Social Network Security

Security/Privacy Model
for Social Computing
By Chi Ben
Department of Computer and Information Sciences,
Florida A&M University
1333 Wahnish Way
308-A Banneker Technical Bldg.
Tallahassee, Florida 32307
Table of Contents
Definition of social networking sites
Potential threats
Real life examples
Related work
A proposed model
Social Network
 Nodes
 Individuals or organizations [1]
 Ties
 Connections
 Friendship, kinship, financial exchange, knowledge or prestige [1]
Social Networking Sites/Services
(SNS)
 Definition:
Online communities formed for people who share common interests/activities.
 Well-known services:
Name         Area                     Alexa Ranking
Facebook     International            2
MySpace      International            11
hi5          India, Portugal, etc.    38
LinkedIn     International            59
Skyrock      French-speaking world    85
Mixi         Japan                    90
Friendster   Southeast Asia           93
Kaixin001    China                    102
Table 1: A list of the most popular SNS
Fig. 1 Fast growing number of patent applications in social network
Social Network Sites/Services (SNS), continued
 Mimicking in-person interactions
 Storing large amounts of personal information
 Violating the principle of least privilege [5]
 Users inclined to reveal private info/activities to someone they know [2]
 Bringing security issues
Security issues from SNS
 Accidental data release
 Intentional use of private data for marketing purposes
 Identity theft
 Worms and adware
 Phishing attacks
 And many more
A recent famous case:
 MI6 chief’s wife blows his cover on Facebook [3]
 Details on where they live and work, their friends’ identities [3]
[Photo: Sir John Sawers on the beach in one of the family photos]
Another case
 US Marines Ban Twitter, MySpace, Facebook. Effective immediately. (As of Aug 03, 2009)
 Will last a year.
 A waiver is possible.
Facebook’s new features
Facebook: change in geography
networks and new privacy features.
Work that is being done
 Matthew M. Lucas et al. designed a Facebook application, flyByNight. [4]
 Encrypts private information, separates sensitive data from Facebook servers and public access.
 Users must install a JavaScript client.
 The vulnerability of the flyByNight server is unknown.
Work that is being done, cont’d
 Andrew Besmer et al. designed a user-to-application policy, in addition to the existing user-to-user policy and default application policy, which effectively limits the applications’ access to users’ private information. [6]
 Complex, time-consuming settings for applications may impel users to skip applying proper policies.
A User-Server-Agent Model
[Diagram: USER, SERVER and INDEPENDENT INVESTIGATOR (AGENT); the user can view the audit log]
A User-Server-Agent Model
 Server audits users’ activities
 Log in time, duration, IP addresses, access information
 Users can view activities related to their own accounts
 Agents can view all activities of specified accounts
[Diagram: SERVER audits all access information and provides log upon request]
A User-Server-Agent Model
What a user sees
[Diagram: USER sees Kevin’s visit, Bella’s visit, Sara’s visit, Mike’s visit, Dave’s visit, ...]
What an agent sees
[Diagram: INDEPENDENT INVESTIGATOR (AGENT) sees Kevin visits Sara, Kevin visits Mike, Kevin visits Dave, Kevin visits Alice, ...]
A User-Server-Agent Model
[Diagram: INDEPENDENT INVESTIGATOR (AGENT)]
Step I: Accepts investigation requests
Step II: Analyze information on server
Step III: Provides results to user
A User-Server-Agent Model
 Agent receives decrypted request from user
 Alice sends request for concern about Kevin’s activities
 Agent will see “03tn90a” and “01ad53h” instead of “Alice” and “Kevin” in the request
 Agent connects to server, asks for information on account 01ad53h
 After decryption server recognizes account name is Kevin
A User-Server-Agent Model
 What action can an agent perform?
 Use combined policies to detect unusual
activities: IP address, multiple profiles access in
a short term, inactive socializing activities.
 How can an agent help a user?
 Simplest: suggest revoking “friend” label of
malicious users
 Suggest server take action on malicious
accounts
 Report to authorities when necessary
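The pseudonymous lookup and the combined detection policy described on the last two slides, as an added example that is not code from the presentation. Assumptions: pseudonyms are derived with a keyed HMAC and resolved by a server-side lookup (swapped in for the encryption the slides mention), and the log fields, sample entries and thresholds are constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: held only by the server

def pseudonym(account):
    """Stable opaque ID the agent sees instead of the account name."""
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()[:7]

# Constructed audit log: (visitor, visited profile, unix time, source IP, action)
RAW_LOG = [
    ("Kevin", "Alice", 1000, "203.0.113.9", "view"),
    ("Kevin", "Sara",  1030, "203.0.113.9", "view"),
    ("Kevin", "Mike",  1055, "203.0.113.9", "view"),
    ("Kevin", "Dave",  1080, "203.0.113.9", "view"),
    ("Bella", "Alice", 1100, "198.51.100.4", "view"),
    ("Bella", "Alice", 1200, "198.51.100.4", "message"),
]
# Constructed baseline of addresses each account normally logs in from
USUAL_IPS = {"Kevin": {"192.0.2.10"}, "Bella": {"198.51.100.4"}}

def server_log_for(pseud):
    """Server side: resolve the pseudonym, return that account's activity
    with every other account name replaced by its pseudonym."""
    names = {pseudonym(n): n for n in USUAL_IPS}
    account = names[pseud]
    return [
        {"target": pseudonym(t), "ts": ts, "action": act,
         "new_ip": ip not in USUAL_IPS[account]}
        for v, t, ts, ip, act in RAW_LOG if v == account
    ]

def agent_review(pseud, window=120, max_profiles=3):
    """Agent side: combine the three signals from the slide; flag only if all hold."""
    log = server_log_for(pseud)
    views = sorted((e["ts"], e["target"]) for e in log if e["action"] == "view")
    # Many distinct profiles viewed inside one short time window
    burst = any(
        len({t for ts, t in views if start <= ts < start + window}) >= max_profiles
        for start, _ in views
    )
    new_ip = any(e["new_ip"] for e in log)                  # unfamiliar address
    inactive = not any(e["action"] != "view" for e in log)  # views only, no socializing
    return {"burst": burst, "new_ip": new_ip, "inactive": inactive,
            "flag": burst and new_ip and inactive}
```

The agent only ever handles pseudonyms; the mapping back to an account name stays on the server.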
Conclusion
 Increasing use of SNS
 Security/privacy is a big issue
 User-Server-Agent model
Future work
 Investigate/watch privacy frequently
 Other functions will be added
References
[1] http://en.wikipedia.org/wiki/Social_network
[2] Gross, Ralph, Alessandro Acquisti, and H. John Heinz III. (2005). Information Revelation and Privacy in Online Social Networks. Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, p. 71-80.
[3] http://www.timesonline.co.uk/tol/news/uk/article6639521.ece
[4] Matthew M. Lucas, Nikita Borisov. (2008). FlyByNight: mitigating the privacy risks of social networking. WPES '08.
[5] Saltzer J., Schroeder M. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308.
[6] Andrew Besmer, Heather Richter Lipford, Mohamed Shehab, Gorrell Cheek. (2009). Social applications: exploring a more secure framework. SOUPS '09.
[7] Doug Gross, CNN. Facebook to lose geography networks, add privacy features. http://www.cnn.com/2009/TECH/12/02/facebook.networks.changes/index.html
Thank you!