A Practical Generic Privacy Language

  • Moritz Y. Becker
  • Alexander Malkis
  • Laurent Bussard
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)


We present a declarative language with a formal semantics for specifying both users’ privacy preferences and services’ privacy policies. Expressiveness and applicability are maximized by keeping the vocabulary and semantics of service behaviours abstract. A privacy-compliant data-handling protocol for a network of communicating principals is described.


Keywords: Privacy Policy; Logic Programming; User Preference; Federal Trade Commission; Query Evaluation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Moritz Y. Becker (1)
  • Alexander Malkis (2)
  • Laurent Bussard (3)
  1. Microsoft Research, UK
  2. IMDEA Software, Spain
  3. EMIC, Germany
