Article

A comparison of two privacy policy languages: EPAL and XACML

Author:

Anne H. AndersonAuthors Info & Claims

SWS '06: Proceedings of the 3rd ACM workshop on Secure web services

Pages 53 - 60

https://doi.org/10.1145/1180367.1180378

Published: 03 November 2006 Publication History

Abstract

Current regulatory requirements in the U.S. and other countries make it increasingly important for Web Services to be able to enforce and verify their compliance with privacy policies. Structured policy languages can play a major role by supporting automated enforcement of policies and auditing of access decisions. This paper compares two policy languages that have been developed for use in expressing directly enforceable privacy policies -- the Enterprise Privacy Authorization Language (EPAL) and the OASIS Standard eXtensible Access Control Markup Language (XACML), together with its standard privacy profile.

References

[1]

Agrawal, R., Kini, A., LeFevre, K., Wang, A., Xu, Y., and Zhou, D., Managing Healthcare Data Hippocratically, ACM SIGMOD 2004, June 13-18, 2004, Paris, France.

Digital Library

[2]

Anderson, A., Comparing Two Privacy Policy Languages: EPAL and XACML, Sun Microsystems Laboratories Technical Report 2005-147, 2005; http://research.sun.com/techrep/2005/smli_tr-2005-147/TRCompareEPALandXACML.html.

[3]

Anderson, A., ed., Core and hierarchical role based access control (RBAC) profile of XACML v2.0; OASIS Standard, February 1, 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.

[4]

Anderson, A., ed., Hierarchical resource profile of XACML v2.0, OASIS Standard, 1 February 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-hier-profilespec-os.pdf.

[5]

Anderson, A., and Lockhart, H., eds., SAML 2.0 profile of XACML v2.0, OASIS Standard, 1 February 2005; http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf.

[6]

Anderson, A., ed., XACML References: Products and Deployments; http://docs.oasisopen.org/xacml/xacmlRefs.html#Products.

[7]

ANSI, Role Based Access Control; ANSI INCITS 359-2004.

[8]

Backes, M., Bagga, W., Karjoth, G., and Schunter, M., Efficient Comparison of Enterprise Privacy Policies, 2004 ACM Symposium on Applied Computing, March 2004.

Digital Library

[9]

Backes, M., Durmuth, M., and Karjoth, G., Unification in Privacy Policy Evaluation - Translating EPAL into Prolog, 5th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'04), 2004.

Digital Library

[10]

Barth, A., and Mitchell, J.C., Enterprise privacy promises and enforcement, ACM WITS'05, January 10, 2005, Long Beach, CA, USA.

Digital Library

[11]

Barth, A., Mitchell, J.C., and Rosenstein, J., Conflict and Combination in Privacy Policy Languages (Summary), Workshop on Privacy in the Electronic Society, 28 October 2004.

Digital Library

[12]

Brodie, C., Karat, C-M., and Karat, J., An Empirical Study of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE Policy Workbench, Proceedings of the second symposium on Usable privacy and security SOUPS '06, July 2006.

Digital Library

[13]

European Union, Directive on Data Privacy, 1998; http://europa.eu.int/comm/justice_home/doc_centre/privacy/law/index_en.htm.

[14]

Hung, P.C.K., Ferrari, E., and Carminati, B., Towards Standardized Web Services Privacy Technologies, Proceedings of the IEEE International Conference on Web Services (ICWS'04), 2004.

Digital Library

[15]

IBM, Enterprise Privacy Authorization Language (EPAL), Version 1.2, 2003; http://www.w3.org/Submission/2003/SUBM-EPAL- 20031110/.

[16]

ISO/IEC, 10181-3:1966 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Access control framework, 1966.

[17]

Mbanaso, U., Cooper, G., Chadwick, D., and Proctor, S., Privacy Preserving Trust Authorization Framework Using XACML, International Symposium on a World of Wireless, Mobile and Multimedia Networks, 2006 (WoWMoM 2006), 26-29 June 2006.

Digital Library

[18]

Moses, T., ed., eXtensible Access Control Markup Language (XACML), Version 2.0; OASIS Standard, February 1, 2005; http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml.

[19]

Moses, T., ed., Privacy policy profile of XACML v2.0; OASIS Standard, February 1, 2005; http://docs.oasisopen.org/xacml/2.0/access_control-xacml-2.0-privacy_profile-spec-os.pdf.

[20]

Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980; http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

[21]

Peyton, L., and Nozin, M., Tracking Privacy Compliance in B2B Networks, ACM Sixth International Conference on Electronic Commerce (ICEC'04), 2004.

Digital Library

[22]

Schläger, C., A Reference Model for Authentication and Authorization Infrastructures Respecting Privacy and Flexibility in b2c eCommerce, The First International Conference on Availability, Reliability and Security (ARES 2006), 20-22 April 2006.

Digital Library

[23]

Stufflebeam, W., Antón, A., He, Q., and Jain, N., Specifying Privacy Policies with P3P and EPAL: Lessons Learned, Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society (WPES'04), October 2004.

Digital Library

[24]

Sun Microsystems, Inc., Sun's XACML Open Source Implementation; freely available under a BSD license at http://sunxacml.sourceforge.net/.

[25]

U.S. Government Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA), 1996; http://aspe.hhs.gov/admnsimp/pl104191.htm.

[26]

U.S. Government Securities and Exchange Commission, Sarbanes-Oxley Act of 2002; http://www.sec.gov/about/laws/soa2002.pdf.

[27]

W3C, The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation, 16 April 2002; http://www.w3.org/TR/P3P/.

[28]

W3C, XML Path Language (XPath) Version 1.0, W3C Recommendation, 16 November 1999; http://www.w3.org/TR/xpath.

[29]

W3C, XSL Transformations (XSLT) Version 1.0, W3C Recommendation, 16 November 1999; http://www.w3.org/TR/xslt.

[30]

Westerinen, A., Schnizlein, J., Strassner, J., et al., Terminology for Policy-Based Management, IETF RFC 3198, November 2001; http://www.ietf.org/rfc/rfc3198.txt.

Digital Library

[31]

Yavatkar, R., Pendarakis, D., and Guerin, R., A Framework for Policy-based Admission Control, IETF RFC 2753, January 2000; http://www.ietf.org/rfc/rfc2753.txt.

Digital Library

Cited By

Nguyen DAutrel FBouabdallah ADoyen G(2023)A Robust Approach for the Detection and Prevention of Conflicts in I2NSF Security PoliciesNOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium10.1109/NOMS56928.2023.10154304(1-7)Online publication date: 8-May-2023
https://doi.org/10.1109/NOMS56928.2023.10154304
Gebauer MMaschhur FLeschke NGrünewald EPallas F(2023)A ‘Human-in-the-Loop’ approach for Information Extraction from Privacy Policies under Data Scarcity2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00014(76-83)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSPW59978.2023.00014
Bartsch JDehling TLauf FMeister SSunyaev A(2022)Let the Computer Say NO! The Neglected Potential of Policy Definition Languages for Data SovereigntySelbstbestimmung, Privatheit und Datenschutz10.1007/978-3-658-33306-5_22(449-468)Online publication date: 6-Apr-2022
https://doi.org/10.1007/978-3-658-33306-5_22
Show More Cited By

Index Terms

A comparison of two privacy policy languages: EPAL and XACML

Recommendations

Conflict and combination in privacy policy languages
WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society

Many modern enterprises require methods for guaranteeing compliance with privacy legislation and announced privacy policies. IBM has proposed a formal language, the Enterprise Privacy Authorization Language (EPAL), for describing privacy policies ...
Efficient comparison of enterprise privacy policies
SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

Enterprise privacy policies often reflect different legal regulations, promises made to customers, as well as more restrictive enterprise-internal practices. The notion of policy refinement is fundamental for privacy policies, as it allows one to check ...
PriPoCoG: Guiding Policy Authors to Define GDPR-Compliant Privacy Policies
Trust, Privacy and Security in Digital Business
Abstract
The General Data Protection Regulation (GDPR) makes the creation of compliant privacy policies a complex process. Our goal is to support policy authors during the creation of privacy policies, by providing them feedback on the privacy policy they ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SWS '06: Proceedings of the 3rd ACM workshop on Secure web services

November 2006

120 pages

ISBN:1595935460

DOI:10.1145/1180367

General Chair:
Ari Juels
RSA Laboratories
,
Program Chairs:
Ernesto Damiani
University of Milan, Italy
,
Alban Gabillon
University of Pau, France

Copyright © 2006 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS06

Sponsor:

CCS06: 13th ACM Conference on Computer and Communications Security 2006

November 3, 2006

Virginia, Alexandria, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

56
Total Citations
View Citations
1,318
Total Downloads

Downloads (Last 12 months)14
Downloads (Last 6 weeks)4

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Nguyen DAutrel FBouabdallah ADoyen G(2023)A Robust Approach for the Detection and Prevention of Conflicts in I2NSF Security PoliciesNOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium10.1109/NOMS56928.2023.10154304(1-7)Online publication date: 8-May-2023
https://doi.org/10.1109/NOMS56928.2023.10154304
Gebauer MMaschhur FLeschke NGrünewald EPallas F(2023)A ‘Human-in-the-Loop’ approach for Information Extraction from Privacy Policies under Data Scarcity2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00014(76-83)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSPW59978.2023.00014
Bartsch JDehling TLauf FMeister SSunyaev A(2022)Let the Computer Say NO! The Neglected Potential of Policy Definition Languages for Data SovereigntySelbstbestimmung, Privatheit und Datenschutz10.1007/978-3-658-33306-5_22(449-468)Online publication date: 6-Apr-2022
https://doi.org/10.1007/978-3-658-33306-5_22
Patel ADebnath N(2022)Security Ontologies: An Investigation of Pitfall RateData Science with Semantic Technologies10.1002/9781119865339.ch7(179-197)Online publication date: 25-Oct-2022
https://doi.org/10.1002/9781119865339.ch7
Kebede MSileno GVan Engers T(2021)A Critical Reflection on ODRLAI Approaches to the Complexity of Legal Systems XI-XII10.1007/978-3-030-89811-3_4(48-61)Online publication date: 27-Nov-2021
https://doi.org/10.1007/978-3-030-89811-3_4
Verma DCalo SWitherspoon SManotas IBertino EJabal ACirincione GSwami APearson Gde Mel G(2019)Self-Generating Policies for Machine Learning in Coalition EnvironmentsGene Prediction10.1007/978-3-030-17277-0_3(42-65)Online publication date: 25-Apr-2019
https://doi.org/10.1007/978-3-030-17277-0_3
Qiao XWang LQin BChen HZhao S(2018)Privacy Protection Method Based on Access Control2018 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC)10.23919/APSIPA.2018.8659546(254-259)Online publication date: Nov-2018
https://doi.org/10.23919/APSIPA.2018.8659546
Anthonysamy PRashid AChitchyan RFerrario MPernici B(2017)Privacy requirementsProceedings of the 39th International Conference on Software Engineering: Software Engineering in Society Track10.1109/ICSE-SEIS.2017.3(13-22)Online publication date: 20-May-2017
https://dl.acm.org/doi/10.1109/ICSE-SEIS.2017.3
Kawada YYano KMizuno YTsuchiya TFujisaki Y(2017)Data access control for energy-related services in smart public infrastructuresComputers in Industry10.1016/j.compind.2017.03.00288:C(35-43)Online publication date: 1-Jun-2017
https://dl.acm.org/doi/10.1016/j.compind.2017.03.002
Karimi VAlencar PCowan D(2017)A formal modeling and analysis approach for access control rules, policies, and their combinationsInternational Journal of Information Security10.1007/s10207-016-0314-416:1(43-74)Online publication date: 1-Feb-2017
https://dl.acm.org/doi/10.1007/s10207-016-0314-4
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten