Abstract
Recent years have seen unprecedented growth in the popularity of social network systems, with Facebook being an archetypical example. The access control paradigm behind the privacy preservation mechanism of Facebook is distinctly different from such existing access control paradigms as Discretionary Access Control, Role-Based Access Control, Capability Systems, and Trust Management Systems. This work takes a first step in deepening the understanding of this access control paradigm, by proposing an access control model that formalizes and generalizes the privacy preservation mechanism of Facebook. The model can be instantiated into a family of Facebook-style social network systems, each with a recognizably different access control mechanism, so that Facebook is but one instantiation of the model. We also demonstrate that the model can be instantiated to express policies that are not currently supported by Facebook but possess rich and natural social significance. This work thus delineates the design space of privacy preservation mechanisms for Facebook-style social network systems, and lays out a formal framework for policy analysis in these systems.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fong, P.W.L., Anwar, M., Zhao, Z. (2009). A Privacy Preservation Model for Facebook-Style Social Network Systems. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_19
DOI: https://doi.org/10.1007/978-3-642-04444-1_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04443-4
Online ISBN: 978-3-642-04444-1
eBook Packages: Computer Science (R0)