The increasing availability of information about people's context
makes it possible to deploy context-sensitive services, where access
to resources provided or managed by a service is limited depending
on a person's context. For example, a location-based service can
require an individual to be at a particular location in order to let
the individual use a printer or learn her friends' location.
However, constraining access to a resource based on confidential
information about a person's context could result in privacy
violations. For instance, if access is constrained based on a
person's location, granting or rejecting access will provide
information about this person's location and could violate the
person's privacy. We introduce an access-control algorithm that
avoids privacy violations caused by context-sensitive services. Our
algorithm exploits the concept of access-rights graphs, which
represent all the information that needs to be collected in order to
make a context-sensitive access decision. Moreover, we introduce
hidden constraints, which keep some of this information secret and
thus allow for more flexible access control. We present a
distributed, certificate-based access-control architecture for
context-sensitive services that avoids privacy violations, a sample
implementation, and a performance evaluation.
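The leak the abstract describes, and the kind of check an access-rights graph makes possible, can be made concrete with a small model. The following is an added example, not code from the paper or its implementation. It assumes a constructed context store (`CONTEXT`), a constructed table of who may learn whose context (`INFO_RIGHTS`), and a flat set of information items as a stand-in for the paper's access-rights graph; its treatment of hidden constraints (a constraint whose existence is not disclosed to the requester is exempt from the disclosure check) is a simplified reading of the abstract, not the paper's definition.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:
    subject: str          # whose context is checked; "requester" resolves to the caller
    attribute: str        # context attribute, e.g. "location"
    required: str         # value the attribute must have for access to be granted
    hidden: bool = False  # hidden constraint: not disclosed to the requester (assumption)

@dataclass(frozen=True)
class Resource:
    name: str
    constraints: tuple

# Constructed sample context: who is where right now.
CONTEXT = {
    ("alice", "location"): "lab",
    ("bob", "location"): "lab",
    ("carol", "location"): "office",
}

# Constructed access rights to context information: who may learn each item.
INFO_RIGHTS = {
    ("alice", "location"): {"alice", "carol"},
    ("bob", "location"): {"bob"},
    ("carol", "location"): {"carol"},
}

# Constructed resource: use the lab printer only if you are in the lab AND Alice is in the lab.
PRINTER = Resource("lab-printer", (
    Constraint("requester", "location", "lab"),
    Constraint("alice", "location", "lab"),
))

# Same policy, but the constraint on Alice's location is hidden from the requester.
PRINTER_HIDDEN = Resource("lab-printer", (
    Constraint("requester", "location", "lab"),
    Constraint("alice", "location", "lab", hidden=True),
))

def resolve(c, requester):
    """Map a constraint to the (person, attribute) information item it depends on."""
    return (requester if c.subject == "requester" else c.subject, c.attribute)

def required_information(requester, resource):
    """All information items a decision needs (flat stand-in for an access-rights graph)."""
    return {resolve(c, requester): c for c in resource.constraints}

def naive_decide(requester, resource):
    """Context-sensitive decision with no privacy check: evaluates every constraint."""
    return all(CONTEXT.get(resolve(c, requester)) == c.required
               for c in resource.constraints)

def inferred_by_requester(requester, resource, granted):
    """What the requester learns about OTHER people's context from a grant.
    A grant tells the requester that every constraint it knows about held."""
    if not granted:
        return {}
    return {item: c.required
            for item, c in required_information(requester, resource).items()
            if not c.hidden and item[0] != requester}

def disclosed_without_right(requester, resource):
    """Items whose value the decision would reveal to a requester not entitled to them."""
    return {item for item, c in required_information(requester, resource).items()
            if not c.hidden and requester not in INFO_RIGHTS.get(item, set())}

def privacy_preserving_decide(requester, resource):
    """Refuse to decide (None) when the decision itself would leak context the requester
    may not learn; otherwise return the ordinary grant/deny result."""
    if disclosed_without_right(requester, resource):
        return None
    return naive_decide(requester, resource)

if __name__ == "__main__":
    # Bob is granted printer access, and from that grant alone learns Alice is in the lab.
    print(naive_decide("bob", PRINTER), inferred_by_requester("bob", PRINTER, True))
    # The privacy check refuses Bob's request on the visible policy but answers Carol's.
    print(privacy_preserving_decide("bob", PRINTER), privacy_preserving_decide("carol", PRINTER))
    # With the constraint on Alice hidden, Bob's request can be decided without disclosure.
    print(privacy_preserving_decide("bob", PRINTER_HIDDEN))
```

The point of `disclosed_without_right` is that the privacy check is made before the context values are consulted: it is computed from the policy and the requester's information rights alone, so the service never needs to collect Alice's location for a request whose answer it would have to withhold anyway.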