Modeling PLA Variation of Privacy-Enhancing Personalized Systems
Scott A. Hendrickson∗, Yang Wang∗, André van der Hoek, Richard N. Taylor, Alfred Kobsa
Institute of Software Research, University of California, Irvine, Irvine, CA 92697 USA
{shendric, yangwang, andre, taylor, kobsa}@uci.edu

∗First authors listed in alphabetical order.

Abstract

Privacy-enhancing personalized (PEP) systems address individual users' privacy preferences as well as privacy laws and regulations. Building such systems entails modeling two different domains: (a) privacy constraints as mandated by law, voluntary self-regulation, or users' individual privacy preferences, and modeled by legal professionals, and (b) software architectures as dictated by available software components and modeled by software architects. Both can evolve independently, e.g., as new laws go into effect or new components become available. In prior work, we proposed modeling PEP systems using a product line architecture (PLA). However, with an extensional PLA, these domain models became strongly entangled, making it difficult to modify one without inadvertently affecting the other. This paper evaluates an approach towards modeling both domains within an intensional PLA. We find evidence that this results in a clearer separation between the two domain models, making each easier to evolve and maintain.

1 Introduction

To provide personalized services such as customized recommendations, a personalized website collects and uses users' personal data, which raises various privacy concerns [17]. We use the term privacy constraints to denote users' privacy preferences as well as privacy laws and regulations that are in effect. We call personalized systems that address these privacy constraints privacy-enhancing personalized (PEP) systems. Modeling such systems concerns expressing two different domain models: privacy constraints and their interdependencies, as managed by legal professionals; and the structural features of a software architecture, as managed by software architects. We refer to these models as the privacy model and software model, respectively. Both can evolve independently: the privacy model can evolve as new laws or self-regulations are put into effect or new user privacy preferences arise. The software model can evolve when new components become available.

In prior work [28], we found that privacy constraints may affect the admissibility of certain components or features in a PEP system. Therefore, different sets of privacy constraints may lead to different architectures of a PEP system. Based on this finding, we proposed modeling a PEP system as a product line architecture (PLA) [29]. Doing so allows a PEP system to dynamically select a product architecture for each user based on their current privacy constraints, which can change over time.

Currently, PLA modeling approaches are predominantly extensional, i.e., they model a single, monolithic architecture that simultaneously represents all possible products using variation points and guards of some form, e.g., [27][13][8][25]. These approaches could be viewed as "configurable architectures", where an architect obtains an individual product architecture by resolving each variation point based upon a selection of desired attributes. While these approaches adequately model PLA variation, they suffer from a sizable mismatch between conceptual variability (i.e., the features through which architects logically view and interpret product differences) and actual variability (i.e., the modeling constructs through which the logical differences must be expressed). As a result, the actual model exhibits a high degree of redundancy, scattering and tangling of the conceptual model it represents, making it difficult to interpret and modify [14].

Alternatively, intensional [5] approaches are gaining ground, e.g., [14][2][1][7]. With intensional approaches, product architectures are composed from different modeling constructs that represent features at some level. Our previous work presented an intensional approach where an architect composes product architectures from a collection of change sets and is guided by constraints expressed as relationships [14]. Together, change sets and relationships form the basis for modeling features and feature models.

Our earlier work found that the structural features of a feature model are better expressed using change sets and relationships than the modeling constructs of an extensional approach [14]. This paper extends our earlier work in two ways. First, we apply the intensional approach to a domain where a conceptual model exists, that of the privacy constraints, and where product configurations cannot practically be predefined and must instead be dynamically created. Second, we show evidence that a PLA-based PEP system is easier to maintain when represented using an intensional approach than when represented using an extensional approach.

In the remainder of this paper, we briefly explain several background concepts in Section 2. We then describe the motivating example PEP system used for our comparative analysis in Section 3. Thereafter, we present how to model the system extensionally and intensionally in Section 4. Subsequently, in Section 5, we introduce three common evolution scenarios of PEP systems and show how both modeling approaches would adapt to these changes. We then discuss insights gained from our evaluation in Section 6. Finally, we discuss related work in Section 7 and conclude in Section 8.

2 Background

The work presented in this paper relies on concepts from personalization and privacy, software architecture and configuration management. We introduce these concepts here.

2.1 Personalization and Privacy

Advantages of web personalization have been demonstrated for both online customers (e.g., getting personalized content) and vendors (better customer retention) [6]. However, numerous opinion polls and empirical studies have revealed that Internet users have considerable concerns regarding the disclosure of their personal data to websites, and the monitoring of their Internet activities (see [17] for an overview). Most privacy laws that have emerged in response are applicable only within the boundaries of the corresponding country, e.g., Germany. However, some privacy laws may be applicable beyond a country's border so long as the services are provided to its citizens and permanent residents, e.g., the Australian privacy law. Laws, along with industry