EPAL: Media Release Fictions Undermine Credibility from Roger Clarke on 2003-12-11 (public-p3p@w3.org from December 2003)

From: Roger Clarke <Roger.Clarke@xamax.com.au>
Date: Thu, 11 Dec 2003 17:06:40 +1100
To: public-p3p@frink.w3.org
Cc: mts@zurich.ibm.com (Matthias Schunter)
Message-Id: <p05200f01bbfda428ae96@[192.168.123.167]>
As a result of a prize that IBM's been awarded, I've had a look at 
IBM's EPAL media release of 9 July 2003, at:
http://www-306.ibm.com/software/swnews/swnews.nsf/n/ades5pakbu?OpenDocument&Site=default

The award citation also says that "On December 1, 2003, IBM announced 
it was turning EPAL over to the World Wide Web Consortium (W3C) in 
the hopes that it will become an international standard and will help 
automate privacy management tasks, improve consumer trust and reduce 
the cost of privacy compliance".  But IBM's site-search doesn't 
locate a media release to that effect.

(On searching my public-p3p archive, I see that Rigo has mentioned 
EPAL in three emails over the last 9 months, including one that 
mentioned it being presented in Sydney in September, at a conference 
adjacent to the World Privacy Commissioners conference).


Call me an inveterate sceptic by all means, but a quick analysis of 
the information in the media release is as follows.

The title of the media release refers to "A New Language to Automate 
Privacy Compliance".

The opening sentence calls EPAL "the first computer language to 
provide enterprises with a way to automate the enforcement of privacy 
policies among IT applications and systems".

The 2nd para. repeats "automate compliance to those rules".

The 3rd para. again refers to "automate tedious privacy management 
tasks".  But by that stage the signal is becoming attenuated, because 
it's unclear whether "building enforcement into enterprise 
applications" requires work on the applications themselves, or just 
work using the EPAL language.

Finally, in the 4th para., we get a quotation from a named person 
rather than impersonal IBM, and this says that EPAL is "to help 
automate the enforcement".  So now we might be talking about 
something a little different.


Let's resort to the real world of IT applications for a moment.

It's a bit difficult to see how EPAL could "automate the enforcement 
of privacy policies among IT applications and systems".  We're by 
definition talking about 'legacy systems' here.

Policies expressed using EPAL (or indeed P3P) could conceivably be 
used as a tool for auditors checking applications for compliance with 
privacy policy statements.  That could extend to the design of 
test-data sets, in order to establish what the application actually 
does in instances that the privacy policy declares as being variously 
black, white, and grey.

EPAL could "automatically enforce" those policies/rules if the 
applications were expressed in rule-form - in which case the addition 
of rules that express the privacy policies would directly change the 
processing of the next transaction that triggered any of the new 
rules.

But I'm unaware of any mechanism whereby the expression of rules 
could affect the algorithms expressed in 1st, 2nd, 3rd generation 
languages, or even the functioning of applications expressed in 4th 
generation delcarative languages:
http://www.anu.edu.au/people/Roger.Clarke/SOS/SwareGenns.html (1991)

Those are the languages in which virtually all applications are expressed.

So the message has been garbled by public relations people.  And 
reporters around the world are doubtless mis-reporting it, just as 
they were supposed to do.  For example, Privacy Manager's award 
citation says that EPAL "applies privacy rules across interconnected 
business systems".

Even so, Arvind Krishna, vice president of security products, Tivoli 
Software, appears to be responsible for the media release.  And it 
told serious porkies (sorry:  Cockney rhyming slang:  'pork pie' => 
'lie').  Or would it be preferable for me to dissemble like IBM did, 
e.g. 'the media release used language that could be interpreted as 
having been contrived so as to convey a meaning that was considerably 
different from and more interesting than the interpretation that a 
reasonable person who was reasonably informed would have done'?



The author of the underlying paper, Matthias Schunter, IBM Zurich 
Research Laboratory appears to be not guilty.  His document says 
things like:

"The **goals** for the EPAL language are the following.
*   Provide the ability to encode an enterprise's privacy-related 
data-handling policies and practices.
*   A language that can be imported and enforced by a 
privacy-enforcement system"

"a privacy creation tool from one company may create an EPAL policy, 
and **a privacy enforcement tool** from another company **may read-in 
the EPAL policy and then enforce it**"

Matthias Schunter's work I should read.  Although it would be nice if 
there was an explanation as to precisely what this 'structured 
privacy policy declaration language' does that P3P doesn't already 
do.  And we all know how far short P3P has fallen from its original 
aspirations (to date! I have to add 'to date'!).


Some other bits from the media release, which *do* make sense:

Enterprise Privacy Authorization Language (EPAL) is described as a 
"an XML language that enables organizations to enforce P3P policies 
behind the Web, among applications and databases".

"A team of students at North Carolina State University has developed 
the first tool to help developers leverage EPAL - the Privacy 
Authoring Editor. The new tool helps companies author and edit 
privacy policies using EPAL while allowing for the expression of 
richer and more complex privacy rules than current standards allow.".

The example that the media release provides as being able to be 
expressed "in a language that applications and privacy management 
tools can understand" is as follows:  "Members of the physician group 
can read protected health information for the purpose of medical 
treatment, only if the physician is the primary care physician and 
the patient or the patient's family is notified in advance".

I've done an amount of work in that particular area, summarised at:
http://www.anu.edu.au/people/Roger.Clarke/EC/eConsent.html


-- 
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                 Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke@xamax.com.au            http://www.xamax.com.au/

Visiting Professor in the eCommerce Program, University of Hong Kong
Visiting Professor in the Baker Cyberspace Law & Policy Centre, U.N.S.W
Visiting Fellow in Computer Science, Australian National University
Received on Thursday, 11 December 2003 01:19:21 UTC