A comparison of two privacy policy languages: EPAL and XACML

Current regulatory requirements in the U.S. and other countries make it increasingly important for Web services to be able to enforce, and to verify, their compliance with privacy policies. Structured policy languages can play a major role here by supporting automated enforcement of policies and auditing of the resulting access decisions. This paper compares two policy languages that have been developed for expressing directly enforceable privacy policies: the Enterprise Privacy Authorization Language (EPAL) and the OASIS Standard eXtensible Access Control Markup Language (XACML), together with its standard privacy profile.
