Bibliographic Information (EPAL 1.1 Version 1.83)
Enterprise Privacy Authorization Language (EPAL 1.1). IBM Research Report. EPAL Version 1.1: v 1.83, 2003/06/17. Copyright (c) 2000-2003 International Business Machines Corporation. Edited by Matthias Schunter (IBM Zurich Research Laboratory, Switzerland). Authors: Paul Ashley (IBM Tivoli Software), Satoshi Hada (IBM Research), Günter Karjoth (IBM Research), Calvin Powers (IBM Tivoli Software, USA), Matthias Schunter (IBM Research). Latest public version URL: http://www.zurich.ibm.com/security/enterprise-privacy/epal. Appendix 7: "Complete XML Schema for EPAL."
[Adapted from the EPAL Version "1.1" (v 1.83) specification Abstract: "This is the Enterprise Privacy Authorization Language (EPAL) technical specification. EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication.
An EPAL policy defines lists of hierarchies of data-categories, user-categories, and purposes, and sets of (privacy) actions, obligations, and conditions. user-categories are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes).
Actions model how the data is used (e.g., disclose vs. read). Obligations define actions that must be taken by the environment of EPAL (e.g., delete after 30 days or get consent). Conditions are Boolean expressions that evaluate the context (e.g., "the user-category must be an adult" or "the user-category must be the primary care physician of the data-subject").
These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by user-categories for certain purposes under certain conditions while mandating certain obligations. In order to allow for general rules and exceptions, EPAL rules are sorted by descending precedence. E.g., a rule about a particular employee can be inserted before the rule about the department in order to implement an exception.
From the Announcement
The Enterprise Privacy Authorization Language (EPAL) is an important leap forward in privacy-enabling technology, giving developers the power to extend specific privacy rules across internal business systems then automate compliance to those rules. Current privacy specifications, such as the Platform for Privacy Preferences (P3P), which was released by the World Wide Web Consortium in April 2002, communicate privacy policies from business applications to consumer applications. EPAL goes one step further, providing an XML language that enables organizations to enforce P3P policies behind the Web, among applications and databases.
By building enforcement into enterprise applications, companies can automate tedious privacy management tasks. By automating these often laborious and complex business processes, companies can reduce costs and increase productivity.
"With EPAL, organizations finally have a sophisticated language to help automate the enforcement of the privacy policies they've put in place to protect consumer data," says Arvind Krishna, vice president of security products, Tivoli Software, IBM. "With EPAL and other privacy innovations, developers can enhance consumer trust and better demonstrate how their organizations' privacy obligations are being kept."
IBM plans to submit EPAL for standardization within the next few months. IBM plans to add EPAL support to IBM's enterprise privacy management software, IBM Tivoli Privacy Manager.
EPAL is designed to make it easier for enterprises to translate their privacy policies into machine-readable descriptions of data handling procedures. For instance, EPAL lets developers express a natural language statement such as "Members of the physician group can read protected health information for the purpose of medical treatment, only if the physician is the primary care physician and the patient or the patient's family is notified in advance" in a language that applications and privacy management tools can understand.
Like other IBM privacy technologies and software, EPAL's evolution has been influenced by customer feedback. IBM's Privacy Management Advisory Council, a 25-member group that includes industry leaders such as eBay, Fidelity Investments, Marriott International and others, has evaluated the new language and offered valuable insight into industry requirements.
"A team of students at North Carolina State University has developed the first tool to help developers leverage EPAL -- the Privacy Authoring Editor. The new tool helps companies author and edit privacy policies using EPAL while allowing for the expression of richer and more complex privacy rules than current standards allow. The students developed the Privacy Authoring Editor as an open source project, so that as the EPAL specification evolves, other members of the open source community can update the editor to match the specification. The Privacy Authoring Editor is currently available on SourceForget.net... The purpose of the EPAL Editor is to allow users to specify complex EPAL privacy policies using natural language constructs through a GUI interface... The EPAL Editor v1.0 requires the Apache Xerces distribution to run. To run the EPAL Editor type: java -cp '<location>EPALEditor.jar;<location>xerces.jar' privacyauthoringeditor.PrivacyAuthoringEditor where <location> is the location on the local filesystem of the required JAR files..." See the file listing for the 2003-07-01 (ZIP) distribution.
The IBM news story "New Security Specification to Advance Web Services" from April 2003 references a WS-Privacy specification, proposed as part of the IBM/Microsoft/Versign road map "Security in a Web Services World." This road map "describes an evolutionary approach to security and defines additional, related Web services security capabilities within the framework established by the WS-Security specification Organizations can incorporate the new specifications, as needed, into the different levels of their Web services applications." The IBM document says "WS-Privacy will define how Web services state and implement privacy practices." The Roadmap Security in a Web Services World describes the proposed privacy model of 'WS-Privacy' thus: "Organizations creating, managing, and using Web services will often need to state their privacy policies and require that incoming requests make claims about the senders' adherence to these policies. By using a combination of WS-Policy, WS-Security, and WS-Trust, organizations can state and indicate conformance to stated privacy policies. This [WS-Privacy] specification will describe a model for how a privacy language may be embedded into WS-Policy descriptions and how WS-Security may be used to associate privacy claims with a message. Finally, this specification will describe how WS-Trust mechanisms can be used to evaluate these privacy claims for both user preferences and organizational practice claims."
Anthony Nadalin of IBM is quoted in an interview of May 2004: "[Based upon the WS-Security roadmap] we sketched out drafts of these other specifications, such as WS-Policy, WS-Secure Conversation, WS-Trust, WS-Privacy, and WS-Authorization. As you know we submitted the original [WS-Security] spec to OASIS... now we have a refined process that the partners or the authors go through, which is: we will create the specification, we will hold workshops on the specification, we will do some interoperability of the specification and then submit that specification to a standards body. And our intent is to submit all the specifications royalty free... We have taken WS-Trust and WS-Secure Conversation, [and] WS-Federation through some workshops, and in the process of doing some interoperability now between those specifications. And so what you'll see an update of the specifications soon, and then we'll look for some feedback and potentially bringing them to a standards body by the end of the year... Now, Privacy [WS-Privacy] and [WS-]Authorization have not been published yet. We're looking to publish these this year..." See "WS-Security Becoming Key Part of IBM Middleware," Q&A with IBM's Anthony Nadalin and Joe C. Anthony, in Web Services Pipeline (May 24, 2004).
- Announcement 2003-07-09: "IBM Introduces New Language to Automate Privacy Compliance. North Carolina State University Team Develops Editor for Enterprise Privacy Authorization Language."
- EPAL Reader's Guide to the Documentation
- Enterprise Privacy Authorization Language (EPAL 1.1)
- XML Schema for EPAL 1.1
- EPAL XML Schema files V1.1 (snapshot)
- SourceForge Project: EPAL Editor.
- EPAL Editor Project Home Page
- Declarative Privacy Monitoring for Tivoli Privacy Manager. A technology preview that includes an implementation of EPAL. See also the Reference Monitor for Tivoli Privacy Manager.
- Feedback and comments: send email to Matthias Schunter.
- IBM Privacy Research Institute
- "IBM's Enterprise Privacy Authorization Language (EPAL)." News story 2003-05-09.
- "Enterprise Privacy Authorization Language (EPAL)" - Main reference page.
- Security, Privacy, and Personalization. General references.