🤖 AI Summary
Existing privacy analyses predominantly rely on data flow diagrams (DFDs), which capture only syntactic data movement and fail to model semantic knowledge propagation and inference, which limits the completeness of threat modeling. Method: This paper proposes a model-driven knowledge flow reasoning framework centered on the question "Who can know what?", formally characterizing knowledge availability, mobility, and inferability across system entities. It introduces an incremental modeling mechanism that refines abstract views through formal transformations, encodes privacy requirements as knowledge prohibition rules, and integrates external compliance standards. Leveraging a domain-specific knowledge modeling language, logic-level knowledge flow specifications, and formal inference rules, the framework enables cross-layer knowledge leakage detection. Contribution/Results: The framework improves the formalization, verifiability, and engineering practicality of privacy analysis, providing a scalable, interpretable foundation for privacy compliance verification.
📝 Abstract
This paper proposes a reasoning framework for privacy properties of systems and their environments that can capture any knowledge leaks on different logical levels of the system to answer the question: which entity can learn what? With the term knowledge we refer to any kind of data, meta-data, or interpretation of those that might be relevant. To achieve this, we present a modeling framework that forces the developers to explicitly describe which knowledge is available at which entity, which knowledge flows between entities, and which knowledge can be inferred from other knowledge. In addition, privacy requirements are specified as rules describing forbidden knowledge for entities. Our modeling approach is incremental, starting from an abstract view of the system and adding details through well-defined transformations. This work is intended to complement existing approaches and introduces steps towards more formal foundations for privacy-oriented analyses while keeping them as accessible as possible. It is designed to be extensible through schemata and vocabulary to enable compatibility with external requirements and standards.
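The three ingredients the abstract names (knowledge available at an entity, knowledge flowing between entities, knowledge inferable from other knowledge) plus prohibition rules can be made concrete as a small fixpoint computation: propagate knowledge along flows, fire inference rules at every entity, repeat until nothing changes, then check which entity ends up holding forbidden knowledge. The script below is an added illustration of that idea, not the paper's framework, modeling language or rule syntax; the entities (user, app, analytics, ad_network), the knowledge items, the inference rules and the `refine` transformation are all constructed for the example.

```python
"""Toy 'who can know what' reasoner (added illustration, not the paper's code).

Model pieces, all constructed for this example:
  available:    {entity: set(knowledge)}   knowledge an entity holds from the start
  flows:        {(src, dst, knowledge)}    src sends knowledge to dst, but only if src has it
  rules:        [(frozenset(premises), conclusion)]
                any entity holding every premise can infer the conclusion
  prohibitions: {(entity, knowledge)}      knowledge the entity must never obtain
"""


def knowledge_closure(available, flows, rules):
    """Least fixpoint of 'what each entity can know'.

    Returns {entity: {knowledge: justification}} so every derived fact can be
    traced back to the flow or inference rule that produced it.
    """
    known = {e: {k: "given" for k in ks} for e, ks in available.items()}
    for src, dst, _ in flows:          # entities that only appear in flows
        known.setdefault(src, {})
        known.setdefault(dst, {})
    changed = True
    while changed:
        changed = False
        # Mobility: a flow only carries knowledge the source actually has.
        for src, dst, k in flows:
            if k in known[src] and k not in known[dst]:
                known[dst][k] = f"received from {src}"
                changed = True
        # Inferability: rules fire locally at every entity, on whatever it holds.
        for facts in known.values():
            for premises, conclusion in rules:
                if conclusion not in facts and premises.issubset(facts):
                    facts[conclusion] = "inferred from " + ", ".join(sorted(premises))
                    changed = True
    return known


def violations(known, prohibitions):
    """Prohibition rules that are violated in the closure, sorted for stable output."""
    return sorted((e, k) for e, k in prohibitions if k in known.get(e, {}))


def refine(flows, entity, parts, internal):
    """Incremental refinement: split one abstract entity into sub-entities.

    parts = {"in": sub-entity that now receives the abstract entity's incoming flows,
             "out": sub-entity that now sends its outgoing flows}
    internal lists the flows between sub-entities that the abstract view hid.
    """
    refined = set()
    for src, dst, k in flows:
        src2 = parts["out"] if src == entity else src
        dst2 = parts["in"] if dst == entity else dst
        refined.add((src2, dst2, k))
    return refined | set(internal)


# Constructed abstract model of a mobile app and its third parties.
AVAILABLE = {"user": {"name", "gps_location"}}
FLOWS = {
    ("user", "app", "name"),
    ("user", "app", "gps_location"),
    ("app", "analytics", "coarse_location"),        # app shares only coarse location
    ("app", "ad_network", "name"),
    ("analytics", "ad_network", "coarse_location"),
}
RULES = [
    (frozenset({"gps_location"}), "coarse_location"),            # generalisation
    (frozenset({"name", "coarse_location"}), "located_profile"),  # linkage
]
PROHIBITIONS = {("analytics", "gps_location"), ("ad_network", "located_profile")}

# Refinement: the app becomes a client and a backend; the client forwards only
# name and coarse location to the backend (an internal flow hidden above).
REFINED_FLOWS = refine(FLOWS, "app", {"in": "app_client", "out": "app_backend"},
                       [("app_client", "app_backend", "name"),
                        ("app_client", "app_backend", "coarse_location")])


def analyse(available=AVAILABLE, flows=FLOWS, rules=RULES, prohibitions=PROHIBITIONS):
    known = knowledge_closure(available, flows, rules)
    return known, violations(known, prohibitions)


if __name__ == "__main__":
    for label, fl in (("abstract", FLOWS), ("refined", REFINED_FLOWS)):
        known, bad = analyse(flows=fl)
        print(f"[{label}] violations: {bad}")
        for e, k in bad:
            print(f"  {e} knows {k}: {known[e][k]}")
```

The interesting result is that no flow ever sends `located_profile` anywhere: the ad network obtains `name` from the app and `coarse_location` from analytics and the linkage rule fires locally. A DFD-style check that only follows data items would not flag this; the justification string makes the cross-entity inference chain visible. Running the same check on the refined model shows that the transformation preserves the finding while exposing where inside the former `app` the knowledge actually sits.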