Design and Implementation of a Policy-Based Privacy Authorization System

  • HyangChang Choi
  • SeungYong Lee
  • HyungHyo Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)


In the Internet era, enterprises want to use personal information of their own or other enterprises’ subscribers, and even provide it to other enterprises for their profit. On the other hand, subscribers to Internet enterprises expect their privacy to be securely protected. Therefore, a conflict between enterprises and subscribers can arise in using personal information for the enterprises’ benefits. In this paper, we introduce a privacy policy model and propose a policy-based privacy authorization system. The privacy policy model is used for authoring privacy policies and the privacy authorization system renders the authorization decision based on the privacy policies. In the proposed system, policies for enterprises and subscribers are described in XACML, an XML-based OASIS standard language for access control policies. In addition, we show the details of how the procedure of the privacy authorization and conflict resolution is processed in the proposed system.


Personal Information Privacy Policy Privacy Protection Access Control Policy Access Mode 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Magnuson, G., Reid, P.: Privacy and Identity Management Survey. In: IAPP Conference (2004)Google Scholar
  2. 2.
    Privacy and Security Best Practices. Liberty Alliance Project (2003)Google Scholar
  3. 3.
    Who Goes There?: Authentication Through the Lens of Privacy. Computer Science and Telecommunications Board (2003),
  4. 4.
    PRIME: Privacy and Identity Management for Europe Date of preparation. PRIME Project (2004),
  5. 5.
    Sun’s XACML Implementation. SUN (2005),
  6. 6.
    eXtensible Access Control Markup Language. OASIS (2005),
  7. 7.
    Choi, H.-C., Lee, S.-Y., Lee, H.-H.: PIMS: An Access-Control based Privacy Model for Identity Management Systems. GESTS International Transaction on Computer Science and Engineering 9(1) (2005) (ISSN 1738-6438)Google Scholar
  8. 8.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.2). W3C (2003),
  9. 9.
    Yee, G., Korba, L.: An Agent Architecture for E-Services Privacy Policy Compliance. Advanced Information Networking and Application (2005)Google Scholar
  10. 10.
    Cranor, L.F.: Web Privacy with P3P. O’Reilly, Sebastopol (2002)Google Scholar
  11. 11.
    Lu, C.: P3P in the Context of Legislation and Education. Sensitive Information in a Wired World (2003)Google Scholar
  12. 12.
    XML SPY. Altova (2004),
  13. 13.
    Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-P3P, Privacy Policies and Privacy Authorization. WPES (November 2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • HyangChang Choi
    • 1
  • SeungYong Lee
    • 1
  • HyungHyo Lee
    • 2
  1. 1.Dept. of Information SecurityChonnam National UniversityGwangjuKorea
  2. 2.Div. of Information and ECWonkwang UniversityIksanKorea

Personalised recommendations