Abstract
Privacy is a prime concern in today’s information society. To protect the privacy of individuals, enterprises must follow certain privacy practices while collecting or processing personal data. In this chapter we look at the setting where an enterprise collects private data on its website, processes it inside the enterprise and shares it with partner enterprises. In particular, we analyse three different privacy systems that can be used in the different stages of this lifecycle. One of them is the audit logic, recently introduced, which can be used to keep data private while travelling across enterprise boundaries. We conclude with an analysis of the features and shortcomings of these systems.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Dekker, M., Etalle, S., den Hartog, J. (2007). Privacy Policies. In: Petković, M., Jonker, W. (eds) Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69861-6_25
DOI: https://doi.org/10.1007/978-3-540-69861-6_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69860-9
Online ISBN: 978-3-540-69861-6
eBook Packages: Computer Science, Computer Science (R0)