination of advanced language models and domain-specific models of semantic similarity is used. These models help the framework analyze mobile health apps in terms of privacy laws and empower users by providing them fine-grained control and transparency over their personal data. The expected advances from this research include better comprehension of legal language by non-specialists and engineers, enhanced privacy-focused analysis of mobile apps, and clear information for users about what data is collected and why it is necessary, together with the ability to gain more control over their real-time personal data. Overall, it promotes user safety and privacy in the use of health applications.
A project website will be hosted by the Department of Computer Science at Stony Brook University and regularly maintained and updated by the principal investigator. This website will provide access to publicly releasable data, research papers, conference and lecture material, and software products. The software products of this research will also be publicly available on development repositories (e.g., GitHub or Bitbucket).
Team
- Ritwik Banerjee (Principal Investigator), Research Assistant Professor of Computer Science, Stony Brook University
- Indrakshi Ray (Co-Investigator), Professor of Computer Science, Colorado State University
- Chenlu Wang, Research Assistant (Computer Science, Stony Brook University)
- Ethan Myers, Research Assistant (Computer Science, Colorado State University)