Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy & access policies in Social networks

Published bySteven Boone Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy & access policies in Social networks"— Presentation transcript:

1 Privacy & access policies in Social networks
Systems Security Engineering Hayoon Hen 1

2 Privacy vs. Security Security helps enforce privacy policies
Privacy: Privacy is about keeping wanted information. what information goes where? Security: protection against unauthorized access Security helps enforce privacy policies 2

3 Main Problem : Privacy on OSN– Does it matter?
Online Social Networks with millions of users are the popular and useful tool for people to share information. OSN have dramatically raised concern on private leakage . Users share personal identifying information about themselves-physical, mental, cultural, and social attributes , but don’t have a clear idea of who access their private information . Users do this often believe that such information accessible to the OSN and maybe their “friends" on that OSN. In reality, the set of entities that can have access to their private information is large and diverse: third-party domains, advertisers ,data aggregators, members in the OSN who are not friends of the user, and external applications. Under OSN domain its hard to control who accesses which information. 3

4 “Characterizing privacy on Online Social Networks”
“Characterizing privacy on Online Social Networks” Balachander Krishnamurthy & Craig E.Wills Main Idea: Examine popular OSNs from a viewpoint of characterizing privacy leakage (facebook & mySpace) Goals: - identify the narrow set of private information that users really need to share to get specific interactions on OSN. - see how to reduce privacy leakage while still enabling access to all the features of a OSN including use external application. Steps: user privacy control : description of the various private info of user in OSN and who can access them. user privacy settings : examination if users change their privacy settings when allowed. use of third party domain : study the aggregation user-data by third-party domains privacy protection : tailoring the actual privacy info needed for specific interactions in the OSN to see how OSN can provide privacy protection. 4

5 User privacy control : The various private info of user in OSN :
Thumbnail- user name (first & last) and photo Greater Profile– interests ,relationships List of Friends– the list of the user friends User Generated Content- photos, videos , and links Comments- status updates, comments ,tags . OSN’s common privileges groups allows to see the private info : The user , The user’s friends , to all users. e.g : “friends + network “ is the default Facebook settings to view a users greater profile , content, and comments all users is the default for the thumbnail and list of friends of the user default settings in mySpace is that all users have access to all other users information. Most OSN don’t provide any range of privacy settings for some of the privacy groups by default a user does not control who has access to their information on these sites unless they explicitly control their privacy settings 5

6 User privacy settings :
The default privacy settings for OSN allowing strangers in the OSN to access user’s information Earlier studies found : Facebook : 75% of 200 users (London) have their full profile viewable by other users in the network MySpace : 79% of 3050 retained their default settings –profile ,friends , comment and contents viewable to all. Different approach examine our research – study facebook using its 506 regional networks (U.S.A) that represent geographical areas : Based on default settings, viewing the profile is allowed for all users in the same network while viewing the list of friends is allowed for all Facebook users . e.g: in New-York region 78% the list of friends is allowed for all Facebook users Results: *Users appear to place a higher value on the privacy of their profile info compare to their list of friends * There is still a significant portion of OSN users who have not changed their default setting and allow to unknown users to view their private information *negative connection between the use of privacy settings and network size across the regional networks-”as the size of the net is smaller as the view precents are higher.”-Users in smaller networks are less concerned in making private info available 6

7 Use of Third-Party domains :
A potential source of privacy leakage is the tracking of user actions by third-party advertisers and data aggregators : These third-party domains often act as data aggregators of a user's travels on the web. OSN unlike most Web sites get the users log into their sites and store personal information about themselves on these sites. If OSN sites are also making use of third-party domains that are tracking user visits to these and other Web sites then there is an even greater potential for privacy loss. Session definition : 1. Login to site with user/pass view friends content look at the friend profile sent friend message/comment return to user home look at members in net/group logout from site 5 sessions executed for the test on each OSN indicate where the third-party domain was used in the majority of the 5 sessions executed at the given OSN . These third-party domain are associate not only between OSNs but also with traditional web-sites. The Results expose the huge concern as OSN users being tracked and clearly identified themselves by login into the OSN and provide the OSN with personal information. 7

8 Privacy Protection: Users are generally unaware of who has access to their private information on OSNs Most of popular applications on OSNs like Facebook do not need complete access to the private information of users. The research suggest an rules of how OSN can provide privacy protection by tailoring the actual privacy info needed for specific interactions in the OSN : We need a way to count the exact percent of private info that are actually needed for a user to interact with and make full use of the various features of a OSN. Limiting access to just friends or those in a network is not enough. OSNs must clearly indicate the minimum of private information needed for a particular set of interactions: - If an external application requires access to list of friends and nothing else, then the default should be that minimum. - If additional features of the application require access to other bits of private information then access to the supremum of the information could be enabled, and no more. Such metrics would allow to compare various OSNs and let the users decide how comfortable they are with the privacy information that is being shared. 8

9 Some of the Shocking Facts & Conclusions
55% - 90% of users in OSNs still allow their profile information to be viewable 80% - 97% of users allow their set of friends to be viewed Negative correlation between regional network size in Facebook and the use of these privacy settings to limit access - Users in smaller networks are less concerned in making private info available Much like traditional Web sites, third-party domains track user activity pervasively in OSNs. Worried ? You should Be !! ANY SOLUTIONS?? 9

10 “Enforcing Access Control in Social Network sites”
“Enforcing Access Control in Social Network sites” Filipe Beato, Markulf Kohlweiss, and Karel Wouterser Main Idea : SNS providers offer some mechanisms to enforce access control, but that’s requires the users to rely on the provider - who may not always be trustworthy. Goals: providing a tool (mechanism and a prototype ) for OSN users which allow them to control their own data by means of encryption. - implemented a Firefox extension that provides the enforcement mechanism, The extension knows about the users’ access control preferences and enforces it using encryption techniques. Steps : Related works : Presentation of previous works on privacy improvement technologic in OSN . Attacker Model : Description of The attacker model to the research approach The research solution : Description the solution system and the implementation details. 10

11 Related works: Famous social network sites, such as Facebook and MySpace, already present mechanisms to enforce users privacy preferences, by labelling data to limit access control as private, public or visible by group of friends. But the provider is also an option as attacker -Facebook by having access to all the information that each user posts, may utilize it in their business model by offering targeted advertisement. The Lockr Project– offer social networks users access control of their sharing data by hiding and mapping their selected info in a third-party storage. (e.g -photos can be store in Picasa servers ) Problem – need to rely on a trusted third-party storage. The NOYB Project- offer to encrypt personal info using pseudo-random substation cipher. Problem – relatively for small domain not as detailed as OSN . (too much data to encrypt) The flyByNight Project – offer to store it in facebook servers as encrypted form. problem-not secure against active attack by facebook. Common gap – lack of selective access control !! The researchers offer application which rely on the user side and have no dependencies from any OSN as its entirely client side dependent . 11

12 Attacker Model: Social network users are exposed to the following attackers: - the social network provider, - the friends of the users in the social network - users that are registered in the social network but do not belong to their circle of friends. Users may want to shield their data from certain users, that are directly or not connected to them. However providers are the strongest attacker. OSN providers have access to all users private info – they can use it for several purposes , e.g : -Massive targeting adverting -behavior analysis by using data mining techniques -OSN can share their users info with large companies or research groups -OSN can provide access for government for surpervision purposes. 12

13 The research solution Idea : allowing users to define on-client preferences and encrypt the content posted into the server controlled by the provider, users will assure that their personal data will be readable only for a selective audience. Model : A tree structure of the user profile node – categories the OSN user profile in 2 type classes : 1.connections classes – classify the OSN user connection such as friends, family or Co-Workers. 2.Content classes - classify the OSN user content data such as hobbies, family or work. The mapping between connections and content classes define the access control right. e.g : when a new info item is introduced in a content class, all members that belong to a connection class and have the access rights to the content will have access to the new item. -when a new connection is added to a connection class it will have access to all info items to which his peers also have access The access control done by the user itself ,using the prototype app on the client side -> the OSN provider wont learn who has access right to what. 13

14 With this approach its possible for the OSN user to define his privacy statement and define access to users or classes: e.g : All the members of the “Friends” class have access to all the documents from the social network users “Hobbies” class. 14

15 using the OpenPGP standart
Implementation : using the OpenPGP standart -The OpenPGP standart chose since its support for encrypting to multiple recipients by encrypting the content with random secret, and the secret with all the public keys of the set of users . -Whenever a new connection between two OSN users established , these users exchange their public key , the share public keys are then store locally and compose the user’s circle of trust . -The openPGP public key can also be retrieve from an online key server by name or mapping as a FireFox extension: -the app developed as a FireFox extension that allows client-side access control enforcement for independent platform. -with the extension users are able to execute control over their data with no third-party influence. 15

16 How is it work? when the user adds new data into the OSN , some privacy options are given by the app in order to automatically define the selective list for the content to be posted to them. The access control then enforced for a selective individual or group in the trusted circle and posted into the OSN. For reading protected content that has been posted in the OSN, the user has to be given access by the content owner when the content has been posted. The app looking parses the website and search for encrypted , openPGP , part of text . If the user have read access the app automatically decrypt the content and present the unencrypted data to the user, by rewriting the webpage. Otherwise the text data is indicate as non-authorized content. add new data read data 16

17 Now I’m the only controller of My private info
Great !! Now I’m the only controller of My private info But am I really going to define “circle” of trust for each post? Before each photo uploading? Not fun – its OSN !!! ANY IDEAS ??? 17

18 “Privacy Wizard for Social Networking Sites”
“Privacy Wizard for Social Networking Sites” Lujun Fang & Kristen leFevre Main Idea: build a template for the design of OSN “privacy wizard” which build a machine learning model that describes a particular user preference and then use this model to configure the user’s privacy settings auto. Goals : the goal of a privacy wizard is to auto config a user’s privacy settings using only a small amount of effort from the OSN user. Steps : wizard overview : description of requirements and design of a general wizard. active learning wizard : developing an active learning wizard which implement the privacy-prefernces model using machine learning. model visualization&modification :description a set of visualization and modification for advances users (users who don’t trust/like a machine learning) evaluation : experiment on 45 real user to evaluate the wizard. 18

19 Wizard Overview : Wizard Challenges : Low effort,high accuracy–the user input should be simple in form and quantity limited. the settings chosen by the wizard should accuracy reflect the user true privacy preference. Graceful Degradation –as the user provide more input the accuracy of the resulting settings should improve. Visible data – the wizard may also use info that it can gather and process auto. Wizard generic FrameWork: User input-the wizard ask input from the user regarding his privacy preference, which can quit answer any time . Feature extraction-using the input the wizard selects a feature domain X,a user friend can describe as a vector of x’s. Privacy-preference model-using the extracted features and user input the wizard build a model which is use to auto configure the user privacy settings. 19

20 Active learning Wizard :
Building a privacy-preference model : the model can be viewed as a binary classifier: Features extraction-2 main types of features : Community structures – common group in user OSN (clustered nodes) call community ,each extracted community can be regard as a Boolean feature. (Gi=1 if friend is part of community i ) other profile info – Gender (M,F) ,Age, Education, Work, Relationship status ,politics and regional views. In order to achieve high accuracy : Uncertainly sampling process – Sampling phase- initially all the user friends are unlabeled during each round the wizard select for the user the most k uncertain friends to label , and ask the user to label the. Classifier phase- when a new friend added by the user the model-classifier should predict the new friend witout any additional input from the user after the friend added the wizard should use the new labels + the original input without wasting the original labels 20

21 the model using a feature vector (x) represents a specific friend predict (NB, decision-tree, KNN,any classification algorithm ) the friends privacy label . The privacy wizard get input from the user by ask him label a preferences (allow or deny) for specific (item or friend) pairs (i,f) . Its important the wizard “ask the right questions” or request from the user to labeling informative friends. the wizard by the classifier use the labeled friends to build the actual classifier which use to configure the user settings. 21

22 Model visualization & modification
Advanced users may want to understand the logic behind the result configuration additional tools set to visualize and update the classifier learn by the wizard –decision tree classifier : Each interior node represent binary condition (hometown = NY) each leaf contain a decision (allow or deny) each node correspond to a set of labeled friends whose satisfy the condition from root the proportion of the node shows how much represent the labeled friends among all friends that satisfy the condition : Visualization may cause the user to label more friends : unlabeled friends of a node would be display to the user when a node is clicked. 22

23 evaluation In order to evaluate the wizard , 45 real facebook users took part in experiment which design to check : How effective is the wizard compare to other policy tools ? Two sets of questions filled by the users : Whether the user like to share data item (date of birth, address , relationship ,photos, politic/religion views, posts) with all friends , some of the friends, none: -For each data item that the user want to share with some friends – asked for the listed allowed friends (allow,deny) Measuring the effort vs accuracy Using 3 types of classifiers active (as the wizard), decision tree and brute force shows wizard is the most effective in reducing the user effort while producing high accuracy : 23

24 2. Which features are the most useful to predict preferences
2. Which features are the most useful to predict preferences? Five different combination of features compared with 3 type of scoring calculation (Sstatic,Sdynamic,Spred): Communities – the grouped structure of a user OSN Profile these – gender, age , education , work ,relationship , politics/regional views Activity these –”fan” pages , events, tagged photo Non common-profile and activity features. The results indicate that the community structure of a user OSN net is the most valuable recourse to modeling of user . 24

25 Summary : OSN privacy leakage is the most huge concern spot on net due to its dramatically raise and exposers to 3 party domain, data aggregators ,advertises and external application who can trail the private data of the user for many purposes. The first article examine the size of the main problem and suggest as an idea for the OSN provider to give by default the minimum access which required for the specific external app . As a solution for the issue The second article suggest allowing users to define on-client preferences and encrypt the content posted into the server controlled by the provider, users will assure that their personal data will be readable only for a selective audience. Since the solution of selective access control is not user friendly due to the fact OSN is for fun and also really manually WA need to do - The third article give the solution of privacy wizard which which build a machine learning model that describes a particular user preference and then use this model to configure the user’s privacy settings auto. Privacy leakage under OSN is hard to be control – but solutions exist ! We showed both here while definitely the wizard is much better – let the machine learning to modeling the user instead of sisyphean work  25

26 The End hope u it ..

Download ppt "Privacy & access policies in Social networks"

Similar presentations

Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.

Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.
Social Media Networking Sites Charlotte Jenkins Designing the Social Web 06-10-2011.

Social Media Networking Sites Charlotte Jenkins Designing the Social Web
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Taking the Headache out of. Reach your sphere of influence on a daily basis – AT NO COST? Reconnect with friends and stay in touch with family – AT NO.

Taking the Headache out of. Reach your sphere of influence on a daily basis – AT NO COST? Reconnect with friends and stay in touch with family – AT NO.
Creating Online Class Communities Jennifer Dorman Discovery Education

Creating Online Class Communities Jennifer Dorman Discovery Education
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.

Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.
You can customize your privacy settings. The privacy page gives you control over who can view your content. At most only your friends, their friends and.

You can customize your privacy settings. The privacy page gives you control over who can view your content. At most only your friends, their friends and.
Copyright ©: 1995-2011 SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Social networks and communities Suitable for: Improver.

Copyright ©: SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Social networks and communities Suitable for: Improver.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
FACEBOOK IS THE BEST THING THAT EVER HAPPENED TO FRIENDSHIP WHY I LIKE FACEBOOK! By Mike Matthews.

FACEBOOK IS THE BEST THING THAT EVER HAPPENED TO FRIENDSHIP WHY I LIKE FACEBOOK! By Mike Matthews.
Visiting Angels Presenter: Social Angel Facebook.com/VisitingAngelsCorporate Social Care.

Visiting Angels Presenter: Social Angel Facebook.com/VisitingAngelsCorporate Social Care.
Georgios Kontaxis‡, Michalis Polychronakis‡, Angelos D. Keromytis‡, and Evangelos P.Markatos* ‡Columbia University and *FORTH-ICS USENIX-SEC (August, 2012)

Georgios Kontaxis‡, Michalis Polychronakis‡, Angelos D. Keromytis‡, and Evangelos P.Markatos* ‡Columbia University and *FORTH-ICS USENIX-SEC (August, 2012)
Presented by: Sanketh Beerabbi University of Central Florida.

Presented by: Sanketh Beerabbi University of Central Florida.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Evaluating & Maintaining a Site Domain 6. Conduct Technical Tests Dreamweaver provides many tools to assist in finalizing and testing your website for.

Evaluating & Maintaining a Site Domain 6. Conduct Technical Tests Dreamweaver provides many tools to assist in finalizing and testing your website for.
Protecting Yourself on Social Media – Friend Requests And Messages.

Protecting Yourself on Social Media – Friend Requests And Messages.
Bloom Cookies: Web Search Personalization without User Tracking Authors: Nitesh Mor, Oriana Riva, Suman Nath, and John Kubiatowicz Presented by Ben Summers.

Bloom Cookies: Web Search Personalization without User Tracking Authors: Nitesh Mor, Oriana Riva, Suman Nath, and John Kubiatowicz Presented by Ben Summers.
Facebook for Beginners One Session Class. What will you learn today? What can you do on Facebook? Creating a profile Privacy Connecting with friends Sending.

Facebook for Beginners One Session Class. What will you learn today? What can you do on Facebook? Creating a profile Privacy Connecting with friends Sending.
Identifying “Best Bet” Web Search Results by Mining Past User Behavior Author: Eugene Agichtein, Zijian Zheng (Microsoft Research) Source: KDD2006 Reporter:

Identifying “Best Bet” Web Search Results by Mining Past User Behavior Author: Eugene Agichtein, Zijian Zheng (Microsoft Research) Source: KDD2006 Reporter:

Similar presentations

Ads by Google