Privacy policies

Overview

Enterprises today must balance two competing demands. Protecting their online resources requires them to collect more information about the users accessing these resources, while rising privacy demands from consumers and legislators force them to collect as little information as possible and to adequately protect the information they do collect.

The goal of this line of research is to develop a twofold combined access control and data-handling policy language. On the server's side, the policy expresses the conditions that users have to satisfy in order to access a resource, states the information that users have to reveal about themselves, and informs users how this information will be handled afterwards. On the client's side, the policy expresses which personal information the user is willing to reveal to whom, and how she expects her information to be handled afterwards.

Technically, we are developing a privacy-friendly and credential-based extension to XACML that satisfies the above requirements. This research is performed as part of the EU project PrimeLife.
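The two-sided matching described above can be sketched as follows. This is an added example, not the PrimeLife policy language or XACML syntax: the class names, field names, purposes and sample data are all assumptions made for illustration. The server policy lists the attributes it requires and the handling it promises; the client preferences state to whom each attribute may be revealed and the most permissive handling the user accepts.

```python
from dataclasses import dataclass

# Simplified model; all names are assumptions, not PrimeLife or XACML syntax.
@dataclass(frozen=True)
class Handling:
    purposes: frozenset      # purposes the data may be used for
    retention_days: int      # how long the data may be kept

@dataclass(frozen=True)
class ServerPolicy:
    server: str
    required: dict           # attribute name -> Handling the server promises

@dataclass(frozen=True)
class ClientPreference:
    recipients: frozenset    # servers the attribute may be revealed to
    handling: Handling       # most permissive handling the user accepts

def match(policy, prefs):
    """Return (disclose, conflicts) for one access request."""
    disclose, conflicts = [], {}
    for attr, promised in sorted(policy.required.items()):
        pref = prefs.get(attr)
        if pref is None:
            conflicts[attr] = "no release preference for this attribute"
        elif policy.server not in pref.recipients:
            conflicts[attr] = "recipient not allowed"
        elif not promised.purposes <= pref.handling.purposes:
            extra = sorted(promised.purposes - pref.handling.purposes)
            conflicts[attr] = "purposes not accepted: " + ", ".join(extra)
        elif promised.retention_days > pref.handling.retention_days:
            conflicts[attr] = "retention too long"
        else:
            disclose.append(attr)
    # Disclose nothing unless every requirement is acceptable to the user.
    return ([], conflicts) if conflicts else (disclose, {})

# Constructed sample data.
SHOP = frozenset({"shop.example"})
SHOP_POLICY = ServerPolicy("shop.example", {
    "age_over_18": Handling(frozenset({"access-control"}), 0),
    "email": Handling(frozenset({"delivery", "marketing"}), 365),
})
USER_PREFS = {
    "age_over_18": ClientPreference(SHOP, Handling(frozenset({"access-control"}), 30)),
    "email": ClientPreference(SHOP, Handling(frozenset({"delivery"}), 90)),
}

if __name__ == "__main__":
    print(match(SHOP_POLICY, USER_PREFS))
```

With the sample data, the request is refused as a whole because the server wants to use the e-mail address for marketing, which the user has not accepted.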

Publications

  1. Exploiting cryptography for privacy-enhanced access control. Claudio A. Ardagna, Jan Camenisch, Markulf Kohlweiss, Ronald Leenes, Gregory Neven, Bart Priem, Pierangela Samarati, Dieter Sommer, and Mario Verdicchio. To appear in Journal of Computer Security, 2009.