When using electronic services, people are often asked to provide personal information. This raises many privacy issues. To gain the trust of the user, service providers can use privacy policy languages such as P3P to declare the purpose and usage of this personal information. User agents can compare these policies to privacy preferences of a user and warn the user if his privacy is threatened. This paper extends two languages: P3P and APPEL. It makes it possible to refer to certified data and credentials. This allows service providers to define the minimal level of assurance. It is also shown how different ways of disclosure (exact, blurred, verifiably encrypted, ...) can be specified to achieve more privacy friendly policies. Last, the paper describes a privacy agent that makes use of the policies to automate privacy friendly information disclosure.


Keywords: Service Provider; Information Structure; Privacy Policy; Information Disclosure; User Agent





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Steven Gevers (1)
  • Bart De Decker (1)
  1. Department of Computer Science, K.U.Leuven, Leuven, Belgium
