Efficient comparison of enterprise privacy policies

Backes, Michael; Karjoth, Günter; Bagga, Walid; Schunter, Matthias
SAC 2004, ACM symposium on Applied computing, March 14-17, 2004, Nicosia, Cyprus / Published in Proceedings of the 2004 ACM symposium on Applied computing, ISBN:1-58113-812-1

Enterprise privacy policies often reflect different legal regulations, promises made to customers, as well as more restrictive enterprise-internal practices. The notion of policy refinement is fundamental for privacy policies, as it allows one to check whether a company's policy fulfills regulations or adheres to standards set by customer organizations, to realize the "sticky policy paradigm" that addresses transferring data from one realm to another in a privacy-preserving way, and much more. Although well-established in theory, the problem of how to efficiently check whether one policy refines another has been left open in the privacy policy literature. We present a practical algorithm for this task, concentrating on those aspects that make refinement of privacy policies more difficult than, for example, refinement for access control policies, such as a more sophisticated treatment of deny rules and a suitable way for dealing with obligations and conditions on context information.


Type: Conference
City: Nicosia
Date: 2004-03-14
Department: Digital Security
Eurecom Ref: 1356
Copyright:
© ACM, 2004. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in SAC 2004, ACM symposium on Applied computing, March 14-17, 2004, Nicosia, Cyprus / Published in Proceedings of the 2004 ACM symposium on Applied computing, ISBN:1-58113-812-1 http://dx.doi.org/10.1145/967900.967983

PERMALINK : https://www.eurecom.fr/publication/1356