IBM offers open-standard privacy language for identity management

As identity management continues to make inroads in the IT sector, IBM Corp. unveiled the latest contribution to the industry on Wednesday – an open-standard privacy language designed to provide the enterprise with a way to automate the enforcement of privacy policies in both applications and systems.

The new language is called Enterprise Privacy Authorization Language (EPAL), and is a means to express data-handling policies inside the enterprise, said Austin, Tex.-based Paul Fritz, product manager, Tivoli Software, IBM Corp.

EPAL goes one step further than the current privacy specification called Platform for Privacy Preferences (P3P), Fritz said. That specification was released by the World Wide Web Consortium (W3C) in April 2002 and was designed to communicate privacy policies from business applications to consumer applications.

“P3P is more concerned about advertising my policy to an individual…it’s not robust enough when used internally between applications inside an enterprise trying to implement a [privacy] policy,” he said. “What was lacking was a language that the enterprise could use internally to express its policies.”

The need for this type of language stems from the ever-changing rules and regulations associated with privacy issues, Fritz said, and from the growing need for organizations to follow strict rules and guidelines when it comes to corporate information. It also grows out of the need to build enforcement into enterprise applications so companies can automate management tasks.

For example, at one point it was enough for a company to know who had access to specific information, but now those companies need to know more detailed facts such as business motivation behind employees accessing certain information, Fritz added.

EPAL is a way to automate the enforcement of privacy policies and to express those data handling policies, he said.

While the company is going full throttle in publishing the language to garner feedback and awareness of it, Fritz said IBM is also setting the stage to making EPAL legitimate. In a statement, IBM said it would submit EPAL for standardization within the next few months.

It’s still a little early to get a sense of the impact this privacy language will have on the marketplace, Fritz said, adding that many companies are just starting to get a grasp of privacy regulations.

In related news, a team of students at North Carolina State University has developed the first tool to help developers leverage EPAL called the Privacy Authoring Editor. The tool helps companies create and edit privacy policies using IBM’s EPAL and is open for members of the open source community to update or match the specification, IBM said. The Privacy Authoring Editor is available at

IBM is online at