1 on protecting private information in social networks: a proposal bo luo 1 and dongwon lee 2 1 the...
TRANSCRIPT
1
On Protecting Private Information in Social Networks:
A ProposalBo Luo1 and Dongwon Lee2
1 The University of Kansas, [email protected] The Pennsylvania State University, [email protected]
2
Motivation
• Online social networks• Getting very popular (e.g. Facebook: 68M unique visitors, 1.2B
visits)
• Various types of communities
– General (e.g. Facebook; MySpace)
– Business/professional (e.g. LinkedIn)
– Alumni
– Leisure
– Healthcare (e.g. SoberCircle; PatientsLikeMe)
• People socialize with friends• But also adversaries!
3
Motivation• Privacy vulnerabilities in online social networks
• Huge amount of personal information available over various types of social network sites.
• Users are not fully aware of the risks.• Adversaries use various techniques to collect such information.
– E.g. information retrieval and search engine
• News stories• Facebook Stalkers [Dubow, USA Today,
2007]• Gadgets and add-ons read user profiles
[Irvin, USA Today, 2008]• How Not to Lose Face on Facebook, for
Professors. [Young, Chronicle, 2009]• .
4
Privacy vulnerabilities• Threat 1: out-of-context information disclosure
• Users present information to a “context” (e.g. targeted readers)• Implicit assumption
– Information stays in the context– This is wrong!
• Out-of-context information disclosure– Wrong configuration– Mal-functioning code– Users’ misunderstanding
• Examples• Adversaries could simply register for forums to access many information.• Messages in a “closed” email-based community is archived and accessible to
everyone.• Gadgets and add-ons read user profiles
Alice
IT Professionals
Profile:nameEmailphone
Message:I’m moving to….
register
5
P
Bob
Profile ……
Network
P
Bob
Profile ……
Network
Privacy vulnerabilities
• Threat 2: In-network information aggregation• User share information in social networks
• Implicit assumption: “a small piece of personal information is not a big deal”
• Adversaries collect all the pieces of information associated with a user.
• Adversaries aggregate all the information pieces.
• Significant amount of privacy!
• In-network information aggregation attack.
NetworkProfile ……
6
• Threat 3: cross-network information aggregation• User participates in multiple networks• Different levels of privacy concerns.• Adversaries use evidences to link profiles
from different SN sites– Attribute– Neighborhood– Similar posts– Propagation
• Adversaries collects all the private information across multiple SN sites
• Cross-network information aggregation
Privacy vulnerabilities
Network
P
Bob
Profile ……
NetworkProfile ……
L
B23
Profile ……
Network
M
@#$!
Profile ……
Network
M
@#$!
Profile ……
Network
L
B23
Profile ……
Network
P
Bob
Profile ……
Network
7
Goals and solutions at a glance• Goal: prevent users from unwanted information disclosure,
especially from the three threats.
• Users should be able to socialize.• We cannot prevent users from sharing information
• Honest-but-curious observer• Honest: no phishing, no spam, no hacking
• Curious: very aggressive in seeking information
– Registers for social networks
– Uses search engines
– Manipulates information
• Our goal:• Protect users from honest-but-curious observers
8
Design goals
• Enable users to describe a privacy plan——How they allow their private information items to be disclosed• Solution: privacy models
• Alert users when they share information over social networks• Solution: passive monitor
• Monitor private information over various social networks to make sure that they are not violated• Solution: active monitor
9
Online social networks
• We define two properties to describe online social networks• Openness level
– How information in a social network could be accessed
– E.g. OL=public – everyone can access;
– E.g. OL=registration-required – all registered users can access, but not search engines.
• Access equivalency group
– Social networks with identical openness level belongs to a group.
10
Private information model
• We define two private information models• Multi-level model
• Private information items are managed in hierarchically organized categories
• Information flow from lower level (less private) to higher level (more private)
– E.g. when user trusts SN with level 3, s/he also trusts SN with levels 1 and 2
• Simple model
• Easy for users to understand
• Less descriptive
Level n-1
Level 3
…...
Level 1
private public
Level n
AIM screen name, leisure email
hobbies
education background
name, office phone, work email
spouse's name, kids’ name, home phone
Level 2
health issues, medical history, SSN
DOB
11
Private information model
• Discretionary model—— a set-based model• Private information items are organized into sets
• Private information items in one set could be released together
• Private information item may belong to multiple sets
• Private information disclosure model• Formally describes:
– out-of-context information disclosure
– information aggregation attacks
under discretionary model.
• Details: please refer to the paper
D(N1)name, office phone, work email
D(N2)screen name 1;leisure email 1
D(N3)screen name 2work email
D(N4)health issues, screen name 3
13
Privacy sandbox
• Picks a privacy model• Allows users to describe their privacy plan in the
model, i.e. how they want to arrange private information items• E.g. define privacy information sets under discretionary model
• Define how sets could be released to social networks with different openness level.
• Keeps privacy plans
14
Passive monitor
• Passive monitor • is triggered when users send information to social networks
• Alerts users
– who can access the submitted information
– Openness level
– Access equivalency group
• Checks against the privacy plan
• Keeps a local log of private information disclosure
– For future use
15
Remote Component and Active monitor• Remote component
• Actively collects personal information from various social networks
• Simulates in-network and cross-network information aggregation
• Stores information in a data repository
• Active monitor• Compares users’ privacy plans with
– Local log
– Remote data repository
– Search engine results
• Checks for discrepancy
– Warns user about unwanted information disclosure
16
Conclusion
• In this paper, we• present privacy vulnerabilities over social networks, especially
information aggregation attacks
• model social networks and private information disclosure from access control perspective
• describe information aggregation attacks in the model
• propose our initial design of a privacy monitor
• This is our preliminary proposal• Further analysis and implementation is on-going• Thanks a lot!