Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Privacy-aware access control with trust management in web service


With the significant development of mobile commerce, privacy becomes a major concern for both customers and enterprises. Although data generalization can provide significant protection of an individual’s privacy, over-generalized data may render data of little value or useless. In this paper, we devise generalization boundary techniques to maximize data usability while, minimizing disclosure of privacy. Inspired by the fact that the permissible generalization level results in a much finer level access control, we propose a privacy-aware access control model in web service environments. We also analyze how to manage a valid access process through a trust-based decision and ongoing access control policies. The extensive experiments on both real-world and synthetic data sets show that the proposed privacy aware access control model is practical and effective.

This is a preview of subscription content, log in to check access.


  1. 1.

    Adam, N.R., Worthmann, J.C.: Security-control methods for statistical databases: a comparative study. CSUR 21(4), 515–556 (1989)

  2. 2.

    Agrawal, R., Evmievski, A., Srikant, R.: Information sharing across private databases. In: Proc. of the 2003 ACM SIGMOD Int. Conf. on Management of Data. ACM Press (2003)

  3. 3.

    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: Proceedings of the 28th International Conference on Very Large Databases (VLDB) (2002)

  4. 4.

    Ashley, P., Powers, C.S., Schunter, M.: Privacy promises, access control, and privacy management. In: Third International Symposium on Electronic Commerce (2002)

  5. 5.

    Byun, J.W., Bertino, E.: Micro-views, or on how to protect privacy while enhancing data usability: concepts and challenges. SIGMOD Rec. 35(1), 9–13 (2006)

  6. 6.

    Byun, J.W., Bertino, E., Li, N.: Purpose Based Access Control for Privacy Protection in Relational Database Systems. Technical Report 2004-52, Purdue University (2004)

  7. 7.

    Byun, J.W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Symposium on Access Control Model And Technologies (SACMAT) (2005)

  8. 8.

    Dong, X., Madhavan, J., Nemes, E.: Reference reconciliation in complex information spaces. In: ACM International Conference on Management of Data (SIGMOD) (2005)

  9. 9.

    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)

  10. 10.

    Jajodia, S., Sandhu, R.: Toward a multilevel secure relational data model. In: ACM International Conference on Management of Data (SIGMOD), pp. 50–59. ACM Press, New York (1991)

  11. 11.

    LeFevre, K., Agrawal, R., Ercegovac, V., Ramakrishnan, R., Xu, Y., DeWitt, D.: Disclosure in hippocratic databases. In: The 30th International Conference on Very Large Databases (VLDB) (2004)

  12. 12.

    Lin, C., Varadharajan, V.: Trust enhanced security for mobile agents. In: Proc of the 7th IEEE International Conference on E-Commerce Technology, CEC 2005, Germany, July 2005. ISBN 0-7695-2277-7; ISSN 1530-1354 (2005)

  13. 13.

    Sandhu, R.: Role hierarchies and constraints for lattice-based access controls. In: European Symposium on Research in Security and Privacy (1996)

  14. 14.

    Sandhu, R., Chen, F.: The multilevel relational data model. ACM Trans. Inf. Syst. Secur. 1(1), 93–132 (1998)

  15. 15.

    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role based access control models. IEEE Computer 29(2), 38–47 (1996)

  16. 16.

    Sarawagi, S., Bhamidipaty, A.: Interactive deduplication using active learning. In: ACM International conference on Knowledge discovery and data mining (SIGKDD) (2002)

  17. 17.

    Seamons, K., Winslett, M., Yu, T.: Limiting the disclosure of access control policies during automated trust negotiation. In: Proc. of NDSS’01, pp. 109–125. IEEE Press (2001)

  18. 18.

    Sun, X., Wang, H., Li, J., Truta, T.M.: Enhanced P-sensitive K-anonymity models for privacy preserving data publishing. Transactions on Data Privacy (TDP) 1(2), 53–66 (2008)

  19. 19.

    Sun, X., Wang, H., Li, J.: L-diversity based dynamic update for large time-evolving microdata. Australasian Conference on Artificial Intelligence (AI) 2008, 461–469 (2008)

  20. 20.

    Sweeney, L.: Achieving k-anonymity privacy protection using generalization and suppression. International Journal on Uncertainty, Fuzziness, and Knowledge-based Systems (IJUFKS) 10(5), 571–588 (2002)

  21. 21.

    Tumer, A., Dogac, A., Toroslu, H.: A semantic based privacy framework for web services. In: Proc. of ESSW’03 (2003)

  22. 22.

    Wang, Y., Vassileva, J.: Trust and reputation model in collaborative networks. In: Proc. 3rd IEEE Int. Conf. Collaborative Computing, pp. 150–157 (2003)

  23. 23.

    Westin, A.: E-Commerce and Privacy: What Net Users Want. Technical Report, Louis Harris & Associates (1998)

  24. 24.

    Westin, A.: Freebies and Privacy: What Net Users Think. Technical Report, Opinion Research Corporation (1999)

  25. 25.

    World Wide Web Consortium (W3C). A P3P Preference Exchange Language 1.0 (APPEL 1.0). Available at www.w3.org/TR/P3P-preferences

  26. 26.

    World Wide Web Consortium (W3C). Platform for Privacy Preferences (P3P). Available at www.w3.org/P3P

Download references

Author information

Correspondence to Min Li or Xiaoxun Sun.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Li, M., Sun, X., Wang, H. et al. Privacy-aware access control with trust management in web service. World Wide Web 14, 407–430 (2011). https://doi.org/10.1007/s11280-011-0114-8

Download citation


  • access control
  • privacy protection
  • generalization boundary