Article

Efficient comparison of enterprise privacy policies

Authors:
Michael Backes

IBM Research

IBM Research
View Profile

,
Günter Karjoth

IBM Research

IBM Research
View Profile

,
Walid Bagga

Eurecom Institute, France

Eurecom Institute, France
View Profile

,
Matthias Schunter

IBM Research

IBM Research
View Profile

SAC '04: Proceedings of the 2004 ACM symposium on Applied computingMarch 2004Pages 375–382https://doi.org/10.1145/967900.967983

Published:14 March 2004Publication History

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

Pages 375–382

ABSTRACT

Enterprise privacy policies often reflect different legal regulations, promises made to customers, as well as more restrictive enterprise-internal practices. The notion of policy refinement is fundamental for privacy policies, as it allows one to check whether a company's policy fulfills regulations or adheres to standards set by customer organizations, to realize the "sticky policy paradigm" that addresses transferring data from one realm to another in a privacy-preserving way, and much more. Although well-established in theory, the problem of how to efficiently check whether one policy refines another has been left open in the privacy policy literature. We present a practical algorithm for this task, concentrating on those aspects that make refinement of privacy policies more difficult than, for example refinement for access control policies, such as a more sophisticated treatment of deny rules and a suitable way for dealing with obligations and conditions on context information.

References

P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter. Enterprise Privacy Authorization Language (EPAL). Research Report RZ 3485, IBM Research, Mar. 2003.]]Google Scholar
P. Ashley, S. Hada, G. Karjoth, and M. Schunter. E-P3P privacy policies and privacy authorization. In Proc. 1st ACM Workshop on Privacy in the Electronic Society (WPES), pages 103--109, 2002.]] Google ScholarDigital Library
M. Backes, B. Pfitzmann, and M. Schunter. A toolkit for managing enterprise privacy policies. In European Symposium on Research in Computer Security (ESORICS), Lecture Notes in Computer Science 2808, pages 101--119. Springer, 2003.]]Google Scholar
C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekerat. Obligation monitoring in policy management. In Proc. 3rd IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), pages 2--12, 2002.]] Google ScholarDigital Library
P. A. Bonatti, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. A component-based architecture for secure data publication. In Proc. 17th Annual Computer Security Applications Conference, pages 309--318, 2001.]] Google ScholarDigital Library
A. Cavoukian and T. J. Hamilton. The Privacy Payoff: How successful businesses build customer trust. McGraw-Hill/Ryerson, 2002.]]Google Scholar
N. Damianou, N. Dulay, E. Lupo, and M. Sloman. The Ponder Policy Specification Language. In Policies for Distributed Systems and Networks (Policy 2001), Lecture Notes in Computer Science 1995, pg. 18--39. Springer, 2001.]] Google ScholarDigital Library
S. Fischer-Hübner. IT-security and privacy: Design and use of privacy-enhancing security mechanisms, Lecture Notes in Computer Science 1958. Springer, 2002.]]Google Scholar
S. Jajodia, M. Kudo, and V. S. Subrahmanian. Provisional authorization. In Proc. E-commerce Security and Privacy, pages 133--159. Kluwer Academic Publishers, 2001.]]Google Scholar
G. Karjoth and M. Schunter. A privacy policy model for enterprises. In Proc. 15th IEEE Computer Security Foundations Workshop (CSFW), pages 271--281, 2002.]] Google ScholarDigital Library
G. Karjoth, M. Schunter, and M. Waidner. The platform for enterprise privacy practices -- privacy-enabled management of customer data. In Proc. Privacy Enhancing Technologies, Lecture Notes in Computer Science 2482, pages 69--84. Springer, 2002.]]Google Scholar
Platform for Privacy Preferences (P3P). W3C Recommendation, Apr. 2002. www.w3.org/TR/2002/REC-P3P-20020416/.]]Google Scholar
C. Ribeiro, A. Zuquete, P. Ferreira, and P. Guedes. SPL: An access control language for security policies with complex constraints. In Proc. Network and Distributed System Security Symposium (NDSS), pages 89--107, 2001.]]Google Scholar
TRUSTe. Privacy Certification. See www.truste.com.]]Google Scholar
eXtensible Access Control Markup Language (XACML). OASIS Committee Specification 1.0, Dec. 2002. www.oasis-open.org/committees/xacml.]]Google Scholar

Index Terms

Efficient comparison of enterprise privacy policies

Recommendations

A comparison of two privacy policy languages: EPAL and XACML
SWS '06: Proceedings of the 3rd ACM workshop on Secure web services

Current regulatory requirements in the U.S. and other countries make it increasingly important for Web Services to be able to enforce and verify their compliance with privacy policies. Structured policy languages can play a major role by supporting ...
Read More
Refinement checking for privacy policies

This paper presents a framework for analysis and comparison of privacy policies expressed in P3P (Platform for Privacy Preferences). In contrast to existing approaches to policy analysis, which focus on demonstrations of equality or equivalence of ...
Read More
Enterprise privacy promises and enforcement
WITS '05: Proceedings of the 2005 workshop on Issues in the theory of security

Several formal languages have been proposed to encode privacy policies, ranging from the Platform for Privacy Preferences (P3P), intended for communicating privacy policies to consumers over the web, to the Enterprise Privacy Authorization Language (...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '04: Proceedings of the 2004 ACM symposium on Applied computing
March 2004
1733 pages
ISBN:1581138121
DOI:10.1145/967900
Conference Chair:
Hisham M. Haddad
Kennesaw State University
,
Program Chairs:
Andrea Omicini
Università degli Studi di Bologna a Cesena
,
Roger L. Wainwright
University of Tulsa
,
Publications Chair:
Lorie M. Liebrock
New Mexico Institute of Mining and Technology
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 March 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
policy comparison
privacy policy
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,650of6,669submissions,25%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 59
  Total Citations
  View Citations
- 1,744
  Total Downloads
- Downloads (Last 12 months)46
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Efficient comparison of enterprise privacy policies

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

A comparison of two privacy policy languages: EPAL and XACML

Refinement checking for privacy policies

Enterprise privacy promises and enforcement