4,643 research outputs found

    Security and Privacy in Online Social Networks

    The explosive growth of Online Social Networks (OSNs) over the past few years has redefined the way people interact with existing friends and especially make new friends. OSNs have also become a great new marketplace for trade among the users. However, the associated privacy risks make users vulnerable to severe privacy threats. In this dissertation, we design protocols for private distributed social proximity matching and a private distributed auction based marketplace framework for OSNs. In particular, an OSN user looks for matching profile attributes when trying to broaden his/her social circle. However, revealing private attributes is a potential privacy threat. Distributed private profile matching in OSNs mainly involves using cryptographic tools to compute profile attributes matching privately such that no participating user knows more than the common profile attributes. In this work, we define a new asymmetric distributed social proximity measure between two users in an OSN by taking into account the weighted profile attributes (communities) of the users and that of their friends’. For users with different privacy requirements, we design three private proximity matching protocols with increasing privacy levels. Our protocol with highest privacy level ensures that each user’s proximity threshold is satisfied before revealing any matching information. The use of e-commerce has exploded in the last decade along with the associated security and privacy risks. Frequent security breaches in the e-commerce service providers’ centralized servers compromise consumers’ sensitive private and financial information. Besides, a consumer’s purchase history stored in those servers can be used to reconstruct the consumer’s profile and for a variety of other privacy intrusive purposes like directed marketing. 
To this end, we propose a secure and private distributed auction framework called SPA, based on decentralized online social networks (DOSNs) for the first time in the literature. The participants in SPA require no trust among each other, trade anonymously, and the security and privacy of the auction are guaranteed. The efficiency, in terms of communication and computation, of the proposed private auction protocol is at least an order of magnitude better than existing distributed private auction protocols and is suitable for a marketplace with a large number of participants

    Efficient location privacy-aware forwarding in opportunistic mobile networks

    This paper proposes a novel fully distributed and collaborative k-anonymity protocol (LPAF) to protect users’ location information and ensure better privacy while forwarding queries/replies to/from untrusted location-based service (LBS) over opportunistic mobile networks (OppMNets). We utilize a lightweight multihop Markov-based stochastic model for location prediction to guide queries toward the LBS’s location and to reduce required resources in terms of retransmission overheads. We develop a formal analytical model and present theoretical analysis and simulation of the proposed protocol performance. We further validate our results by performing extensive simulation experiments over a pseudo realistic city map using map-based mobility models and using real-world data trace to compare LPAF to existing location privacy and benchmark protocols. We show that LPAF manages to keep higher privacy levels in terms of k-anonymity and quality of service in terms of success ratio and delay, as compared with other protocols, while maintaining lower overheads. Simulation results show that LPAF achieves up to an 11% improvement in success ratio for pseudorealistic scenarios, whereas real-world data trace experiments show up to a 24% improvement with a slight increase in the average delay

    Server-Aided Privacy-Preserving Proximity Testing

    Proximity testing is at the core of many Location-Based online Services (LBS) which we use in our daily lives to order taxis, find places of interest nearby, connect with people. Currently, most such services expect a user to submit his location to them and trust the LBS not to abuse this information, and use it only to provide the service. Existing cases of such information being misused (e.g., by the LBS employees or criminals who breached its security) motivate the search for better solutions that would ensure the privacy of user data, and give users control of how their data is being used. In this thesis, we address this problem using cryptographic techniques. We propose three cryptographic protocols that allow two users to perform proximity testing (check if they are close enough to each other) with the help of two servers. In the papers 1 and 2, the servers are introduced in order to allow users not to be online at the same time: one user may submit their location to the servers and go offline, the other user coming online later and finishing proximity testing. This drastically improves the practicality of such protocols, since the mobile devices that users usually run may not always be online. We stress that the servers in these protocols merely aid the users in performing the proximity testing, and none of the servers can independently extract the user data. In the paper 3, we use the servers to offload the users' computation and communication. The servers here pre-generate correlated random data and send it to users, who can use it to perform a secure proximity testing protocol faster. Paper 3, together with the paper 2, are highly practical: they provide strong security guarantees and are suitable to be executed on resource-constrained mobile devices. In fact, the work of clients in these protocols is close to negligible as most of the work is done by servers

    PRUB: A Privacy Protection Friend Recommendation System Based on User Behavior

    The fast developing social network is a double-edged sword. It remains a serious problem to provide users with excellent mobile social network services while protecting privacy data. Most popular social applications utilize behavior of users to build connection with people having similar behavior, thus improving user experience. However, many users do not want to share certain behavioral information with the recommendation system. In this paper, we aim to design a secure friend recommendation system based on the user behavior, called PRUB. The system proposed aims at achieving fine-grained recommendation to friends who share some of the same characteristics without exposing the actual user behavior. We utilized the anonymous data from a Chinese ISP, which records the user browsing behavior, for 3 months to test our system. The experimental results show that our system can achieve a remarkable recommendation goal and, at the same time, protect the privacy of the user behavior information

    Private and secure distribution of targeted advertisements to mobile phones

    Online Behavioural Advertising (OBA) enables promotion companies to effectively target users with ads that best satisfy their purchasing needs. This is highly beneficial for both vendors and publishers who are the owners of the advertising platforms, such as websites and app developers, but at the same time creates a serious privacy threat for users who expose their consumer interests. In this paper, we categorize the available ad-distribution methods and identify their limitations in terms of security, privacy, targeting effectiveness and practicality. We contribute our own system, which utilizes opportunistic networking in order to distribute targeted adverts within a social network. We improve upon previous work by eliminating the need for trust among the users (network nodes) while at the same time achieving low memory and bandwidth overhead, which are inherent problems of many opportunistic networks. Our protocol accomplishes this by identifying similarities between the consumer interests of users and then allows them to share access to the same adverts, which need to be downloaded only once. Although the same ads may be viewed by multiple users, privacy is preserved as the users do not learn each other's advertising interests. An additional contribution is that malicious users cannot alter the ads in order to spread malicious content, and also, they cannot launch impersonation attacks

    The Prom Problem: Fair and Privacy-Enhanced Matchmaking with Identity Linked Wishes

    In the Prom Problem (TPP), Alice wishes to attend a school dance with Bob and needs a risk-free, privacy preserving way to find out whether Bob shares that same wish. If not, no one should know that she inquired about it, not even Bob. TPP represents a special class of matchmaking challenges, augmenting the properties of privacy-enhanced matchmaking, further requiring fairness and support for identity linked wishes (ILW) – wishes involving specific identities that are only valid if all involved parties have those same wishes. The Horne-Nair (HN) protocol was proposed as a solution to TPP along with a sample pseudo-code embodiment leveraging an untrusted matchmaker. Neither identities nor pseudo-identities are included in any messages or stored in the matchmaker’s database. Privacy relevant data stay within user control. A security analysis and proof-of-concept implementation validated the approach, fairness was quantified, and a feasibility analysis demonstrated practicality in real-world networks and systems, thereby bounding risk prior to incurring the full costs of development. The SecretMatch™ Prom app leverages one embodiment of the patented HN protocol to achieve privacy-enhanced and fair matchmaking with ILW. The endeavor led to practical lessons learned and recommendations for privacy engineering in an era of rapidly evolving privacy legislation. Next steps include design of SecretMatch™ apps for contexts like voting negotiations in legislative bodies and executive recruiting. The roadmap toward a quantum resistant SecretMatch™ began with design of a Hybrid Post-Quantum Horne-Nair (HPQHN) protocol. Future directions include enhancements to HPQHN, a fully Post Quantum HN protocol, and more

    Investigating the Privacy vs. Forwarding Accuracy Tradeoff in Opportunistic Interest-Casting

    Many mobile social networking applications are based on a "friend proximity detection" step, according to which two mobile users try to jointly estimate whether they have friends in common, or share similar interests, etc. Performing "friend proximity detection" in a privacy-preserving way is fundamental to achieve widespread acceptance of mobile social networking applications. However, the need of privacy preservation is often at odds with application-level performance of the mobile social networking application, since only obfuscated information about the other user's profile is available for optimizing performance. In this paper, we study for the first time the fundamental tradeoff between privacy preservation and application-level performance in mobile social networks. More specifically, we consider a mobile social networking application for opportunistic networks called interest-casting. In the interest-casting model, a user wants to deliver a piece of information to other users sharing similar interests ("friends"), possibly through multi-hop forwarding. In this paper, we propose a privacy-preserving friend proximity detection scheme based on a protocol for solving the Yao's "Millionaire's Problem", and we introduce three interest-casting protocols achieving different tradeoffs between privacy and accuracy of the information forwarding process. The privacy vs. accuracy tradeoff is analyzed both theoretically, and through simulations based on a real-world mobility trace. The results of our study demonstrate for the first time that privacy preservation is at odds with forwarding accuracy, and that the best tradeoff between these two conflicting goals should be identified based on the application-level requirements