Privacy leakage analysis in online social networks

Download Privacy leakage analysis in online social networks

Post on 01-Apr-2017




0 download

Embed Size (px)


<ul><li><p>Accepted Manuscript</p><p>Privacy Leakage Analysis in Online Social Networks</p><p>Yan Li , Yingjiu Li , Qiang Yan , Robert H. Deng</p><p>PII: S0167-4048(14)00158-8</p><p>DOI: 10.1016/j.cose.2014.10.012</p><p>Reference: COSE 847</p><p>To appear in: Computers &amp; Security</p><p>Received Date: 16 June 2014</p><p>Revised Date: 16 September 2014</p><p>Accepted Date: 19 October 2014</p><p>Please cite this article as: Li Y, Li Y, Yan Q, Deng RH, Privacy Leakage Analysis in Online SocialNetworks, Computers &amp; Security (2014), doi: 10.1016/j.cose.2014.10.012.</p><p>This is a PDF file of an unedited manuscript that has been accepted for publication. As a service toour customers we are providing this early version of the manuscript. The manuscript will undergocopyediting, typesetting, and review of the resulting proof before it is published in its final form. Pleasenote that during the production process errors may be discovered which could affect the content, and alllegal disclaimers that apply to the journal pertain.</p><p></p></li><li><p>MAN</p><p>USCR</p><p>IPT</p><p>ACCE</p><p>PTED</p><p>ACCEPTED MANUSCRIPT</p><p> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 </p><p>Privacy Leakage Analysis in Online Social Networks</p><p>Yan Lia,, Yingjiu Lia, Qiang Yana, Robert H. Denga</p><p>aSchool of Information Systems, Singapore Management University</p><p>Abstract</p><p>Online Social Networks (OSNs) have become one of the major platforms for social interactions, such as building up relationship,sharing personal experiences, and providing other services. The wide adoption of OSNs raises privacy concerns due to personaldata shared online. Privacy control mechanisms have been deployed in popular OSNs for users to determine who can view theirpersonal information. However, users sensitive information could still be leaked even when privacy rules are properly configured.We investigate the effectiveness of privacy control mechanisms against privacy leakage from the perspective of information flow.Our analysis reveals that the existing privacy control mechanisms do not protect the flow of personal information effectively. Byexamining representative OSNs including Facebook, Google+, and Twitter, we discover a series of privacy exploits. We find thatmost of these exploits are inherent due to the conflicts between privacy control and OSN functionalities. The conflicts reveal that theeffectiveness of privacy control may not be guaranteed as most OSN users expect. We provide remedies for OSN users to mitigatethe risk of involuntary information leakage in OSNs. Finally, we discuss the costs and implications of resolving the privacy exploits.</p><p>Keywords: Online social network, privacy control, information flow, private information leakage, inherent exploit</p><p>1. Introduction</p><p>Online Social Network services (OSNs) have become an es-sential element in modern life for human beings to stay con-nected to each other. About 82% online population use at leastone OSN such as Facebook, Google+, Twitter, and Linkedln,which facilitates building relationship, sharing personal expe-riences, and providing other services [1]. Via OSNs, massiveamount of personal data is published online and accessed byusers from all over the world. Prior research [2, 3, 4, 5] showsthat it is possible to infer undisclosed personal data from pub-licly shared information. Nonetheless, the availability and qual-ity of the public data causing privacy leakage are decreasing dueto the following reasons: 1) privacy control mechanisms havebecome the standard feature of OSNs and keep evolving. 2) thepercentage of users who choose not to publicly share informa-tion is also increasing [4]. In this tendency, it seems that privacyleakage could be prevented as increasingly comprehensive pri-vacy control is in place. However, this may not be achievableaccording to our findings.</p><p>Instead of focusing on new attacks, we investigate the prob-lem of privacy leakage under privacy control (PLPC). PLPCrefers to private information leakage even if privacy rules areproperly configured and enforced. For example, Facebook al-lows its users to control over who can view their friend listson Facebook. Alice, who has Bob in her friend list on Face-book, may not allow Bob to view her complete friend list. Asan essential functionality, Facebook recommends to Bob a list</p><p>Corresponding authorEmail addresses: (Yan Li),</p><p> (Yingjiu Li), Yan), (Robert H. Deng)</p><p>of users, called people you may know, to help Bob make morefriends. This list is usually compiled by enumerating the friendsof Bobs friends on Facebook, which includes Alices friends.Even though Alice doesnt allow Bob to view her friend list,Alices friend list could be leaked as recommendation to Bobby Facebook.</p><p>We investigate the underlying reasons that make privacycontrol vulnerable from the perspective of information flow. Westart with categorizing the personal information of an OSN userinto three attribute sets according to who the user is, whom theuser knows, and what the user does, respectively. We modelthe information flow between these attribute sets and examinethe functionalities which control the flow. We inspect repre-sentative real-world OSNs including Facebook, Google+, andTwitter, where privacy exploits and their corresponding attacksare identified.</p><p>Our analysis reveals that most of the privacy exploits are in-herent due to the underlying conflicts between privacy controland essential OSN functionalities. The recommendation fea-ture for social relationship is a typical example, where it helpsexpanding a users social network but it may also conflict withother users privacy concerns for hiding their social relation-ships. Therefore, the effectiveness of privacy control may notbe guaranteed even if it is technically achievable. We investi-gate necessary conditions for protecting against privacy leakagedue to the discovered exploits and attacks. Based on the neces-sary conditions, we provide suggestions for users to minimizethe risk of involuntary information leakage when sharing pri-vate personal information in OSNs.</p><p>We analyze the potentially vulnerable users due to our iden-tified attacks through user study, in which we investigate partic-ipants usage, knowledge, and privacy attitudes towards Face-</p><p>Preprint submitted to Elsevier September 16, 2014</p><p>;docID=4856&amp;rev=1&amp;fileID=150428&amp;msid={18C385EE-58FA-447C-A69C-EDCD002D2666}</p></li><li><p>MAN</p><p>USCR</p><p>IPT</p><p>ACCE</p><p>PTED</p><p>ACCEPTED MANUSCRIPT</p><p> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 </p><p>book, Google+, and Twitter. Based on the collected data, we in-vestigate the vulnerability of these participants who could leakthe private information through the attacks. We further discussthe costs and implications of resolving these privacy exploits.</p><p>We summarize the contributions of this paper as follows:</p><p> We investigate the interaction between privacy controland information flow in OSNs. We show that the conflictbetween privacy control and essential OSN functionali-ties restricts the effectiveness of privacy control in OSNs.</p><p> We identify privacy exploits for current privacy con-trol mechanisms in typical OSNs, including Facebook,Google+, and Twitter. Based on these privacy exploits,we introduce a series of attacks for adversaries with dif-ferent capabilities to obtain private personal information.</p><p> We investigate necessary conditions for protectingagainst privacy leakage due to the discovered exploits andattacks. We provide suggestions for users to minimizethe risk of privacy leakage in OSNs. We also analyze thecosts and implications of resolving discovered exploits.While it is possible to fix the exploits due to implemen-tation defects, it is not easy to eliminate the inherent ex-ploits due to the conflicts between privacy control and thefunctionalities. These conflicts reveal that the effective-ness of privacy control may not be guaranteed as mostOSN users expect.</p><p>The rest of this paper is organized as follows: Section 2 pro-vides background information about OSNs. Section 3 presentsour threat model and assumptions. Section 4 models informa-tion flows between attribute sets in OSNs. Section 5 presentsdiscovered exploits, attacks, and mitigations for the exploits.Section 6 analyzes the potentially vulnerable users due to theattacks. Section 7 discusses the implications of our findings.Finally, Section 8 describes related work and Section 9 summa-rizes our conclusions.</p><p>2. Background</p><p>In a typical OSN, Alice owns a space which consists of aprofile page and a feed page for publishing Alices personal in-formation and receiving other users personal information, re-spectively. Alices profile page displays Alices personal in-formation, which can be viewed by others. Alices feed pagedisplays other users personal information which Alice wouldlike to keep up with. The personal information in a users pro-file page can be categorized into three attribute sets: a) personalparticular set (PP set), b) social relationship set (SR set), and c)social activity set (SA set), according to who the user is, whomthe user interact with, and what the user does, respectively. Weshow corresponding personal information and attribute sets onFacebook, Google+, and Twitter in Table 1.</p><p>Alices PP set describes persistent facts about Alice in anOSN, such as gender, date of birth, and race, which usually donot change frequently. Alices SR set records her social rela-tionships in an OSN, which consist of an incoming list and an</p><p>outgoing list. The incoming list consists of the users who in-clude Alice as their friends while the outgoing list consists ofthe users whom Alice includes as her friends. In particular, onGoogle+, the incoming list and the outgoing list correspond tohave you in circles and your circles, respectively. On Twit-ter, the incoming list and the outgoing list correspond to fol-lowing and follower, respectively. The social relationshipsin certain OSNs are mutual. For example, on Facebook, if Aliceis a friend of Bob, Bob is also a friend of Alice. In such a case,a users incoming list and outgoing list are the same, which arecalled friend list. Lastly, Alices SA set describes Alices socialactivities in her daily life. The SA set includes status messages,photos, links, videos, etc.</p><p>To enable users protect their personal information in thethree attribute sets, most OSNs provide privacy control, bywhich users may set up certain privacy rules to control the dis-closure of their personal information. Given a piece of personalinformation, the privacy rules specify who can/cannot view theinformation. A privacy rule usually contains two types of lists,white list, and black list. A white list specifies who can viewthe information while a black list specifies who cannot view theinformation. A white/black list could be local or global. If awhite/black list is local, this list takes effect on specific infor-mation only (e.g. an activity, age information, or gender infor-mation). If a white/black list is global, this list takes effect onall information in a users profile page. For example, if Alicewants to share a status with all her friends except Bob, Alicemay use a local white list which includes all Alices friends,as well as a local black list which includes Bob only. If Alicedoesnt want to share any information with Bob, she may use aglobal black list which includes Bob.</p><p>To help users share their personal information and interactwith each other, most OSNs provide four basic functionalitiesincluding PUB, REC, TAG, and PUSH. The first three func-tionalities, PUB, REC, and TAG, mainly affect the personalinformation displayed in a users profile page, while the lastfunctionality PUSH makes some other users personal informa-tion appear in the users feed page. These basic functionalitiesare described as follows. We exclude any other functionalitieswhich are not relevant to our findings.</p><p>Alice can use PUB functionality to share her personal infor-mation with other users. As shown in Figure 1a, PUB displaysAlices personal information in her profile page. Other usersmay view Alices personal information in Alices profile page.</p><p>To help Alice make more friends in an OSN, REC is an es-sential functionality by which the OSN recommends to Alice alist of users that Alice may include in her SR set. The list of rec-ommended users is composed based on the social relationshipsof the users in Alices SR set. Considering an example shownin Figure 1b, Alices SR set consists of Bob while Bobs SRset consists of Alice, Carl, Derek, and Eliza. After Alice logsinto her space, REC automatically recommends Carl, Derek,and Eliza to Alice who may update her SR set. If Alice intendsto include Carl in her SR set, Alice may need Carls approvaldepending on OSN implementations. Upon approval if needed,Alice can include Carl in her SR set. At the same time, Alice isautomatically included in Carls SR set. In particular, on Face-</p><p>2</p></li><li><p>MAN</p><p>USCR</p><p>IPT</p><p>ACCE</p><p>PTED</p><p>ACCEPTED MANUSCRIPT</p><p> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 </p><p>Table 1: Types of Personal Information on Facebook, Google+, and TwitterAcronym Attribute set Facebook Google+ Twitter</p><p>PP Personal Particu-lars</p><p>Current city, hometown,sex, birthday, relation-ship status, employer,college/university, highschool, religion, politi-cal views, music, books,movies, emails, address,city, zip</p><p>Taglines, introduc-tion, bragging rights,occupation, employ-ment, education, placeslived, home phone,relationship, gender</p><p>Name, location,bio, website</p><p>SR Social Relation-ship (incominglist, outgoing list)</p><p>Friends, friends Have you in circles, yourcircles</p><p>Following, fol-lower</p><p>SA Social Activities Status message, photo,link, video, comments,like</p><p>Post, photo, comments,link, video, plus 1s</p><p>Tweets</p><p>(a) Alice publishes her personal information (b) Bobs social relationships are recommendedto Alice</p><p>(c) Alice tags Bob in her social activity (d) Bobs personal information is pushed to Al-ices feed page when Bob publishes his personalinformation</p><p>Figure 1: Basic functionalities in OSNs</p><p>book, if Alice intends to include Carl in her SR set, Alice needsto get Carls approval. Upon approval, Alice includes Carl inher friend list. Meanwhile, Facebook automatically includesAlice in Carls friend list. On Google+, Alice can include Carlin her outgoing list without Carls approval. Then Google+ au-tomatically includes Alice in Carls incoming list. On Twitter,if Alice intends to include Carl in her SR set, Alice may needCarls approval depending on Carl option whether his approvalis required. Upon approval if required, Alice includes Carl i...</p></li></ul>