Abstract Privacy Policy Framework: Addressing Privacy Problems in SOA

  • Laurent Bussard
  • Ulrich Pinsdorf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7039)


This paper argues that privacy policies in SOA needs a lifecycle model. We formalize the lifecycle of personal data and associated privacy policies in Service Oriented Architectures (SOA), thus generalizing privacy-friendly data handling in cross-domain service compositions. First, we summarize our learning in two research projects (PrimeLife and SecPAL for Privacy) by proposing generic patterns to enable privacy policies in SOA. Second, we map existing privacy policy technologies and ongoing research work to the proposed abstraction. This highlights advantages and shortcomings of existing privacy policy technologies when applied to SOA.


  1. 1.
    Ardagna, C.A., Cremonini, M., De Capitani di Vimercati, S., Samarati, P.: A privacy-aware access control system. J. Comput. Secur. 16(4), 369–397 (2008)CrossRefGoogle Scholar
  2. 2.
    Ardagna, C., De Capitani di Vimercati, S., Foresti, S., Paraboschi, S., Samarati, P.: Minimizing disclosure of private information in credential-based interactions: A graph-based approach. In: Proc. of the 2nd IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT 2010), Minneapolis, Minnesota, USA (August 2010)Google Scholar
  3. 3.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language, EPAL 1.2 (2003)Google Scholar
  4. 4.
    Becker, M.Y., Fournet, C., Gordon, A.D.: SecPAL: Design and semantics of a decentralized authorization language. Journal of Computer Security (2009)Google Scholar
  5. 5.
    Becker, M.Y., Mackay, J.F., Dillaway, B.: Abductive authorization credential gathering. In: IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY) (July 2009)Google Scholar
  6. 6.
    Becker, M.Y., Malkis, A., Bussard, L.: A Practical Generic Privacy Language. In: Jha, S., Mathuria, A. (eds.) ICISS 2010. LNCS, vol. 6503, pp. 125–139. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Bussard, L., Nano, A., Pinsdorf, U.: Delegation of access rights in multi-domain service compositions. Identity in the Information Society 2(2), 137–154 (2009), Scholar
  8. 8.
    Bussard, L., Neven, G., Preiss, F.S.: Downstream usage control. In: IEEE Policy 2010 (July 2010)Google Scholar
  9. 9.
    ContentGuard: XrML 2.0 Technical Overview (2002),
  10. 10.
    Coulouris, G., Dollimore, J., Kindberg, T.: Distributed Systems. Concepts and Design, 4th edn. Addison Wesley (2005)Google Scholar
  11. 11.
    Hammer-Lahav, E.: RFC 5849: The OAuth 1.0 Protocol (2010),
  12. 12.
    Kagal, L., Abelson, H.: Access control is an inadequate framework for privacy protection. In: W3C Workshop on Privacy for Advanced Web APIs (July 2010)Google Scholar
  13. 13.
    Kantara Initiative: User managed initiative,
  14. 14.
    Microsoft: Rights Management Services (2009),
  15. 15.
    ODRL: Open Digital Rights Language (ODRL), version 1.1 (2002),
  16. 16.
    Pinsdorf, U., Bussard, L., Meissner, S., Schallaböck, J., Short, S.: Privacy in Service Oriented Architectures. In: Camenisch, J., Fischer-Huebner, S., Rannenberg, K. (eds.) Privacy and Identity Management for Life, pp. 383–411. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Pretschner, A., Schütz, F., Schaefer, C., Walter, T.: Policy evolution in distributed usage control. In: 4th Intl. Workshop on Security and Trust Management. Elsevier (June 2008)Google Scholar
  18. 18.
    PrimeLife Consortium: Draft 2nd design for policy languages and protocols (heartbeat: H5.3.2). Tech. rep. (July 2009)Google Scholar
  19. 19.
    PrimeLife Consortium: Second Release of the Policy Engine (D5.3.2). Tech. rep. (September 2010)Google Scholar
  20. 20.
    PrimeLife Consortium: Infrastructure for Privacy for Life (D6.3.2). Tech. rep (January 2011),
  21. 21.
    Rahman, S.T.: Analyzing Causes of Privacy Mismatches in Service Oriented Architecture. Master’s thesis, RWTH (2010)Google Scholar
  22. 22.
    Rissanen, E.: OASIS eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS committee specification 01, OASIS (August 2010)Google Scholar
  23. 23.
    W3C: A P3P preference exchange language 1.0, APPEL1.0 (2002)Google Scholar
  24. 24.
    W3C: The platform for privacy preferences 1.1 (P3P1.1) specification (2006)Google Scholar
  25. 25.
    Wang, X.: MPEG-21 Rights Expression Language: Enabling Interoperable Digital Rights Management. IEEE MultiMedia 11(4), 84–87 (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Laurent Bussard
    • 1
  • Ulrich Pinsdorf
    • 1
  1. 1.European Microsoft Innovation CenterAachenGermany

Personalised recommendations