Efficient comparison of enterprise privacy policies

Enterprise privacy policies often reflect different legal regulations, promises made to customers, and more restrictive enterprise-internal practices. The notion of policy refinement is fundamental for privacy policies: it allows one to check whether a company's policy fulfills regulations or adheres to standards set by customer organizations, to realize the "sticky policy paradigm" that addresses transferring data from one realm to another in a privacy-preserving way, and much more. Although well established in theory, the problem of how to efficiently check whether one policy refines another has been left open in the privacy policy literature. We present a practical algorithm for this task, concentrating on those aspects that make refinement of privacy policies more difficult than, for example, refinement of access control policies, such as a more sophisticated treatment of deny rules and a suitable way of dealing with obligations and conditions on context information.
