I built a prototype pipeline called Privacy-SATD Miner to explore how self-admitted technical debt relates to privacy. It is an early-stage side project, not a finished tool, built to understand the methodology rather than produce publishable results.
What it does
Self-Admitted Technical Debt (SATD) refers to comments like TODO or FIXME where developers acknowledge incomplete or flawed work. Researchers at TU Hamburg (Díaz Ferreyra et al., MSR 2024) showed that some SATD instances leak security-sensitive information and mapped them to CWE vulnerability types.
This prototype applies the same keyword-based detection approach, but looks for privacy-related signals: comments referencing GDPR, consent, anonymization, data retention, or personal data handling. Detected instances are stored for review, and a basic mapping to GDPR articles is included.
How it works
The pipeline is written in Python and runs on a conda environment. It searches GitHub repositories using keyword matching, filters candidate comments, and integrates with Label Studio for manual review. The idea is that two annotators could validate whether a comment genuinely reflects privacy debt. The infrastructure is set up to support future ML classification, but no model has been trained yet.
There is also a simple dashboard that visualizes keyword distributions and GDPR article coverage across scanned repositories.
Current status
This is a work-in-progress. It mines comments, filters candidates, and produces labeled outputs for review, but it has not been validated on a large-scale dataset and no formal evaluation has been done. I built it to learn the SATD detection workflow hands-on, and it remains an ongoing exploration.