W3C home > Mailing lists > Public > public-p3p@w3.org > December 2003

Re: EPAL: Media Release Fictions Undermine Credibility

From: Matthias Schunter <mts@zurich.ibm.com>
Date: Thu, 11 Dec 2003 22:26:46 +0100
Message-Id: <>
To: Roger Clarke <Roger.Clarke@xamax.com.au>
Cc: public-p3p@frink.w3.org, pashley@au1.ibm.com

Hi Roger,

here are some basic facts on EPAL that may help you separate facts from 
- EPAL is a policy language. Like any other piece of XML, it does not 
enforce anything.
   However, it can be used to express fine-grained enterprise-internal 
policies that
   can then be read and enforced by EPAL-aware systems or middleware.
   EPAL has been designed to be easy to enforce.
- We have submitted EPAL as a member publication to W3C. We are currently 
   for partners to actually start a working group to standardize EPAL in W3C.
   See: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
- An example enforcement engine for J2EE has been published at
- EPAL and P3P augment each other: EPAL is a fine-grained enterprise-internal
   privacy policy language while P3P is meant for customer-facing privacy 
   As a consequence, EPAL contains enterprise internals that would be 
abstracted away
   by the P3P notice (e.g., P3P does not specify what persons/group inside 
an enterprise
   can use what data but rather only specifies what the complete enterprise 
can do).
   fyi: I am a member of the P3P 1.1 group as well (this is how I received 
your mail).

If you want to get more (technical) information just send a note or call.
The business side of EPAL (non-technical questions) is covered by Steven 
Adler <adler1@us.ibm.com>.


At 05:06 PM 12/11/2003 +1100, Roger Clarke wrote:

>As a result of a prize that IBM's been awarded, I've had a look at IBM's 
>EPAL media release of 9 July 2003, at:
>The award citation also says that "On December 1, 2003, IBM announced it 
>was turning EPAL over to the World Wide Web Consortium (W3C) in the hopes 
>that it will become an international standard and will help automate 
>privacy management tasks, improve consumer trust and reduce the cost of 
>privacy compliance".  But IBM's site-search doesn't locate a media release 
>to that effect.
>(On searching my public-p3p archive, I see that Rigo has mentioned EPAL in 
>three emails over the last 9 months, including one that mentioned it being 
>presented in Sydney in September, at a conference adjacent to the World 
>Privacy Commissioners conference).
>Call me an inveterate sceptic by all means, but a quick analysis of the 
>information in the media release is as follows.
>The title of the media release refers to "A New Language to Automate 
>Privacy Compliance".
>The opening sentence calls EPAL "the first computer language to provide 
>enterprises with a way to automate the enforcement of privacy policies 
>among IT applications and systems".
>The 2nd para. repeats "automate compliance to those rules".
>The 3rd para. again refers to "automate tedious privacy management 
>tasks".  But by that stage the signal is becoming attenuated, because it's 
>unclear whether "building enforcement into enterprise applications" 
>requires work on the applications themselves, or just work using the EPAL 
>Finally, in the 4th para., we get a quotation from a named person rather 
>than impersonal IBM, and this says that EPAL is "to help automate the 
>enforcement".  So now we might be talking about something a little different.
>Let's resort to the real world of IT applications for a moment.
>It's a bit difficult to see how EPAL could "automate the enforcement of 
>privacy policies among IT applications and systems".  We're by definition 
>talking about 'legacy systems' here.
>Policies expressed using EPAL (or indeed P3P) could conceivably be used as 
>a tool for auditors checking applications for compliance with privacy 
>policy statements.  That could extend to the design of test-data sets, in 
>order to establish what the application actually does in instances that 
>the privacy policy declares as being variously black, white, and grey.
>EPAL could "automatically enforce" those policies/rules if the 
>applications were expressed in rule-form - in which case the addition of 
>rules that express the privacy policies would directly change the 
>processing of the next transaction that triggered any of the new rules.
>But I'm unaware of any mechanism whereby the expression of rules could 
>affect the algorithms expressed in 1st, 2nd, 3rd generation languages, or 
>even the functioning of applications expressed in 4th generation 
>delcarative languages:
>http://www.anu.edu.au/people/Roger.Clarke/SOS/SwareGenns.html (1991)
>Those are the languages in which virtually all applications are expressed.
>So the message has been garbled by public relations people.  And reporters 
>around the world are doubtless mis-reporting it, just as they were 
>supposed to do.  For example, Privacy Manager's award citation says that 
>EPAL "applies privacy rules across interconnected business systems".
>Even so, Arvind Krishna, vice president of security products, Tivoli 
>Software, appears to be responsible for the media release.  And it told 
>serious porkies (sorry:  Cockney rhyming slang:  'pork pie' => 'lie').  Or 
>would it be preferable for me to dissemble like IBM did, e.g. 'the media 
>release used language that could be interpreted as having been contrived 
>so as to convey a meaning that was considerably different from and more 
>interesting than the interpretation that a reasonable person who was 
>reasonably informed would have done'?
>The author of the underlying paper, Matthias Schunter, IBM Zurich Research 
>Laboratory appears to be not guilty.  His document says things like:
>"The **goals** for the EPAL language are the following.
>*   Provide the ability to encode an enterprise's privacy-related 
>data-handling policies and practices.
>*   A language that can be imported and enforced by a privacy-enforcement 
>"a privacy creation tool from one company may create an EPAL policy, and 
>**a privacy enforcement tool** from another company **may read-in the EPAL 
>policy and then enforce it**"
>Matthias Schunter's work I should read.  Although it would be nice if 
>there was an explanation as to precisely what this 'structured privacy 
>policy declaration language' does that P3P doesn't already do.  And we all 
>know how far short P3P has fallen from its original aspirations (to date! 
>I have to add 'to date'!).
>Some other bits from the media release, which *do* make sense:
>Enterprise Privacy Authorization Language (EPAL) is described as a "an XML 
>language that enables organizations to enforce P3P policies behind the 
>Web, among applications and databases".
>"A team of students at North Carolina State University has developed the 
>first tool to help developers leverage EPAL - the Privacy Authoring 
>Editor. The new tool helps companies author and edit privacy policies 
>using EPAL while allowing for the expression of richer and more complex 
>privacy rules than current standards allow.".
>The example that the media release provides as being able to be expressed 
>"in a language that applications and privacy management tools can 
>understand" is as follows:  "Members of the physician group can read 
>protected health information for the purpose of medical treatment, only if 
>the physician is the primary care physician and the patient or the 
>patient's family is notified in advance".
>I've done an amount of work in that particular area, summarised at:
>Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
>Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                 Tel: +61 2 6288 1472, and 6288 6916
>mailto:Roger.Clarke@xamax.com.au         http://www.xamax.com.au/
>Visiting Professor in the eCommerce Program, University of Hong Kong
>Visiting Professor in the Baker Cyberspace Law & Policy Centre, U.N.S.W
>Visiting Fellow in Computer Science, Australian National University

-- Dr. Matthias Schunter <mts (at) zurich.ibm.com> ---
IBM Zurich Research Laboratory,   Ph. +41 (1) 724-8329
Fax +41-1-724-8953;      More info at www.schunter.org
PGP Fingerprint    989AA3ED 21A19EF2 B0058374 BE0EE10D
Received on Thursday, 11 December 2003 16:48:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:37:18 UTC