Ubiquitous computing provides new types of information for which
access needs to be controlled. For instance, a person's current
location is a sensitive piece of information, and only authorized
entities should be able to learn it. We present several challenges
that arise for the specification and implementation of policies
controlling access to location information. For example, there can be
multiple sources of location information, policies need to be
flexible, conflicts between policies might occur, and privacy issues
need to be taken into account. Different environments handle these
challenges in a different way. We discuss the challenges in the
context of a hospital and a university environment. We show how our
design of an access control mechanism for a system providing people
location information addresses the challenges. Our mechanism can be
deployed in different environments. We demonstrate feasibility of our
design with an example implementation based on digital certificates.