Abstract
The protection of privacy is an increasing concern in today’s global infrastructure. One of the most important privacy protection principles states that personal information collected for one purpose may not be used for any other purpose without the specific informed consent of the person it concerns. Although users provide personal information for use in one specific context, they often have no idea on how such a personal information may be used subsequently.
In this paper, we introduce a new type of privacy policy, called data handling policy, which defines how the personal information release will be (or should be) dealt with at the receiving party. A data handling policy allows users to define simple and appropriate levels of control over who sees what information about them and under which circumstances.
Keywords
- Service Provider
- Access Control
- Personal Information
- Policy Language
- Access Control Policy
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Chapter PDF
References
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An xpath based preference language for P3P. In: Proc. of the 12th International World Wide Web Conference, Budapest, Hungary (May 2003)
Ahn, G.-J., Lam, J.: Managing privacy preferences in federated identity management. In: Proc. of the ACM Workshop on Digital Identity Management (In conjunction with 12th ACM Conference on Computer and Communications Security), Fairfax, VA, USA (November 2005)
Ardagna, C.A., Cremonini, M., Damiani, E., di Vimercati, S.d.C., Samarati, P.: Supporting location-based conditions in access control policies. In: Proc. of the ASIACCS 2006, Taipei, Taiwan (March 2006)
Ardagna, C.A., Damiani, E., di Vimercati, S.d.C., Samarati, P.: Towards privacy-enhanced authorization policies and languages. In: Proc. of the 19th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (IFIP), Nathan Hale Inn, University of Connecticut, Storrs, USA (2005)
Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-p3p privacy policies and privacy authorization. In: Proc. of the ACM Workshop on Privacy in the Electronic Society (WPES 2002), Washington, DC, USA (November 2002)
Bettini, C., Jajodia, S., Sean Wang, X., Wijesekera, D.: Provisions and obligations in policy management and security applications. In: Proc. of the 28th VLDB Conference, Hong Kong, China (August 2002)
Bonatti, P.A., Olmedilla, D.: Driving and monitoring provisional trust negotiation with metapolicies. In: Proc. of the IEEE 6th International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), Stockholm, Sweden (June 2005)
Bonatti, P.A., Samarati, P.: A unified framework for regulating access and information release on the web. Journal of Computer Security 10(3), 241–272 (2002)
Chandramouli, R.: Privacy protection of enterprise information through inference analysis. In: IEEE 6th International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), Stockholm, Sweden (June 2005)
Cranor, L.F.: Web Privacy with P3P. O’Reilly & Associates, Sebastopol (2002)
eXtensible Access Control Markup Language (XACML) Version 2.0 pdf (February 2005), http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os
Gavriloaie, R., Nejdl, W., Olmedilla, D., Seamons, K., Winslett, M.: No registration needed: How to use declarative policies and negotiation to access sensitive resources on the semantic web. In: Bussler, C.J., Davies, J., Fensel, D., Studer, R. (eds.) ESWS 2004. LNCS, vol. 3053, pp. 342–356. Springer, Heidelberg (2004)
International security, trust, and privacy alliance (istpa), http://www.istpa.org/
Karjoth, G., Schunter, M.: Privacy policy model for enterprises. In: Proc. of the 15th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada (June 2002)
OASIS. Privacy Policy Profile of XACML (September 2004), http://docs.oasis-open.org/xacml/access_control-xacml-2_0-privacy_profile-spec-cd-01.pdf
Privacy and identity management for europe (PRIME), http://www.prime-project.eu.org/
Samarati, P., di Vimercati, S.d.C.: Access control: Policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, p. 137. Springer, Heidelberg (2001)
Thuraisingham, B.: Privacy constraint processing in a privacy-enhanced database management system. Data & Knowledge Engineering 55(2), 159–188 (2005)
World Wide Web Consortium. A P3P Preference Exchange Language 1.0 (APPEL1.0) (April 2002), http://www.w3.org/TR/P3P-preferences/
World Wide Web Consortium. The Platform for Privacy Preferences 1.1 (P3P1.1) Specification (July 2005), http://www.w3.org/TR/2005/WD-P3P11-20050701
Youssef, M., Atluri, V., Adam, N.R.: Preserving mobile customer privacy: An access control system for moving objects and customer profiles. In: Proc. of the 6th International Conference on Mobile Data Management, Ayia Napa, Cyprus (May 2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ardagna, C.A., De Capitani di Vimercati, S., Samarati, P. (2006). Enhancing User Privacy Through Data Handling Policies. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_16
Download citation
DOI: https://doi.org/10.1007/11805588_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4
eBook Packages: Computer ScienceComputer Science (R0)