An Exploratory Mixed-methods Study on General Data Protection Regulation (GDPR) Compliance in Open-Source Software (ESEIW 2024 - ESEM Technical Papers Track)

Who

Lucas Franke, Huayu Liang, Sahar Farzanehpour, Aaron Brantly, James C. Davis, Chris Brown

Track

ESEIW 2024 ESEM Technical Papers

Time Zone

The program is currently displayed in (GMT+02:00) Brussels, Copenhagen, Madrid, Paris.

Use conference time zone: (GMT+02:00) Brussels, Copenhagen, Madrid, ParisSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Thu 24 Oct 2024 11:40 - 12:00 at Multimedia (B3 Building - Hall) - Open source software and repository mining Chair(s): Davide Taibi

Abstract

Background: Governments worldwide are considering textit{data privacy regulations}. These laws, such as the European Union’s General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users’ data. Prior research describes the impact of such laws on software development, but only for commercial software. Although open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance, we do not know how such laws impact open-source software development.

Aims: Understanding how data privacy laws affect open-source software development. We focused on the European Union’s GDPR, as it is the most prominent such law. We specifically investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4).

Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). To augment this analysis, we further conducted a repository mining study to analyze development metrics on pull requests (N=31,462) submitted to open-source GitHub repositories.

Results: Our results suggest GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users’ data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests (PRs) related to GDPR compliance.

Conclusions: Our findings provide implications for improving data privacy policies, motivating the need for policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.

Link to Preprint

https://arxiv.org/pdf/2406.14724

Lucas Franke

Virginia Tech

United States

Huayu Liang

Virginia Tech

United States

Sahar Farzanehpour

Virginia Tech

United States

Aaron Brantly

Virginia Tech

United States

James C. Davis

Purdue University

United States

Chris Brown

Virginia Tech

United States

Time Zone

The program is currently displayed in (GMT+02:00) Brussels, Copenhagen, Madrid, Paris.

Use conference time zone: (GMT+02:00) Brussels, Copenhagen, Madrid, ParisSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Thu 24 Oct
Displayed time zone: Brussels, Copenhagen, Madrid, Paris change

11:00 - 12:35	Open source software and repository miningESEM Technical Papers / ESEM Emerging Results, Vision and Reflection Papers Track at Multimedia (B3 Building - Hall) Chair(s): Davide Taibi University of Oulu

11:00 20m Full-paper		Sustaining Maintenance Labor for Healthy Open Source Software Projects through Human Infrastructure: A Maintainer Perspective ESEM Technical Papers Johan Linåker RISE Research Institutes of Sweden, Georg Link Bitergia, Kevin Lumbard Creighton University
11:20 20m Full-paper		Documenting Ethical Considerations in Open Source AI Models ESEM Technical Papers Haoyu Gao The University of Melbourne, Mansooreh Zahedi The Univeristy of Melbourne, Christoph Treude Singapore Management University, Sarita Rosenstock the University of Melbourne, Marc Cheong the University of Melbourne Pre-print
11:40 20m Full-paper		An Exploratory Mixed-methods Study on General Data Protection Regulation (GDPR) Compliance in Open-Source Software ESEM Technical Papers Lucas Franke Virginia Tech, Huayu Liang Virginia Tech, Sahar Farzanehpour Virginia Tech, Aaron Brantly Virginia Tech, James C. Davis Purdue University, Chris Brown Virginia Tech Pre-print
12:00 20m Full-paper		An Empirical Study of API Misuses of Data-Centric Libraries ESEM Technical Papers Akalanka Galappaththi University of Alberta, Sarah Nadi New York University Abu Dhabi, University of Alberta, Christoph Treude Singapore Management University Pre-print
12:20 15m Vision and Emerging Results		Automatic Categorization of GitHub Actions with Transformers and Few-shot Learning ESEM Emerging Results, Vision and Reflection Papers Track Phuong T. Nguyen University of L’Aquila, Juri Di Rocco University of L'Aquila, Claudio Di Sipio University of L'Aquila, Mudita Shakya University of L'Aquila, Davide Di Ruscio University of L'Aquila, Massimiliano Di Penta University of Sannio, Italy Pre-print