Enforcing P3P Policies Using a Digital Rights Management System

  • Farzad Salim
  • Nicholas Paul Sheppard
  • Rei Safavi-Naini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4776)


The protection of privacy has gained considerable attention recently, and new privacy protection systems are being introduced in response. SITDRM is one such system: it protects private data by enforcing licenses provided by consumers. Prior to supplying data, data owners are expected to construct a detailed license for the potential data users. A license specifies who may have what type of access to the protected data, and under what conditions.

The specification of a license by a data owner binds the enterprise's data handling to the consumer’s privacy preferences. However, licenses are very detailed, may reveal the internal structure of the enterprise, and need to be kept synchronized with the enterprise privacy policy. To deal with this, we employ the Platform for Privacy Preferences Language (P3P) to communicate enterprise privacy policies to consumers and enable them to easily construct data licenses. A P3P policy is more abstract than a license, allows data owners to specify the purposes for which data are being collected, and directly reflects the privacy policy of an enterprise.


Keywords: Privacy Policy; Mapping Rule; Data Owner; Access Control Model; Digital Right Management
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Farzad Salim (1)
  • Nicholas Paul Sheppard (1)
  • Rei Safavi-Naini (2)

  1. School of Computer Science and Software Engineering, University of Wollongong, NSW 2522, Australia
  2. Department of Computer Science, University of Calgary, 2500 University Drive, NW, Calgary T2N IN4, Canada
