Practical challenges of ODRL and potential courses of action

Andrea Cimmino, Universidad Politécnica de Madrid, Madrid, Spain, andreajesus.cimmino@upm.es
Juan Cano-Benito, Universidad Politécnica de Madrid, Madrid, Spain, juan.cano@upm.es
Raúl García-Castro, Universidad Politécnica de Madrid, Madrid, Spain, r.garcia@upm.es

ABSTRACT

The Open Digital Rights Language (ODRL) is a standard widely adopted to express privacy policies. This article presents several challenges identified in the context of the European project AURORAL, in which ODRL is used to express privacy policies for Smart Communities and Rural Areas. The article argues that some challenges should be addressed directly by the ODRL standardisation group to achieve the best course of action, although others exist. For others, the authors have presented a potential solution, in particular, for considering dynamic values coming from external data sources in privacy policies. Finally, the last challenge is an open research question, since it revolves around the interoperability of privacy policies that belong to different systems and that are expressed with different privacy languages.

KEYWORDS

Privacy, Open Digital Rights Language (ODRL), RDF Materialisation

ACM Reference Format:
Andrea Cimmino, Juan Cano-Benito, and Raúl García-Castro. 2023. Practical challenges of ODRL and potential courses of action. In Companion Proceedings of the ACM Web Conference 2023 (WWW ’23 Companion), April 30–May 04, 2023, Austin, TX, USA. ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3543873.3587628

1 INTRODUCTION

The use of digital content has increased dramatically in recent years, leading to the need for a standard way to manage the rights and permissions associated with that content [14]. The Open Digital Rights Language (ODRL) provides a solution to this need by offering a common language for expressing and managing digital rights and obligations. ODRL is a widely adopted standard promoted by the W3C [6, 7].
However, to the authors’ knowledge, the adoption of this standard, and the documents and articles related to it, focus on how these policies can be expressed or how existing restrictions of rights and permissions can or cannot be written using ODRL [2, 3]. For example, they consider whether the General Data Protection Regulation (GDPR) can be expressed using ODRL and not how such a policy is evaluated or verified. As a result, how these policies must be evaluated by a software system is a topic not covered by the standard. Furthermore, the standard does not specify how to implement the operators and operands that can be stated within a privacy policy.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
WWW ’23 Companion, April 30–May 04, 2023, Austin, TX, USA
© 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-9419-2/23/04...$15.00
https://doi.org/10.1145/3543873.3587628

In the context of the European project AURORAL¹, the ODRL standard has been adopted in order to express privacy policies in Smart Communities and Rural Areas. In this context, two additional challenges have been identified. On the one hand, due to the dynamic nature of the data that belong to Smart Communities and Rural Areas, the privacy policies need to consider information that is outside the policies themselves.
For example, a policy may allow a certain source of data to be discovered only during the night hours or if the requester is inside a certain geolocation. Expressing these kinds of policies is not currently possible using ODRL. Furthermore, the usage of ODRL policies in AURORAL has led to another challenge that revolves around scenarios in which different systems represent privacy policies using different languages, e.g., a system based on ODRL and SOLID [12]. In these cases, in which ways could these systems interoperate at the policy level?

This article presents and explains these challenges in detail, and then the authors discuss what could be the best course of action to take for each of them, prioritising good practices and standards.

The remainder of this paper is structured as follows. Section 2 states and explains the challenges identified by using ODRL in the AURORAL European project. Section 3 presents potential solutions to address the challenges presented. Section 4 presents a discussion of the challenges and their potential solutions.

2 CHALLENGES

Although some articles have tackled the limitations of ODRL as a vocabulary to express privacy policies [9], the limitations identified in this article occur when an ODRL policy is evaluated and it must be decided whether to grant or revoke access to specific resources.

Figure 1 shows a simplified view of the ODRL Information Model 2.2 [7]. As can be observed, ODRL policies consist of a set of rules, each of which is associated with a target and an action. Rules can be classified into permissions, duties, and prohibitions. Actions describe something that could happen to the target, directly or indirectly, if the set of constraints associated with a specific rule are met. A constraint consists of two operands and an operator. The ODRL Vocabulary & Expression 2.2 [6] provides a set of defined LeftOperand², RightOperand³, and Operator⁴.
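
The constraint structure described above (two operands and an operator), as an added example that is not code from the paper or from the ODRL specification: a minimal fail-closed evaluator for permission rules. The operator semantics, the `ctx` request context that supplies each left operand's runtime value, and the sample policy and its URL are assumptions made for illustration; prohibitions and duties are not handled.

```python
from datetime import datetime, timezone

# Operator semantics chosen for this example: ODRL names these operators
# but does not prescribe how an evaluator implements them.
OPERATORS = {
    "eq":   lambda l, r: l == r,
    "neq":  lambda l, r: l != r,
    "lt":   lambda l, r: l < r,
    "lteq": lambda l, r: l <= r,
    "gt":   lambda l, r: l > r,
    "gteq": lambda l, r: l >= r,
}

def _parse_dt(value):
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

# For each supported left operand: how its runtime value is resolved from the
# request context (outside the policy) and how the right operand is parsed.
LEFT_OPERANDS = {
    "dateTime": (lambda ctx: ctx["now"], _parse_dt),
    "count":    (lambda ctx: ctx["use_count"], int),
}

def constraint_holds(constraint, ctx):
    """Return True only if the constraint is understood and satisfied."""
    try:
        resolve, parse = LEFT_OPERANDS[constraint["leftOperand"]]
        op = OPERATORS[constraint["operator"]]
        return bool(op(resolve(ctx), parse(constraint["rightOperand"])))
    except (KeyError, ValueError, TypeError):
        return False  # fail closed: unknown operand/operator or unusable value

def is_permitted(policy, action, target, ctx):
    """Grant only if a matching permission exists and all its constraints hold."""
    for rule in policy.get("permission", []):
        if rule.get("action") == action and rule.get("target") == target:
            if all(constraint_holds(c, ctx) for c in rule.get("constraint", [])):
                return True
    return False

# Constructed sample policy (not from the paper).
POLICY = {
    "permission": [{
        "target": "http://example.com/dataset/sensors", "action": "read",
        "constraint": [{"leftOperand": "dateTime", "operator": "lt",
                        "rightOperand": "2024-01-01T00:00:00+00:00"}],
    }],
}
```

The same policy yields a different decision depending on the value the evaluator supplies for `now`, and any operand or operator the evaluator does not implement results in a denial rather than a silent grant.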
The ODRL Working Group has provided documents that specify how to express privacy policies or even best practices for this goal⁵.

1 https://www.auroral.eu/
2 https://www.w3.org/TR/odrl-vocab/#term-LeftOperand
3 https://www.w3.org/TR/odrl-vocab/#term-RightOperand
4 https://www.w3.org/TR/odrl-vocab/#term-Operator
5 https://w3c.github.io/odrl/bp/