YaPPL - A Lightweight Privacy Preference Language for Legally Sufficient and Automated Consent Provision in IoT Scenarios

  • Max-R. UlbrichtEmail author
  • Frank Pallas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11025)


In this paper, we present YaPPL—a Privacy Preference Language explicitly designed to fulfill consent-related requirements of the GDPR as well as to address technical givens of IoT scenarios. We analyze what criteria consent must meet in order to be legally sufficient and translate these into a formal representation of consent as well as into functional requirements that YaPPL must fulfill. Taking into account further nonfunctional requirements particularly relevant in the IoT context, we then derive a specification of YaPPL, which we prototypically implemented in a reusable software library and successfully instantiated in a proof of concept scenario, paving the way for viable technical implementations of legally sufficient consent mechanisms in the IoT.


Privacy preference language Internet of Things Consent 


  1. 1.
    Serializing data speed comparison: Marshal vs. JSON vs. Eval vs. YAML.
  2. 2.
    OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)Google Scholar
  3. 3.
    Online, Privacy: A Report to Congress. Technical report, FTC, June 1998Google Scholar
  4. 4.
    ISO/IEC 29100:2011 - Information technology - Security techniques - Privacy framework (2011)Google Scholar
  5. 5.
    eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard (2013)Google Scholar
  6. 6.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official J. Eur. Union L 119/1, pp. 1–88, April 2016Google Scholar
  7. 7.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: XPref: a preference language for P3P. Comput. Networks 48(5), 809–827 (2005)CrossRefGoogle Scholar
  8. 8.
    Article 29 Data Protection Working Party: Opinion 15/2011 on the definition of consent. Technical report, July 2011Google Scholar
  9. 9.
    Article 29 Data Protection Working Party: Opinion 8/2014 on the on Recent Developments on the Internet of Things. Technical report 14/EN WP 223, September 2014Google Scholar
  10. 10.
    Article 29 Data Protection Working Party: Guidelines on Consent under Regulation 2016/679. Technical report WP259 rev.01 (2018)Google Scholar
  11. 11.
    Byun, J.W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, SACMAT 2005, pp. 102–110. ACM, New York, NY, USA (2005).
  12. 12.
    Cranor, L., Langheinrich, M., Marchiori, M.: A P3P preference exchange language 1.0 (APPEL1.0). Technical report, World Wide Web Consortium (2002)Google Scholar
  13. 13.
    Cranor, L.F.: Web Pivacy with P3P. O’Reilly Media, Sebastopol (2002)Google Scholar
  14. 14.
    Eriksson, M., Hallberg, V.: Comparison between JSON and YAML for data serialization. Technical report, The School of Computer Science and Engineering Royal Institute of Technology (2011)Google Scholar
  15. 15.
    Ghani, N.A., Selamat, H., Sidek, Z.M.: Credential purpose-based access control for personal data protection. J. Web Eng. 14(3&4), 346–360 (2015)Google Scholar
  16. 16.
    Guinard, D., Trifa, V., Mattern, F., Wilde, E.: From the Internet of Things to the web of things: resource-oriented architecture and best practices. In: Uckelmann, D., Harrison, M., Michahelles, F. (eds.) Architecting the Internet of Things, pp. 97–129. Springer, Heidelberg (2011). Scholar
  17. 17.
    Henze, M., Hiller, J., Schmerling, S., Ziegeldorf, J.H., Wehrle, K.: CPPL: compact privacy policy language. In: Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society, WPES 2016, pp. 99–110. ACM, New York(2016).
  18. 18.
    Kabir, M.E., Wang, H., Bertino, E.: A role-involved purpose-based access control model. Inf. Syst. Front. 14(3), 809–822 (2012)CrossRefGoogle Scholar
  19. 19.
    Kasem-Madani, S., Meier, M.: Security and privacy policy languages: a survey, categorization and gap identification (2015)Google Scholar
  20. 20.
    Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Comput. Surv. (CSUR) 37(4), 316–344 (2005)CrossRefGoogle Scholar
  21. 21.
    Nurseitov, N., Paulson, M., Reynolds, R., Izurieta, C.: Comparison of JSON and XML data interchange formats: a case study. In: Proceedings of the ISCA 22nd International Conference on Computer Applications in Industry and Engineering, CAINE 2009, pp. 157–162, San Francisco, California, USA (2009)Google Scholar
  22. 22.
    Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., Riegg, A.: Internet of Things patterns, pp. 1–21. ACM Press (2016)Google Scholar
  23. 23.
    Satyanarayanan, M.: The emergence of edge computing. Computer 50(1), 30–39 (2017). Scholar
  24. 24.
    Shi, W., Dustdar, S.: The promise of edge computing. Computer 49(5), 78–81 (2016). Scholar
  25. 25.
    Trabelsi, S., Sendor, J., Reinicke, S.: PPL: primelife privacy policy engine. In: 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, pp. 184–185, June 2011.
  26. 26.
    Ulbricht, M.-R., Pallas, F.: CoMaFeDS - consent management for federated data sources. In: Proceedings of the 2016 IEEE International Conference on Cloud Engineering Workshops, pp. 106–111. IEEE, Berlin (2016).
  27. 27.
    Westin, A.F.: Privacy and Freedom. Atheneum, New York (1967)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.TU Berlin, Information Systems EngineeringBerlinGermany

Personalised recommendations