Privacy Bills of Materials (PriBOM): A Transparent Privacy Information Inventory for Collaborative Privacy Notice Generation in Mobile App Development
Authors: Zhen Tao (CSIRO's Data61 & Australian National University), Shidong Pan (CSIRO's Data61 & Australian National University), Zhenchang Xing (CSIRO's Data61 & Australian National University), Xiaoyu Sun (Australian National University), Omar Haggag (Monash University), John Grundy (Monash University), Jingjie Li (University of Edinburgh), Liming Zhu (CSIRO's Data61 & UNSW)
Volume: 2025
Issue: 4
Pages: 392–409
DOI: https://doi.org/10.56553/popets-2025-0136
Abstract: Privacy regulations mandate that developers must provide authentic and comprehensive privacy notices, e.g., privacy policies or labels, to inform users of their apps’ privacy practices. However, due to a lack of knowledge of privacy requirements, developers often struggle to create accurate privacy notices, especially for sophisticated mobile apps with complex features and in crowded development teams. To address these challenges, we introduce PriBOM (Privacy Bills of Materials), a systematic software engineering approach that leverages different development team roles to better capture and coordinate mobile app privacy information. PriBOM facilitates transparency-centric privacy documentation and specific privacy notice creation, enabling traceability and trackability of privacy practices. We present a pre-fill of PriBOM based on static analysis and privacy notice analysis techniques. We explore the perceived usefulness of PriBOM through a human evaluation with 150 diverse participants. The role of PriBOM in enhancing privacy-related communication is well received with 83.33% agreement, suggesting that PriBOM could serve as a significant solution for providing privacy support in DevOps for mobile apps.
Keywords: Transparency, Usable Privacy, Mobile Applications, Privacy Policy, Privacy Paradox
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
