xBook: Redesigning Privacy Control in Social Networking Platforms - PowerPoint PPT Presentation


slide-1
SLIDE 1

xBook: Redesigning Privacy Control in Social Networking Platforms

Kapil Singh, Sumeer Bhola and Wenke Lee

slide-2
SLIDE 2

2

Social networking is growing…

slide-6
SLIDE 6

6

Privacy concerns are growing…

  • More personal data being fed to social networks

Headlines cited on the slide:

– Hoover Police officers arrest Facebook burglary suspects
– Mayor in MySpace photo flap asked to resign
– Op-Ed: Post a photo, wear a pirate hat on myspace, and say goodbye to your career

slide-7
SLIDE 7

7

Social Networks as Platforms

  • Social networks now act as programming platforms: third party applications.
  • Integration with the platform

– A set of APIs allows an application to access user content and integrate into the user’s profile.

slide-11
SLIDE 11

11

Social Platform Architecture

  • No control over who can develop and deploy an application.
  • Minimal or no control on what these applications can access.
  • No control on what an application can do with what it can access.

[Diagram: the social network’s trusted domain, the third-party application outside it, and the external entities (e.g. ad agencies) the application talks to]

slide-12
SLIDE 12

12

Current Affairs: Facebook

slide-14
SLIDE 14

14

Facebook’s privacy policy is insufficient…

“If you, your friends, or members of your network use any third-party applications developed using the Facebook Platform ("Platform Applications"), those Platform Applications may access and share certain information about you with others in accordance with your privacy settings. You may opt-out of any sharing of certain or all information through Platform Applications on the Privacy Settings page. In addition, third party developers who have created and operate Platform Applications ("Platform Developers"), may also have access to your personal information (excluding your contact information) if you permit Platform Applications to access your data. Before allowing any Platform Developer to make any Platform Application available to you, Facebook requires the Platform Developer to enter into an agreement which, among other things, requires them to respect your privacy settings and strictly limits their collection, use, and storage of your information. However, while we have undertaken contractual and technical steps to restrict possible misuse of such information by such Platform Developers, we of course cannot and do not guarantee that all Platform Developers will abide by such agreements. Please note that Facebook does not screen or approve Platform Developers and cannot control how such Platform Developers use any personal information that they may obtain in connection with Platform Applications.”

slide-16
SLIDE 16

16

Facebook applications

  • Users need to trust the applications.
  • Mistakes are made:

– “Top Friends” application allowed access to the profile of anyone using the application.
– “We expect third-party apps to follow the rules the users set” – director at Facebook.

  • Deliberate “mistakes” are made:

– “Google confirms Adsense ads, security problems in Facebook applications”

No enforcement, because it is not possible in the current architecture!

slide-17
SLIDE 17

17

Our Goals

  • Provide privacy protection for users’ data in the presence of third party applications.

– Prevent data leaks out to external entities.
– Provide user-user access control (for data flowing through an application).
– Protection of the application’s proprietary data.

  • No changes should be required on the browser side.
  • The user should be oblivious to any design changes.

slide-22
SLIDE 22

22

Our Solution: xBook

  • Pull the applications into the trusted xBook domain.
  • Monitor the applications at runtime in the browser.
  • Allow applications access to any user data, but require them to make their use of that data explicit (pre-declared access).
  • Use information flow techniques to prevent data leaks by the applications.

[Diagram: applications run inside the trusted domain (xBook) with pre-declared access to user data; undeclared flows to external entities are blocked (X)]

slide-25
SLIDE 25

25

xBook Architecture

  • The xBook platform is divided into a client side and a server side.
  • An application is split into multiple components.
  • xBook mediates all component communication.

[Diagram: the xBook server in the cloud holding xBook user data, the xBook client in the browser, and App A split into components on both sides; a flow towards an evil ad network is blocked (X)]

slide-29
SLIDE 29

29

xBook Application Design

Example Application

  • Complete user information to create a customized profile.
  • Birthday to generate the daily horoscope.
  • Address information to generate a map.

[Diagram: the application reads the user profile; the birthday goes to www.horoscope.com, which returns the horoscope; the address goes to maps.google.com, which returns the map]

slide-30
SLIDE 30

30

Application Lifecycle

User User’ ’s view s view xBook xBook view view

Information provided by application

maps.goo maps.google.com gle.com addres address C3 C3 <n <non

  • ne>

e> full p full profile ile C2 C2 www.horoscope.co www.horoscope.com bi birthd rthday ay C1 C1

  • <n

<non

  • ne>

e> C0 C0 External Entity External Entity Data Data Com Component nent

slide-31
SLIDE 31

31

Application Lifecycle

Application’s manifest

User User’ ’s view s view xBook xBook view view

Information provided by application

maps.goo maps.google.com gle.com addres address www.horoscope.co www.horoscope.com bi birthd rthday ay External Entity External Entity Data Data maps.goo maps.google.com gle.com addres address C3 C3 <n <non

  • ne>

e> full p full profile ile C2 C2 www.horoscope.co www.horoscope.com bi birthd rthday ay C1 C1

  • <n

<non

  • ne>

e> C0 C0 External Entity External Entity Data Data Com Component nent

slide-32
SLIDE 32

32

Application Lifecycle

Application’s manifest

User User’ ’s view s view xBook xBook view view

Information provided by application

maps.goo maps.google.com gle.com addres address www.horoscope.co www.horoscope.com bi birthd rthday ay External Entity External Entity Data Data maps.goo maps.google.com gle.com addres address C3 C3 <n <non

  • ne>

e> full p full profile ile C2 C2 www.horoscope.co www.horoscope.com bi birthd rthday ay C1 C1

  • <n

<non

  • ne>

e> C0 C0 External Entity External Entity Data Data Com Component nent

slide-33
SLIDE 33

33

Application Lifecycle

Component labels are derived from the application’s manifest and the user’s platform policies (e.g. access to friends).

Information provided by the application

xBook’s view:

  Component   Data           External Entity
  C0          <none>         <none>
  C1          birthday       www.horoscope.com
  C2          full profile   <none>
  C3          address        maps.google.com

User’s view:

  Data        External Entity
  birthday    www.horoscope.com
  address     maps.google.com

slide-34
SLIDE 34

34

Client-side Confinement

  • Components written in ADsafe

– ADsafe: object capability subset of JavaScript.
– Unsafe JavaScript features like global variables, eval, etc. are removed from the subset.
– Prevents the component from having direct access to the DOM elements of the page.
– Access is provided indirectly by providing a capability to the page services.

slide-35
SLIDE 35

35

Client-side Confinement – DOM Isolation

[Diagram: the user’s application view is partitioned into the DOM subtrees of components C1, C2 and C3]

slide-36
SLIDE 36

36

Client-side Confinement – DOM Isolation

C2 C2 C1 C1 C3 C3

User’s application view

slide-37
SLIDE 37

37

Client-side Confinement – EventListeners

Capture Phase Bubble Phase

Target e1

C2 C2 C3 C3 C1 C1

slide-38
SLIDE 38

38

Client-side Confinement – EventListeners

[Diagram: capture phase and bubble phase of events e1, e2 and e3 across elements of components C1, C2 and C3, down to the event target]

A DOM element belonging to a component can receive an event only if:

  • It lies in the path from the root of its component to the event’s target.
  • The event target lies in the same component.
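
The two client-side rules above (capability-scoped DOM access from slide 33 and the event-delivery rule from slide 37) as an added example; this is not code from the xBook slides or the xBook prototype. The DOM is modelled as a plain tree so it runs under Node without a browser; the node names, the component ids C0 to C3 and the facade API (q, append, on) are hypothetical.

```javascript
// Added example, not from the xBook slides or prototype: a toy model of
// xBook's client-side confinement. Node names, component ids and the
// facade API are hypothetical.

// A DOM node owned by one component. listeners: [{ phase, label }].
function makeNode(name, component, parent) {
  const node = { name, component, parent, children: [], listeners: [] };
  if (parent) parent.children.push(node);
  return node;
}

// Topmost contiguous ancestor owned by the same component.
function componentRoot(node) {
  let root = node;
  while (root.parent && root.parent.component === node.component) root = root.parent;
  return root;
}

// Root-to-target path, the order the browser walks in the capture phase.
function pathTo(target) {
  const path = [];
  for (let n = target; n; n = n.parent) path.unshift(n);
  return path;
}

// xBook's rule: an element receives an event only if it lies on the path from
// its component's root to the target and the target is in the same component.
function mayReceive(element, target) {
  if (element.component !== target.component) return false;
  const path = pathTo(target);
  const rootIndex = path.indexOf(componentRoot(element));
  return rootIndex !== -1 && path.slice(rootIndex).includes(element);
}

// Dispatch an event at `target`. Returns the labels of the listeners that ran,
// capture phase (root -> target) first, then bubble phase (target -> root).
function dispatch(target) {
  const path = pathTo(target);
  const fired = [];
  const run = (node, phase) => {
    for (const l of node.listeners) {
      if (l.phase === phase && mayReceive(node, target)) fired.push(l.label);
    }
  };
  path.forEach((n) => run(n, 'capture'));
  path.slice().reverse().forEach((n) => run(n, 'bubble'));
  return fired;
}

// Capability facade handed to a component instead of `document`: every
// lookup starts at the component's root and refuses to descend into another
// component's subtree, so foreign elements (and the page) cannot be named.
// Handles returned to the component carry no parent/child references.
function facadeFor(root) {
  const find = (node, name) => {
    if (node.component !== root.component) return null;
    if (node.name === name) return node;
    for (const child of node.children) {
      const hit = find(child, name);
      if (hit) return hit;
    }
    return null;
  };
  const handle = (node) => (node ? { name: node.name, component: node.component } : null);
  return {
    q: (name) => handle(find(root, name)),
    append: (parentName, name) => {
      const parent = find(root, parentName);
      return parent ? handle(makeNode(name, root.component, parent)) : null;
    },
    on: (name, phase, label) => {
      const node = find(root, name);
      if (!node) return false;
      node.listeners.push({ phase, label });
      return true;
    },
  };
}

// Constructed page: C0 is the application shell; C1 (horoscope), C2 (profile)
// and C3 (map) are the example application's components.
function buildPage() {
  const nodes = {};
  const add = (name, component, parentName) => {
    nodes[name] = makeNode(name, component, parentName ? nodes[parentName] : null);
  };
  add('c0-root', 'C0', null);
  add('c1-root', 'C1', 'c0-root');
  add('c1-text', 'C1', 'c1-root');
  add('c2-root', 'C2', 'c0-root');
  add('c2-name', 'C2', 'c2-root');
  add('c3-root', 'C3', 'c0-root');
  add('c3-map', 'C3', 'c3-root');
  return nodes;
}

function demo() {
  const nodes = buildPage();
  const shell = facadeFor(nodes['c0-root']);
  const horoscope = facadeFor(nodes['c1-root']);
  const profile = facadeFor(nodes['c2-root']);
  shell.on('c0-root', 'capture', 'C0:c0-root:capture');
  shell.on('c0-root', 'bubble', 'C0:c0-root:bubble');
  horoscope.on('c1-root', 'bubble', 'C1:c1-root:bubble');
  horoscope.on('c1-text', 'capture', 'C1:c1-text:capture');
  return {
    clickInC1: dispatch(nodes['c1-text']),    // only C1's listeners run
    clickOnShell: dispatch(nodes['c0-root']), // only C0's listeners run
    ownLookup: horoscope.q('c1-text'),        // { name: 'c1-text', component: 'C1' }
    foreignLookup: profile.q('c1-text'),      // null: C2 cannot see C1's DOM
    shellSnoops: shell.on('c1-root', 'bubble', 'snoop'), // false: C0 cannot hook C1
  };
}

console.log(demo());
```

The shell component C0 owns the ancestor of every element on the page, yet a click inside C1 never reaches C0’s listeners, and C0 cannot install a listener inside C1 because its facade will not name C1’s elements; that is the isolation the two slides describe.
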

slide-39
SLIDE 39

39

Communication with external entities

maps.google.com maps.google.com

map

address address

Symmetric communication Symmetric communication

C3 C3

slide-40
SLIDE 40

40

Communication with external entities

maps.google.com maps.google.com

map

address address ADS ADS AD links AD links

Symmetric communication Symmetric communication

C3 C3

slide-41
SLIDE 41

41

Communication with external entities

Problem: C3 cannot communicate with the Ad links. Problem: C3 cannot communicate with the Ad links.

maps.google.com maps.google.com

map

address address ADS ADS AD links AD links

X

Symmetric communication Symmetric communication

C3 C3

slide-42
SLIDE 42

42

Communication with external entities

maps.google.com maps.google.com address address

Asymmetric Communication Asymmetric Communication

C3 C3

slide-43
SLIDE 43

43

Communication with external entities

maps.google.com maps.google.com ADS ADS

map

address address

Asymmetric Communication Asymmetric Communication

C3 C3 AD links AD links Unconfined Unconfined

slide-44
SLIDE 44

44

Communication with external entities

maps.google.com maps.google.com ADS ADS

map

address address

Asymmetric Communication Asymmetric Communication

C3 C3 AD links AD links Unconfined Unconfined

slide-45
SLIDE 45

45

Communication with external entities

Asymmetric communication

[Diagram: C3 still exchanges the address and the map with maps.google.com; the AD links are served by an unconfined component, so the exchange with the ad network is one-way: ads can flow into C3’s view, while C3’s data cannot flow out to the ad network]

slide-46
SLIDE 46

46

xBook on Facebook

  • Ported xBook as an application on Facebook.

– Facebook data feeds xBook’s user data – Available at http://apps.facebook.com/myxbook – Users need to trust only xBook as an application

slide-47
SLIDE 47

47

xBook on Facebook

  • Ported xBook as an application on Facebook.

– Facebook data feeds xBook’s user data.
– Available at http://apps.facebook.com/myxbook
– Users need to trust only xBook as an application.

  • Incentives for application developers

– User attraction: applications developed over xBook provide greater privacy guarantees!
– Future potential: porting xBook as an application on any social networking platform will automatically port all xBook applications.

slide-48
SLIDE 48

48

Applications

  • xBook provides APIs for the development of third party applications.

– Developed two sample applications to show the applicability of the APIs.
– Overhead: 4.2% (horoscope), 3.1% (utility application)

slide-49
SLIDE 49

49

The Labeling System: acts-for hierarchy

  ⊤ (T)
  u0, u1, …          (user principals)
  S(a0, u0)          (server-side component of application a0 running for user u0)
  C(a0, u0)          (client-side component of a0 running for u0)
  C(a0), S(a0)       (application-wide client-side and server-side principals)
  ⊥

User labels get priority over application labels.
Server-side labels get priority over client-side labels.

slide-50
SLIDE 50

50

S0

{ S(a { S(a0

0): }

): } S(a S(a0

0)

)

Sample xBook Flows

address

X X X X

u1 data u0 data

X X

C0

{ } { } C(a C(a0

0, u

, u0

0)

)

Internet C1

{ T: C(a { T: C(a0

0, u

, u0

0) }

) } C(a C(a0

0, u

, u0

0)

)

C3

{ T: C(a { T: C(a0

0, u

, u0

0),

), google google } } C(a C(a0

0, u

, u0

0)

)

S1

{ S(a { S(a0

0): ; T: C(a

): ; T: C(a0

0, u

, u0

0) }

) } S(a S(a0

0, u

, u0

0)

)

app data

{ S(a { S(a0

0): }

): }

X X

slide-51
SLIDE 51

51

X X X X

C0

{ } { } C(a C(a0

0, u

, u0

0)

)

Internet

X X

C3

{ T: C(a { T: C(a0

0, u

, u0

0),

), google google } } C(a C(a0

0, u

, u0

0)

) address

S0

{ S(a { S(a0

0): }

): } S(a S(a0

0)

) L(server L(server, app0) , app0)

Sample xBook Flows

u1 data u0 data

C1

{ T: C(a { T: C(a0

0, u

, u0

0) }

) } C(a C(a0

0, u

, u0

0)

)

S1

{ S(a { S(a0

0): ; T: C(a

): ; T: C(a0

0, u

, u0

0) }

) } S(a S(a0

0, u

, u0

0)

)

app data

{ S(a { S(a0

0): }

): }

X X

L(server L(server, app0) , app0) L(server L(server, app0, user0) , app0, user0) L(client L(client, app0, user0) , app0, user0)

slide-52
SLIDE 52

52

S0

{ S(a { S(a0

0): }

): } S(a S(a0

0)

)

X X

{ S(a { S(a0

0): }

): }

X X

C0

{ } { } C(a C(a0

0, u

, u0

0)

)

Internet

X X

C1

{ T: C(a { T: C(a0

0, u

, u0

0) }

) } C(a C(a0

0, u

, u0

0)

)

C3

{ T: C(a { T: C(a0

0, u

, u0

0),

), google google } } C(a C(a0

0, u

, u0

0)

) address

X X

Sample xBook Flows

u1 data u0 data

S1

{ S(a { S(a0

0): ; T: C(a

): ; T: C(a0

0, u

, u0

0) }

) } S(a S(a0

0, u

, u0

0)

)

app data

L(server L(server, app0, user0) , app0, user0)
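
The acts-for hierarchy of slide 48, the component labels of slide 49 and the asymmetric ad-link communication of slide 44, as one added example; this is not code from the xBook slides or the xBook prototype. Labels are sets of "owner: readers" policies and the reader-set and relabeling rules are those of the decentralized label model, which xBook’s labels resemble. The acts-for edges among the application principals, the label assumed for a user’s own data ({u0: C(a0,u0)}), and the empty label used for the open Internet and for the unconfined ad component are assumptions.

```javascript
// Added example, not from the xBook slides or prototype: a decentralized-
// label checker over an acts-for hierarchy. The edges between application
// principals, the user-data label {u0: C(a0,u0)} and the empty label for the
// Internet and the ad component are assumptions.

const PRINCIPALS = [
  'T', 'u0', 'u1', 'S(a0,u0)', 'C(a0,u0)', 'S(a0,u1)', 'C(a0,u1)', 'S(a0)', 'C(a0)', 'google',
];

// Direct acts-for edges (superior -> inferiors). T acts for everyone; a user
// acts for the application's per-user server principal, which acts for the
// per-user client principal (server-side labels over client-side labels);
// per-user principals act for the application-wide ones.
const ACTS_FOR = {
  T: ['u0', 'u1', 'google'],
  u0: ['S(a0,u0)'],
  u1: ['S(a0,u1)'],
  'S(a0,u0)': ['C(a0,u0)', 'S(a0)'],
  'S(a0,u1)': ['C(a0,u1)', 'S(a0)'],
  'C(a0,u0)': ['C(a0)'],
  'C(a0,u1)': ['C(a0)'],
};

// Reflexive, transitive acts-for relation (the hierarchy is acyclic).
function actsFor(p, q) {
  if (p === q) return true;
  return (ACTS_FOR[p] || []).some((r) => actsFor(r, q));
}

// Effective reader set of one policy "owner: readers": the owner, the listed
// readers, and every principal that acts for one of them.
function readersOf(owner, readers) {
  return new Set(
    PRINCIPALS.filter((p) => actsFor(p, owner) || readers.some((r) => actsFor(p, r))),
  );
}

// A principal may read data only if every policy in the label admits it.
function canRead(principal, label) {
  return Object.entries(label).every(([o, r]) => readersOf(o, r).has(principal));
}

// Data may flow from `from` to `to` only if `to` is at least as restrictive:
// each policy of `from` must be covered by a policy of `to` whose owner acts
// for the original owner and whose reader set is no larger. The empty label
// {} therefore flows anywhere but accepts nothing that carries a policy.
function canFlow(from, to) {
  return Object.entries(from).every(([o1, r1]) => {
    const allowed = readersOf(o1, r1);
    return Object.entries(to).some(
      ([o2, r2]) => actsFor(o2, o1) && [...readersOf(o2, r2)].every((p) => allowed.has(p)),
    );
  });
}

// Component labels from the slide, plus the assumed ones noted above.
const LABELS = {
  u0Data: { u0: ['C(a0,u0)'] }, // assumed: u0 granted a0's client access
  u1Data: { u1: ['C(a0,u1)'] }, // assumed: same form for user u1
  C0: {},
  C1: { T: ['C(a0,u0)'] },
  C3: { T: ['C(a0,u0)', 'google'] },
  S0: { 'S(a0)': [] },
  S1: { 'S(a0)': [], T: ['C(a0,u0)'] },
  appData: { 'S(a0)': [] },
  ads: {},      // unconfined ad-link component
  internet: {}, // anything outside xBook
};

function sampleFlows() {
  return {
    u0DataToC1: canFlow(LABELS.u0Data, LABELS.C1),               // true
    u1DataToC1: canFlow(LABELS.u1Data, LABELS.C1),               // false: user-user access control
    c1ToInternet: canFlow(LABELS.C1, LABELS.internet),           // false: birthday stays inside
    googleReadsC3: canRead('google', LABELS.C3),                 // true: declared in the manifest
    googleReadsC1: canRead('google', LABELS.C1),                 // false
    c1ToC3: canFlow(LABELS.C1, LABELS.C3),                       // false: would expose birthday to google
    c0ToC1: canFlow(LABELS.C0, LABELS.C1),                       // true
    c1ToC0: canFlow(LABELS.C1, LABELS.C0),                       // false
    adsToC3: canFlow(LABELS.ads, LABELS.C3),                     // true: asymmetric communication
    c3ToAds: canFlow(LABELS.C3, LABELS.ads),                     // false: address cannot reach the ad network
    s0ToS1: canFlow(LABELS.S0, LABELS.S1),                       // true
    s1ToAppData: canFlow(LABELS.S1, LABELS.appData),             // false: per-user data stays per user
    appDataToInternet: canFlow(LABELS.appData, LABELS.internet), // false: proprietary data protected
  };
}

console.log(sampleFlows());
```

The reader set is computed over the finite principal universe rather than by comparing reader lists directly; that is what makes ⊤-owned policies behave: {T: C(a0,u0)} cannot be relabeled to {T: C(a0,u0), google} even though T acts for google, because google would become a reader it was not before.
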

slide-53
SLIDE 53

53

Conclusions

  • Presented a novel framework for improving user privacy in social networks in view of third party applications.
  • xBook allows applications to have access to any user data, while still preventing them from leaking the data.
  • A working prototype of the xBook system was developed and is available online.
  • A set of APIs is available for developing xBook applications.

slide-54
SLIDE 54

54

Thank You. Questions? ksingh@cc.gatech.edu