310 likes | 590 Views
Privacy in Online Social Networks. Sonia Jahid Department of Computer Science University of Illinois at Urbana-Champaign March 10, 2011. www.soniajahid.com. Outline. Statistics Privacy Issues Research on Online Social Network security and privacy flyByNight Persona EASiER NOYB.
E N D
Privacy in Online Social Networks Sonia Jahid Department of Computer Science University of Illinois at Urbana-Champaign March 10, 2011 www.soniajahid.com
Outline • Statistics • Privacy Issues • Research on Online Social Network security and privacy • flyByNight • Persona • EASiER • NOYB
Statistics Facebook Case: • More than 500 million active users • 50% of active users log on to Facebook in any given day • Average user has 130 friends • People spend over 700 billion minutes per month on Facebook • There are over 900 million objects that people interact with • Average user is connected to 80 community pages, groups and events • Average user creates 90 pieces of content each month • More than 30 billion pieces of content shared each month. [1] [2] [3]
Privacy Issues • Information leak by the Online Social Network (OSN) • Intentional • “You’ve Been Poked by University Police” • “More Advertising Issues on Facebook” • Accidental • “Facebook Revealed Private Email Addresses Last Night” • “Facebook suspends app that permitted peephole” • Attacks • Spam • Phishing • Oversharing • Stalking 60% users trust their friends 18% users trust the provider 6% users trust strangers [4, 5, 6, 7, 8, 9]
Privacy Policies • Isn’t privacy protected by policies? • Privacy policy changes over time • Confusing! • Leads to unwanted information leak to users! [10]
Research on Privacy in OSN Today’s Focus Cryptography
flyByNight: Mitigating the Privacy Risks of Social Networking Matthew M. Lucas, Nikita Borisov WPES, October 2008
Overview • A facebook application designed to encrypt and decrypt data with an aim to mitigate privacy risks in social networks. • Primary goal: • Hide information transferred through the OSN from the provider and the application server. • Key idea: • Encrypt sensitive data using JavaScript on the client side and send the cipher text to intended parties, i.e., facebook friends. • Uses • El-Gamal encryption • Proxy Cryptography
Architecture • Initialization • Client generates Public/Private key pair, password • Client transfers encrypted private key to flyByNight server, and saves in key Database • Send Data: • Client encrypts private data M with friends’ PK, and tags the encrypted data with friends’ ID, saves encrypted data in message Database on flyByNight server • Receive Data: • Client decrypts private key with password, decrypts M with the private key
One-to-Many Communication • User encrypts the data • User gives the ciphertext to a proxy • User generates a key for the proxy, and for the friend • Proxy transforms the ciphertext for an intended party using El-Gamal encryption
Discussion • One encryption per recipient • A partial solution
Persona: An Online Social Network with User-Defined Privacy Randy Baden, Adam Bender, Neil Spring, Bobby Bhattacharjee SIGCOMM 2009
Overview • A new architecture for OSN that provides privacy • Encryption, Distributed Storage • Key Idea: • Defines social relationships by attribute-key assignment • Encrypts data once for an attribute policy • Provides confidentiality through various cryptographic mechanisms • Stores user information in distributed storage • Provides OSN functionality as services
1 1 1 1 Cryptography (Background on Attribute-based Encryption) PK MSK Key Authority • Message1 can be viewed by • Professor OR (RA AND Security) Professor OR (RA AND Security) PK SKSarah Attribute: Professor, Architecture Professor OR (RA AND Security) SKSam Attribute: RA, Networking Professor OR (RA AND Security) Professor OR (RA AND Security)
Cryptography • Symmetric Keys (AES) • Data Encryption • Attribute-based Encryption (CPABE) • Distribute the AES keys for groups • Distribute RSA keys for group identities • Asymmetric (RSA) keys • Distribute attribute-secret key • Idea: • Generate Attribute Secret Key for U1: ASK1 • Encrypt ASK1 with PK1- EncPK1(ASK1) • Enc(M, K), ABE(K, policy, APK) U1: • Decrypt EncPK1(ASK1) with her RSA private key to get ASK1 • Use ASK1 to get K from ABE(K, policy, APK) • Use K to get M from Enc(M,K) A.APK colleague, neighbor friend, neighbor friend
Architecture • Data storage • Stored/retrieved through get/put • No authentication for get • Functionalities like wall, profile provided through a multiple reader/writer application • Users register for application • Users add ACL to the application page • Application page contains metadata, i.e., references to data • Encryption/Decryption done at client side using browser extension Post (data) Post (ref) ref Application Server (Wall) Storage Service authenticate Alice posts on Bob’s wall
Discussion • Persona does not support efficient revocation • Have to rekey rest of the group just to revoke one user from the group • Though it says distributed storage, physically it is implemented on the same server
EASiER: Encryption-based Access Control in Social Networks with Efficient Revocation Sonia Jahid, Prateek Mittal, and Nikita Borisov ASIACCS, March 2011 (to appear)
Overview • An ABE scheme to enhance privacy in OSN with support for efficient revocation • Supports complete or partial relationship revocation • Primary Goal: • Support efficient revocation in ABE for OSN for fine-grained access control • Key Idea: • Social relationships defined using attribute keys • Introduces a minimally trusted proxy • Rekeys the proxy each time some key is revoked
OR AND Colleague 1 Friend Neighbor Architecture PK, MK KeyProxy (Revoke u1, u2) (SK2) (SK3) (SK1) Proxy CTcomponent Modified CTcomponent u2 u3 u1 21
Discussion • Revoked users can not decrypt future data, and even past data assuming they do not store data. • EASiER efficiently supports the fine-grained access control in existing OSNs • EASiER can be used in any domain that implements ABE • EASiER does not support access delegation • The proxy has to forget old key
NOYB: Privacy in Online Social Networks SaikatGuha, Kevin Tang, and Paul Francis WOSN 2008
Overview • An architecture where user data is scattered and public, and a collection of other users’ data • Key Idea: • Encrypt user data such that the ciphertext follows semantic and statistical properties of legitimate data • Allow the service provider to work on ciphertext
Architecture • Uses out of band channel for key management • User data is divided into atoms • Atoms of similar type constitute a dictionary • Atoms are replaced with other atoms from the dictionary (Carol, F, 27) (Bob, M, 30) (Alice, F, 26) (Alice, F) (26) (Bob, M) (30) (Carol, F) (27) (Alice, F, 27) (Bob, M, 26)
Discussion • Hiding in the crowd • Needs character level substitution for unique values, e.g., email addresses
Conclusion • Online Social Networks need more privacy aware architecture • Lot of research work on OSN security and privacy • Privacy aware works include • Cryptography • Programming language-based access control enforcement • Decentralization of OSN Online Social Network in Real Life
References • Facebook Statistics • Facebook Statistics, Stats & Facts For 2011 • Infographic: Twitter Statistics, Facts & Figures • EDITORIAL: You've been poked by University police • More Advertising Issues on Facebook • Facebook Revealed Private Email Addresses Last Night • Facebook suspends app that permitted peephole • Social phishing, T. N. Jagatic, N. A. Johnson, M. Jakobsson • Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook,” Alessandro Acquisti and Ralph Gross. PET, 2006 • Facebook's Eroding Privacy Policy: A Timeline