ABSTRACT
Many modern enterprises require methods for guaranteeing compliance with privacy legislation and announced privacy policies. IBM has proposed a formal language, the Enterprise Privacy Authorization Language (EPAL), for describing privacy policies rigorously. In this paper, we identify four desirable properties of a privacy policy language: guaranteed consistency, guaranteed safety, admitting local reasoning, and closure under combination. While EPAL achieves only one of these four goals, an extended language framework allows us to achieve three out of four, while retaining the basic EPAL framework of restricting access and imposing obligations on users of confidential information.
Index Terms
- Conflict and combination in privacy policy languages