Multilateral Privacy Requirements Analysis in Online Social - - PowerPoint PPT Presentation

Multilateral Privacy Requirements Analysis in Online Social Networks

Seda Gürses COSIC, K.U. Leuven

• 18. February, 2011

CRID University of Namur, Belgium

SPION

security and priv acy in

• nline social networks

K.U. Leuven (COSIC, DistriNet, ICRI, HMDB), Vrije Universiteit Brussel (SMIT), University

• f Ghent (Onderwijskunde), Carnegie Melon

University (Heinz College)

responsibilization

accountability

SPION

security and priv acy in

• nline social networks

trust, reputation and access control identity management legal frameworks anonymous communication feedback and awareness systems behavioral aspects

http://www.cosic.esat.kuleuven.be/spion

• utline
• introduction to privacy requirements
• stakeholder analysis: service provider
• SNS access control design
• feedback and awareness systems

privacy?

• what is privacy?
• what are privacy requirements?
• in security engineering: confidentiality

• nline social networks (SNS)

• nline social networks

2004

Facebook created

1m

Facebook in

Highschools

friends friends of friends all facebook users the entire Internet

1m 5m

2006

Facebook available to the

PUBLIC(pg13)

1m 5m 12m

2006

Facebook available to the

PUBLIC(pg13) xss attacks

1m 5m 12m

2006

Facebook available to the

PUBLIC(pg13) xss attacks

newsfeed

1m 5m 12m

2006

Facebook available to the

PUBLIC(pg13)

newsfeed protests 740.000

xss attacks

1m 5m 12m

2007

Facebook API

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile BEACON

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile BEACON

protests 50.000 in 3 days

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile BEACON

protests 50.000 in 3 days

bans

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile BEACON

protests 50.000 in 3 days

bans

breastfeeding

protests 740.000

newsfeed

1m 5m 12m 50m

2007

Facebook API Mobile BEACON

protests 50.000 in 3 days

memorilization

bans

protests 740.000

newsfeed

1m 5m 12m 50m

breastfeeding

2008

Facebook API Mobile BEACON

bans

Canadian Privacy Commissioner

protests 740.000

newsfeed

1m 5m 12m 50m 100m

2008

Canadian Privacy Commissioner

LIVE FEED

popularity algorithm

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

1m 5m 12m 50m 100m

2008

Canadian Privacy Commissioner

LIVE FEED

popularity algorithmprotests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

1m 5m 12m 50m 100m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

1m 5m 12m 50m 100m 350m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

protests

1m 5m 12m 50m 100m 350m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

user voting

protests

1m 5m 12m 50m 100m 350m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

user voting

protests

friends lists

1m 5m 12m 50m 100m 350m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

user voting

protests

friends lists

Canadian Privacy Commissioner

1m 5m 12m 50m 100m 350m

2009

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

cyberbullying

unlimited license to user content

user voting

protests

friends lists

Canadian Privacy Commissioner

1m 5m 12m 50m 100m 350m

2010

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

facebook

google

1m 5m 12m 50m 100m 350m 400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

facebook

google

CONNECTIONS

1m 5m 12m 50m 100m 350m

2010

400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

facebook

google

CONNECTIONS

chat leak

1m 5m 12m 50m 100m

2010

400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

CONNECTIONS

NOYB

FACECLOAK

SCRAMBLE

1m 5m 12m 50m 100m

2010

400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

CONNECTIONS

1m 5m 12m 50m 100m

2010

400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

CONNECTIONS

1m 5m 12m 50m 100m

2010

400m

LIVE FEED

protests

1.600.000

protests 740.000

newsfeed

Facebook API Mobile BEACON

bans

user voting

protests

friends lists

CONNECTIONS

1m 5m 12m 50m 100m

2010

500m

NHS reveals data to Facebook

Discriminatory Behavioral Profiling User IDs revealed to Third Parties

Homeland Security friends Aliens

• all of these are (somehow) about privacy and

the design of the system

• how do we deal with these issues when

developing systems?

• specifically: during requirements engineering

multilateral privacy requirements engineering

• reconcile:
• privacy notions (legal & surveillance studies)
• privacy solutions (computer science)
• in a social context (online SNS)
• multilaterally
• during requirements engineering

privacy requirements definition

lack of universality lack of satisfiability subjectivity legal compliance contrivability environmental factors counter - factuality temporality agonism negotiability

multilateral privacy requirements engineering

• reconcile:
• privacy notions (legal & surveillance studies)
• privacy solutions (computer science)
• in a social context (online SNS)
• multilaterally
• during requirements engineering

solutions from privacy research

data confidentiality anonymous communications PPDM/PPDP IDMS Differential Privacy Privacy Policy Languages Feedback and Awareness Systems

privacy research paradigms

privacy as confidentiality the right to be let alone.

Warren & Brandeis (1890) hiding information and identity

privacy research paradigms

privacy as confidentiality the right to be let alone.

Warren & Brandeis (1890) hiding information and identity

privacy as control

separation of identities, data protection principles right of the individual to decide what information about himself should be communicated to

• thers and under what
• circumstances. (Westin 1970)

privacy research paradigms

privacy as confidentiality the right to be let alone.

Warren & Brandeis (1890) hiding information and identity

privacy as control

separation of identities, data protection principles right of the individual to decide what information about himself should be communicated to

• thers and under what
• circumstances. (Westin 1970)

privacy as practice

the freedom from unreasonable constraints on the construction of

• ne’s own identity (Agre, 1999)

privacy research paradigms

privacy as confidentiality

hiding information and identity

privacy as control

separation of identities, data protection principles

privacy as practice

multilateral privacy requirements engineering

• reconcile:
• privacy notions (legal & surveillance studies)
• privacy solutions (computer science)
• in a social context (online SNS)
• multilaterally
• during requirements engineering

case study

Social Network Services web-based systems communication

• riented

wide audience many stakeholders short development cycles global privacy concerns proprietary systems

multilateral privacy requirements engineering

• reconcile:
• privacy notions (legal & surveillance studies)
• privacy solutions (computer science)
• in a social context (online SNS)
• multilaterally
• during requirements engineering

multilaterality

users SNS providers DP authorities user groups

SNS providers

stakeholder artifacts privacy policy legally binding socially constructed defining roles & responsibilities

actively and collectively produced exchanged & consumed govern usage

method

template analysis

analyze textual data codes to construct template relationships between themes

SNS and TPA providers of interest

facebook

• rkut

myspace

playfish

zynga

• verview of findings
• two coders
• total 68 codes in SNS PP

, 43 in TPA PP

• 5 main themes (privacy concerns)
• personal information, data protection and policy definition
• user control of information
• user interactions and information
• advertisement and third parties
• internet safety, minors and underage users

• verview of findings
• two coders
• total 68 codes in SNS PP

, 43 in TPA PP

• 5 main themes (privacy concerns)
• personal information, data protection and policy definition
• user control of information
• user interactions and information
• advertisement and third parties
• internet safety, minors and underage users

privacy data protection

non-absolute relational contextual

• pacity of the individual

procedural safeguards

accountability

transparency

privacy policy definition

PP

SNS Provider

user

data

privacy policy definition

PP

SNS Provider

user

data

data

data

privacy policy definition

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

privacy policy definition

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

privacy policy definition

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

privacy policy definition

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

t0 t∞

privacy is control over your personal information

personal information in SNS

PII (USA) personal information (EU)

(information theoretical/ statistical) anonymity

privacy as control

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

privacy as control

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

privacy as control

PP

SNS Provider

User1

data

data

data

privacy as control

PP

SNS Provider

User1

data

privacy as control

PP

SNS Provider

User1

content uploaded by user traffic data

SNS design

Relational Information (RI)

Transitive Access Control (TAC)

Relational Information (RI)

information on SNS that is controlled by

• r related to many

P Rel Q R

Controllers = {P ,Q,R}

Relational Information

Transitive Access Control (TAC)

topology based access control where profiles in vicinity co-determine access

alice’s friends of friends can access her information

Transitive Access Control

alice’s friends of friends can access her information

Transitive Access Control

alice’s friends of friends can access her information

Transitive Access Control

privacy policy definition

PP

SNS Provider

User1

content uploaded by user traffic data RI

user attributes

user control?

PP

SNS Provider

User1

data

User2 User3

data

data

data

data

u

conclusions

• privacy concerns of SP:
• data protection compliance
• frame privacy as control (min. set of data)
• increase trust in providers
• paradox:
• sharing = collaborative (design supported)

practice

• privacy = individual responsibility and control of

information

compliance?

• DP success: (semi) transparency of data

collection, processing and distribution practices

• DP fail: interpreted to the advantage of the

service providers

• responsibilize the users
• false perception of control
• minimize accountability and transparency
• push responsibility to third parties (vice versa)

personal data?

• Definition of Personal Data does not address
• collaborative/relational information
• does not fit a matrix of personal data
• statistical inference
• surveillance: control populations by categorizing individuals and

• no protection of anonymous data
• anonymous communications
• anonymized datasets
• consent -> identification -> increased surveillance -> endanger

future improvements

• expand definition of personal information on SNS
• beware of relational information
• increase scope of “control”
• include traffic data, data from third parties, cookie use
• enable sharing of data that bypasses the SP
• beware: facebook has censored proponents of this vision
• avoid privacy policy jungle
• accountability and transparency
• better security and (transparent) access control
• demand collaborative privacy control

questions?

Contact: Seda Gürses seda@esat.kuleuven.be Cosic, K.U. Leuven, Belgium