
Security and Privacy in Social Networks

Web-based social networks (WBSNs) are online communities where participants can establish relationships and share resources across the Web with other users. In recent years, several WBSNs have adopted Semantic Web technologies, such as FOAF, for representing users' data and relationships, which makes it possible to exchange information across multiple WBSNs. Despite its advantages in terms of information diffusion, this has raised the need to give content owners more control over the distribution of their resources, which may be accessed by a community far wider than they expected.

So far, this issue has been addressed by some of the available Social Network Management Systems (SNMSs) by allowing users to state whether a specific piece of information (e.g., personal data and resources) should be public or accessible only to the users with whom the owner of that information has a direct relationship. Such simple access control strategies have the advantage of being straightforward but, on the one hand, they may grant access to non-authorized users and, on the other hand, they are not flexible enough in denoting authorized users. In fact, they do not take into account the type of relationship existing between users and, consequently, it is not possible to state that only, say, my "friends" can access a given piece of information. Moreover, they do not allow access to be granted to users who have an indirect relationship with the resource owner (e.g., the "friends of my friends").

We think that more flexible mechanisms are needed, enabling a user to decide which network participants are authorized to access his/her resources and personal information; such mechanisms may be the basis for a more comprehensive privacy and security framework for social networks.

For these purposes, we are investigating how to address security issues in WBSNs along two complementary directions, namely, access control and privacy protection.

Access Control for WBSNs

We defined an access control model for WBSNs in which policies are specified in terms of constraints on the type, depth, and trust level of the relationships existing between users. Relevant features of our model are the use of certificates for guaranteeing the authenticity of relationships, and the client-side enforcement of access control according to a rule-based approach, where a subject requesting access to an object must demonstrate, by means of a proof, that it has the right to do so. We have also proposed a decentralized system architecture in support of access control enforcement, based on the interaction of two kinds of agents: the central node of the network, which stores and manages the certificates specified by users, and a set of peripheral nodes, in charge of storing access rules and performing access control.
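As an added example, not code from this project or from the papers listed below, the following Python sketch shows how such a rule could be enforced end to end: the central node certifies relationships, the requester assembles a chain of certificates as its proof, and the peripheral node checks that proof against the owner's constraints on type, depth and trust. The HMAC-based certificates, the user names and trust values, and the choice to compute the trust of a chain as the product of its edge trust levels are all assumptions of this example.

```python
import hashlib
import hmac
import json
from collections import deque

# Central node key for certificate authentication. HMAC is used here so the
# example runs with the standard library alone; a deployment would use public-key
# signatures so that peripheral nodes verify without sharing a secret (assumption).
CENTRAL_NODE_KEY = b"central-node-key"

def issue_certificate(key, holder, rel_type, target, trust):
    """Central node: certify 'holder --rel_type--> target' with trust in [0, 1]."""
    body = json.dumps({"holder": holder, "type": rel_type, "target": target,
                       "trust": trust}, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify_certificate(key, cert):
    """Return the certified statement, or raise if the certificate was altered."""
    expected = hmac.new(key, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        raise ValueError("invalid certificate signature")
    return json.loads(cert["body"])

def find_proof(certs, owner, requester, rel_type, max_depth):
    """Requester side: breadth-first search for a chain of rel_type certificates
    from the resource owner to the requester, at most max_depth long."""
    adjacency = {}
    for cert in certs:
        body = json.loads(cert["body"])
        if body["type"] == rel_type:
            adjacency.setdefault(body["holder"], []).append((body["target"], cert))
    queue, seen = deque([(owner, [])]), {owner}
    while queue:
        node, path = queue.popleft()
        if node == requester and path:
            return path  # shortest chain, not necessarily the most trusted one
        if len(path) >= max_depth:
            continue
        for nxt, cert in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [cert]))
    return None

def check_proof(key, rule, owner, requester, proof):
    """Peripheral node: accept the proof only if every certificate is authentic,
    the chain links owner to requester with the required type, its length is
    within the rule's depth, and its trust meets the rule's threshold. The trust
    of a chain is taken here as the product of its edge trust levels (assumption)."""
    if not proof or len(proof) > rule["max_depth"]:
        return False
    current, trust = owner, 1.0
    try:
        for cert in proof:
            body = verify_certificate(key, cert)
            if body["holder"] != current or body["type"] != rule["type"]:
                return False
            current, trust = body["target"], trust * body["trust"]
    except ValueError:
        return False
    return current == requester and trust >= rule["min_trust"]

def request_access(certs, owner, requester, rule, key=CENTRAL_NODE_KEY):
    """Full exchange: requester builds the proof, peripheral node checks it."""
    proof = find_proof(certs, owner, requester, rule["type"], rule["max_depth"])
    return check_proof(key, rule, owner, requester, proof)

# Constructed sample network: alice's rule for her photo album and the
# relationship certificates issued by the central node.
RULE = {"type": "friend", "max_depth": 2, "min_trust": 0.5}
CERTS = [
    issue_certificate(CENTRAL_NODE_KEY, "alice", "friend", "bob", 0.9),
    issue_certificate(CENTRAL_NODE_KEY, "bob", "friend", "carol", 0.8),
    issue_certificate(CENTRAL_NODE_KEY, "carol", "friend", "dave", 0.7),
    issue_certificate(CENTRAL_NODE_KEY, "alice", "colleague", "eve", 1.0),
    issue_certificate(CENTRAL_NODE_KEY, "bob", "friend", "frank", 0.4),
]

if __name__ == "__main__":
    for who in ("carol", "dave", "eve", "frank"):
        print(who, "granted" if request_access(CERTS, "alice", who, RULE) else "denied")
```

With this sample, carol is granted (friend of a friend, trust 0.72), dave is denied because the only chain is three steps long, eve is denied because her relationship is of the wrong type, and frank is denied because the chain's trust (0.36) is below the threshold. A certificate whose trust value is edited after issue fails verification at the peripheral node, which is the point of certifying relationships rather than trusting the requester's claims.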

Related publications

Enforcing Access Control in Web-based Social Networks (2008)

Barbara Carminati, Elena Ferrari, Andrea Perego

ACM Transactions on Information & System Security, 2008. To appear.

Rule-based Access Control for Social Networks (2006)

Barbara Carminati, Elena Ferrari, Andrea Perego

Proceedings: OTM Workshops 2006, pp. 1734–1744, 2006

Privacy Protection in WBSNs

Relationships in a social network may give rise to relevant privacy concerns. For instance, a user may wish to keep private the fact that he/she has a relationship of a given type with a certain user. In other cases, a user may wish to prevent other users from knowing that he/she has any relationship of a given type at all, regardless of the user with whom it is established.

For this purpose, we have complemented our access control model with a mechanism able to enforce different privacy requirements on social network relationships. The key point is that, since relationship information is fundamental for access control, we have to devise a method that protects the privacy of relationships and, at the same time, keeps such information usable for access control purposes.

To address this issue, we specify privacy requirements through a set of distribution rules, which state the protection requirements to be enforced on a relationship. Cryptographic techniques are then used to enforce distribution rules and to avoid the privacy breaches that may arise while access control is being carried out.
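As an added example, and not the mechanism of the papers listed below, the following Python sketch enforces the two privacy requirements above with cryptography: the partner of a relationship is hidden by encrypting its certificate under a key that the holder hands only to users satisfying the distribution rule, and the type of the relationship is hidden from the central node behind a keyed-hash label. The owner secret, the user names, the toy SHA-256 keystream cipher standing in for an AEAD such as AES-GCM, and the direct key hand-over are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated cipher (SHA-256 keystream in counter mode, encrypt-then-MAC).
# It stands in for a real AEAD such as AES-GCM; an assumption of this example.
def keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered record")
    return keystream_xor(key, nonce, ct)

def derive_key(owner_secret, purpose):
    """Per-owner, per-purpose key; owner_secret never leaves the owner."""
    return hashlib.sha256(owner_secret + b"|" + purpose.encode()).digest()

def publish_relationship(owner, owner_secret, rel_type, target, dist_rule):
    """Holder side. dist_rule is the relationship type with the holder that
    entitles a user to learn this relationship; None means public."""
    cert = json.dumps({"holder": owner, "type": rel_type, "target": target}).encode()
    if dist_rule is None:
        return {"owner": owner, "label": rel_type, "blob": cert, "protected": False}
    # Keyed-hash label: the central node learns that *some* relationship exists,
    # not its type; the partner is only inside the encrypted certificate.
    label = hmac.new(derive_key(owner_secret, "label"), rel_type.encode(),
                     hashlib.sha256).hexdigest()[:16]
    key = derive_key(owner_secret, "dist:" + dist_rule)
    return {"owner": owner, "label": label, "blob": encrypt(key, cert), "protected": True}

def grant_keys(owner_secret, rules_satisfied):
    """Holder hands a user the keys of the distribution rules that user satisfies."""
    return {rule: derive_key(owner_secret, "dist:" + rule) for rule in rules_satisfied}

def read_relationships(store, owner, keys_held):
    """Requester side: recover the relationships of 'owner' it is entitled to see.
    Returns (readable certificates, number of records that stayed opaque)."""
    readable, opaque = [], 0
    for rec in store:
        if rec["owner"] != owner:
            continue
        if not rec["protected"]:
            readable.append(json.loads(rec["blob"]))
            continue
        for key in keys_held.values():
            try:
                readable.append(json.loads(decrypt(key, rec["blob"])))
                break
            except ValueError:
                continue
        else:
            opaque += 1
    return readable, opaque

# Constructed sample: alice protects her friend and colleague lists differently.
ALICE_SECRET = b"alice-secret-known-only-to-alice"
STORE = [  # what the central node holds
    publish_relationship("alice", ALICE_SECRET, "friend", "bob", "friend"),
    publish_relationship("alice", ALICE_SECRET, "colleague", "carol", "colleague"),
    publish_relationship("alice", ALICE_SECRET, "friend", "dave", None),
]

if __name__ == "__main__":
    for who, rules in (("bob", ["friend"]), ("carol", ["colleague"]), ("eve", [])):
        readable, opaque = read_relationships(STORE, "alice", grant_keys(ALICE_SECRET, rules))
        print(who, "sees", [r["target"] for r in readable], "opaque:", opaque)
```

A user who decrypts a certificate obtains the same relationship statement it would use in an access control proof, which is how the protected information stays usable for access control. Two things remain visible and are worth noting in a real design: the central node still sees how many protected records a user has, and two protected relationships of the same type carry the same label, so equality of type leaks even though the type itself does not.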

Related publications

A Decentralized Security Framework for Web-based Social Networks (2008)

Barbara Carminati, Elena Ferrari, Andrea Perego

International Journal of Information and System Security 2(4):22–53, 2008.

Private Relationships in Social Networks (2007)

Barbara Carminati, Elena Ferrari, Andrea Perego

Proceedings: ICDE Workshops 2007, pp. 163–171, 2007

The documents distributed by this server have been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.
