IBM Research, Zurich Research Laboratory
IBM Enterprise Privacy Architecture (EPA)

Project overview

Enterprises use privacy statements to promise privacy to customers and to set up their internal policies for dealing with employee and other personal data. The focus of this work is a comprehensive methodology for managing and enforcing these promises throughout an enterprise.

This includes three main elements:

1. An overall architecture for enterprise privacy.
2. A formal language for formalizing privacy policies, together with suitable operations for typical usage.
3. An architecture for privacy enforcement throughout an enterprise.

We will now describe these building blocks in more detail.

[Figure: EPA Pyramid: Strategy, Controls, Practices, and Architecture]

The IBM Enterprise Privacy Architecture is a methodology for enterprises to provide an enhanced and well-defined level of privacy to their customers. This includes privacy-friendly business processes, privacy-enabling security technology, and enterprise privacy management.

Privacy-friendly business processes are derived from ordinary business processes by minimizing the data needed to provide the desired services. This may include switching to equivalent service alternatives that require less personal data. It may also utilize privacy-enabled security technology.

Even with privacy-friendly business processes and security technology, enterprises still collect a certain amount of personal data. In order to protect the privacy of the consumers, a privacy-enabled enterprise will promise fair information practices to its customers. These are stated in a privacy policy and can be formalized using P3P. Enterprise privacy management is a privacy-enabled way to manage the collected data of an enterprise while enforcing the privacy promises that have already been made.

IBM Enterprise Privacy Authorization Language (EPAL)

EPAL and Submission to W3C, 2003.

One part of our research is to develop a formal language for defining enterprise privacy practices. Enterprises promise a certain level of privacy to their customers using privacy statements or the Platform for Privacy Preferences (P3P). The formal language can then be used to formalize these promises. By automated enforcement of these enterprise-specific privacy practices, enterprises are able to uphold the promises they have made.

A privacy policy describes the enterprise's privacy practices as well as the opt-in and opt-out choices of an individual. Policies are then associated with all data collected by an enterprise. This "sticky policy paradigm" mandates that the policy sticks to the data, travels with it, and is consulted to decide how the data may be used. By separating application- and enterprise-dependent deployment information from the actual policies, E-P3P policies can be used to control the flow and usage of data within and among enterprises.

The sticky policy paradigm necessitates certain operations on the policies of an enterprise, such as comparing whether data can be forwarded to another enterprise that has its own policy. We develop a toolbox of such operations.

Component architecture for enforcing privacy policies

Another part of our research is to define an architecture that enforces policies throughout an enterprise. This includes a policy evaluation engine as well as privacy-enabled resource monitors that enforce the policy for a variety of resources.
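The sticky-policy paradigm, the policy-comparison operation described above (may data be forwarded to an enterprise with its own policy?), and the evaluation engine plus resource monitor just mentioned can be illustrated with a small model. The following is an added example written for this page; it is not IBM's EPAL engine nor the EPAL specification. It assumes a simplified EPAL-like rule shape (ordered rules over user category, action, data category and purpose; first matching rule decides; a default ruling; obligations attached to an allow) and uses a constructed vocabulary and constructed policies.

```python
"""Toy sticky-policy evaluator and policy-comparison check (added example).

Simplified, EPAL-flavoured model: ordered rules, first match wins, default
ruling, obligations on "allow". Not the EPAL specification; all vocabulary
and policies below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    ruling: str                              # "allow" or "deny"
    users: frozenset                         # user categories the rule covers
    actions: frozenset
    data: frozenset                          # data categories
    purposes: frozenset
    obligations: frozenset = frozenset()     # duties that accompany an allow

    def matches(self, user, action, data, purpose):
        return (user in self.users and action in self.actions
                and data in self.data and purpose in self.purposes)


@dataclass
class Policy:
    rules: list          # evaluated in order; the first matching rule decides
    default: str = "deny"

    def evaluate(self, user, action, data, purpose):
        for rule in self.rules:
            if rule.matches(user, action, data, purpose):
                return rule.ruling, rule.obligations
        return self.default, frozenset()


@dataclass
class StickyRecord:
    """Personal data bundled with the policy that governs it (sticky policy)."""
    value: str
    category: str
    policy: Policy


def resource_monitor(record, user, action, purpose):
    """Release the value only if the record's own policy allows the access."""
    ruling, obligations = record.policy.evaluate(user, action, record.category, purpose)
    if ruling != "allow":
        return None, frozenset()
    return record.value, obligations


# Constructed vocabulary: the finite request space both policies are compared over.
VOCAB = {
    "users": ("sales", "marketing"),
    "actions": ("read", "disclose"),
    "data": ("email", "address"),
    "purposes": ("order", "newsletter"),
}


def violations(candidate, promise, vocab=VOCAB):
    """Requests on which `candidate` is more permissive than `promise`:
    an allow that the promise denies, or an allow that drops an obligation
    the promise requires. Empty list means the candidate is at least as strict."""
    found = []
    for req in product(vocab["users"], vocab["actions"], vocab["data"], vocab["purposes"]):
        c_ruling, c_obl = candidate.evaluate(*req)
        p_ruling, p_obl = promise.evaluate(*req)
        if c_ruling == "allow" and (p_ruling != "allow" or not p_obl <= c_obl):
            found.append(req)
    return found


def may_forward(record, recipient_policy):
    """Forward only if the recipient's policy keeps every promise stuck to the data."""
    return not violations(recipient_policy, record.policy)


# Constructed policies (assumption: what the enterprise promised its customers).
PROMISE = Policy([
    Rule("allow", frozenset({"sales"}), frozenset({"read"}),
         frozenset({"email", "address"}), frozenset({"order"})),
    Rule("allow", frozenset({"marketing"}), frozenset({"read"}),
         frozenset({"email"}), frozenset({"newsletter"}), frozenset({"honor-opt-out"})),
])
# A partner that also reads e-mail for order handling and drops the opt-out duty.
LOOSE_PARTNER = Policy([
    Rule("allow", frozenset({"marketing"}), frozenset({"read"}),
         frozenset({"email"}), frozenset({"order", "newsletter"})),
])
# A partner whose only allow is narrower and carries more obligations.
STRICT_PARTNER = Policy([
    Rule("allow", frozenset({"marketing"}), frozenset({"read"}), frozenset({"email"}),
         frozenset({"newsletter"}), frozenset({"honor-opt-out", "delete-after-30-days"})),
])

if __name__ == "__main__":
    rec = StickyRecord("alice@example.com", "email", PROMISE)   # constructed value
    print(resource_monitor(rec, "sales", "read", "order"))
    print(resource_monitor(rec, "marketing", "disclose", "newsletter"))
    print("loose partner violations:", violations(LOOSE_PARTNER, PROMISE))
    print("strict partner ok:", may_forward(rec, STRICT_PARTNER))
```

Comparing policies by exhaustive enumeration is only feasible because the example vocabulary is tiny; the toolkit work cited on this page addresses the comparison symbolically, including category hierarchies, which this model omits.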

Cooperations
· IBM IGS Security and Privacy Consulting Practice
· XML Access Control Team at the IBM Tokyo Research Lab
· IBM Tivoli Privacy Manager Team

Links
· IBM Enterprise Privacy Authorization Language (EPAL) - Specification
· IBM Enterprise Privacy Authorization Language (EPAL) - XML Schema
Resources
[1] M. Hondo, T. Nadalin, R. Nagaratnam, M. Kudo, G. Karjoth, B. Pfitzmann, M. Schunter
Position Paper: Privacy Policies as a Component of Policy-enabled Governance; W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement, Oct. 2006.
[2] Ch. Vanden Berghe, M. Schunter
Privacy Injector - Automated Privacy Enforcement Through Aspects; Privacy Enhancing Technologies 2006, 99-117.
[3] M. Nelson, M. Schunter, M. McCullough, J. Bliss
Trust on Demand -- Enabling Privacy, Security, Transparency, and Accountability in Distributed Systems; 33rd Research Conference on Communication, Information and Internet Policy (TPRC), Sept. 2005, Arlington, USA.
[4] M. Backes, M. Duermuth, R. Steinwandt
An Algebra for Composing Enterprise Privacy Policies, 9th European Symposium on Research in Computer Security (ESORICS 2004), LNCS 3193, Springer-Verlag, Berlin 2004, 33-52.
[5] M. Backes, M. Duermuth, G. Karjoth
Unification in Privacy Policy Evaluation - Translating EPAL to Prolog. 5th IEEE Intern. Workshop on Policies for Distributed Systems and Networks (POLICY), 2004.
[6] M. Backes, W. Bagga, G. Karjoth, M. Schunter
Efficient Comparison of Enterprise Privacy Policies, to appear 19th ACM Symposium on Applied Computing, Special Track "Security", Nicosia, Cyprus, March 2004.
[7] M. Backes, B. Pfitzmann, M. Schunter
A Toolkit for Managing Enterprise Privacy Policies, 8th European Symposium on Research in Computer Security (ESORICS 2003), LNCS 2808, Springer-Verlag, Berlin 2003, 162-180. Copyright Springer-Verlag, Berlin Heidelberg 2003.
Won Award for Outstanding Research in Privacy Enhancing Technologies 2004.
[8] G. Karjoth, M. Schunter, E. Van Herreweghen, M. Waidner
Amending P3P for Clearer Privacy Promises; Trust and Privacy in Digital Business -- TrustBus 03. In 14th Int'l Workshop on Database and Expert Systems Applications (DEXA), IEEE Press, Prague, 2003, 445-449.
[9] G. Karjoth, M. Schunter, E. Van Herreweghen
Enterprise Privacy Practices vs. Privacy Promises -- How to Promise What You Can Keep; 4th IEEE International Workshop on Policies for Distributed Systems and Networks (Policy ’03), 2003, 135-146.
[10] P. Ashley, M. Schunter
The Platform for Enterprise Privacy Practices, Information Security Solutions Europe (ISSE), Paris, 2002.
[11] P. Ashley, M. Schunter, C. Powers
From Privacy Promises to Privacy Management --- A New Approach for Enforcing Privacy Throughout an Enterprise, ACM New Security Paradigms Workshop (NSPW), Virginia Beach VA, 2002.
[12] G. Karjoth, M. Schunter
A Privacy Policy Model for Enterprises, 15th IEEE Computer Security Foundations Workshop, Toronto, 2002.
[13] G. Karjoth, M. Schunter, M. Waidner
Platform for Enterprise Privacy Practices, Privacy-enhancing Technologies (PET), San Francisco, 2002.
[14] G. Karjoth, M. Schunter, M. Waidner
Privacy-enabled Services for Enterprises; Workshop on Trust and Privacy in e-Business (TrustBus), Aix-en-Provence, 2002.
[15] G. Karjoth, M. Schunter, M. Waidner
Unternehmensweites Datenschutzmanagement (Enterprise-wide Privacy Management); in "Datenschutz als Wettbewerbsvorteil" (Privacy as a Competitive Advantage), Vieweg, 2002.