{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T03:52:53Z","timestamp":1781063573873,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Research Fund KU Leuven Belgium"},{"name":"Flemish Research Programme Cybersecurity Belgium"},{"name":"CyberExcellence programme of the Walloon Region Belgium"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,26]]},"DOI":"10.1145\/3603216.3624962","type":"proceedings-article","created":{"date-parts":[[2023,11,23]],"date-time":"2023-11-23T01:38:42Z","timestamp":1700703522000},"page":"17-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["From Privacy Policies to Privacy Threats: A Case Study in Policy-Based Threat Modeling"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6558-2062","authenticated-orcid":false,"given":"Yana","family":"Dimova","sequence":"first","affiliation":[{"name":"KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3816-3675","authenticated-orcid":false,"given":"Mrunmayee","family":"Kode","sequence":"additional","affiliation":[{"name":"KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1188-1590","authenticated-orcid":false,"given":"Shirin","family":"Kalantari","sequence":"additional","affiliation":[{"name":"KU Leuven, Leuven, 
Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0950-9490","authenticated-orcid":false,"given":"Kim","family":"Wuyts","sequence":"additional","affiliation":[{"name":"KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7710-5092","authenticated-orcid":false,"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[{"name":"KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5035-0576","authenticated-orcid":false,"given":"Jan Tobias","family":"M\u00fchlberg","sequence":"additional","affiliation":[{"name":"Universit\u00e9 libre de Bruxelles, Brussels, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Abby. 2020. WhatsApp Pay: what is happening with WhatsApp not-so-new payment feature? https:\/\/www.sprintsandsneakers.com\/ en\/blog\/whatsapp-pay-what-is-happening-with-whatsapp-not-sonew- payment-feature\/. (2020)."},{"key":"e_1_3_2_1_2_1","volume-title":"Fundamentals of computer security technology","author":"Amoroso Edward G","unstructured":"Edward G Amoroso. 1994. Fundamentals of computer security technology. Prentice-Hall, Inc., USA."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450048"},{"key":"e_1_3_2_1_4_1","volume-title":"PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play. In 28th USENIX Security Symposium (USENIX Security 19)","author":"Andow Benjamin","year":"2019","unstructured":"Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play. In 28th USENIX Security Symposium (USENIX Security 19). 
USENIX Association, Santa Clara, CA, 585--602. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/andow"},{"key":"e_1_3_2_1_5_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Andow Benjamin","year":"2020","unstructured":"Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Online, 985--1002. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/andow"},{"key":"e_1_3_2_1_6_1","unstructured":"Shakuntala Banaji Ramnath Bhat Anushi Agarwal Nihal Passanha and Mukti Sadhana Pravin. 2019. WhatsApp vigilantes: An exploration of citizen reception and circulation of WhatsApp misinformation linked to mob violence in India. (2019)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380262"},{"key":"e_1_3_2_1_8_1","unstructured":"Tom Bateman. 2021. WhatsApp rewrites its Europe privacy policy after a record \u20ac225 million GDPR fine. URL: https:\/\/www.euronews.com\/next\/2021\/11\/22\/whatsapp-rewrites-itseurope- privacy-policy-after-a-record-225-million-gdpr-fine last checked on 1-03--2023. (2021)."},{"key":"e_1_3_2_1_9_1","unstructured":"WhatsApp blog. 2017. Building for People and Now Businesses. https:\/\/blog.whatsapp.com\/building-for-people-and-nowbusinesses. (2017)."},{"key":"e_1_3_2_1_10_1","unstructured":"WhatsApp blog. 2018. Introducing the WhatsApp Business App. https:\/\/blog.whatsapp.com\/introducing-the-whats-app-businessapp. (2018)."},{"key":"e_1_3_2_1_11_1","unstructured":"Zoe Braiterman Adam Shostack Jonathan Marcil Stephen de Vries Irene Michlin Kim Wuyts Robert Hurlbut Brook S.E. Schoenfield Fraser Scott Matthew Coles Chris Romeo Alyssa Miller Izar Tarandach Avi Douglen and Marc French. 2023. Threat Modeling Manifesto. 
https:\/\/www.threatmodelingmanifesto.org\/. (2023)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2021-0019"},{"key":"e_1_3_2_1_13_1","unstructured":"WhatsApp Business. 2023. Ads That Click to WhatsApp. https:\/\/business.whatsapp.com\/products\/ads-that-click-to-whatsapp. (2023)."},{"key":"e_1_3_2_1_14_1","first-page":"12","article-title":"Privacy by design: The 7 foundational principles. Information and privacy commissioner of Ontario","volume":"5","author":"Ann Cavoukian","year":"2009","unstructured":"Ann Cavoukian et al. 2009. Privacy by design: The 7 foundational principles. Information and privacy commissioner of Ontario, Canada 5 (2009), 12.","journal-title":"Canada"},{"key":"e_1_3_2_1_15_1","unstructured":"WhatsApp Help Center. 2023. Learn more about participating countries. https:\/\/faq.whatsapp.com\/1293279751500598. (2023)."},{"key":"#cr-split#-e_1_3_2_1_16_1.1","unstructured":"CJEU. 2023. Judgment - 12\/01\/2023 - \u00d6sterreichische Post (Informations relatives aux destinataires de donn\u00e9es personnelles) Case C-154\/21. https:\/\/curia.europa.eu\/juris\/document\/document.jsf"},{"key":"#cr-split#-e_1_3_2_1_16_1.2","unstructured":"jsessionid=B86B29EE5A0B7D09F49A5B21579C1FED?text=&docid= 269146&pageIndex=0&doclang=en&mode=lst&dir=&occ=first& part=1&cid=5598222. (2023)."},{"key":"e_1_3_2_1_17_1","volume-title":"Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act","author":"Commission Data Protection","year":"2018","unstructured":"Data Protection Commission. 2021. Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation. https:\/\/edpb.europa.eu\/system\/files\/2021-09\/dpc_final_decision_ redacted_for_issue_to_edpb_01-09--21_en.pdf. (2021)."},{"key":"e_1_3_2_1_18_1","unstructured":"Data Protection Commission. 2022. 
Data Protection Commission announces conclusion of inquiry into WhatsApp. https:\/\/dataprotection.ie\/en\/news-media\/data-protectioncommission- announces-conclusion-inquiry-whatsapp. (2022)."},{"key":"e_1_3_2_1_19_1","unstructured":"Data Protection Commission. 2022. Data Protection Commission announces conclusion of two inquiries into Meta Ireland. https:\/\/dataprotection.ie\/en\/news-media\/data-protectioncommission- announces-conclusion-two-inquiries-meta-ireland. (2022)."},{"key":"e_1_3_2_1_20_1","unstructured":"Data Protection Commission. 2023. Data Protection Commission announces conclusion of inquiry into Meta Ireland. https:\/\/dataprotection.ie\/en\/news-media\/press-releases\/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland. (2023)."},{"key":"e_1_3_2_1_21_1","volume-title":"We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy. CoRR abs\/1808.05096","author":"Degeling Martin","year":"2018","unstructured":"Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2018. We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy. CoRR abs\/1808.05096 (2018), 20. arXiv:1808.05096 http:\/\/arxiv. 
org\/abs\/1808.05096"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-010-0115-7"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3559613.3563200"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_2_1_26_1","first-page":"1","article-title":"Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation)","author":"European Parliament and Council of the European Union.","year":"2016","unstructured":"European Parliament and Council of the European Union. 2016. Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation). O.J. L 119 (2016), p. 1--88. https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj","journal-title":"O.J."},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS '16)","author":"Gluck Joshua","year":"2016","unstructured":"Joshua Gluck, Florian Schaub, Amy Friedman, Hana Habib, Norman Sadeh, Lorrie Faith Cranor, and Yuvraj Agarwal. 2016. How Short is Too Short? Implications of Length and Framing on the Effectiveness of Privacy Notices. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS '16). USENIX Association, USA, 321--340."},{"key":"e_1_3_2_1_28_1","volume-title":"Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning. 
In 27th USENIX Security Symposium (USENIX Security 18)","author":"Harkous Hamza","year":"2018","unstructured":"Hamza Harkous, Kassem Fawaz, R\u00e9mi Lebret, Florian Schaub, Kang G. Shin, and Karl Aberer. 2018. Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 531--548. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/ presentation\/harkous"},{"key":"e_1_3_2_1_29_1","volume-title":"The evolution of India's data privacy regime","author":"IAPP.","year":"2021","unstructured":"IAPP. 2022. The evolution of India's data privacy regime in 2021. https:\/\/iapp.org\/news\/a\/the-evolution-of-indias-data-privacyregime- in-2021\/. (2022)."},{"key":"e_1_3_2_1_30_1","unstructured":"IAPP. 2022. India's Digital Personal Data Protection Bill 2022: Does it overhaul the former PDPB? https:\/\/iapp.org\/news\/a\/indias-digitalpersonal- data-protection-bill-2022-does-it-overhaul-the-formerpdpb\/. (2022)."},{"key":"e_1_3_2_1_31_1","volume-title":"ISO\/PC 317","author":"International Organization for Standardization, TC","year":"2023","unstructured":"International Organization for Standardization, TC: ISO\/PC 317. 2023. ISO 31700--1:2023: Consumer protection - Privacy by design for consumer goods and services. (2023)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3466722"},{"key":"e_1_3_2_1_33_1","volume-title":"25th USENIX Security Symposium (USENIX Security 16)","author":"Lerner Ada","year":"2016","unstructured":"Ada Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. 2016. Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 997--1013. 
https:\/\/www.usenix.org\/conference\/ usenixsecurity16\/technical-sessions\/presentation\/lerner"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178876.3186087"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0004"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308560.3316738"},{"key":"e_1_3_2_1_37_1","unstructured":"Meta. 2023. Meta's global data center fleet. https:\/\/datacenters.atmeta. com\/all-locations\/. (2023)."},{"key":"e_1_3_2_1_38_1","unstructured":"Meta Platforms. 2023. WhatsApp. https:\/\/www.whatsapp.com\/. (2023)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","unstructured":"Govind Singh Rajpurohit and Raj Kumar Yadav. 2021. A Socio-Legal Analysis of WhatsApp Privacy Policy 2021 in India: A Contemporary Study. (2021) 8 pages. https:\/\/doi.org\/10.2139\/ssrn.3850579","DOI":"10.2139\/ssrn.3850579"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2906388.2906392"},{"key":"e_1_3_2_1_41_1","unstructured":"Jennifer Shore and Jill Steinman. 2015. Did you really agree to that? The evolution of Facebook's privacy policy. (2015) 37 pages."},{"key":"e_1_3_2_1_42_1","volume-title":"Threat modeling: Designing for security","author":"Shostack Adam","unstructured":"Adam Shostack. 2014. Threat modeling: Designing for security. John Wiley & Sons, USA."},{"key":"e_1_3_2_1_43_1","volume-title":"Number of monthly active WhatsApp users worldwide from","year":"2013","unstructured":"Statista. 2023. Number of monthly active WhatsApp users worldwide from April 2013 to March 2020. https:\/\/www.statista.com\/statistics\/ 260819\/number-of-monthly-active-whatsapp-users\/. (2023)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57959-7"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Isabel Wagner. 2022. Privacy Policies Across the Ages: Content and Readability of Privacy Policies 1996--2021. (2022). 
arXiv:cs.CR\/2201.08739","DOI":"10.1145\/3590152"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3590152"},{"key":"e_1_3_2_1_47_1","unstructured":"WhatsApp. 2016. WhatsApp Privacy Policy. https:\/\/www.whatsapp. com\/legal\/privacy-policy-eea\/revisions\/20160825. (2016)."},{"key":"e_1_3_2_1_48_1","unstructured":"WhatsApp. 2018. WhatsApp Payments Privacy Policy - India. https:\/\/www.whatsapp.com\/legal\/payments\/india\/privacy-policy\/ revisions\/20180709. (2018)."},{"key":"e_1_3_2_1_49_1","unstructured":"WhatsApp. 2018. WhatsApp Payments Privacy Policy - India. https:\/\/www.whatsapp.com\/legal\/payments\/india\/privacy-policy\/ revisions\/20180709. (2018)."},{"key":"e_1_3_2_1_50_1","unstructured":"WhatsApp. 2018. WhatsApp Privacy Policy. https:\/\/www.whatsapp. com\/legal\/privacy-policy-eea\/revisions\/20180424. (2018)."},{"key":"e_1_3_2_1_51_1","unstructured":"WhatsApp. 2019. WhatsApp Privacy Policy. https:\/\/www.whatsapp. com\/legal\/privacy-policy\/revisions\/20191219. (2019)."},{"key":"e_1_3_2_1_52_1","unstructured":"WhatsApp. 2020. WhatsApp India Payments Privacy Policy. https:\/\/www.whatsapp.com\/legal\/payments\/india\/privacy-policy\/ revisions\/20201121. (2020)."},{"key":"e_1_3_2_1_53_1","unstructured":"WhatsApp. 2020. WhatsApp India Payments Privacy Policy. https: \/\/www.whatsapp.com\/legal\/payments\/india\/privacy-policy. (2020)."},{"key":"e_1_3_2_1_54_1","unstructured":"WhatsApp. 2021. WhatsApp Privacy Policy. https:\/\/www.whatsapp. com\/legal\/privacy-policy. (2021)."},{"key":"e_1_3_2_1_55_1","unstructured":"WhatsApp. 2021. WhatsApp Privacy Policy. https:\/\/www.whatsapp. com\/legal\/privacy-policy-eea\/revisions\/20210104. (2021)."},{"key":"e_1_3_2_1_56_1","unstructured":"Wikipedia. 2023. WhatsApp: Controversies and Critique. https:\/\/en. wikipedia.org\/wiki\/WhatsApp#Controversies_and_criticism. 
(2023)."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00047"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3389685"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127519"},{"key":"e_1_3_2_1_60_1","volume-title":"POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Zhou Lu","year":"2023","unstructured":"Lu Zhou, Chengyongxiao Wei, Tong Zhu, Guoxing Chen, Xiaokuan Zhang, Suguo Du, Hui Cao, and Haojin Zhu. 2023. POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 1073--1090. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/ presentation\/zhou-lu"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 22nd Workshop on Privacy in the Electronic 
Society"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3603216.3624962","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3603216.3624962","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:49:11Z","timestamp":1750286951000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3603216.3624962"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":61,"alternative-id":["10.1145\/3603216.3624962","10.1145\/3603216"],"URL":"https:\/\/doi.org\/10.1145\/3603216.3624962","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}