Policies based privacy control mechanisms for social networking systems

1
Policies based privacy control mechanisms for
social networking systems

• Audumbar Chormale
• Advisor Dr. Anupam Joshi
• M.S. Thesis Defense

http//ebiquity.umbc.edu/
2
Motivation

• Increase in the user generated content on web
• Rise in the online interactions and content
  sharing among users
• More dynamic context
• Need to provide precise control over the
  conditions under which users can share their
  personal information

3
Problem statement

• Devise better privacy mechanisms to control the
  information flow in social networking systems.

4
Contributions

• Privacy control mechanism based on policy
  frameworks that are rich in semantic web
  technologies to control information flow in
  social networking applications. The privacy
  control mechanism
• Provides users of the system better control
  while sharing information than the state of the
  art systems
• Combines dynamic user context, For instance,
  current time, current location or current
  activity of the user

5
Introduction

• Increase in the popularity of social networking
  systems(SNS) such as Facebook, MySpace,
  LiveJournal etc.
• SNS allow creation of online profiles
• Photos, videos and favorite links
• Whats on your mind or status updates
• Content sharing with a huge list of friends and
  networks of friends

6
Mobile geo-social networking systems

• Availability of GPS functionality on phone
  devices like iPhone, HTC-G1 and network based
  positioning methods on internet
• Social network maps friends and their locations
  using Maps API on the web
• Content sharing relative to location and time
• Privacy is an important issue with the current
  systems like Google latitude, Loopt, Brightkite

7
Privacy issues in SNS

• Privacy concerns when, how and to what extent
  information about someone is communicated to
  others
• Distinguish among various peers in large network
  of friends
• Capture continuous changes in the contextual
  information about users
• Address privacy requirements subjective to
  individual

8
Semantic web and policies

• RDF and OWL
• Set of triples
• Precise specification of classes used by policy
  languages
• based on description logic, for which efficient
  reasoning systems are available
• Notation3
• expression of data and logic in the same language
• simple and consistent grammar, greater
  expressiveness, and is a compact and readable
  alternative to RDFs XML syntax
• allow rules to be integrated smoothly with RDF
• Policies based on semantic web technologies can
  better represent user context information and
  privacy preferences.

9
Architectural view of the system
10
Components of Privacy Framework

• Policy network ontology
• Integrates Rein and AIR policy ontology
• Rein policies to provide access control and AIR
  policies to provide justification to the
  inferences made
• Policies specified using N3 rules and Turtle
• Reasoning engine
• CWM, a forward chaining rule engine
• Pychinko, a forward chaining rule engine, written
  in Python, that implements Rete algorithm and
  allows for efficient processing of very large
  rule bases
• Supports a significant subset of the math,
  string, time and logic built-ins

11
Example of location access policy network ontology
Policy(N3)
Meta-Policy
policy language
policy
meta-policy
Policy Network Ontology
Resource (User-location)
Policy Language (loc-access)
Location-Access
access
Request Ontology
Request
Requester Credentials
requester
Valid
IsA
ans
Answer
IsA
InValid
12
Policy Description

• Privacy Policy follows Deny-Access approach.
• It specifies authorization logic. Authentication
  is performed separately in the system.
• What information user is willing to share
• Location information with accuracy level
• With whom
• Friends
• Group of friends
• Under what conditions
• Day and time of the week
• Location of the user, specifying the area in
  which user can be seen
• Accuracy level of the location information

13
Example Policies

• Example policies can be
• Share my location with teachers on weekdays only
  if I am in the university campus and only between
  9 am and 6 pm
• Share exact location with members of family group
  all the time, in all locations
• Do not share my location if user is at any of the
  sensitive locations
• Do not share my activity status with teachers on
  weekends
• Share my activity status with only close friends 

14
Example Policies Contd.

• Example of location access control policy Share
  my location with teachers on weekdays only if I
  am in the university campus and only between 9 am
  and 6 pm

15
Example Policies Contd.

• Example of location access control policy Share
  exact location with members
• of family group all the time, in all locations

16
Example Policies Contd.
Example of location access control policy Do not
share my location if user is at any of the
sensitive locations
17
Example Policies Contd.
Example of activity access control policy Do not
share my activity status with teachers on weekends
18
Example Policies Contd.
Example of activity access control policy Do not
share my location if user is at any of the
sensitive locations
19
Accountability
Example of Accountability Policy Checks the
compliance of location request with user's policy
20
Policy Execution

• User shares her protected resources and defines
  the privacy preferences
• System follows pull mechanism. All the different
  types of information sharing activities among
  participants are established by the privacy
  control module in the system.
• Whenever any participant makes a query, it is
  sent to the privacy control module which in turn
  processes the query by reasoning over the policy
  networks associated with the resource, and
  returns the valid answer to the query.
• Generalization is applied for the valid answers.

21
Steps involved in processing a query
22
Implementation details

• Client device is location aware device like GPS
  enabled phones or wi-fi enabled laptops
• Google maps to plot user and her friends
• User interface to define privacy preferences
• Connects with Facebook accounts to fetch profile
  information and find networks of friends
• Creates and stores policy ontology in persistent
  memory and reloads when required by reasoning
  engine

23
Implementation details
24
Implementation details

• Privacy Configuration User Interface

25
Results

• Summary of features of our system and their
  comparison with the state of the
• art systems

26
Performance

• Timing characteristics of various privacy rules
  with CWM and Pychinko.
• Policy1(location sharing rule with Math and time
  builtins),
• Policy 2 (activity sharing rule with Math and
  time builtins),
• Policy 3 (activity sharing without any builtins),
  Policy 4 (location sharing without any builtins).
  
• All timings shown are in milliseconds.

27
Conclusion and future work

• We have described the system architecture of the
  policy based system and its various components
  and discussed implementation considerations. We
  demonstrated few examples of the policy that
  state of the art system does not support.
• Future Work
• Improve scalability
• Evaluate the utility
• Predicting user privacy preferences

28
Contributions

• Privacy control mechanism based on policy
  frameworks that are rich in semantic web
  technologies to control information flow in
  social networking applications. The privacy
  control mechanism
• Provides users of the system better control
  while sharing information than the state of the
  art systems
• Combines dynamic user context, For instance,
  current time, current location or current
  activity of the user

29

• Thank you