The excessive collection and processing of personal data by APPs has become a critical information security issue. Addressing this problem requires rigorous compliance auditing based on the purpose limitation principle in the Personal Information Protection Law. To tackle the lack of actionable standards, this study analyzes 63 privacy policies across 18 APP categories and develops a knowledge graph framework that connects legal requirements and technical implementations by converting unstructured policies into auditable semantic networks. Given the absence of fine-grained purpose classification standards, we establish a purpose taxonomy through LLM-assisted manual coding, integrating it with existing permission categories. The framework consists of two interconnected layers: (1) a data layer that extracts purpose and permission entities from policy texts through LLM-based extraction and manual verification, constructing a high-quality corpus (κ = 0.92) containing 2,155 annotated records for the structured representation of policy elements; and (2) a reasoning layer that quantifies “APP category-purpose-permission” associations via a four-layer Bayesian network, enabling necessity assessment of permissions and creating a three-tiered auditing standard (core-/scenario-/non-necessity). Case studies of 875 non-necessary permission records identify three dominant violations: incomplete purpose disclosure, undeclared permissions, and purpose-permission mismatches. Experimental evaluation further confirms the framework’s effectiveness and reliability, achieving an F1-score of 81.8% in purpose-permission association prediction and a Cohen’s Kappa of 0.89 in compliance auditing. This study advances the operationalization of the purpose limitation principle in privacy protection practices, with future work focusing on LLMs optimization to leverage our framework for large-scale automated privacy policy compliance auditing.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Knowledge Graph Framework for Purpose-Driven Privacy Policy Compliance Auditing

  • Hanchang Liu,
  • Ning Zhang,
  • Zekun Su

摘要

The excessive collection and processing of personal data by APPs has become a critical information security issue. Addressing this problem requires rigorous compliance auditing based on the purpose limitation principle in the Personal Information Protection Law. To tackle the lack of actionable standards, this study analyzes 63 privacy policies across 18 APP categories and develops a knowledge graph framework that connects legal requirements and technical implementations by converting unstructured policies into auditable semantic networks. Given the absence of fine-grained purpose classification standards, we establish a purpose taxonomy through LLM-assisted manual coding, integrating it with existing permission categories. The framework consists of two interconnected layers: (1) a data layer that extracts purpose and permission entities from policy texts through LLM-based extraction and manual verification, constructing a high-quality corpus (κ = 0.92) containing 2,155 annotated records for the structured representation of policy elements; and (2) a reasoning layer that quantifies “APP category-purpose-permission” associations via a four-layer Bayesian network, enabling necessity assessment of permissions and creating a three-tiered auditing standard (core-/scenario-/non-necessity). Case studies of 875 non-necessary permission records identify three dominant violations: incomplete purpose disclosure, undeclared permissions, and purpose-permission mismatches. Experimental evaluation further confirms the framework’s effectiveness and reliability, achieving an F1-score of 81.8% in purpose-permission association prediction and a Cohen’s Kappa of 0.89 in compliance auditing. This study advances the operationalization of the purpose limitation principle in privacy protection practices, with future work focusing on LLMs optimization to leverage our framework for large-scale automated privacy policy compliance auditing.