ABSTRACT
Current regulatory requirements in the U.S. and other countries make it increasingly important for Web Services to be able to enforce and verify their compliance with privacy policies. Structured policy languages can play a major role by supporting automated enforcement of policies and auditing of access decisions. This paper compares two policy languages that have been developed for use in expressing directly enforceable privacy policies -- the Enterprise Privacy Authorization Language (EPAL) and the OASIS Standard eXtensible Access Control Markup Language (XACML), together with its standard privacy profile.
- Agrawal, R., Kini, A., LeFevre, K., Wang, A., Xu, Y., and Zhou, D., Managing Healthcare Data Hippocratically, ACM SIGMOD 2004, June 13-18, 2004, Paris, France. Google ScholarDigital Library
- Anderson, A., Comparing Two Privacy Policy Languages: EPAL and XACML, Sun Microsystems Laboratories Technical Report 2005-147, 2005; http://research.sun.com/techrep/2005/smli_tr-2005-147/TRCompareEPALandXACML.html.Google Scholar
- Anderson, A., ed., Core and hierarchical role based access control (RBAC) profile of XACML v2.0; OASIS Standard, February 1, 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.Google Scholar
- Anderson, A., ed., Hierarchical resource profile of XACML v2.0, OASIS Standard, 1 February 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-hier-profilespec-os.pdf.Google Scholar
- Anderson, A., and Lockhart, H., eds., SAML 2.0 profile of XACML v2.0, OASIS Standard, 1 February 2005; http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf.Google Scholar
- Anderson, A., ed., XACML References: Products and Deployments; http://docs.oasisopen.org/xacml/xacmlRefs.html#Products.Google Scholar
- ANSI, Role Based Access Control; ANSI INCITS 359-2004.Google Scholar
- Backes, M., Bagga, W., Karjoth, G., and Schunter, M., Efficient Comparison of Enterprise Privacy Policies, 2004 ACM Symposium on Applied Computing, March 2004. Google ScholarDigital Library
- Backes, M., Durmuth, M., and Karjoth, G., Unification in Privacy Policy Evaluation - Translating EPAL into Prolog, 5th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'04), 2004. Google ScholarDigital Library
- Barth, A., and Mitchell, J.C., Enterprise privacy promises and enforcement, ACM WITS'05, January 10, 2005, Long Beach, CA, USA. Google ScholarDigital Library
- Barth, A., Mitchell, J.C., and Rosenstein, J., Conflict and Combination in Privacy Policy Languages (Summary), Workshop on Privacy in the Electronic Society, 28 October 2004. Google ScholarDigital Library
- Brodie, C., Karat, C-M., and Karat, J., An Empirical Study of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE Policy Workbench, Proceedings of the second symposium on Usable privacy and security SOUPS '06, July 2006. Google ScholarDigital Library
- European Union, Directive on Data Privacy, 1998; http://europa.eu.int/comm/justice_home/doc_centre/privacy/law/index_en.htm.Google Scholar
- Hung, P.C.K., Ferrari, E., and Carminati, B., Towards Standardized Web Services Privacy Technologies, Proceedings of the IEEE International Conference on Web Services (ICWS'04), 2004. Google ScholarDigital Library
- IBM, Enterprise Privacy Authorization Language (EPAL), Version 1.2, 2003; http://www.w3.org/Submission/2003/SUBM-EPAL- 20031110/.Google Scholar
- ISO/IEC, 10181-3:1966 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Access control framework, 1966.Google Scholar
- Mbanaso, U., Cooper, G., Chadwick, D., and Proctor, S., Privacy Preserving Trust Authorization Framework Using XACML, International Symposium on a World of Wireless, Mobile and Multimedia Networks, 2006 (WoWMoM 2006), 26-29 June 2006. Google ScholarDigital Library
- Moses, T., ed., eXtensible Access Control Markup Language (XACML), Version 2.0; OASIS Standard, February 1, 2005; http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml.Google Scholar
- Moses, T., ed., Privacy policy profile of XACML v2.0; OASIS Standard, February 1, 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-privacy_profile-spec-os.pdf.Google Scholar
- Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980; http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.Google Scholar
- Peyton, L., and Nozin, M., Tracking Privacy Compliance in B2B Networks, ACM Sixth International Conference on Electronic Commerce (ICEC'04), 2004. Google ScholarDigital Library
- Schläger, C., A Reference Model for Authentication and Authorization Infrastructures Respecting Privacy and Flexibility in b2c eCommerce, The First International Conference on Availability, Reliability and Security (ARES 2006), 20-22 April 2006. Google ScholarDigital Library
- Stufflebeam, W., Antón, A., He, Q., and Jain, N., Specifying Privacy Policies with P3P and EPAL: Lessons Learned, Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society (WPES'04), October 2004. Google ScholarDigital Library
- Sun Microsystems, Inc., Sun's XACML Open Source Implementation; freely available under a BSD license at http://sunxacml.sourceforge.net/.Google Scholar
- U.S. Government Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA), 1996; http://aspe.hhs.gov/admnsimp/pl104191.htm.Google Scholar
- U.S. Government Securities and Exchange Commission, Sarbanes-Oxley Act of 2002; http://www.sec.gov/about/laws/soa2002.pdf.Google Scholar
- W3C, The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation, 16 April 2002; http://www.w3.org/TR/P3P/.Google Scholar
- W3C, XML Path Language (XPath) Version 1.0, W3C Recommendation, 16 November 1999; http://www.w3.org/TR/xpath.Google Scholar
- W3C, XSL Transformations (XSLT) Version 1.0, W3C Recommendation, 16 November 1999; http://www.w3.org/TR/xslt.Google Scholar
- Westerinen, A., Schnizlein, J., Strassner, J., et al., Terminology for Policy-Based Management, IETF RFC 3198, November 2001; http://www.ietf.org/rfc/rfc3198.txt. Google ScholarDigital Library
- Yavatkar, R., Pendarakis, D., and Guerin, R., A Framework for Policy-based Admission Control, IETF RFC 2753, January 2000; http://www.ietf.org/rfc/rfc2753.txt. Google ScholarDigital Library
Index Terms
- A comparison of two privacy policy languages: EPAL and XACML
Recommendations
Conflict and combination in privacy policy languages
WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic societyMany modern enterprises require methods for guaranteeing compliance with privacy legislation and announced privacy policies. IBM has proposed a formal language, the Enterprise Privacy Authorization Language (EPAL), for describing privacy policies ...
PriPoCoG: Guiding Policy Authors to Define GDPR-Compliant Privacy Policies
Trust, Privacy and Security in Digital BusinessAbstractThe General Data Protection Regulation (GDPR) makes the creation of compliant privacy policies a complex process. Our goal is to support policy authors during the creation of privacy policies, by providing them feedback on the privacy policy they ...
Enterprise privacy promises and enforcement
WITS '05: Proceedings of the 2005 workshop on Issues in the theory of securitySeveral formal languages have been proposed to encode privacy policies, ranging from the Platform for Privacy Preferences (P3P), intended for communicating privacy policies to consumers over the web, to the Enterprise Privacy Authorization Language (...
Comments