Privacy Injector — Automated Privacy Enforcement Through Aspects

  • Chris Vanden Berghe
  • Matthias Schunter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4258)


Protection of personal data is essential for customer acceptance. Even though existing privacy policies can describe how data shall be handled, privacy enforcement remains a challenge. Especially for existing applications, it is unclear how one can effectively ensure correct data handling without completely redesigning the applications. In this paper we introduce Privacy Injector, which allows us to add privacy enforcement to existing applications.

Conceptually, Privacy Injector consists of two complementary parts: a privacy metadata tracking part and a privacy policy enforcement part. We show how Privacy Injector protects the complete life cycle of personal data by providing a practical implementation of the “sticky policy paradigm.” Throughout the collection, transformation, disclosure and deletion of personal data, Privacy Injector automatically assigns, preserves and updates privacy metadata and enforces the privacy policy. As our approach is policy-agnostic, we can enforce any policy language that describes which actions may be performed on which data.
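The sticky-policy life cycle described above can be illustrated with a small model in which policy metadata travels with each piece of personal data and is checked at the point of use. The following is an added example, not code from the paper or from the Privacy Injector implementation (which uses AspectJ): Python decorators stand in for aspect advice at the collection, transformation and disclosure join points, and the policy model (a set of permitted purposes and actions, merged by intersection when tagged values are combined) is a simplified assumption of this example, not the paper's policy language.

```python
"""Sticky-policy metadata tracking with decorator-based enforcement (illustrative model)."""
from dataclasses import dataclass
from functools import wraps


class PolicyViolation(Exception):
    """Raised when an action on tagged personal data is not permitted by its sticky policy."""


@dataclass(frozen=True)
class StickyPolicy:
    """Assumed minimal policy: purposes the data may serve and actions allowed on it."""
    purposes: frozenset
    allowed_actions: frozenset

    def permits(self, action: str, purpose: str) -> bool:
        return action in self.allowed_actions and purpose in self.purposes


@dataclass
class Tagged:
    """Personal data together with its sticky policy and the join points it passed through."""
    value: object
    policy: StickyPolicy
    history: tuple = ()


def merge(p1: StickyPolicy, p2: StickyPolicy) -> StickyPolicy:
    """Combining two tagged values yields the most restrictive policy (intersection)."""
    return StickyPolicy(p1.purposes & p2.purposes, p1.allowed_actions & p2.allowed_actions)


def collect(policy: StickyPolicy):
    """Advice for collection join points: the returned value is wrapped with the given policy."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            return Tagged(fn(*args, **kwargs), policy, (fn.__name__,))
        return wrapper
    return decorator


def transform(fn):
    """Advice for transformation join points: unwrap tagged inputs, run fn, re-tag the result."""
    @wraps(fn)
    def wrapper(*args, **kwargs):
        tagged = [a for a in args if isinstance(a, Tagged)]
        if not tagged:
            return fn(*args, **kwargs)
        policy = tagged[0].policy
        for t in tagged[1:]:
            policy = merge(policy, t.policy)
        raw_args = [a.value if isinstance(a, Tagged) else a for a in args]
        history = sum((t.history for t in tagged), ()) + (fn.__name__,)
        return Tagged(fn(*raw_args, **kwargs), policy, history)
    return wrapper


def enforce(action: str):
    """Advice for disclosure/deletion join points: check the sticky policy before proceeding."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(data, purpose: str, *args, **kwargs):
            if not isinstance(data, Tagged):
                raise PolicyViolation("untagged personal data reached an enforcement point")
            if not data.policy.permits(action, purpose):
                raise PolicyViolation(f"{action} for purpose {purpose!r} denied by sticky policy")
            return fn(data.value, purpose, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample policies and application code (hypothetical, for illustration only).
ALL_ACTIONS = frozenset({"store", "transform", "disclose", "delete"})
ORDER_ONLY = StickyPolicy(frozenset({"order"}), ALL_ACTIONS)
MARKETING_OK = StickyPolicy(frozenset({"order", "marketing"}), ALL_ACTIONS)


@collect(MARKETING_OK)
def read_name(form: dict) -> str:
    return form["name"]


@collect(ORDER_ONLY)
def read_email(form: dict) -> str:
    return form["email"]


@transform
def build_contact(name: str, email: str) -> str:
    return f"{name} <{email}>"


@enforce("disclose")
def send_to_partner(value: str, purpose: str) -> str:
    return f"sent({purpose}): {value}"


def demo() -> dict:
    """Runs the life cycle: collect, transform, then disclose for two different purposes."""
    form = {"name": "Alice", "email": "alice@example.test"}  # constructed input
    contact = build_contact(read_name(form), read_email(form))
    results = {"purposes": set(contact.policy.purposes), "history": contact.history}
    results["order"] = send_to_partner(contact, "order")
    try:
        send_to_partner(contact, "marketing")
        results["marketing"] = "allowed"
    except PolicyViolation:
        results["marketing"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The combined contact string inherits only the purposes common to both inputs, so disclosing it for marketing is refused even though the name alone would have permitted it; the history tuple records which join points the data passed through, which is the kind of metadata an audit would want alongside the policy itself.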


Keywords: Input Vector, Privacy Policy, Personal Data, Policy Language, Output Vector





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chris Vanden Berghe (1, 2)
  • Matthias Schunter (1)

  1. Zurich Research Laboratory, IBM Research, Rüschlikon, Switzerland
  2. Katholieke Universiteit Leuven, Leuven, Belgium