<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Usage Control for Decentralized Systems</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ines Akaichi</string-name>
          <email>ines.akaichi@wu.ac.at</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="editor">
          <string-name>Policy, Usage Control, Reasoning, Semantic Web, Administration, Decentralized Systems</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute for Information Systems &amp; New Media, Vienna University of Economics and Business</institution>
          ,
          <addr-line>Vienna</addr-line>
          ,
          <country country="AT">Austria</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2022</year>
      </pub-date>
      <abstract>
        <p>In decentralized environments, software platform providers face various legislative challenges including, but not limited to, the need to adhere to legal requirements with respect to privacy (e.g. data protection legislation) and copyright (e.g. copyright legislation) when it comes to sharing data and digital assets. In addition, data owners are reluctant to share their data with decentralized systems, as often they have no control over how their data are used. In order to enable software platform providers to manage data and digital assets appropriately and to provide more control to data and digital asset owners, policy-based usage control could be used to make sure that consumers handle data according to privacy preferences, licenses, regulatory requirements, among others. In this research proposal, we investigate the application of policy-based usage control in decentralized environments to address the challenges of controlling the use of data and assets. In particular, we address the challenges related to the specification of usage control policies, the enforcement of the respective policies, and the usability of the tools that are used to administer them.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Modern decentralized systems, such as the Internet of Things (IoT), virtual data spaces, and
distributed knowledge graph applications face a variety of challenges from a data and digital
asset management perspective. According to Pretschner [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], data owners are reluctant to share
their data with decentralized systems, as often they have no control over how their data are
used. Additionally, Park and Sandhu [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] highlight that the sharing of data in decentralized
environments goes beyond traditional access control, as existing solutions do not provide control
over data usage once access to the data has been granted. Technologies that aim to address this
challenge, which are usually classified as usage control or policy-based usage control, aim to
ensure that data consumers handle data according to usage policies stipulated by data owners.
Generally speaking, usage control is a generic term for data management software that supports
data protection, copyright, and/or various legislative and institutional policies in a variety of
domains, including, but not limited to, mobile software, cloud computing, industry 4.0, IoT, and
collaborative software.
Problem statement. In our proposal, we address the problem of policy specification,
enforcement and administration in decentralized usage control. While the majority of usage
control policy languages are built according to domain-specific requirements, it is unclear
whether existing domain/use case-specific proposals could be used for usage control
in the general sense, where a single system may need to support privacy preferences,
regulatory requirements, licensing, among others. Moving to the semantic web
community, researchers have proposed various general-purpose policy languages that have not
previously been explored in the context of usage control. Therefore, it is also unclear
how these policy languages can be used to provide adequate support for the common
structures encountered in usage control requirements in decentralized environments.
Contributions. In this proposal, we investigate the development of a unified and flexible
policy language that supports diferent types of usage control policies in various domains.
Semantic technologies could potentially be used to develop a common policy model
that can support privacy preferences, regulatory requirements, licensing, among others.
Semantic technologies are particularly well suited for policy specification, as ontologies
and vocabularies can be used to formalize policy concepts and rules in an extensible
manner [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. Additionally, we plan to include an enforcement framework by using the
semantics of our policy language in order to automatically check for policy adherence
in decentralized environments. Finally, we plan to demonstrate the suitability of our
proposal by integrating our framework to the SOLID1 project, which currently only
supports access control.
      </p>
      <p>Paper structure. The remainder of this research proposal is structured as follows: in Section
2, we present related work. In Section 3, we outline the working hypothesis that underlies
our research proposal. Next, in Section 4, we present our progress made to date. In
Section 5, we describe the methodology that guides our research aside to our work plan.</p>
      <p>Finally, we conclude our work in Section 6.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Related Work</title>
      <p>
        The term usage control was first introduced by Park and Sandhu [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] whose research focus on
supporting the continuous monitoring of digital asset usage in dynamic distributed
environments. Over the years, researchers have proposed various usage control conceptual models
(cf. [
        <xref ref-type="bibr" rid="ref2 ref4">4, 2</xref>
        ]), policy languages and frameworks (cf. [
        <xref ref-type="bibr" rid="ref5 ref6">5, 6</xref>
        ]). Other works focused on enforcing the
respective policies, via proactive or reactive mechanisms that aim to prevent security breaches
and policy violations (cf. [
        <xref ref-type="bibr" rid="ref5 ref7">5, 7</xref>
        ]).
      </p>
      <p>
        When it comes to the semantic web community, researchers proposed general policy
languages and frameworks, such as KaoS [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ], Rei [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], and Protune [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] to govern and manage a
range of constraints (e.g. access control, privacy preferences, regulatory constraints) that are
encountered in a variety of distributed systems, such as multi-agent systems, computing grids,
enterprise information systems, and pervasive environments. More recent studies proposed policy
1The SOLID Project, https://solidproject.org/
languages tailored to support access control (cf. [
        <xref ref-type="bibr" rid="ref11 ref12">11, 12</xref>
        ]), privacy preferences (cf. [
        <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
        ]),
licensing (cf. [
        <xref ref-type="bibr" rid="ref15 ref16">15, 16</xref>
        ]) and regulatory requirements (cf. [
        <xref ref-type="bibr" rid="ref13 ref17">13, 17</xref>
        ]).
      </p>
      <p>
        In usage control, the majority of policy languages (cf. DUPO [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], LUCON [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]) were developed
according to domain-specific requirements in relation to mobile software, cloud computing, IoT,
industry 4.0., networking, operating systems, and collaborative software . Whereas, the policy
languages that are meant to be domain-agnostic are either not validated using use cases (e.g.
OB-XACML [18]) or are only evaluated in a specific domain (e.g. IND 2UCE [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] and [19]). Hence,
it is unclear if the existing proposals could be used for usage control in the general sense, where
a single system may need to support privacy preferences, regulatory requirements, licenses,
among others. While on one hand, general semantic policy languages can be used to express
a variety of constraints, it is also unclear how these policy languages can be used to provide
adequate support for the common structures encountered in usage control requirements (e.g.
normative rules, obligation bound to condition, obligations states, system and environmental
conditions, condition updates). On the other hand, tailored policy languages are bound to the
constraints for which they were developed and only cover requirements that are encountered
in their respective areas.
      </p>
    </sec>
    <sec id="sec-3">
      <title>3. Gap &amp; Hypothesis</title>
      <p>Building on the existing challenge in the field of usage control, we see the need for a general
policy language and framework that allows for the expression of diferent types of policies in
decentralized usage control and is not tied to specific applications. As pointed out by Akaichi
and Kirrane [20], a usage control framework is a comprehensive framework that allows for the
specification, enforcement and administration of usage policies. Accordingly, our framework
has to incorporate the following key components: (i) a formal machine-readable policy language
that is used to express usage control policies; (ii) an enforcement mechanism that can monitor
compliance with said policies; and (iii) an administration interface that can be used to manage
and monitor usage control policies.</p>
      <p>Additionally, growing dynamic environments, such as the web or IoT-based data sharing
systems, where new users continuously join, pose new challenges in terms of unpredictability
and dynamicity. Therefore, decentralized environments bring an additional set of considerations
from a usage control perspective with respect to: (i) controlling data that reside within multiple
systems; (ii) securing data sharing and usage; and (iii) enforcing policies across multiple systems.
As a result, the framework must also take into account the decentralized aspects of usage control.
To this end, we summarize the main hypothesis of our research proposal as follows:</p>
      <p>Efective decentralized usage control may be achieved by: (i) a
generalpurpose policy language that can support diferent domains and
applications of usage control; (ii) an enforcement mechanism that can address
the challenges of dynamicity and unpredictability in decentralized
environments ; and (iii) an administrative framework that ofers users more
control, trust and transparency over the use of their data.</p>
      <p>Our hypothesis leads to the following research questions:
1) To what extent do semantic web technologies improve the flexibility and extensibility
of usage control policy languages?
2)What are the most suitable mechanisms for enforcing usage control policies in decentralized
environments?
3) What are the most efective tools and techniques that can be used to provide data owners with
more control, trust and transparency with respect to how their data are being used?</p>
    </sec>
    <sec id="sec-4">
      <title>4. Preliminary Results</title>
      <p>In an efort to establish an overview of what has been done in the field of usage control, a
fundamental step was to gather and compare the predominant approaches to usage control,
i.e., frameworks, found in the literature. To conduct this comparison, an initial task was to
examine the diferent requirements that have been used to guide the development of various
usage control solutions. The requirements were then used to compare existing frameworks in
order to assess their overall completeness.</p>
      <p>To this end, in our survey paper on usage control [20], which is submitted to a journal and is
currently under review, we outline the following key contributions: (i) a taxonomy of usage
control requirements brought from the literature. The taxonomy, which is depicted in Figure 1,
is divided into three high level dimensions of requirements regarding policy-based usage control,
i.e. the specification and representation of the policy language, the enforcement mechanisms
used to enforce and manage usage policies throughout the usage process, and the robustness
of the overall solution; (ii) the results of a qualitative comparison of the predominant usage
control proposals; and (iii) various challenges and opportunities for the decentralized usage
control domain that were derived from our comparison.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Methodology &amp; Work Plan</title>
      <p>To answer our research questions, we adopt the design science research methodology (DSRM)
presented by [21]. Design science research is a paradigm focused on improving disciplinary
knowledge based on the development of innovative artifacts. In Figure 2, we present our process
model for conducting our research, which consists of the following activities:
Identify Problem &amp; Motivate. This activity defines the research motivation by pinpointing
existing problems and gaps in a specific research area. To this end, our review article [ 20]
outlined the state of the art in decentralized usage control and identified various gaps with
respect to the specification, enforcement, and administration of policies.</p>
      <p>
        Define Objectives of a Solution. The objectives of a solution can be deduced from the
problem definition. In our research, the objectives represent the requirements collected in the
literature whereby a usage control solution is expected to address. Thus, we used the set of
requirements to identify gaps in the domain by analyzing solutions and to what extent they
cover these requirements. The full list of requirements is depicted in Figure 1.
Design &amp; Development. In this activity, artifacts are created. The challenges and
opportunities presented in our overview paper drive the development of new artifacts, while the
requirements determine the desired functionality of these artifacts. In our proposal, the
following artifacts are to be considered:
A usage control policy language. We plan to develop a general purpose usage control policy
language based on deontic operators with extended capability to include domain specific
knowledge using semantic web technologies. Inspired by diferent policy languages
[
        <xref ref-type="bibr" rid="ref16 ref9">9, 22, 16</xref>
        ], we began developing the Usage Control Policy (UCP) language designed on
the basis of deontic concepts (i.e., permission, prohibition, obligation, and dispensation)
and constraints or conditions on data usage. In addition, the policy language is built
on top of domain ontologies, which provides flexibility in expressing diferent types of
usage control policies. The initial version of our Usage Control Policy language only
supports very simple conditions. Concretely, we plan to examine the suitability of various
ifne-grained conditions, such as actions that are bounded by cardinality, temporal, or
spatial restrictions and conditions that are tightly coupled to various actors and/or goals.
Further, the expression and representation of deontic states is an important step to ensure
continuous monitoring and enforcement of data usage. Hence, we want to investigate
the proper way to encode deontic states and their evolution during a usage process, for
example to monitor the life cycle of obligations in order to check whether they are fulfilled
or not by the end users. Finally, we want to study the expressiveness of various obligations
and conditions and how they can be efectively structured into various policy profiles
using Description Logic (DL) together with well-understood semantics and complexity.
An enforcement framework. We plan to develop an enforcement framework that is able
to leverage of the shelf reasoners, such as HermiT and FaCT++. Inspired by the works
of [
        <xref ref-type="bibr" rid="ref10 ref9">9, 10</xref>
        ], the DL based policy profiles together with the reasoning engine will be used
to automatically check the compliance of data usage against usage control policies. To
this end, we plan to leverage DL deductive reasoning capabilities to reason about usage
control policies. As mentioned in [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ], the advantage of using DL and consequently,
OWL2, is that the majority of the policy-reasoning tasks are decidable and tractable,
which is very important when making decisions regarding policy compliance in dynamic
environments. In addition, we plan to explore the suitability of enforcement strategies (e.g.
sticky policies [23], logs [24], data flow tracking tools [ 25]) that enable the enforcement
of decentralized usage control.
      </p>
      <p>Data empowerment tools and technologies. Empowering users means facilitating their
awareness through tools that give data owners more control, trust and transparency
over how their data are used. Thus, we plan to extend the SOLID technology, which is
initially used to manage access controls, by including usage control. We plan to build
on top of this technology an administration application, which is meant to empower
users by allowing them to share their preferences for how their data should be used,
transparently display system-related decisions and actions in terms of how their data is
actually used, and provide a secure and trusted environment for users to share their data,
among other things. To this end, we plan to explore various tools and techniques that can
be used to provide data owners with more control, trust, and transparency, such as using
transparency enhancement tools or trust management techniques. The development of
this interface will be guided by various design principles emerging from the literature
that are likely to support control, trust and transparency [26].</p>
      <p>Demonstration. This activity is used to demonstrate the efectiveness of artifacts in a given
context that supports various policies such as access control, licensing, privacy, etc. We plan to
evaluate the suitability of the artifacts by extending the SOLID technology to support usage
control, i.e., by integrating our usage control policy language and enforcement framework.
In particular, we plan to apply the resulting solution to various use cases provided by the
KnowGraphs2 project partners. For instance, the first use case originates from the IoT domain,
in which it describes a data sharing platform that connects users to various IoT devices [20].
The second use case is from the financial domain, depicting a market data supply chain where
diferent parties exchange data for financial instruments 3.</p>
      <p>Evaluation. This activity involves comparing the goals of a solution to the actual results
observed when using the artifact in the demonstration. The evaluation of the adequacy of the
policy language involves evaluating the expressiveness of the policy using the set of requirements
that involve the specification dimension. While, the evaluation of the enforcement framework
depends on using the set of requirements from the enforcement and robustness dimension. In
turn, the evaluation of the administration framework depends on a couple of usability testing
methods inspired by the work of legal and privacy researchers, which mainly involve user
studies.</p>
      <p>Communication. This activity concerns communicating the results of our research. In
our case, every artifact is mapped to a research article that will be submitted to journals and
conferences, as well as to draft specifications.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusion</title>
      <p>In this proposal, we explored the application of usage control in decentralized environments. Our
gap analysis in the area of usage control identified various challenges in terms of specification,
enforcement and administration of usage control policies. To this end, we discussed our research
questions, our approach to addressing these challenges, our preliminary results, our future
work, and the methodology that will guide our research.</p>
    </sec>
    <sec id="sec-7">
      <title>Acknowledgments</title>
      <p>This research is conducted under the supervision of Asst. Prof. Sabrina Kirrane and is funded
by the European Union Horizon 2020 research and innovation program under the Marie
Sklodowska-Curie grant agreement No 860801.
2The KnowGraphs Project, https://knowgraphs.eu/
3The Market Data Profile for ODRL, https://w3c.github.io/market-data-odrl-profile/md-odrl-profile.html
[18] D. Kateb, Y. Elrakaiby, T. Mouelhi, I. Rubab, Y. Le Traon, Towards a full support of
obligations in xacml, in: Risks and Security of Internet and Systems, Springer International
Publishing, Cham, 2014.
[19] L. C. P. Weber, T. Silva, A framework for usage control policy enforcement, Master’s thesis,
2010. Supervised by Pretschner, Alexander.
[20] I. Akaichi, S. Kirrane, Usage control specification, enforcement, and robustness: A survey,
2022. URL: https://arxiv.org/abs/2203.04800.
[21] K. Pefers, T. Tuunanen, M. Rothenberger, S. Chatterjee, A design science research
methodology for information systems research, J. Manage. Inf. Syst. 24 (2007).
[22] P. Bonatti, S. Kirrane, I. Petrova, L. Sauro, E. Schlehahn, SPECIAL Deliverable D2.5 Policy</p>
      <p>Language V2, Technical Report, H2020 Project, 2018. URL: https://specialprivacy.ercim.eu.
[23] D. Miorandi, A. Rizzardi, S. Sicari, A. Coen-Porisini, Sticky policies: A survey, IEEE</p>
      <p>Transactions on Knowledge and Data Engineering 32 (2020).
[24] P. Bonatti, S. Kirrane, A. Polleres, R. Wenning, Transparent personal data processing:
The road ahead, in: Computer Safety, Reliability, and Security. SAFECOMP, Springer
International Publishing, Cham, 2017.
[25] W. Hu, A. Ardeshiricham, R. Kastner, Hardware information flow tracking, ACM Comput.</p>
      <p>Surv. 54 (2021).
[26] S. Fischer-Hübner, J. Angulo, F. Karegar, T. Pulls, Transparency, privacy and trust
technology for tracking and controlling my data disclosures: Does this work?, in: IFIPTM,
2016.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          ,
          <article-title>An overview of distributed usage control - extended abstract</article-title>
          ,
          <source>in: Proceedings of the International Conference on Knowledge Engineering</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>J.</given-names>
            <surname>Park</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Sandhu</surname>
          </string-name>
          ,
          <article-title>The uconabc usage control model</article-title>
          ,
          <source>ACM Trans. Inf. Syst. Secur</source>
          .
          <volume>7</volume>
          (
          <year>2004</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>B.</given-names>
            <surname>Esteves</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Rodríguez-Doncel</surname>
          </string-name>
          ,
          <article-title>Analysis of ontologies and policy languages to represent information flows in gdpr</article-title>
          ,
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Q. H.</given-names>
            <surname>Cao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Giyyarpuram</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Farahbakhsh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Crespi</surname>
          </string-name>
          ,
          <article-title>Policy-based usage control for a trustworthy data sharing platform in smart cities</article-title>
          ,
          <source>Future Generation Computer Systems</source>
          <volume>107</volume>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>C.</given-names>
            <surname>Jung</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Eitel</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Schwarz</surname>
          </string-name>
          ,
          <article-title>Enhancing cloud security with context-aware usage control policies</article-title>
          ,
          <source>Lecture Notes in Informatics (LNI)</source>
          ,
          <source>Proceedings - Series of the Gesellschaft fur Informatik (GI)</source>
          (
          <year>2014</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>J.</given-names>
            <surname>Schütte</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. S.</given-names>
            <surname>Brost</surname>
          </string-name>
          ,
          <article-title>Lucon: Data flow control for message-based iot systems</article-title>
          , in: International Conference On Trust,
          <source>Security And Privacy In Computing And Communications/International Conference On Big Data Science</source>
          And Engineering (TrustCom/BigDataSE), IEEE, USA,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>D.</given-names>
            <surname>Basin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Harvan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Klaedtke</surname>
          </string-name>
          , E. Zălinescu, Monpoly:
          <article-title>Monitoring usage-control policies</article-title>
          , in: International conference on runtime verification, Springer, Springer, Berlin, Heidelberg,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>J. M.</given-names>
            <surname>Bradshaw</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Dutfield</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Benoit</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. D.</given-names>
            <surname>Woolley</surname>
          </string-name>
          ,
          <article-title>Kaos: toward an industrial-strength open agent architecture</article-title>
          ,
          <year>1997</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>L.</given-names>
            <surname>Kagal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. W.</given-names>
            <surname>Finin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Joshi</surname>
          </string-name>
          ,
          <article-title>A policy language for a pervasive computing environment</article-title>
          , in: International Workshop on Policies for
          <article-title>Distributed Systems and Networks (POLICY)</article-title>
          ,
          <source>IEEE Computer Society</source>
          , Los Alamitos, CA, USA,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>P. A.</given-names>
            <surname>Bonatti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Olmedilla</surname>
          </string-name>
          ,
          <article-title>Driving and monitoring provisional trust negotiation with metapolicies</article-title>
          ,
          <source>IEEE International Workshop on Policies for Distributed Systems and Networks</source>
          (
          <year>2005</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>A.</given-names>
            <surname>Sambra</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Corlosquet</surname>
          </string-name>
          , Webid
          <volume>1</volume>
          .0
          <article-title>- web identity and discovery</article-title>
          , https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>S.</given-names>
            <surname>Steyskal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Polleres</surname>
          </string-name>
          ,
          <article-title>Defining expressive access policies for linked data using the odrl ontology 2.0</article-title>
          , in:
          <source>Proceedings of the 10th International Conference on Semantic Systems</source>
          , Association for Computing Machinery, New York, NY, USA,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>P.</given-names>
            <surname>Bonatti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Kirrane</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Petrova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Sauro</surname>
          </string-name>
          ,
          <article-title>Machine understandable policies and gdpr compliance checking</article-title>
          , KI - Künstliche
          <string-name>
            <surname>Intelligenz</surname>
          </string-name>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>D. Z. G.</given-names>
            <surname>Garcia</surname>
          </string-name>
          ,
          <string-name>
            <surname>M. B. F. de Toledo</surname>
          </string-name>
          ,
          <article-title>A web service privacy framework based on a policy approach enhanced with ontologies</article-title>
          ,
          <source>IEEE International Conference on Computational Science and Engineering - Workshops</source>
          (
          <year>2008</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>T.</given-names>
            <surname>Pellegrini</surname>
          </string-name>
          , G. Havur,
          <string-name>
            <given-names>S.</given-names>
            <surname>Steyskal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Panasiuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fensel</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Mireles-Chavez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Thurner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Polleres</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Kirrane</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Schönhofer</surname>
          </string-name>
          ,
          <article-title>Dalicc: A license management framework for digital assets</article-title>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <issue>W3C</issue>
          ,
          <article-title>The open digital rights language (odrl</article-title>
          ), https://www.w3.org/TR/odrl-model/,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <surname>M. D. Vos</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          <string-name>
            <surname>Kirrane</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          <string-name>
            <surname>Padget</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          <string-name>
            <surname>Satoh</surname>
          </string-name>
          ,
          <article-title>Odrl policy modelling and compliance checking</article-title>
          , in: RuleML+RR, Springer International Publishing, Cham,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>