Abstract
Enterprises collect a large amount of personal data about their customers. Even though enterprises promise privacy to their customers using privacy statements or P3P, there is no methodology to enforce these promises throughout and across multiple enterprises. This article describes the Platform for Enterprise Privacy Practices (E-P3P), which defines technology for privacy-enabled management and exchange of customer data. Its comprehensive privacy-specific access control language expresses restrictions on the access to personal data, possibly shared between multiple enterprises. E-P3P separates the enterprise-specific deployment policy from the privacy policy that covers the complete life cycle of collected data. E-P3P introduces a viable separation of duty between the three “administrators” of a privacy system: The privacy officer designs and deploys privacy policies, the security officer designs access control policies, and the customers can give consent while selecting opt-in and opt-out choices.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
M. Abrams. Renewed understanding of access control policies. In 16th National Computer Security Conference, pages 87–96, 1993.
K. Beznosov: Information Enterprise Architectures: Problems and Perspectives. School of Computer Science, PhD Thesis, Florida International University, June 2000.
P. Bonatti, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. An access control system for data archives. In 16th IFIP-TC11 International Conference on Information Security. Paris, France, June 2001.
K. Bohrer and B. Holland (eds.): The Customer Profile Exchange (CPexchange) Specification; Version 1.0, International Digital Enterprise Alliance, October 20, 2000 (from http://www.cpexchange.org).
S. Fischer-Hübner: IT-Security and Privacy. Lecture Notes in Computer Science 1958, Springer-Verlag, 2001.
S. Hada and M. Kudo. XML Access Control Language: Provisional Authorization for XML Documents, Tokyo Research Laboratory, IBM Research, October 16, 2000 (from http://www.trl.ibm.com/projects/xml/xacl/).
S. Jajodia, M. Kudo, and V S. Subrahmanian. Provisional authorization. In A. Ghosh, editor, E-commerce Security and Privacy, pages 133–159. Klu wer Academic Publishers, 2001. Also published in Workshop on Security and Privacy in E-Commerce (WSPEC), 2000.
G. Karjoth and M. Schunter. A Privacy Policy Model for Enterprises. In 15th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 2002.
M. Kudo and S. Hada. XML Document Security based on Provisional Authorizations. In 7th ACM Conference on Computer and Communications Security, pages 87–96, 2000.
C. J. McCollum, J. R. Messing, and L. Notargiacomo. Beyond the pale of MAC and DAC-defining new forms of access control. In IEEE Symposium on Security and Privacy, pages 190–200, 1990.
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation, 16 April 2002 (from http://www.w3.org/TR/2002/REC-P3P-20020416/).
R. Sandhu, E. Coyne, H. Feinstein, and C. Youman: Role-based Access Control Models, IEEE Computer, 28/2 (1996) 38–47.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Karjoth, G., Schunter, M., Waidner, M. (2003). Platform for Enterprise Privacy Practices: Privacy-Enabled Management of Customer Data. In: Dingledine, R., Syverson, P. (eds) Privacy Enhancing Technologies. PET 2002. Lecture Notes in Computer Science, vol 2482. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36467-6_6
Download citation
DOI: https://doi.org/10.1007/3-540-36467-6_6
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00565-0
Online ISBN: 978-3-540-36467-2
eBook Packages: Springer Book Archive