Abstract
In the Internet era, enterprises want to use personal information of their own or other enterprises’ subscribers, and even provide it to other enterprises for their profit. On the other hand, subscribers to Internet enterprises expect their privacy to be securely protected. Therefore, a conflict between enterprises and subscribers can arise in using personal information for the enterprises’ benefits. In this paper, we introduce a privacy policy model and propose a policy-based privacy authorization system. The privacy policy model is used for authoring privacy policies and the privacy authorization system renders the authorization decision based on the privacy policies. In the proposed system, policies for enterprises and subscribers are described in XACML, an XML-based OASIS standard language for access control policies. In addition, we show the details of how the procedure of the privacy authorization and conflict resolution is processed in the proposed system.
This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Assessment).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Magnuson, G., Reid, P.: Privacy and Identity Management Survey. In: IAPP Conference (2004)
Privacy and Security Best Practices. Liberty Alliance Project (2003)
Who Goes There?: Authentication Through the Lens of Privacy. Computer Science and Telecommunications Board (2003), http://www.nap.edu/catalog/10656.html
PRIME: Privacy and Identity Management for Europe Date of preparation. PRIME Project (2004), http://www.prime-project.eu.org/
Sun’s XACML Implementation. SUN (2005), http://sunxacml.sourceforge.net/
eXtensible Access Control Markup Language. OASIS (2005), http://www.oasis-open.org
Choi, H.-C., Lee, S.-Y., Lee, H.-H.: PIMS: An Access-Control based Privacy Model for Identity Management Systems. GESTS International Transaction on Computer Science and Engineering 9(1) (2005) (ISSN 1738-6438)
Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.2). W3C (2003), http://www.w3.org/Submission/2003/SUBM-EPAL-20031110
Yee, G., Korba, L.: An Agent Architecture for E-Services Privacy Policy Compliance. Advanced Information Networking and Application (2005)
Cranor, L.F.: Web Privacy with P3P. O’Reilly, Sebastopol (2002)
Lu, C.: P3P in the Context of Legislation and Education. Sensitive Information in a Wired World (2003)
XML SPY. Altova (2004), http://www.xml.com/pub/p/15
Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-P3P, Privacy Policies and Privacy Authorization. WPES (November 2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Choi, H., Lee, S., Lee, H. (2006). Design and Implementation of a Policy-Based Privacy Authorization System. In: Mehrotra, S., Zeng, D.D., Chen, H., Thuraisingham, B., Wang, FY. (eds) Intelligence and Security Informatics. ISI 2006. Lecture Notes in Computer Science, vol 3975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11760146_12
Download citation
DOI: https://doi.org/10.1007/11760146_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34478-0
Online ISBN: 978-3-540-34479-7
eBook Packages: Computer ScienceComputer Science (R0)