Analysis of Privacy Policies to Enhance Informed Consent

  • Raúl Pardo
  • Daniel Le Métayer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11559)


In this paper, we present an approach to enhance informed consent for the processing of personal data. The approach relies on a privacy policy language used to express, compare and analyze privacy policies. We describe a tool that automatically reports the privacy risks associated with a given privacy policy in order to enhance data subjects’ awareness and to allow them to make more informed choices. The risk analysis of privacy policies is illustrated with an IoT example.



This work has been partially funded by the ANR project CISC (Certification of IoT Secure Compilation) and by the Inria Project Lab SPAI.


Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Univ Lyon, Inria, INSA Lyon, CITI, Villeurbanne, France
