IBM takes aim at automating privacy enforcement

Its new XML-based language could help companies better enforce privacy policies

A new programming language announced by IBM last week promises to help companies automate the enforcement of corporate privacy policies.

IBM's XML-based Enterprise Privacy Authorization Language (EPAL) can be used to build privacy-related rules and conditions, said Steve Adler, an IBM marketing manager. For instance, privacy policies could be written and attached to each record in a customer database. The policies then travel wherever the data goes and can be used to control the manner in which the data is accessed and used.

EPAL builds on the World Wide Web Consortium's Platform for Privacy Preferences Protocol (P3P), Adler said. P3P allows privacy preferences that are expressed in plain text to be turned into a digital or machine-readable code. It's used widely in browsers to accept or block a Web site's request for information based on a user's privacy preferences.

P3P Comparison

But P3P doesn't allow developers to set conditions or give them a way to express negative rules—telling what a user can't do, for instance, Adler said. In contrast, "EPAL provides this positive and negative language that allows you to articulate what people are allowed to do or not allowed to do with data," he said.

"Its much more robust than P3P because it gives you a way to prevent data from being used in a [noncompliant] manner," said Larry Ponemon, director of the Ponemon Institute, a privacy think tank based in Tucson, Ariz.

"EPAL allows companies to use language that not only can describe an activity but also help enforce that activity," said Scott Shipman, privacy counsel at eBay Inc. "To date, no language has supported that second component."

EBay is a member of IBM's Privacy Management Advisory Council, which has evaluated the new language. The 25-member group also includes companies such as Marriott International Inc. and Fidelity Investments.

It's too early to say whether companies will need to make changes in their existing applications to take advantage of an EPAL environment, Shipman said. That will become clearer only as more tools become available for EPAL, he noted.

IBM's own approach has been to use what it calls "monitors" for linking new and existing applications to its Tivoli privacy management software. The approach allows developers to build privacy rules and audit reporting into applications without having to hard-code changes.

EPAL will allow companies to set and enforce far more specific rules related to the manner in which data is accessed and shared, said Fred Cohen, an analyst at Burton Group in Midvale, Utah.

The downside is that the more rules a company builds around its data with EPAL, the more complex the environment is likely to get, he added.

"Its one thing to have a system with five or six rules. But to express something like HIPAA compliance may take thousands of rules," Cohen said, referring to the Health Insurance Portability and Accountability Act. "There are all sorts of things that could go wrong."

IBM's EPAL announcement builds on the company's emerging privacy management initiative. Since last fall, IBM has been selling a P3P-based technology called Tivoli Privacy Manager that's aimed at helping companies comply with privacy rules. The technology allows companies to take a written privacy policy and convert it into digital form, deploy the policy to specific IT systems and applications, and then monitor access to data in accordance with the policy. EPAL is the language through which automatic enforcement can take place.

New Products

IBM's Privacy Management Tools

Reference Monitor for Tivoli Privacy Manager

Declarative Privacy Monitoring for Tivoli Privacy Manager

The monitors link new and existing applications to privacy management software, eliminating the need to hard-code privacy functions into each application.

Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon