ABSTRACT
As computing becomes more ubiquitous and Internet use continues to rise, it is increasingly important for organizations to construct accurate and effective privacy policies that document their information handling and usage practices. Most privacy policies are derived and specified in a somewhat ad-hoc manner, leading to policies that are of limited use to the consumers they are intended to serve. To make privacy policies more readable and enforceable, two privacy policy specification languages have emerged, P3P and EPAL. This paper discusses a case study in which the authors systematically formalized two real and complex healthcare website privacy statements, and measured the results against well-known requirements engineering criteria.
Index Terms
- Specifying privacy policies with P3P and EPAL: lessons learned