
xacml message


Subject: IBM Develops New Language for Writing Privacy Policies

This was on The Cryptography Mailing List.  EPAL uses XACML.


From eSecurity Planet --

IBM Develops New Language for Writing Privacy Policies
By John Desmond

IBM has developed a programming language designed to automate the writing
of privacy policies, with contributions from a research lab in Zurich and
customers of the IBM Tivoli Privacy Manager in the U.S.

The Enterprise Privacy Authorization Language (EPAL) builds on the
Platform for Privacy Preferences (P3P) specification delivered by the
World Wide Web Consortium in April 2002, by providing an XML language that
can be used to enforce privacy policies among applications and databases.

"Some of the feedback we have received from customers has been that
Privacy Manager is great but it has limitations in the policies that can
be expressed," says Phil Fritz, product manager with IBM Tivoli. The work
in Zurich that began about 18 months ago is now being coordinated with the
customer feedback to make the end result more responsive to the market.

EPAL is able to express conditions, such as, the user is not allowed to
see a piece of data unless the user is a police officer with a valid
search warrant. Or, a primary care physician cannot see the patient's
medical data without permission from the patient. Or, no one can see the
data unless the following conditions are present, then list them.

In addition to government regulations around privacy driving compliance,
the consolidation of applications and databases ongoing in many companies
is having the unintended consequence of making it more difficult for
permitted users to get to data they are authorized to see.

"Companies need a way to virtualize the enforcement of views on data,
while lowering their administrative costs," Fritz says.

IBM is not yet marketing EPAL as a commercial product, but plans to submit
the language for standardization in coming months. Tivoli Privacy Manager
will be adding support for EPAL as well.

Students at North Carolina State University, who collaborated with IBM
researchers on EPAL, used it to develop a tool called the Privacy
Authoring Editor, which helps companies author and edit privacy policies
using EPAL. The tool is currently available on SourceForge.net, the Web
site for open source code and applications, at

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
