
[IEEE 2009 International Conference on Advances in Social Network Analysis and Mining (ASONAM) - Athens, Greece (2009.07.20-2009.07.22)]

SQL Privacy Model for Social Networks

Maryam Majedi, Kambiz Ghazinour, Amir H. Chinaei, Ken Barker
Department of Computer Science, University of Calgary, Calgary, Canada
{mmajedi, kghazino, achinaei, kbarker}@ucalgary.ca

Abstract

This is a preliminary work to extend SQL to support user privacy in social networks. The proposal is to extend the data definition and data manipulation languages to capture privacy-preserved mandatory and discretionary access controls, respectively. Here, we focus on common user privacy requirements, such as purpose, generalization, and retention, used by social networks desiring to support privacy. Hence, each user can discretionarily control the set of privileges over the view representing their profile. We plan to support the extended language with underlying catalogues, algorithms, and prototypes. The objective is to develop a low-cost mechanism to preserve privacy in databases, with applications in social networks, e-health, e-business, e-government, etc.

1. Introduction

The Structured Query Language (SQL) is at the core of millions of database applications, many of which were implemented during the past decade. Current social networks, such as Facebook [9], Flickr [10] and MySpace [11], publish a set of privacy policies indicating the usage of personal information within their network. However, there is no system-level or user-centric protection in place to enforce the privacy policy. Facebook and Flickr have chosen to join a third-party auditing firm to resolve disputes once they occur. MySpace relies on its internal policy to enforce such rules. In this work, we propose a user-centric enforcement of the privacy policies applicable to each of these networks. The proposal extends SQL as a possible underlying language; however, the idea is applicable to other languages too. Similar to Rosenthal and Sciore's contributions [7], we consider three criteria during the extension: modularity, compatibility, and simplicity. Modularity allows system vendors to provide a straightforward implementation of their systems to support the additional privacy provided by this increment. Furthermore, it helps system administrators and end-users to gradually adopt the new features at their discretion. Backward compatibility is critical when transforming legacy systems to their privacy-preserving equivalents. It also provides an easier implementation because it is built on existing technology. Simplicity, which is partially ensured by modularity and compatibility, is a key characteristic for the extension to be accepted by the market.

2. User privacy requirements

The key elements of data privacy are purpose, visibility, generalization, and retention [1, 2].

Purpose specifies the legitimate reasons to access a specific piece of data. Purpose-based access control models require a set of finer grain operations. For example, in standard SQL, the SELECT statement is a coarse operation; but, in purpose-based systems, a SELECT operation with a "survey" purpose might be distinguished from the one with a "marketing" purpose.

Visibility specifies the legitimate users who can access particular data, for a legitimate purpose. Visibility constrains the set of users who can access data with respect to an operation and a purpose. For example, in a social network, the group friend may be defined by the visibility of operation write on a wall. Thus, not every user can write a message on that wall.

Generalization specifies the level of anonymization required when presenting a given data value in response to a legitimate access request from a user for a particular purpose. The level of generalization, denoted by n, depends on the data type, its domain, and the amount of k-anonymity and l-diversity defined by applications [5, 8].

Retention specifies an expiry condition (time, period, number of accesses, etc.), after which the data is no longer accessible, even for legitimate users, purposes, and/or generalization.

Furthermore, each application may define user-defined privacy constraints (UDC) to capture additional privacy semantics. UDCs can be exploited to implement constraints such as obligations, legitimate time and location of access, or legitimate number of accesses.

3. Objective

Our contribution is twofold: first, to extend SQL to preserve privacy in mandatory access control models [6]; second, to extend the SQL security model to preserve privacy in discretionary access control models.

2009 Advances in Social Network Analysis and Mining, 978-0-7695-3689-7, DOI 10.1109/ASONAM.2009.60, p. 369. U.S. Government Work Not Protected by U.S. Copyright.


The SQL security model provides two commands—namely, GRANT and REVOKE—by which users can assign (or remove) privileges to (from) other users.

3.1. Modified GRANT and REVOKE

An optional clause is required to extend the GRANT statement. This clause specifies a privacy policy that includes several restrictions, such as purpose, generalization, and visibility. Moreover, another optional clause may be used to allow the grantee to further grant an operation to others, if desired.

Similar to the modified GRANT, we extend REVOKE to include an optional purpose clause. The default value of purpose is "all", which means that if the clause is omitted, the revokee can no longer use the revoked privilege for any purpose, regardless of his/her intention.
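The paper gives no concrete syntax for the extended GRANT/REVOKE and no layout for the privacy catalogues that Section 3.2 says can be kept as standalone tables. What follows is an added example, not code from the paper: it keeps one catalogue table in SQLite (standing in for any SQL engine), writes a row into it for each discretionary grant together with its purpose, generalization level and retention date, and consults that table on every SELECT or wall write so that purpose, visibility, generalization and retention from Section 2 are enforced without touching the engine. The table and column names, the generalization scheme for dates, the wildcard purpose "all", and the sample users alice, bob and carol are all assumptions made for this example.

```python
# Added example, not from the paper: a privacy catalogue kept as a standalone
# SQLite table, filled by purpose-aware GRANT/REVOKE and checked on each
# access. Table names, the generalization scheme and all data are assumptions.
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE profile (owner TEXT PRIMARY KEY, birthdate TEXT, city TEXT);
CREATE TABLE wall (owner TEXT, author TEXT, message TEXT);
-- visibility: owner-defined groups (e.g. friend) and their members
CREATE TABLE visibility (owner TEXT, grp TEXT, member TEXT,
                         PRIMARY KEY (owner, grp, member));
-- privacy catalogue: one row per discretionary grant with its privacy clause
CREATE TABLE privacy_catalogue (
    owner TEXT, obj TEXT, op TEXT, grp TEXT, purpose TEXT,
    generalization INTEGER NOT NULL DEFAULT 0,  -- level n, 0 = exact value
    expires TEXT,                               -- retention; NULL = none
    PRIMARY KEY (owner, obj, op, grp, purpose));
"""
COLUMNS = ("birthdate", "city")  # allow-list for the one dynamically built query

def grant(conn, owner, op, obj, grp, purpose, generalization=0, expires=None):
    """GRANT op ON obj TO grp FOR purpose [GENERALIZE n] [RETAIN UNTIL expires]."""
    conn.execute("INSERT OR REPLACE INTO privacy_catalogue VALUES (?,?,?,?,?,?,?)",
                 (owner, obj, op, grp, purpose, generalization, expires))

def revoke(conn, owner, op, obj, grp, purpose="all"):
    """REVOKE with an optional purpose; the default 'all' drops every purpose."""
    sql = "DELETE FROM privacy_catalogue WHERE owner=? AND obj=? AND op=? AND grp=?"
    params = [owner, obj, op, grp]
    if purpose != "all":
        sql += " AND purpose=?"
        params.append(purpose)
    conn.execute(sql, params)

def authorised_level(conn, requester, owner, obj, op, purpose, today=None):
    """Least generalization level any unexpired grant gives the requester for
    (obj, op, purpose), or None when no grant applies (access denied)."""
    today = today or date.today().isoformat()
    row = conn.execute("""
        SELECT MIN(c.generalization)
        FROM privacy_catalogue c
        JOIN visibility v ON v.owner = c.owner AND v.grp = c.grp
        WHERE c.owner = ? AND c.obj = ? AND c.op = ?
          AND c.purpose IN (?, 'all')                 -- purpose
          AND v.member = ?                            -- visibility
          AND (c.expires IS NULL OR c.expires >= ?)   -- retention
        """, (owner, obj, op, purpose, requester, today)).fetchone()
    return row[0]  # MIN over an empty set is NULL -> None

def generalize(obj, value, n):
    """Assumed scheme: a YYYY-MM-DD birthdate loses one component per level
    (1 -> YYYY-MM, 2 -> YYYY, 3 -> '*'); other values are suppressed at n >= 1."""
    if n == 0 or value is None:
        return value
    if obj == "birthdate":
        kept = value.split("-")[:max(0, 3 - n)]
        return "-".join(kept) if kept else "*"
    return "*"

def privacy_select(conn, requester, owner, obj, purpose, today=None):
    """SELECT obj FROM profile for the owner, as the purpose-aware DML would run it."""
    if obj not in COLUMNS:          # never interpolate an unchecked column name
        raise ValueError(f"unknown column {obj!r}")
    n = authorised_level(conn, requester, owner, obj, "select", purpose, today)
    if n is None:
        return None
    value = conn.execute(f"SELECT {obj} FROM profile WHERE owner = ?", (owner,)).fetchone()[0]
    return generalize(obj, value, n)

def privacy_write(conn, requester, owner, message, purpose, today=None):
    """Write on the owner's wall; True only if a grant authorises it."""
    if authorised_level(conn, requester, owner, "wall", "write", purpose, today) is None:
        return False
    conn.execute("INSERT INTO wall VALUES (?,?,?)", (owner, requester, message))
    return True

def demo():
    """Constructed sample data: alice's profile, groups and grants, and the
    outcome of several requests (returned so they can be checked)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO profile VALUES ('alice', '1990-05-17', 'Calgary')")
    conn.executemany("INSERT INTO visibility VALUES (?,?,?)",
                     [("alice", "friend", "bob"), ("alice", "acquaintance", "carol")])
    grant(conn, "alice", "select", "birthdate", "friend", "social")
    grant(conn, "alice", "select", "birthdate", "acquaintance", "social", generalization=2)
    grant(conn, "alice", "select", "city", "friend", "social")
    grant(conn, "alice", "select", "city", "acquaintance", "survey", expires="2009-12-31")
    grant(conn, "alice", "write", "wall", "friend", "all")
    t0, t1 = "2009-07-20", "2010-01-01"
    out = {
        "bob_birthdate": privacy_select(conn, "bob", "alice", "birthdate", "social", t0),
        "carol_birthdate": privacy_select(conn, "carol", "alice", "birthdate", "social", t0),
        "bob_city_marketing": privacy_select(conn, "bob", "alice", "city", "marketing", t0),
        "carol_city_before_expiry": privacy_select(conn, "carol", "alice", "city", "survey", t0),
        "carol_city_after_expiry": privacy_select(conn, "carol", "alice", "city", "survey", t1),
        "bob_writes_wall": privacy_write(conn, "bob", "alice", "hi", "social", t0),
        "carol_writes_wall": privacy_write(conn, "carol", "alice", "hi", "social", t0),
    }
    revoke(conn, "alice", "select", "birthdate", "acquaintance")  # purpose 'all'
    out["carol_after_revoke"] = privacy_select(conn, "carol", "alice", "birthdate", "social", t0)
    return out

if __name__ == "__main__":
    print(demo())
```

Running the module prints each request's outcome: a friend sees the exact birthdate, an acquaintance sees only the year, a request for the wrong purpose, from a user outside every granted group, after the retention date, or after a REVOKE with the default purpose "all" returns None rather than raising, which is what a legacy application expecting NULL for a hidden value would see. The column name is checked against an allow-list before it is interpolated into the SELECT, since that is the one place the query text is built dynamically.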

3.2. Corresponding Privacy Catalogues

To represent the models' semantics, we need to define a set of privacy catalogues. The catalogues should represent the privacy policies, defined by the corporation or by the users, and are ideally implemented as part of the system catalogues. However, for simplicity, we implement them as a set of standalone tables. This allows legacy systems to utilize the extension without the need for a major upgrade to the database engine itself.

4. Related Work

There are several proposals to increase the SQL expressivity. Barker and Rosenthal demonstrate how policies, specified in stratified logic, may be exploited to help security administrators recognize the behavior of access control systems [3]. The policies are transformed into a subset of SQL statements to guarantee that only legitimate users have access to data.

Agrawal et al. propose a grant-based model to describe a language construct capable of specifying restrictions at the row, column, and cell levels [1]. In their approach, grant statements can be translated to security views. They also introduce a new algorithm for translating P3P privacy policies [4] into their proposed construct.

van Staden and Olivier also acknowledge that users must declare their intention to access a data value and their intention must be compared against their profile [12]. Furthermore, they state that privacy preservation cannot be accomplished by using a discretionary access control model only. Instead, they propose a hybrid DAC model in which the system security officer binds purposes to data and then grants a proper privilege to the user to access that data. Similarly, Pun et al. have extended the SQL data definition language to capture privacy preservation in mandatory access control models [6].

5. Conclusions

We have proposed a privacy-preserved relational model by extending SQL to support both mandatory and discretionary access controls, with application in social networks, e-health, e-government, etc. The approach supports well-known privacy concepts such as purpose, visibility, generalization, and retention. We also consider a mechanism to capture application-based constraints. Furthermore, the extension promises to be simple, modular, and backward compatible. Hence, it can be utilized for both new designs and legacy systems. We plan to support our proposal with semantics defined operationally in a relational model. We would also like to support this work with details of the syntax and algorithms, similar to our other work on this topic [6].

6. References

[1] R. Agrawal, P. M. Bird, T. W. A. Grandison, G. G. Kiernan, S. I. Logan, and W. Rjaibi, "Extending Relational Database Systems to Automatically Enforce Privacy Policies", Proceeding of 21st ICDE, Japan, 2005, pp. 1013–1023.

[2] K. Barker, M. Askari, M. Banerjee, K. Ghazinour, B. Mackas, M. Majedi, S. Pun and A. Williams, "A Data Privacy Taxonomy", Proceeding of BNCOD09 (in press), England, 2009.

[3] S. Barker and A. Rosenthal, "Flexible Security Policies in SQL", Proceeding of 15th Annual IFIP Working Conference on Database and Application Security, Canada, 2001, pp. 167–180.

[4] L. F. Cranor, Web Privacy with P3P. O'Reilly Media, 2002.

[5] A. Machanavajjhala, J. Gehrke, D. Kifer and M. Venkitasubramaniam, "l-Diversity: Privacy Beyond k-Anonymity", Proceeding of ICDE, USA, 2006, pp. 24–35.

[6] S. Pun, A. H. Chinaei and K. Barker, "Twins (1): Extending SQL to Support Corporation Privacy Policies in Social Networks", Proceeding of ASONAM (in press), Greece, 2009.

[7] A. Rosenthal and E. Sciore, "Extending SQL's Grant and Revoke Operations, to Limit and Reactivate Privileges", IFIP Workshop on Database Security, The Netherlands, 2000, pp. 209-220.

[8] L. Sweeney, "k-Anonymity: A Model for Protecting Privacy", International Journal of Uncertainty Fuzziness and Knowledge Based Systems, 2002, pp. 557-570.

[9] The Facebook. Privacy Policy. Available at: http://facebook.com/policy.php, March 2009.

[10] The Flickr. Privacy Policy. Available at: http://www.flickr.com/privacy_policy.gne, March 2009.

[11] The Myspace. Privacy Policy. Available at: http://www1.myspace.com/index.cfm?fuseaction=misc.privacy, March 2009.

[12] W. J. C. van Staden and M. S. Olivier, "SQL's Revoke with a View on Privacy", Proceeding of SAICSIT, South Africa, 2007, pp. 181-188.
