xBook: Redesigning Privacy Control in Social Networking Platforms
Kapil Singh
∗
Sumeer Bhola
∗
Wenke Lee
School of Computer Science Google School of Computer Science
Georgia Institute of Technology sumeer@acm.org Georgia Institute of Technology
ksingh@cc.gatech.edu wenke@cc.gatech.edu
Abstract
Social networking websites have recently evolved from
being service providers to platforms for running third
party applications. Users have typically trusted the so-
cial networking sites with personal data, and assume that
their privacy preferences are correctly enforced. However,
they are now being asked to trust each third-party applica-
tion they use in a similar manner. This has left the users’
private information vulnerable to accidental or malicious
leaks by these applications.
In this work, we present a novel framework for build-
ing privacy-preserving social networking applications that
retains the functionality offered by the current social net-
works. We use information flow models to control what
untrusted applications can do with the information they
receive. We show the viability of our design by means
of a platform prototype. The usability of the platform is
further evaluated by developing sample applications using
the platform APIs. We also discuss both security and non-
security challenges in designing and implementing such a
framework.
1 Introduction
Social networking sites have transformed the way peo-
ple express themselves on the Internet and have become
a door to the social life of many individuals. Users are
contributing more and more content to these sites in or-
der to express themselves as part of their profiles and to
contribute to their social circles online. While this builds
up the online identity for the user, it also leaves the data
vulnerable to be misused, as an example, for targeted ad-
vertising and sale.
More private data online has lead to growing privacy
concerns for the users, and some have faced extreme
repercussions for sharing their private information on
these networking sites. For example, students have been
fined for their online social behavior [29]; a mayor was
forced to resign because of a controversial Myspace pic-
ture [32]. There are numerous such cases, and these inci-
dents clearly underline the importance of privacy control
∗
Part of the work was done when the first author was an intern and
the second author was an employee at IBM Research T.J. Watson.
in social networks.
With the advent of Web 2.0 technologies, web appli-
cation development has become much more distributed
with a growing number of users acting as developers and
source of online content. This trend has also influenced
social networks that now act as platforms allowing de-
velopers to run third-party content on top of their frame-
work. Facebook opened up for third-party application
development by releasing its development APIs in May
2007 [22]. Since the release of the Facebook platform,
several other sites have joined the trend by supporting
Google’s OpenSocial [10], a cross-site social network de-
velopment platform.
These third-party applications further escalate the pri-
vacy concerns as user data is shared with these applica-
tions. Typically, there is no or minimal control over what
user information these applications are allowed to access.
In most cases, these applications are hosted on third party
servers that are difficult to monitor. As a result, it is not
feasible to police the data being leaked from the applica-
tion after the data is shared with the application. There
have been several reported cases where users’ private in-
formation was leaked by the applications, either due to
intentional leaks [21] or due to vulnerabilities in the ap-
plication [26].
Most social networking platforms, such as Facebook,
currently provide the applications with full access to user
profile information. This permission is granted in Face-
book when the user adds the application, which requires
the user to make a trust decision. Setting fine-grained ac-
cess control policies for an application, even if they were
supported, would be a complex task. Furthermore, access
control policies are not sufficient in enforcing the privacy
of an individual: once an application is permitted by a
user’s access control policy, it has possession of the user’s
data and can freely leak this information anytime for per-
sonal gains. For example, a popular Facebook applica-
tion, Compare Friends, that promised users’ privacy in
exchange for opinions on their friends later started sell-
ing this information [35].
In this paper, we are concerned with protecting the
users’ private information from leaks by third-party ap-
剩余17页未读,继续阅读
资源评论
tcczsw2014-02-08很有用,关于网络隐私
