17-12-2012, 04:09 PM
A Report On ENFORCING ACCESS CONTROL IN SOCIAL NETWORK SITES
Abstract
Confidentiality and data handling are important issues for social network users. Ideally, access control enforcement should not depend on the social networking provider but should be under the control of the user. In this paper, we propose a practical, SNS platform-independent solution, for social network users to control their data. We develop concepts that are general enough to describe access control restrictions for different SNS platforms. Our architecture uses encryption to enforce access control for users’ private information based on their privacy preferences. We have implemented our model as a Firefox extension.
INTRODUCTION
Social network sites (SNS) are an extremely popular and useful tool for people to share information. At the same time, SNS are dangerous due to the possibly unwanted disclosure of information. This happens because it is hard to control who accesses which information. SNS providers offer some mechanisms to enforce access control, but this model requires users to rely on the provider, who may not always be trustworthy. We propose a model and a solution to address this problem, by providing users with a tool to control their own data by means of encryption.
AUDIENCE SEGREGATION
While even privacy-aware SNS users want to share selected information with selected audience groups, they might want to make the information visible only to a limited audience by creating a white-list. This is referred to as audience segregation.
While sharing information, social network users face a privacy and usability paradox. On the one hand, the access control mechanisms provided by social networking sites are often extremely coarse; on the other hand, with the growth of the presented privacy configuration options, there is the potential for misconfiguration, and outright conflict between different configuration settings.
Moreover, the social network provider still has access to all of their personal data. In this paper, we present our research work on a mechanism and a prototype that allows not only for the definition of access control rules for audience segregation, but also for the support of their enforcement.
To support the definition of access control rules we develop concepts that are general enough to describe access control rights for a variety of different social networking sites. We also investigate different means for enforcing access control using encryption techniques. We implemented a Firefox extension that provides the enforcement mechanism.
The extension knows about the users’ access control preferences and enforces them using encryption techniques. For the future we plan to integrate the extension with different social networking sites to automatically obtain a list of a user’s connections and their grouping into different audiences. This should reduce the configuration and key management effort that users need to invest before being able to use our system.
RELATED WORK
The need for selective access control has been identified in previous works on Social Network Sites. These works try to raise awareness of the need for privacy in social networks. This might lead to social network providers improving their service and privacy enforcement mechanisms to take the social network users’ privacy needs into consideration. Famous social network sites, such as Facebook and MySpace, already present mechanisms to enforce users’ adjustable privacy preferences, by labeling data as private, public or visible to a group of friends in order to limit access.
These means were introduced in Facebook following complaints from some privacy activist groups about the News Feed options. Thus, in this case, Facebook, by having access to all the information that each user posts, may utilize it in its business model by offering targeted advertisement. There has been some research and work done in the area of protecting private information within social network sites.
The Lockr project was initiated by a group of researchers from the University of Toronto, and offers social network users access control over the data they share by hiding the selected information and mapping it into third-party storage. As an example, images could be hidden in a storage server like Picasa. The main concern with the Lockr extension is the need to rely on trusted third-party storage for the hidden information.
This issue was raised by NOYB, which encrypts personal information using a pseudo-random substitution cipher. The cipher replaces a personal data entry with a pseudo-randomly selected substitution taken from a public dictionary. However, this approach works only for encrypting personal data from a relatively small domain, and does not allow encrypting free text entries such as those frequently found in a social network.
ATTACKER MODEL – VARIOUS ATTACKS THAT ARE HAPPENING ON SOCIAL NETWORK PLATFORMS
The 1st decade of the 21st century saw the popularization of the Internet and the growth of web services that facilitate participatory information sharing and collaboration. In pace with the ever-increasing popularity of Social Network Sites (SNS), the critical privacy flaws of these applications came into the focus of the media in the last decade. Specifically, Social Network Sites (SNS) allow users to interact with others in an unprecedented way. Recently, SNSs, more than just web applications, have become part of human culture and how society interacts. News agencies, big and small companies, governments, famous personalities and the general population all use SNSs to interact with each other. The centralized aggregation of personal user data has been identified as a fundamental problem in social networking giants like Facebook, Twitter and Google+.
Social network users unknowingly reveal certain personal information that malicious attackers could profit from to perpetrate significant privacy breaches. According to a report by Sophos in the year 2010, malware attacks and spam attacks on social network sites (SNS) had increased by 70%. Social networking sites have been made convenient to use even on the move through smartphones, and this has made them vulnerable to attacks. Social networking sites are mines for attackers, where they can get a great deal of personal information about a user, and because of that the attacks on social networking sites are increasing day by day. As shown by some researchers, a simple piece of information such as the place of birth that users give in their profiles could be used by hackers to obtain their Social Security Number (SSN) in the US. Photo albums may also contain sensitive information about the user, like places she usually goes to, whether or not she is on vacation and who some of her closest friends and family members are. Sometimes sensitive information even comes embedded in the photo as metadata. Some users also stalk the profiles of girls to get their photos for other immoral activities such as morphing. The shocking thing is that even the social network providers, whom users trust to store their personal data safely, are attacking user data for many business and security purposes.
ACCESS CONTROL ENFORCEMENT
Cryptographic techniques are used here to enforce the access control. The prototype application uses the OpenPGP standard to keep the users’ data confidential. OpenPGP, or Open Pretty Good Privacy, is the most widely used e-mail encryption standard around the world. Another nice feature of the OpenPGP standard is its support for encrypting to multiple recipients using hybrid encryption: the data is encrypted using a randomly generated secret key, and that random secret is then encrypted with the public keys of all the users in the selected audience.
OpenPGP uses both symmetric and asymmetric encryption techniques in encrypting a document. According to this encryption technique, every user has a public key and a private key, and content which is encrypted using the public key can be decrypted only using the secret key of that user and vice versa. Every user shares their public key with the world and keeps the private key secret on their local machine. There are key servers around the world, so when a connection is made between two users their public keys are shared and added to the users’ key rings. When a user wants to send information to another user, he encrypts it with the public key of the other user and sends the data to that user. As only the receiver has the secret key with which that data can be decrypted, no one else can decrypt the data and thus the data stays confidential. Since the social network provider receives only the ciphertext produced by the prototype application, it cannot get into any of the users’ data.
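The hybrid, multi-recipient scheme described above, as an added example that is not taken from the report or its Firefox extension. It uses Node's built-in `crypto` module (AES-256-GCM plus RSA-OAEP) in place of a real OpenPGP library; the user names, the post text and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed audience member with an RSA key pair (stand-in for an OpenPGP key).
function makeUser(name) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the text once under a random session key, then wrap that session
// key separately with the public key of every member of the selected audience.
function encryptForAudience(text, audience) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const wrappedKeys = {};
  for (const u of audience) {
    wrappedKeys[u.name] =
      crypto.publicEncrypt({ key: u.publicKey, oaepHash: 'sha256' }, sessionKey);
  }
  return { iv, body, tag: cipher.getAuthTag(), wrappedKeys };
}

// Returns the plaintext for an audience member and null for anyone else:
// either no key was wrapped for them, or their private key does not open it.
function decryptAs(user, post) {
  const wrapped = post.wrappedKeys[user.name];
  if (!wrapped) return null;
  try {
    const sessionKey =
      crypto.privateDecrypt({ key: user.privateKey, oaepHash: 'sha256' }, wrapped);
    const d = crypto.createDecipheriv('aes-256-gcm', sessionKey, post.iv);
    d.setAuthTag(post.tag);
    return Buffer.concat([d.update(post.body), d.final()]).toString('utf8');
  } catch {
    return null; // wrong private key or tampered ciphertext
  }
}

// What would be posted to the site: ciphertext and wrapped keys only.
function serializeForSite(post) {
  const b64 = (buf) => buf.toString('base64');
  const keys = Object.fromEntries(
    Object.entries(post.wrappedKeys).map(([n, k]) => [n, b64(k)]));
  return JSON.stringify({ iv: b64(post.iv), body: b64(post.body), tag: b64(post.tag), keys });
}
```

The message body is encrypted only once regardless of audience size; each additional recipient adds one wrapped copy of the 32-byte session key.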
CONCLUSION
A system is designed and implemented which allows users to define and enforce selective access control policies for data published on social network sites. By using a PKI encryption scheme such as OpenPGP, users’ data can be kept confidential, even towards the SNS operator. Through the integration into a Firefox extension, encrypted content is automatically decrypted by the browser of authorized users. The extension also allows for the definition of groups and for the encryption of content under the keys of all group members. Our extension is simple and aims at striking the difficult balance between usability and privacy for general users. The extension was tested on a social network site test bed created by Elgg and in other social network sites, like Facebook and MySpace.