Electronic Markets, Volume 24, Issue 2, pp 101–112

On the design of a privacy aware authorization engine for collaborative environments

  • Fotios I. Gogoulos
  • Anna Antonakopoulou
  • Georgios V. Lioudakis
  • Aziz S. Mousas
  • Dimitra I. Kaklamani
  • Iakovos S. Venieris
Special Theme

Abstract

Business networking has substantially reshaped common enterprise procedures and has paved the way for the development of ground-breaking information sharing patterns and inter-organizational cooperative practices. Yet, critical issues still stand unaddressed; privacy and sensitive information confidentiality implications threaten to diminish the economic and social benefits derived from online collaboration. Nevertheless, privacy preservation refers to a multidimensional and cross-disciplinary subject, accompanied by both legal as well as technical challenges. In this context, this paper describes the design of a privacy-aware decision engine operating within synergistic contexts. Decision making regarding the production of authorizations and information usage rules is founded on a detailed privacy context and the enforcement of a deductive reasoning algorithm. The proposed reasoning process spans two distinct phases, taking into account an a priori perspective of the system while at the same time maintaining responsiveness in dynamic contexts.

Keywords

Privacy; Authorization; Decision engine; Access control

JEL classification

O32 

Copyright information

© Institute of Information Management, University of St. Gallen 2014

Authors and Affiliations

  • Fotios I. Gogoulos (1)
  • Anna Antonakopoulou (1)
  • Georgios V. Lioudakis (1)
  • Aziz S. Mousas (1)
  • Dimitra I. Kaklamani (1)
  • Iakovos S. Venieris (1)

  1. School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
