The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: January 20, 2005
Enterprise Privacy Authorization Language (EPAL)

Overview

Provisional note 2004-06-18: On June 07, 2004, Zero-Knowledge Systems Inc. (ZKS) announced that it was filing motions in a grievance against IBM relating to IP in the Enterprise Privacy Authorization Language (EPAL), previously instantiated in ZKS' Privacy Rights Markup Language (PRML) and the joint ZKS/IBM Enterprise Privacy Markup Language (EPML), co-authored by Shane Velan and Roger McFarlane of ZKS. In view of the universally acknowledged need for good privacy standards and implementations, we hope this matter will be resolved soon. Under such conditions it may be that certain content referenced or adapted in this topical document, or in links made from this document, would be unwelcome to the IP owners; rectification can be made in the document contents upon request, as is the standing policy for this public access informational website. -rcc/ed

"The Enterprise Privacy Authorization Language (EPAL) is a formal language to specify fine-grained enterprise privacy policies. It concentrates on the core privacy authorization while abstracting from all deployment details such as data model or user-authentication." [from the Reader's Guide to the Documentation 2003-05]

"The EPAL Working Group exists to develop an interoperability language for the representation of data handling policies and practices within and between privacy-enabled enterprise tools, which serve to (1) enable organizations to be demonstrably compliant with their stated policies; (2) reduce overhead and the cost of configuring and enforcing data handling policies; and (3) leverage existing standards and technologies... The goals for the EPAL language are the following. [1] Provide the ability to encode an enterprise's privacy-related data-handling policies and practices; [2] A language that can be imported and enforced by a privacy-enforcement systems..." [from the v1.74 Mission Statement and Objectives]

On November 10, 2003 IBM submitted the Enterprise Privacy Authorization Language (EPAL) technical specification version 1.2 to W3C under royalty free license terms; W3C acknowledged receipt of EPAL in December 2003.

[July 09, 2003]   IBM Releases Updated Enterprise Privacy Authorization Language (EPAL) Specification.    Updated XML schemas and documentation have been published for IBM's Enterprise Privacy Authorization Language (EPAL) specification, defining an "interoperability language for exchanging privacy policy in a structured format between applications or enterprises." EPAL Version 1.1 [Release 1.83] is now supported by an open source Privacy Authoring Editor developed by a team of students at North Carolina State University, enabling companies to "author and edit privacy policies using EPAL while allowing for the expression of richer and more complex privacy rules than current standards allow." EPAL is designed as "a formal language to specify fine-grained enterprise privacy policies. It concentrates on the core privacy authorization while abstracting from all deployment details such as data model or user-authentication. The Platform for Privacy Preferences (P3P) specification released by the World Wide Web Consortium in April 2002 supports the communication of privacy policies from business applications to consumer applications. EPAL goes one step further, providing an XML language that enables organizations to enforce P3P policies behind the Web, among applications and databases."

Specification Abstract

[Version 1] "This is the Enterprise Privacy Authorization Language (EPAL) technical specification. EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication."

"An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of (privacy) actions, obligations, and conditions. Data-users are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes)."

"Actions model how the data is used (e.g., disclose vs. read). Obligations define actions that must be taken by the environment of EPAL (e.g., delete after 30 days or get consent). Conditions are Boolean expressions that evaluate the context (e.g., 'the data-user must be an adult' or 'the data-user must be the primary care physician of the data-subject')."

These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by data-users for certain purposes under certain conditions while mandating certain obligations.

EPAL aims at formalizing enterprise-internal privacy policies. While P3P formalizes privacy promises to be advertized (i.e., business to consumer), EPAL formalizes privacy authorization for actual enforcement within an enterprise or for business-to-business privacy control. Feedback and comments are welcome and should be sent to Matthias Schunter (mts@zurich.ibm.com). [Version 1.74 published abstract]
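
A minimal Python model of the rule structure the abstract describes, added here as an illustration; it is not EPAL's XML syntax and not code from the specification. The hierarchy shapes, rules applying to descendants of the element they name, first-applicable-rule precedence and the default deny are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed hierarchies (child -> parent). Leaf names follow the abstract's
# examples; parent names and the tree shape are assumptions.
DATA_USERS = {"finance": "any-user", "travel-expense-department": "finance",
              "tax-auditor": "any-user", "physician": "any-user"}
DATA_CATEGORIES = {"medical-record": "customer-data",
                   "contact-data": "customer-data"}
PURPOSES = {"travel-expense-reimbursement": "any-purpose",
            "auditing": "any-purpose", "treatment": "any-purpose"}


def is_a(hierarchy: Dict[str, str], node: Optional[str], ancestor: str) -> bool:
    """True if node equals ancestor or descends from it (cycle-safe)."""
    seen = set()
    while node is not None and node not in seen:
        if node == ancestor:
            return True
        seen.add(node)
        node = hierarchy.get(node)
    return False


@dataclass(frozen=True)
class Rule:
    ruling: str                     # "allow" or "deny"
    data_user: str
    data_category: str
    purpose: str
    action: str                     # actions form a flat set, matched exactly
    condition: Optional[Callable[[dict], bool]] = None
    obligations: Tuple[str, ...] = ()

    def applies(self, req: dict, ctx: dict) -> bool:
        return (is_a(DATA_USERS, req["data_user"], self.data_user)
                and is_a(DATA_CATEGORIES, req["data_category"], self.data_category)
                and is_a(PURPOSES, req["purpose"], self.purpose)
                and req["action"] == self.action
                and (self.condition is None or bool(self.condition(ctx))))


# Constructed policy, highest precedence first (assumed ordering semantics).
POLICY = [
    Rule("deny", "tax-auditor", "medical-record", "any-purpose", "disclose"),
    Rule("allow", "physician", "medical-record", "treatment", "read",
         # A missing context attribute counts as "condition not satisfied".
         condition=lambda ctx: ctx.get("is_primary_care_physician", False),
         obligations=("get-consent",)),
    Rule("allow", "finance", "contact-data", "travel-expense-reimbursement",
         "read", obligations=("delete-after-30-days",)),
    Rule("allow", "tax-auditor", "customer-data", "auditing", "read"),
]


def evaluate(req: dict, ctx: Optional[dict] = None) -> Tuple[str, Tuple[str, ...]]:
    """Return (ruling, obligations) of the first applicable rule, else deny."""
    ctx = ctx or {}
    for rule in POLICY:
        if rule.applies(req, ctx):
            return rule.ruling, rule.obligations
    return "deny", ()               # assumed default when no rule applies


def request(user: str, category: str, purpose: str, action: str) -> dict:
    return {"data_user": user, "data_category": category,
            "purpose": purpose, "action": action}


if __name__ == "__main__":
    # The department inherits the rule written for its parent "finance".
    print(evaluate(request("travel-expense-department", "contact-data",
                           "travel-expense-reimbursement", "read")))
    # The condition decides: same request, different context.
    req = request("physician", "medical-record", "treatment", "read")
    print(evaluate(req), evaluate(req, {"is_primary_care_physician": True}))
```

The obligations returned with an "allow" are for the calling environment to carry out; the evaluator only reports them.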

Bibliographic information (version 1.74): Enterprise Privacy Authorization Language (EPAL). Edited by Matthias Schunter (IBM Zurich Research Laboratory, Switzerland). IBM Research Report. Date: 2003/05/05. Latest public version URL: http://www.zurich.ibm.com/security/enterprise-privacy/epal. Authors: Paul Ashley (IBM Tivoli Software), Satoshi Hada (IBM Research), Günter Karjoth (IBM Research), Calvin Powers (IBM Tivoli Software, USA), Matthias Schunter (IBM Research). Appendix 7 provides the complete XML Schema for EPAL. Earlier versions: version 1.74 has [simply a] changed copyright notice. Version 1.73 was published as IBM Research Report RZ 3485 (#93951), 02/26/2003 updated 03/03/2003. Version 1.72 was the first stable version, published on the IBM website at www.zurich.ibm.com. Note: The earlier copyright notice (version 1.73) included: "LIMITED DISTRIBUTION NOTICE. This Research Report has been issued for early dissemination of its contents. Its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). Some reports are available at http://domino.watson.ibm.com/library/Cyberdig.nsf/home."

From IBM Privacy Research Institute overview: "Most consumer-oriented privacy policies (for example those expressed in W3C's P3P standard) are formulated in very broad terms. Enforcing such a policy within an enterprise requires a much more detailed policy. We are developing a policy language called EPAL (Enterprise Privacy Authorization Language) that enables enterprises to describe their privacy practices in addition to the opt-in and opt-out choices of their customers. Policies are associated with all data collected; this 'sticky' policy paradigm mandates that policy sticks to the data, travels with it, and can be used to decide how the data can be used. By separating application- and enterprise-dependent deployment information from the actual policies, our privacy policies can be used to control the flow and usage of data within and across enterprises..." [2003-05-09]

Relationship of EPAL to other specifications: Appendix 6 of the [version 1.74] specification provides a "Technological Context of EPAL" with reference to W3C's P3P, CPExchange, and XACML. Excerpts: (1) A P3P policy may contain the purposes, the recipients, the retention period, and a textual explanation of why this data is needed. P3P defines standardized categories for each kind of information included in a policy. Unlike P3P, EPAL defines the privacy-practices that are implemented inside an enterprise. Since this depends on internal details of the enterprise, it results in much more detailed policies that can be enforced and audited automatically. However, the resulting privacy guarantees can sometimes be simplified as a P3P promise that is offered for the users of the services... (2) The Customer Profile Exchange Specification defines a data format for disclosing customer data from one party (customer/enterprise) to another... The main focus of CPExchange lies in standardizing the data exchange format. The privacy meta-information is less expressive than EPAL. Consequently, data disclosed using CPExchange may be controlled with EPAL policies instead of using their privacy meta-data. (3) XACML is a general purpose and extensible access control language. Access control is a tool to define and later decide whether a user U is allowed to perform an action A on an object O..." Note 2005-01: XACML 1.0 lacked a privacy-specific notion of purposes. With the publication of XACML Version 2.0, there is a new Privacy Profile of XACML. See also "The Relationship Between XACML and P3P Privacy Policies."

The 2003 W3C P3P and Enterprise Privacy Policy Workshop CFP noted: "...One proposal for Enterprise Privacy languages that has come to the attention of the Workshop co-chairs is the Enterprise Privacy Authorization Language (EPAL)... EPAL policies can be used as templates, exchanged with business partners, ported to different applications within and between enterprises for complex purpose-based data authorization and privacy policy enforcement. As such, EPAL is not only for web-based application policy enforcement, but can be used in a wide range of enterprise application and database systems for systemic privacy policy and data authorization enforcement, template creation, and policy exchange... On the third day [of the W3C P3P Workshop], the EPAL session will explore various industry use case scenarios and regulatory templates for EPAL policies and enforcement scenarios. The goal is to present EPAL capabilities in a public forum and to collect interest and feedback on the idea of a more fine grained Enterprise Privacy Language (like EPAL e.g.). It will also discuss which follow-up will be appropriate in this sector..."

At the IBM IAA User Group and Insurance Solutions Conference (May 5-7, 2003), Kathy Bohrer's privacy session covered three specific research efforts that have immediate or near term applicability: "the [IBM] Enterprise Privacy Architecture (EPA), the Enterprise Privacy Authorization Language (EPAL), and the J2EE Servlet Privacy Monitor. An overview of the Tivoli Privacy Manager product is also provided. The Tivoli Privacy Manager product enables an enterprise to define policies, manage consent, and monitor or enforce conformance to the policies and consent information. The Enterprise Privacy Architecture is used by IBM Global Services to provide a detailed approach to understanding and addressing privacy issues in an enterprise, from initial business planning through IT solutions. The Enterprise Privacy Authorization Language is designed to be a companion to the Platform for Privacy Preferences (P3P). It defines XML for expressing enterprise privacy policies at the level of detail needed to audit and enforce policies internally..." See the IBM Privacy Research Institute.

Articles, Papers, News

  • [July 19, 2004] "A Comparison of EPAL and XACML." By Anne Anderson (Sun Microsystems, Inc). Technical Report. Version 1.18. Updated July 12, 2004 or later. "Two events have recently occurred that raise questions about the relationship between two policy languages: IBM's Enterprise Privacy Authorization Language (EPAL) and the OASIS Standard eXtensible Access Control Markup Language (XACML). IBM submitted EPAL 1.2 to the W3C for consideration as a privacy policy language standard. XACML, which is already an approved standard, also supports privacy policies. Some press and analyst reports have presented EPAL as not only the best available privacy policy language, but also as the best general authorization and access control policy language, sometimes without even mentioning XACML. Questions that need to be answered include: (1) What are the differences between EPAL 1.2 and XACML? (2) Which language is better for expressing privacy policies? (3) Which language is better for expressing access control policies? (4) Should EPAL become a standard? This document compares EPAL and XACML to show where the two languages differ. The differences are used to compare the strengths and weaknesses of each language for expressing privacy policies and authorization or access control policies. Conclusions, including answers to the questions above, are presented at the end... [Conclusion] XACML is both a more comprehensive access control policy language than EPAL 1.2, and a full-featured privacy policy language. It has the important features required by both types of policies, including major features not supported by EPAL 1.2. It has been publicly reviewed and formally analyzed. In addition, it is already an approved OASIS Standard, has an excellent open source implementation (non-viral BSD license), has multiple publicly available implementations, and has a community of users and developers who are continuing to expand, improve, and apply the language. 
Since EPAL adds no significant functionality, and in particular no new privacy-specific functionality, to what is already supported in XACML, and since XACML contains significant additional functionality, and since XACML has already been accepted as an OASIS Standard, there is no reason to standardize EPAL. Multiple, competing "standards" that address the same problem space, particularly when they are so similar, are a detriment to the industry... The OASIS XACML Technical Committee has minuted an interest in inviting the EPAL authors to work with the XACML TC, and the TC co-chairs have issued this invitation..."

  • [June 11, 2004] "Motion to Institute Proceedings. Statement of Claim by Zero-Knowledge Systems Inc. against IBM." June 08, 2004. Referenced from the p2pnet.net News story. Details in this case are provided by Synomos in an article "EPML Dispute: Official Court Filings and Supporting Documents." The ZKS complaint references a PRML Specification (June 2001) as well as an EPML Specification (February 04, 2004) [cache]

  • [June 11, 2004] "Canadian Firms Sues IBM for $5M." In p2pnet.net News (June 11, 2004). "IBM says its Enterprise Privacy Authorization Language (EPAL) is, 'a formal language to specify fine-grained enterprise privacy policies. It concentrates on the core privacy authorization while abstracting from all deployment details such as data model or user-authentication.' Canada's Zero-Knowledge Systems, however, says EPAL is based on ZNS technology and is now suing IBM for $5.1 million (almost $7 million Canadian) for alleged copyright infringement on behalf of ZNS' Synomos Inc, once its Enterprise Privacy Unit... ZKS claims EPAL is based on work Synomos did with IBM between June 2001 and February 2002, 'to develop an XML privacy language standard, PRML (Privacy Rights Markup Language)'..."

  • [June 10, 2004] "Lawsuit Questions IBM's Ownership of EPAL Standard. Zero-Knowledge Systems Files Lawsuit in Canada." By Paul Roberts. In InfoWorld (June 10, 2004). "Zero-Knowledge Systems Inc. of Montreal filed the lawsuit in Superior Court of Quebec Monday. The company is seeking an injunction to stop IBM from continuing to distribute and license EPAL, as well as C$7 million ($5 million) in damages, according to Craig Silverman, a company spokesman. IBM spokesman Cas Purdy declined to comment on the case, citing a corporate policy that prohibits comment on ongoing or pending legal matters. IBM unveiled EPAL in July 2003, saying that the language, which is based on XML (Extensible Markup Language), would make it easier for software application developers to build features into applications for managing data security and privacy. EPAL allows organizations to render privacy policies in a language that machines can read, and to protect data according to those policies as it is passed from system to system within an organization. EPAL will replace tedious, manual processes for implementing data privacy policies, according to IBM. IBM plans to add EPAL support to its enterprise privacy management software, IBM Tivoli Privacy Manager, the company said. In December 2003, IBM submitted a draft of EPAL to the World Wide Web Consortium (W3C) to develop, hoping to turn it into a standard that will help automate privacy management tasks, improve consumer trust and reduce the cost of privacy compliance..."

  • [June 07, 2004] "Zero-Knowledge Systems Inc., On Behalf of Synomos Inc., Files Motion to Institute Proceedings Against IBM." - "Zero-Knowledge Systems (ZKS), on behalf of its subsidiary Synomos Inc., today filed a Motion to Institute Proceedings against International Business Machines Corporation (IBM) in the Superior Court of Quebec, District of Montreal. The motion outlines copyright infringement under the Canadian Copyright Act and a violation of the Civil Code of Quebec on the part of IBM in relation to joint work completed by the companies. The Motion details the joint work done by ZKS' Enterprise Privacy Unit (now known as Synomos Inc.) and IBM from June 2001 to February 2002 towards the creation of an XML-based language standard for writing enterprise privacy policies. This work was based on the Privacy Rights Markup Language (PRML) that ZKS had previously created and then shared with IBM under a Confidential Disclosure Agreement. The joint work of both parties on PRML led to the creation of the Enterprise Privacy Markup Language 1.0 Specification on February 4, 2002. As a result, ZKS and IBM are co-owners of the copyrights to this work. This specification is the basis upon which IBM created its Enterprise Privacy Authorization Language, which it then published, publicized, submitted, and licensed to the World Wide Web Consortium without acknowledging ZKS' contribution, and without the license, authority or consent of ZKS as required by law. More information on the action can be found [online]... ZKS is a leading provider of value-added services solutions for ISPs, broadband providers, telcos, and MSOs. ZKS' Synbridge is helping industry-leading ISPs generate new revenue and significantly lower the costs associated with supporting and bringing new subscriber services to market. ZKS is headquartered in Montreal, Canada, with offices in North America, Europe, and Australia..."

  • "Unification in Privacy Policy Evaluation — Translating EPAL to Prolog." By Michael Backes, Markus Duermuth, and Guenter Karjoth. [To appear in] Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2004) (New York, USA, June 2004)

  • [December 04, 2003]   IBM Submits EPAL Version 1.2 Privacy Specification to W3C.    W3C has acknowledged receipt of IBM's Enterprise Privacy Authorization Language (EPAL) Version 1.2 as a Member Submission request. The specification includes two parts: a prose description of syntax and semantics, with formal definition of the EPAL syntax presented in an XML Schema. The EPAL technical specification defines a "formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication. EPAL is thus an interoperability language for exchanging privacy policy in a structured format between applications or enterprises, supporting the ability to encode an enterprise's privacy-related data-handling policies and practices and providing a language that can be imported and enforced by a privacy-enforcement systems. The goal of EPAL is: (1) to enable organizations to be demonstrably compliant with their stated policies; (2) to reduce overhead and the cost of configuring and enforcing data handling policies; and (3) to leverage existing standards and technologies. Whereas the W3C Platform for Privacy Preferences (P3P) Recommendation defines a global terminology that can be used to describe the privacy promises of an enterprise, EPAL aims at formalizing enterprise-internal privacy policies, which requires a fine-grained vocabulary; it also includes a fine-grained hierarchy of purposes for which an enterprise collects data." While EPAL is not in scope for the W3C P3P 1.1 Specification Working Group as currently chartered, the submission will be brought to the attention of the P3P Coordination Group, the P3P community, W3C's AC, and the PET community.

  • "IBM Introduces New Language to Automate Privacy Compliance. North Carolina State University Team Develops Editor for Enterprise Privacy Authorization Language." Announcement 2003-07-09.

  • "Enabling Trust in e-Business: Research in Enterprise Privacy Technologies." By Michael Waidner. From breakout session "PETs Today, PETS Tomorrow," 11th CACR Information Security Workshop [and] 3rd Annual Privacy and Security Workshop, November 7-8, 2002, The Faculty Club, 41 Willcocks Street, University of Toronto. See the coded examples for EPAL enterprise privacy policies. [cache]

  • [February 04, 2002] "Enterprise Privacy Markup Language (EPML) 1.0 Specification." Edited by Matthias Schunter (IBM Research) and Shane Velan (ZKS). Authors: Paul Ashley (IBM), Roger McFarlane (ZKS), Martin Presler-Marshall (IBM), Matthias Schunter (IBM Research), Shane Velan (ZKS). Last Call Working Draft. 04-February-2002. This Version: 'spec.htm'. Latest Version: 'no baseline document is ready yet'. Previous Version: 'spec.htm'. Copyright (c) Zero-Knowledge Systems Inc. and International Business Machines Corp. 57 pages. Referenced by Synomos, Inc. in an article "EPML Dispute: Official Court Filings and Supporting Documents." Summary: "The Enterprise Privacy Markup Language (EPML) is a standard interoperability language for expressing a privacy policy in a structured format. EPML is under development by the EPML Working Group, a consortium of partners. The intention is to pursue acceptance of the EPML 1.0 Specification by a standards organization. This document formally describes EPML, including concepts, syntax, and semantics. To help readers understand the structure and capabilities of the language, it will be presented in several forms. First, a non-technical Primer includes the design considerations of EPML, provides a brief overview of EPML, and places EPML in context relative to the most relevant standards. The Architecture is a technical description of the components of a data-management system designed to leverage the interoperability of EPML and the formal requirements of EPML and the associated tools which support EPML. Finally, the detailed syntax of the language is described using UML static diagrams, extracts from the EPML XML Schema, and examples of EPML. Finally, the formal definition of the EPML syntax is given by the XML Schema for EPML as an appendix... 
The EPML Working Group exists to develop an accepted standard interoperability language for the representation of data handling policies and practices within and between privacy-enabled enterprise tools, which serve to (1) enable organizations to be demonstrably compliant with their stated policies; (2) reduce operational overhead and the cost of configuring and enforcing data handling policies; and (3) leverage existing standards and technologies... EPML contains a condition language based on XACL..."

  • [June 2001] Privacy Rights Markup Language Specification (PRML). Version 0.9. June 2001. Copyright (c) 2001 Zero-Knowledge Systems Inc. 37 pages. Section 8.4 presents the PRML XML DTDs. Referenced by Synomos, Inc. in an article "EPML Dispute: Official Court Filings and Supporting Documents." "PRML is an XML-based language that allows for the definition of objects- roles, operations, data groups, subjects, purposes, constraints, actions and transformations- and a mechanism for linking these objects together to form PRML privacy declarations. A Declaration specifies that a role can do an operation on a data group belonging to a subject for a purpose if (optionally) certain constraints are satisfied. It can also optionally specify that an action should take place immediately after this occurs and that the data element should be subject to a transformation before the operation can occur. A privacy policy is a collection of such PRML declarations... A PRML document is composed of four sections: the RDF Header, the Object Dictionary, the Data Schema and the Declaration Set..."


Document URI: http://xml.coverpages.org/epal.html  —  Legal stuff
Robin Cover, Editor: robin@oasis-open.org