An Algebra for Composing Enterprise Privacy Policies

Enterprise privacy enforcement allows enterprises to internally enforce a privacy policy that the enterprise has decided to comply to. An enterprise privacy policy often reflects different legal regulations, promises made to customers, as well as more restrictive internal practices of the enterprise. Further, it may allow customer preferences. To facilitate the compliance with different privacy policies when several parts of an organization or different enterprises cooperate, it is crucial to have tools at hand that allow for a practical management of varying privacy requirements.
We propose an algebra providing various types of operators for composing and restricting enterprise privacy policies like conjunction, disjunction and scoping, together with its formal semantics. We base our work on a superset of the syntax and semantics of IBM’s Enterprise Privacy Authorization Language (EPAL), which recently has been submitted to W3C for standardization. However, a detailed analysis of the expressiveness of EPAL reveals that, somewhat surprisingly, EPAL is not closed under conjunction and disjunction. To circumvent this problem, we identified the subset of well-founded privacy policies which enjoy the property that the result of our algebraic operations can be turned into a coherent privacy policy again. This enables existing privacy policy enforcement mechanisms to deal with our algebraic expressions. We further show that our algebra fits together with the existing notions of privacy policy refinement and sequential composition of privacy policies in a natural way.

By: Michael Backes, Markus Duermuth, and Rainer Steinwandt

Published in: in 2004


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .