Policies based privacy control mechanisms for social

networking systems

Audumbar ChormaleAdvisor: Dr. Anupam Joshi

M.S. Thesis Defense

http://ebiquity.umbc.edu/

2

Motivation

Increase in the user generated content on web

Rise in the online interactions and content sharing among users

More dynamic context Need to provide precise control over

the conditions under which users can share their personal information

3

Problem statement

Devise better privacy mechanisms to control the information flow in social networking systems.

4

Contributions

Privacy control mechanism based on policy frameworks that are rich in semantic web technologies to control information flow in social networking applications. The privacy control mechanism

Provides users of the system better control while sharing information than the state of the art systems

Combines dynamic user context, For instance, current time, current location or current activity of the user

5

Introduction

Increase in the popularity of social networking systems(SNS) such as Facebook, MySpace, LiveJournal etc.

SNS allow creation of online profiles Photos, videos and favorite links

‘What’s on your mind’ or status updates

Content sharing with a huge list of friends and networks of friends

6

Mobile geo-social networking systems

Availability of GPS functionality on phone devices like iPhone, HTC-G1 and network based positioning methods on internet

Social network maps friends and their locations using Maps API on the web

Content sharing relative to location and time

Privacy is an important issue with the current systems like Google latitude, Loopt, Brightkite

7

Privacy issues in SNS

Privacy concerns when, how and to what extent information about someone is communicated to others

Distinguish among various peers in large network of friends

Capture continuous changes in the contextual information about users

Address privacy requirements subjective to individual

8

Semantic web and policies RDF and OWL

Set of triples Precise specification of classes used by policy languages based on description logic, for which efficient reasoning

systems are available Notation3

expression of data and logic in the same language simple and consistent grammar, greater expressiveness, and

is a compact and readable alternative to RDF’s XML syntax allow rules to be integrated smoothly with RDF

Policies based on semantic web technologies can better represent user context information and privacy preferences.

9

Static knowledge about user profile, and networks of friends

Knowledge about dynamic user context like current activity, location

Privacy enforcement rules

Reasoning Engine

Network

Privacy Control Framework

Content Preferences

Content Aggregator

Social Media

Policy network ontology

Database

Architectural view of the system

10

Components of Privacy Framework

Policy network ontology Integrates Rein and AIR policy ontology Rein policies to provide access control and AIR

policies to provide justification to the inferences made

Policies specified using N3 rules and Turtle Reasoning engine

CWM, a forward chaining rule engine▪ Pychinko, a forward chaining rule engine, written in Python,

that implements Rete algorithm and allows for efficient processing of very large rule bases

Supports a significant subset of the math, string, time and logic built-ins

11

Example of location access policy network ontology

Policy(N3)

Resource(User-

location)

Meta-Policy

Policy Language

(loc-access)

policy

policy language meta-policy

RequestRequester Credentials

Location-Access

Answer

Valid

InValid

access

requester

ans IsA

IsA

Policy Network Ontology

Request Ontology

12

Policy Description

Privacy Policy follows Deny-Access approach.It specifies authorization logic. Authentication is

performed separately in the system. What information user is willing to share

Location information with accuracy level With whom

Friends Group of friends

Under what conditions Day and time of the week Location of the user, specifying the area in which user

can be seen Accuracy level of the location information

13

Example Policies

Example policies can be : Share my location with teachers on weekdays

only if I am in the university campus and only between 9 am and 6 pm

Share exact location with members of family group all the time, in all locations

Do not share my location if user is at any of the sensitive locations

Do not share my activity status with teachers on weekends

Share my activity status with only close friends 

14

Example Policies Contd.

Example of location access control policy: Share my location with teachers on weekdays only if I am in the university campus and only between 9 am and 6 pm

15

Example Policies Contd.

Example of location access control policy: Share exact location with membersof family group all the time, in all locations

16

Example Policies Contd.

Example of location access control policy: Do not share my location if user is at any of the sensitive locations

17

Example Policies Contd.

Example of activity access control policy: Do not share my activity status with teachers on weekends

18

Example Policies Contd.

Example of activity access control policy: Do not share my location if user is at any of the sensitive locations

19

Accountability

Example of Accountability Policy: Checks the compliance of location request with user's policy

20

Policy Execution

User shares her protected resources and defines the privacy preferences

System follows pull mechanism. All the different types of information sharing activities among participants are established by the privacy control module in the system.

Whenever any participant makes a query, it is sent to the privacy control module which in turn processes the query by reasoning over the policy networks associated with the resource, and returns the valid answer to the query.

Generalization is applied for the valid answers.

21

Steps involved in processing a query

Query

Form request and Assert required information

Authenticate Requester

Fetch knowledge about user

Execute Reasoning Engine

Apply generalization

Result

Assert Authorization Result

Figure 3. Steps involved in query processing

22

Implementation details

Client device is location aware device like GPS enabled phones or wi-fi enabled laptops

Google maps to plot user and her friends User interface to define privacy preferences Connects with Facebook accounts to fetch

profile information and find networks of friends

Creates and stores policy ontology in persistent memory and reloads when required by reasoning engine

23

Implementation details

24

Implementation details

Privacy Configuration User Interface

25

Results

Summary of features of our system and their comparison with the state of theart systems

26

Performance

Timing characteristics of various privacy rules with CWM and Pychinko. Policy1(location sharing rule with Math and time builtins), Policy 2 (activity sharing rule with Math and time builtins), Policy 3 (activity sharing without any builtins), Policy 4 (location sharing

without any builtins). All timings shown are in milliseconds.

27

Conclusion and future work We have described the system architecture

of the policy based system and its various components and discussed implementation considerations. We demonstrated few examples of the policy that state of the art system does not support.

Future Work: Improve scalability Evaluate the utility Predicting user privacy preferences

28

Contributions

Privacy control mechanism based on policy frameworks that are rich in semantic web technologies to control information flow in social networking applications. The privacy control mechanism

Provides users of the system better control while sharing information than the state of the art systems

Combines dynamic user context, For instance, current time, current location or current activity of the user

29

Thank you