Privacy in Social Networks

1

• Privacy in Social Networks
• CSCE 201

2
Reading

• Dwyer, Hiltz, Passerini, Trust and privacy
  concern within social networking sites A
  comparison of Facebook and MySpace,
  http//csis.pace.edu/dwyer/research/DwyerAMCIS200
  7.pdf
• Leaving 'Friendprints' How Online Social
  Networks Are Redefining Privacy and Personal
  Security, http//knowledge.wharton.upenn.edu/print
  er_friendly.cfm?articleid2262

3
Social Relationships

• Communication context changes social
  relationships
• Social relationships maintained through different
  media grow at different rates and to different
  depths
• No clear consensus which media is the best

4
Internet and Social Relationships

• Internet
• Bridges distance at a low cost
• New participants tend to like each other more
• Less stressful than face-to-face meeting
• People focus on communicating their selves
  (except a few malicious users)

5
Social Networks

• Description of the social structure between
  actors
• Connections various levels of social
  familiarities, e.g., from casual acquaintance to
  close familiar bonds
• Support online interaction and content sharing
• Current support for security is limited
• Users often do not use existing security features

6
Current Social Networks

• Access to personal data
• Hard-coded into the system
• Owners have system dependent access categories
• Common Access Categories
• Public
• Group Membership
• Friend
• No support for differentiating relationship
  closeness
• Friend connections must be symmetric, unlike
  reality

7
Social network analysis

• The mapping and measuring of relationships and
  flows between people, groups, organizations,
  computers or other information/knowledge
  processing entities
• The nodes in the network are the people and
  groups while the links show relationships or
  flows between the nodes

8
Security Privacy Issues

• Malware exploiting social networks
• Malicious banner ads
• Adware
• Phishing attacks
• Customizable scripts
• Facebooks attempt make visible relationship
  actions to entire social group
• Everyone reading everyones shared information

9
Behavioral Profiling

• SN users post personal information for friends,
  family, and the World
• Data Mining applications ? pattern of behavior
• Misuse of information
• Identity thefts
• Scam
• Phishing
• Etc.

10
Privacy?

• SN and privacy issues in early research stage
• Users tend to give out too much information
• Privacy thresholds vary by individuals
• What are the long term effects?

11
Users

• April, 2009 139.8 million visitors (12 increase
  from March)
• MySpace 71 million visitors
• Facebook 67.5 million visitors
• Twitter 17 million visitors
• Risk of third party applications!
• Facial recognition of friends of friends
• Relationships
• Targeted advertisement
• Marketing tools

12
Privacy Policies

• Difficult to understand
• No one reads privacy policies
• Voluntary release of personal data
• Social Network Signatures
• User names may change, family and friends are
  more difficult to change

13
Facebook or MySpace?

• Online survey to evaluate privacy concerns and
  trust influence
• Users are both site had similar privacy concerns
• Facebook users had more trust in Facebook and
  were willing to share identifying information
  with the site than MySpace users
• MySpace users had more experience to establish a
  new relationship via MySpace than Facebook users

14
What SN Users Can Do?

• Current Data Protection Methods
• Some systems support custom user groups
• Special additional permissions or restrictions
  may be applied
• Information visibility control is limited by the
  system.

15
Related Work

• Access Control Models for Social Networks
• Specify access rules based upon relationship
  type, relationship depth, and trust level
  (Carminati B., Ferrari E., and Perego A.
  Rule-Based Access Control for Social Networks.
  Proceedings OTM workshops, 2006)?
• Generate access control rules from plain English
  rules the user specifies and the content itself
  (Hart M., Johnson R., and Stent A. More Content
  Less Control Access Control in the Web 2.0. Web
  2.0 Security Privacy, 2007)?

16
Related Work

• Access Control Models for Social Networks
• Relationship-based access control that uses the
  relationship between an accessing user and an
  owner to create access control rules (Gates C.
  (2007). Access control requirements for web 2.0
  security and privacy. Web 2.0 security privacy,
  2007)?

17
Limitations of Current Access Control Support

• Current Social Network Access Limitations
• Access control flexibility limited to predefined
  groups that contain explicit lists of users.
• Current Academic Limitations
• Require too much work on behalf of the end-user
• Give insufficient details with regards to
  practicality

18
M.S. Thesis Contribution

• Brandon Barkley, RBAC for SN
• RBACSN (Role-Based Access Control for Social
  Networks)?
• Theoretical Definition of RBACSN
• Implementation of RBACSN

19
RBACSN Model

• RBACSN is based on the ANSI INCITS 359-2004 RBAC
  Standard
• Employs a modified limited role hierarchy to
  balance powerful functionality with ease of use
• Does not employ role membership constraints

20
RBAC Core Model

• Normally, a role is a job within an organization
• A user is a member of the service who attempts to
  access information
• A permission confers access to perform a specific
  operation on a specific set of objects
• A role provides a gateway for linking the
  collection of users to the collection of
  permissions through user-role and role-permission
  assignment structures
• One overarching set of roles for controlling
  access to the entire system

21
RBACSN Core Model

• A role is a collection of users based upon
  arbitrary criteria defined by the role owner
• Support for an anonymous user
• A data owner creates and administers roles to
  govern access to the objects he owns

22
Role Hierarchies in RBAC

• Partial Order
• Reflexive
• Transitive
• Anti-Symmetric
• General Hierarchy
• No restrictions
• Limited Hierarchy
• Each role has only one parent

23
Role Hierarchies in RBACSN

• Shares characteristics with limited hierarchies
  in the ANSI standard
• Partial ordering of roles
• Each role has only one parent
• Additional constraint
• There is one and only one role that has no parent
  forcing the hierarchy to form one complete tree

24
Role Membership in RBACSN

• Direct assignment
• Works exactly like assignment in RBAC
• Indirect assignment
• Can be based upon user attributes
• Age
• Gender
• Favourite Music
• Can be based upon a connection
• User network membership
• Friendship connection with owner
• Consist of a non-empty set of conditions

25
Advantages of RBACSN

• Models current social network security structures
• Can be transparent to social network users or
  presented explicitly
• Flexible role assignment mechanisms allow both
  very general and very specific roles
• Allows rules to be created based upon any
  arbitrary attribute of a user

26
Implementation

• Facebook Development Platform chosen over
  middle-ware
• Conforms to the Facebook TOS
• Provides an API to get useful information from
  the social network
• Solution potentially usable by a real community
• PHP4
• Chosen because of support of official client
  library
• Chosen instead of PHP5 because of increased
  server support
• Only supports public methods

27
Implementation

• Three layers
• Model Classes
• Support Classes
• User Interface

28
Model Classes

• Base Class
• User Class
• Role Class
• UserAttribute Class
• Permit Class
• Datum Class

29
Support Classes

• Database Class
• ObjectCollection Class
• Class Factory

30
User Interface

• Role Management
• Set Default Hierarchy
• Facebook, Myspace, Minimum
• Show Role Hierarchy
• Add or Delete Roles
• Edit Role
• Add or Remove Users
• Add or Remove User Attributes
• Add or Remove Permissions
• Change Name
• Profile Viewing
• Profile Editing

31
Sessions

• Activate all roles available for a user in each
  session
• Vary by implementation
• Generate a permission list on the first access
• Less database calls
• Less object overhead
• Set an expiration time (default 1 hour)?
• Expire a session if a role is modified in a way
  that affects the user

32
Permissions

• Types read, append, write, administrate
• Each build upon one another
• Applies to a single data object
• For some data, permission is inherited from a
  parent

33
Conclusions

• Theoretical Development
• RBACSN is capable of incorporating flexibility
  with the realities of current social networking
  technology
• Conforms to current security structures of major
  social networking sites
• Implementation
• Easy to use
• Extensible to future additional data types
• Work with existing social networks

34
Future Work

• Model
• Explore a way to implement multiple inheritance
  without compromising usability
• Find a user friendly way to present and resolve
  role conflicts
• Implementation
• Convert to PHP5 once it is more widely available
• Split model objects into core model objects and
  Facebook specific object attributes
• More complex user attributes

35
References

• 1 Facebook. (2008). Welcome to Facebook!
  Facebook. Retrieved May 8, 2008, from
  http//www.facebook.com.
• 2 MySpace. (2008). MySpace. Retrieved May 8,
  2008, from http//www.myspace.com.
• 3 Friendster. (2008). Friendster - Home.
  Retrieved May 8, 2008, from http//www.friendster
  .com.
• 4 Bebo. (n.d.). www.bebo.com. Retrieved May 8,
  2008, from http//www.bebo.com.
• 5 Facebook. (2008). Facebook Statistics.
  Retrieved May 8, 2008, from http//www.facebook.co
  m/press/info.php?statistics.
• 6 Barbarian. (2006, September 27). Debunking
  the MySpace myth of 100 million users.
  Retrieved May 8, 2008, from http//forevergeek.co
  m/articles/debunking_the_myspace_myth_of_100_milli
  on_users.php.

36
References

• 7 ANSI INCITS. (2004). ANSI INCITS 2004
  American national standard for role based access
  control. Retrieved May 8, 2008, from
  http//www.orbit-lab.org/attachment/wiki/internal/
  ANSI2BINCITS 2B359-2004.pdf?formatraw.
• 8 Facebook. (2008). Facebook Developers.
  Retrieved May 8, 2008, from http//developers.face
  book.com/.
• 9 Carminati B., Ferrari E., and Perego A.
  (2006). Rule-based access control for social
  networks. Proceedings OTM workshops, 2006.
  Retrieved May 8, 2008, from http//www.dicom.unins
  ubria.it/barbara.carminati/pubs/42781734.pdf.
• 10 Hay M., Miklau G., Jensen D., Weis P., and
  Srivastava S. (2007, March) Anonymizing social
  networks. Retrieved May 8, 2008, from
  http//www.cs.umass.edu/mhay/papers/hay-et-al-tr0
  719.pdf.

37
References

• 11 Backstrom L., Dwork C., and Kleinberg J.
  (2007) Wherefore art thou r3579x? Anonymized
  social networks, hidden patterns, and structural
  steganography. Proceedings of the 16th
  international conference on World Wide Web.
• 12 Zhou B. and Pei J. (2008). Preserving
  privacy in social networks against neighborhood
  attacks. In Proceedings of the 24th International
  Conference on Data Engineering.
• 13 Korolova A., Motwani R., Nabar S.U., and Xu
  Y. (2008) Link Privacy in Social Networks. In
  Proceedings of the 24th International Conference
  on Data Engineering.
• 14 Gates C. (2007). Access control requirements
  for web 2.0 security and privacy. Web 2.0
  security privacy, 2007. Retrieved May 8, 2008,
  from http//seclab.cs.rice.edu/w2sp/2007/papers/pa
  per-205-z_708.pdf.

38
References

• 15 Hart M., Johnson R., and Stent A. (2007).
  More content less control Access control in
  the web 2.0. Web 2.0 security privacy, 2007.
  Retrieved May 8, 2008 from http//seclab.cs.rice.
  edu/w2sp/2007/papers/paper-193-z_6706.pdf.

39

• Questions?