Enterprise privacy promises and enforcement
\begin{bibtex}
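@inproceedings{Barth-Mitchell-05,
  author    = {Barth, Adam and Mitchell, John C.},
  title     = {Enterprise privacy promises and enforcement},
  booktitle = {{WITS} '05: Proceedings of the 2005 workshop on Issues in
the theory of security},
  year      = {2005},
  isbn      = {1-58113-980-2},
  pages     = {58--66},
  location  = {Long Beach, California},
  doi       = {10.1145/1045405.1045412},
  publisher = {ACM},
  address   = {New York, NY, USA},
  abstract  = {Several formal languages have been proposed to encode
privacy policies, ranging from the Platform for Privacy Preferences
(P3P), intended for communicating privacy policies to consumers over
the web, to the Enterprise Privacy Authorization Language (EPAL),
intended to enable policy enforcement within an enterprise. However,
current technology does not allow an enterprise to determine whether
its detailed, internal enforcement policy meets its published privacy
promises. We present a data-centric, unified model for privacy,
equipped with a modal logic for reasoning about permission inheritance
across data hierarchies. We use this model to critique two privacy
preference languages (APPEL and XPref), to justify P3P's policy
summarization algorithm, and to connect privacy policy languages, such
as EPAL. Specifically, we characterize when one policy enforces
another and provide an algorithm for generating the most specific
privacy promises, at a given level of detail, guaranteed by a more
detailed enforcement policy.},
  topic     = {Privacy},
}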
\end{bibtex}
