26-02-2013, 12:44 PM
Policy-by-Example for Online Social Networks
ABSTRACT
We introduce two approaches for improving privacy policy
management in online social networks. First, we introduce
a mechanism using proven clustering techniques that assists
users in grouping their friends for group based policy management
approaches. Second, we introduce a policy management
approach that leverages a user's memory and opinion
of their friends to set policies for other similar friends. We
refer to this new approach as Same-As Policy Management.
To demonstrate the effectiveness of our policy management
improvements, we implemented a prototype Facebook application
and conducted an extensive user study. Leveraging
proven clustering techniques, we demonstrated a 23% reduction
in friend grouping time. In addition, we demonstrated
considerable reductions in policy authoring time using Same-
As Policy Management over traditional group based policy
management approaches. Finally, we presented user perceptions
of both improvements, which are very encouraging.
INTRODUCTION
Social networking sites are experiencing tremendous adoption
and growth. The internet and online social networks, in
particular, are a part of most people's lives. eMarketer reports
that in 2011, nearly 150 million US internet users will
interface with at least one social networking site per month.
eMarketer also reports that in 2011, 90% of internet users
ages 18-24 and 82% of internet users ages 25-34 will interact
with at least one social networking site per month. This
trend is increasing for all age groups. As the young population
ages, they will continue to leverage social media in their
daily lives. In addition, new generations will come to adopt
the internet and online social networks. These technologies
have become and will continue to be a vital component of
our social fabric which we depend on to communicate, interact
and socialize.
BACKGROUND
Current social networking platforms offer a simple policy
management approach. Security aware users are able to
specify policies for their profile objects. For example, my
work colleague is restricted from seeing my photos. But,
my trusted best friend from school may access all my information.
Facebook provides an optional mechanism that
allows users to create custom lists to organize friends and
set privacy restrictions. Similarly, Google+ allows users to
create Circles of friends, such as family, acquaintances, etc.,
where the user can apply policies based on these Circles.
Facebook also recently announced smart lists which automatically
group friends who live nearby or attend the same
school. However, managing access for hundreds of friends is
still a very difficult and burdensome task [17]. In addition,
security unaware users typically follow an open and permissive
default policy. As a result, the potential for unwanted
information leakage is great [23]. We believe that current
capabilities to manage access to user profile information on
today's social networking platforms are inadequate.
Same-As Policy Management
In group based policy management, the user must first
group their friends. After which, they must select group
permissions (setting the group policy). Finally, friend-level
exceptions to the group policy are set. A user's attention
(mental model) is focused in multiple areas. Whereas, in
Same-As Policy Management, the user's attention is focused
on a specific friend. The user leverages their memory and
opinion of a friend to set policies for other like friends. In
essence, we use a friend recognition approach, with minimal
task interruptions, to aid the user in setting policies. A
representative friend is selected (Same-As Example Friend),
profile object permissions are assigned to this example friend
and other similar friends (Same-As Friends) are associated
with the same set of object permissions. Figure 4 illustrates
our model; the Same-As Example Friend is depicted in front
of the user's other similar friends who have been assigned the
same set of object permissions.
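
The two models described above, as an added Python sketch that is not the paper's Facebook prototype: the class names, the friend and object names, and the choice to deny friends who have no Same-As assignment are assumptions made for illustration. It expresses one intent both ways and resolves access per friend and profile object.

```python
from dataclasses import dataclass, field

@dataclass
class SameAsPolicy:
    example_perms: dict = field(default_factory=dict)  # example friend -> viewable objects
    same_as: dict = field(default_factory=dict)        # friend -> their example friend

    def set_example(self, example, allowed_objects):
        self.example_perms[example] = set(allowed_objects)
        self.same_as[example] = example

    def mark_same_as(self, friend, example):
        if example not in self.example_perms:
            raise KeyError(f"{example!r} is not a Same-As Example Friend")
        self.same_as[friend] = example

    def can_view(self, friend, obj):
        example = self.same_as.get(friend)
        if example is None:
            return False  # assumption: unassigned friends are denied
        return obj in self.example_perms[example]

@dataclass
class GroupPolicy:
    members: dict = field(default_factory=dict)      # friend -> group
    group_perms: dict = field(default_factory=dict)  # group -> viewable objects
    exceptions: dict = field(default_factory=dict)   # (friend, object) -> allow?

    def can_view(self, friend, obj):
        if (friend, obj) in self.exceptions:         # step 3: friend-level exception
            return self.exceptions[(friend, obj)]
        group = self.members.get(friend)             # step 1: grouping
        return obj in self.group_perms.get(group, set())  # step 2: group policy

def build_demo():
    """Constructed sample data: the same intent expressed in both models."""
    sa = SameAsPolicy()
    sa.set_example("best_friend", {"photos", "wall", "birthday"})
    sa.mark_same_as("roommate", "best_friend")
    sa.set_example("colleague", {"wall"})
    sa.mark_same_as("manager", "colleague")
    gp = GroupPolicy(
        members={"best_friend": "school", "roommate": "school",
                 "colleague": "work", "manager": "work"},
        group_perms={"school": {"photos", "wall", "birthday"}, "work": {"wall"}})
    return sa, gp

if __name__ == "__main__":
    sa, gp = build_demo()
    for f in ("best_friend", "roommate", "colleague", "manager", "stranger"):
        print(f, [o for o in ("photos", "wall", "birthday") if sa.can_view(f, o)])
```

Because Same-As friends hold a reference to their example friend rather than a copy of its permissions, tightening the example friend's permissions tightens access for every friend associated with it.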
Same-As Policy Management
We compared the policy authoring times between Group
Based Policy Management (hereafter referred to as Group
Based) and Same-As Policy Management (hereafter referred
to as Same-As). Our results are summarized in the Policy
Authoring Time section of Table 3 and illustrated in Figure
8(a). In analyzing these results, we found that there is
statistical significance across all user categories, i.e., Unconcerned
Users (p = 0.036), Pragmatists (p < 0.001) and Fundamentalists
(p =< 0.001). Overall, Same-As outperformed
Group Based in policy authoring time. Across the board,
we observed more than a two-fold decrease in the amount
of time it took a user to author their policy. One factor
contributing to this reduction is the steps involved in authoring
a policy. Group Based approaches have three distinct
steps: 1) group friends, 2) set group policy and 3) assign
friend-level exceptions to the group policy. Using this approach,
the user first focuses on the friend's relationship in
order to group them appropriately. Next, the user switches
their attention to the group in order to set the group policy.
Finally, the user switches their attention back to the friend
in order to set any friend-level exceptions to the group policy.
Whereas, using our Same-As approach and visual policy
editor, the user simply leverages their memory and opinion
of a friend to set policies for other similar friends. As a
result, users can author policies in less time and thus ease
the burden associated with managing their online privacy
settings.
CONCLUSION
In this paper, we introduced two approaches to improving
privacy policy management in online social networks. First,
we presented an approach, leveraging proven clustering techniques,
that assists users in grouping their friends for policy
management purposes. Our approach demonstrated reduced
grouping times and improvements in ease of use over traditional
group based policy management approaches. Second,
we introduced Same-As Policy Management, which leverages
a user's memory and opinion of their friends to set policies
for other similar friends. Our visual policy editor uses
friend recognition and minimal task interruption to obtain
substantial reductions in policy authoring times. In addition,
Same-As Policy Management was positively perceived
by users over traditional group based policy management
approaches.