The increasing availability of information about people's context makes it possible to deploy context-sensitive services, where access to resources provided or managed by a service is limited depending on a person's context. For example, a location-based service can require an individual to be at a particular location in order to let the individual use a printer or learn her friends' location. However, constraining access to a resource based on confidential information about a person's context could result in privacy violations. For instance, if access is constrained based on a person's location, granting or rejecting access will provide information about this person's location and could violate the person's privacy. We introduce an accesscontrol algorithm that avoids privacy violations caused by context-sensitive services. Our algorithm exploits the concepts of access-rights graphs, which represent all the information that needs to be collected in o...