Security and Privacy in Online Social Networks

The explosive growth of Online Social Networks (OSNs) over the past few years has redefined the way people interact with existing friends and especially make new friends. OSNs have also become a great new marketplace for trade among the users. However, the associated privacy risks make users vulnerable to severe privacy threats. In this dissertation, we design protocols for private distributed social proximity matching and a private distributed auction based marketplace framework for OSNs. In particular, an OSN user looks for matching profile attributes when trying to broaden his/her social circle. However, revealing private attributes is a potential privacy threat. Distributed private profile matching in OSNs mainly involves using cryptographic tools to compute profile attributes matching privately such that no participating user knows more than the common profile attributes. In this work, we define a new asymmetric distributed social proximity measure between two users in an OSN by taking into account the weighted profile attributes (communities) of the users and that of their friends’. For users with different privacy requirements, we design three private proximity matching protocols with increasing privacy levels. Our protocol with highest privacy level ensures that each user’s proximity threshold is satisfied before revealing any matching information. The use of e-commerce has exploded in the last decade along with the associated security and privacy risks. Frequent security breaches in the e-commerce service providers’ centralized servers compromise consumers’ sensitive private and financial information. Besides, a consumer’s purchase history stored in those servers can be used to reconstruct the consumer’s profile and for a variety of other privacy intrusive purposes like directed marketing. To this end, we propose a secure and private distributed auction framework called SPA, based on decentralized online social networks (DOSNs) for the first time in the literature. The participants in SPA require no trust among each other, trade anonymously, and the security and privacy of the auction is guaranteed. The efficiency, in terms of communication and computation, of proposed private auction protocol is at least an order of magnitude better than existing distributed private auction protocols and is suitable for marketplace with large number of participants

Pretty Private Group Management

Group management is a fundamental building block of today's Internet applications. Mailing lists, chat systems, collaborative document edition but also online social networks such as Facebook and Twitter use group management systems. In many cases, group security is required in the sense that access to data is restricted to group members only. Some applications also require privacy by keeping group members anonymous and unlinkable. Group management systems routinely rely on a central authority that manages and controls the infrastructure and data of the system. Personal user data related to groups then becomes de facto accessible to the central authority. In this paper, we propose a completely distributed approach for group management based on distributed hash tables. As there is no enrollment to a central authority, the created groups can be leveraged by various applications. Following this paradigm we describe a protocol for such a system. We consider security and privacy issues inherently introduced by removing the central authority and provide a formal validation of security properties of the system using AVISPA. We demonstrate the feasibility of this protocol by implementing a prototype running on top of Vuze's DHT

Group-Level Frameworks for Data Ethics, Privacy, Safety and Security in Digital Environments

In today\u27s digital age, the widespread collection, utilization, and sharing of personal data are challenging our conventional beliefs about privacy and information security. This thesis will explore the boundaries of conventional privacy and security frameworks and investigate new methods to handle online privacy by integrating groups. Additionally, we will examine approaches to monitoring the types of information gathered on individuals to tackle transparency concerns in the data broker and data processor sector. We aim to challenge traditional notions of privacy and security to encourage innovative strategies for safeguarding them in our interconnected, dispersed digital environment. This thesis uses a multi-disciplinary approach to complex systems, drawing from various fields such as data ethics, legal theory, and philosophy. Our methods include complex systems modeling, network analysis, data science, and statistics. As a first step, we investigate the limits of individual consent frameworks in online social media platforms. We develop new security settings, called distributed consent, that can be used in an online social network or coordinated across online platforms. We then model the levels of observability of individuals on the platform(s) to measure the effectiveness of the new security settings against surveillance from third parties. Distributed consent can help to protect individuals online from surveillance, but it requires a high coordination cost on the part of the individual. Users must also decide whether to protect their privacy from third parties and network neighbors by disclosing security settings or taking on the burden of coordinating security on single and multiple platforms. However, the coordination burden may be more appropriate for systems-level regulation. We then explore how groups of individuals can work together to protect themselves from the harms of misinformation on online social networks. Social media users are not equally susceptible to all types of misinformation. Further, diverse groups of social media communities can help protect one another from misinformation by correcting each other\u27s blind spots. We highlight the importance of group diversity in network dynamics and explore how natural diversity within groups can provide protection rather than relying on new technologies such as distributed consent settings. Finally, we investigate methods to interrogate what types of personal data are collected by third parties and measure the risks and harms associated with aggregating personal data. We introduce methods that provide transparency into how modern data collection practices pose risks to data subjects online. We hope that the collection of these results provides a humble step toward revealing gaps in privacy and security frameworks and promoting new solutions for the digital age

Towards inferring communication patterns in online social networks

Grup de recerca: Security of Networks and Distributed Applications (SENDA)The separation between the public and private spheres on online social networks is known to be, at best, blurred. On the one hand, previous studies have shown how it is possible to infer private attributes from publicly available data. On the other hand, no distinction exists between public and private data when we consider the ability of the online social network (OSN) provider to access them. Even when OSN users go to great lengths to protect their privacy, such as by using encryption or communication obfuscation, correlations between data may render these solutions useless. In this article, we study the relationship between private communication patterns and publicly available OSN data. Such a relationship informs both privacy-invasive inferences as well as OSN communication modelling, the latter being key toward developing effective obfuscation tools. We propose an inference model based on Bayesian analysis and evaluate, using a real social network dataset, how archetypal social graph features can lead to inferences about private communication. Our results indicate that both friendship graph and public traffic data may not be informative enough to enable these inferences, with time analysis having a non-negligible impact on their precision

BFF: A tool for eliciting tie strength and user communities in social networking services

The final publication is available at Springer via http://dx.doi.org/ 10.1007/s10796-013-9453-6The use of social networking services (SNSs) such as Facebook has explosively grown in the last few years. Users see these SNSs as useful tools to find friends and interact with them. Moreover, SNSs allow their users to share photos, videos, and express their thoughts and feelings. However, users are usually concerned about their privacy when using SNSs. This is because the public image of a subject can be affected by photos or comments posted on a social network. In this way, recent studies demonstrate that users are demanding better mechanisms to protect their privacy. An appropriate approximation to solve this could be a privacy assistant software agent that automatically suggests a privacy policy for any item to be shared on a SNS. The first step for developing such an agent is to be able to elicit meaningful information that can lead to accurate privacy policy predictions. In particular, the information needed is user communities and the strength of users' relationships, which, as suggested by recent empirical evidence, are the most important factors that drive disclosure in SNSs. Given the number of friends that users can have and the number of communities they may be involved on, it is infeasible that users are able to provide this information without the whole eliciting process becoming confusing and time consuming. In this work, we present a tool called Best Friend Forever (BFF) that automatically classifies the friends of a user in communities and assigns a value to the strength of the relationship ties to each one. We also present an experimental evaluation involving 38 subjects that showed that BFF can significantly alleviate the burden of eliciting communities and relationship strength.This work has been partially supported by CONSOLIDER-INGENIO 2010 under grant CSD2007-00022, and TIN 2008-04446 and PROMETEO II/2013/019 projects. This article has been developed as a result of a mobility stay funded by the Erasmus Mundus Programme of the European Comission under the Transatlantic Partnership for Excellence in Engineering - TEE Project.López Fogués, R.; Such Aparicio, JM.; Espinosa Minguet, AR.; García-Fornes, A. (2014). BFF: A tool for eliciting tie strength and user communities in social networking services. Information Systems Frontiers. 16:225-237. https://doi.org/10.1007/s10796-013-9453-6S22523716Blondel, V.D., Guillaume, J.L., Lambiotte, R., Lefebvre, E. (2008). Fast unfolding of communities in large networks. Journal of Statistical Mechanics: Theory and Experiment, 2008(10), P10008.Boyd, D., & Hargittai, E. (2010). Facebook privacy settings: who cares? First Monday, 15(8).Burt, R. (1995). Structural holes: the social structure of competition. Harvard University Pr.Culotta, A., Bekkerman, R., McCallum, A. (2004). Extracting social networks and contact information from email and the web.Ellison, N., Steinfield, C., Lampe, C. (2007). The benefits of facebook friends: social capital and college students use of online social network sites. Journal of Computer-Mediated Communication, 12(4), 1143–1168.Fang, L., & LeFevre, K. (2010). Privacy wizards for social networking sites. In Proceedings of the 19th international conference on World wide web (pp. 351–360). ACM.Fortunato, S. (2010). Community detection in graphs. Physics Reports, 486(3-5), 75–174.Gilbert, E., & Karahalios, K. (2009). Predicting tie strength with social media. In Proceedings of the 27th international conference on human factors in computing systems (pp. 211–220). ACM.Girvan, M., & Newman, M. (2002). Community structure in social and biological networks. Proceedings of the National Academy of Science, 99(12), 7821.Granovetter, M. (1973). The strength of weak ties. American Journal of Sociology, 1360–1380.Gross, R., & Acquisti, A. (2005). Information revelation and privacy in online social networks. In Proceedings of the 2005 ACM workshop on privacy in the electronic society (pp. 71–80). ACM.Johnson, M., Egelman, S., Bellovin, S. (2012). Facebook and privacy: it’s complicated. In Proceedings of the eighth symposium on usable privacy and security (p. 9). ACM .Kahanda, I., & Neville, J. (2009). Using transactional information to predict link strength in online social networks. In Proceedings of the third international conference on weblogs and social media (ICWSM).Lancichinetti, A., & Fortunato, S. (2009). Community detection algorithms: a comparative analysis. Physical Review E, 80, 056–117.Lancichinetti, A., Fortunato, S., Kertsz, J. (2009). Detecting the overlapping and hierarchical community structure in complex networks. New Journal of Physics, 11(3), 033–015.Lin, N., Ensel, W., Vaughn, J. (1981). Social resources and strength of ties: Structural factors in occupational status attainment. American Sociological Review, 393–405.Lipford, H., Besmer, A., Watson, J. (2008). Understanding privacy settings in facebook with an audience view. In Proceedings of the 1st conference on usability, psychology, and security (pp. 1–8). Berkeley: USENIX Association.Liu, G., Wang, Y., Orgun, M. (2010). Optimal social trust path selection in complex social networks. In Proceedings of the 24th AAAI conference on artificial intelligence (pp. 139–1398). AAAI.Matsuo, Y., Mori, J., Hamasaki, M., Nishimura, T., Takeda, H., Hasida, K., Ishizuka, M. (2007). Polyphonet: an advanced social network extraction system from the web. Web Semantics: Science, Services and Agents on the World Wide Web, 5(4), 262–278. World Wide Web Conference 2006 Semantic Web Track.Murukannaiah, P., & Singh, M. (2011). Platys social: relating shared places and private social circles. Internet Computing IEEE, 99, 1–1.Quercia, D., Lambiotte, R., Kosinski, M., Stillwell, D., Crowcroft, J. (2012). The personality of popular facebook users. In Proceedings of the ACM 2012 conference on computer supported cooperative work (CSCW’12).Rosvall, M., & Bergstrom, C. (2008). Maps of random walks on complex networks reveal community structure. Proceedings of the National Academy of Sciences, 105(4), 1118–1123.Sharma, G., Qiang, Y., Wenjun, S., Qi, L. (2013). Communication in virtual world: Second life and business opportunities. Information Systems Frontiers, 15(4), 677–694.Shen, K., Song, L., Yang, X., Zhang, W. (2010). A hierarchical diffusion algorithm for community detection in social networks. In 2010 international conference on cyber-enabled distributed computing and knowledge discovery (CyberC) (pp. 276–283). IEEE.Sierra, C., & Debenham, J. (2007). The LOGIC negotiation model. In AAMAS ’07: proceedings of the 6th international joint conference on autonomous agents and multiagent systems (pp. 1–8). ACM.Staddon, J., Huffaker, D., Brown, L., Sedley, A. (2012). Are privacy concerns a turn-off?: engagement and privacy in social networks. In Proceedings of the eighth symposium on usable privacy and security (p. 10). ACM.Strater, K., & Lipford, H.R. (2008). Strategies and struggles with privacy in an online social networking community. In Proceedings of the 22nd British HCI group annual conference on people and computers: culture, creativity, interaction, BCS-HCI ’08 (Vol. 1, pp. 111–119). Swinton: British Computer Society.Wellman, B., & Wortley, S. (1990). Different strokes from different folks: Community ties and social support. American Journal of Sociology, 558–588.Wiese, J., Kelley, P., Cranor, L., Dabbish, L., Hong, J., Zimmerman, J. (2011). Are you close with me? are you nearby? investigating social groups, closeness, and willingness to share. In Proceedings of the 13th international conference on Ubiquitous computing (pp. 197–206). ACM.Xiang, R., Neville, J., Rogati, M. (2010). Modeling relationship strength in online social networks. In Proceedings of the 19th international conference on World wide web (pp. 981–990). ACM

A Generic Framework for Enforcing Security in Distributed Systems

A large extent of today's computer programs is distributed. For instance, services for backups, file storage, and cooperative work are now typically managed by distributed programs. The last two decades also brought a variety of services establishing social networks, from exchanging short messages to sharing personal information to dating. In each of the services, distributed programs process and store sensitive information about their users or the corporations their users work for. Secure processing of the sensitive information is essential for service providers. For instance, businesses are bound by law to take security measures against conflicts of interest. Beyond legal regulations, service providers are also pressed by users to satisfy their demands for security, such as the privacy of their profiles and messages in online social networks. In both instances, the prospect of security violations by a service provider constitutes a serious disadvantage and deters potential users from using the service. The focus of this thesis is on enabling service providers to secure their distributed programs by means of run-time enforcement mechanisms. Run-time enforcement mechanisms enforce security in a given program by monitoring, at run-time, the behavior of the program and by intervening when security violations are about to occur. Enforcing security in a distributed program includes securing the behavior of the individual agents of the distributed program as well as securing the joint behavior of all the agents. We present a framework for enforcing security in distributed programs. The framework combines tools and techniques for the specification, enforcement, and verification of security policies for distributed programs. For the specification of security policies, the framework provides the policy language CoDSPL. For generating run-time enforcement mechanisms from given security policies and applying these mechanisms to given distributed programs, the framework includes the tool CliSeAu. For the verification of generated enforcement mechanisms, the framework provides a formal model in the process algebra CSP. All three, the policy language, the tool, and the formal model allow for the distributed units of enforcement mechanisms to cooperate with each other. For supporting the specification of cooperating units, the framework provides two techniques as extensions of CoDSPL: a technique for specifying cooperation in a modular fashion and a technique for effectively cooperating in presence of race conditions. Finally, with the cross-lining technique of the framework, we devise a general approach for instrumenting distributed programs to apply an enforcement mechanism whose units can cooperate. The particular novelty of the presented framework is that the cooperation to be performed can be specified by the security policies and can take place even when the agents of the distributed program do not interact. This distinguishing feature of the framework enables one to specify and enforce security policies that employ a form of cooperation that suits the application scenario: Cooperation can be used when one's security requirements cannot be enforced in a fully decentralized fashion; but the overhead of cooperation can be avoided when no cooperation is needed. The case studies described in this thesis provide evidence that our framework is suited for enforcing custom security requirements in services based on third-party programs. In the case studies, we use the framework for developing two run-time enforcement mechanisms: one for enforcing a policy against conflicts of interest in a storage service and one for enforcing users' privacy policies in online social networks with respect to the sharing and re-sharing of messages. In both case studies, we experimentally verify the enforcement mechanisms to be effective and efficient, with an overhead in the range of milliseconds