Enabling Collaborative Data Sharing in Google+(Technical Report, SEFCOM, March 2012)

Hongxin Hu, Gail-Joon Ahn and Jan JorgensenArizona State UniversityTempe, AZ 85287, USA

{hxhu,gahn,jan.jorgensen}@asu.edu

ABSTRACTMost of existing online social networks, such as Facebook andTwitter, are designed to bias towards information disclosure to alarge audience. Google recently launched a new social networkplatform, Google+. By introducing the notion of ‘circles’, Google+enables users to selectively share data with specific groups withintheir personal network, rather than sharing with all of their socialconnections at once. Although Google+ can help mitigate the gapbetween the individuals’ expectations and their actual privacy set-tings, it still only allows a single user to restrict access to her/hisdata but cannot provide any mechanism to enforce privacy con-cerns over data associated with multiple users. In this paper, wepropose an approach to facilitate collaborative privacy managementof shared data in Google+. We formulate a circle-based multipartyaccess control model (CMAC) to capture the essence of collabora-tive authorization requirements in Google+, along with a multipartypolicy specification scheme and a policy enforcement mechanism.We also discuss a proof-of-concept prototype of our approach anddescribe system evaluation and usability study of our prototype.

Categories and Subject DescriptorsD.4.6 [Security and Protection]: Access controls; H.2.7 [InformationSystems]: Security, integrity, and protection

General TermsSecurity, Management

KeywordsGoogle+, Social Networks, Access Control, Collaborative, Privacy

1. INTRODUCTIONOnline social networks (OSNs) have experienced explosive growth

in recent years and become a de facto portal for hundreds of mil-lions of Internet users. Facebook, for example, claims that it hasmore than 800 million active users [2]. As the popularity of OSNscontinues to grow, a huge amount of possibly sensitive and privateinformation has been uploaded to OSNs. To protect such a largevolume of sensitive information, access control has received con-siderable attention as a central feature of OSNs [1, 4].

Today, nearly 4 out of 5 active Internet users visit OSNs [11],leading to a fundamental shift in the patterns of information ex-change over the Internet. Users in OSNs are now required to becontent creators and managers, rather than just being content con-sumers. A typical OSN allows users to create connections to ‘friends’,thereby sharing with them a wide variety of personal information.These connections, however, rarely distinguish between differenttypes of relationship. Even within a network of ‘friends’, users may

want to regulate the sharing of information with different peoplebased on their different relationships. Unfortunately, most of ex-iting OSNs could not provide effective mechanisms to sufficientlyaddress how to organize people and how to utilize relationshipsfor privacy settings. For example, Facebook has introduced an op-tional feature called Friend Lists which allows us to group friendsand specify whether a piece of data should be visible or invisibleto a particular friend list [6]. However, studies have consistentlyshown that users struggle to adopt this feature for managing theirfriends and customizing their privacy settings [12, 23, 39], due inpart to an unintuitive and convoluted process [33, 42]. As a result,significant privacy violations and mismatched user expectations inOSNs were identified [35, 36, 45]. In particular, as demonstratedin [35], less than 40% of privacy settings match users’ expectationsin Facebook.

To address the above-mentioned issue, Google recently launcheda new social network service, namely Google+ [5], by utilizing‘circles’ as its fundamental design feature for sorting connectionsand enabling users to selectively share the information with theirfriends, family, colleagues, etc, instead of sharing with all of theirconnections. Circles even demonstrate how users can accommo-date different roles that they normally play in their daily life. Es-pecially, compared with Facebook’s user management, the intuitiveuser interface of Google+ helps a user manage his/her OSN friendsthrough an easy drag-and-drop function.

Despite the fact that Google+ can help mitigate the gap betweenthe users’ expectations and their actual privacy settings, it still onlyallows a single user to regulate access to information containedin their own spaces but cannot provide control over data residingoutside their spaces. For instance, if a user posts a comment ina friend’s space, s/he cannot specify who can view the comment.Furthermore, when a user uploads a photo and tags friends who ap-pear in the photo, the tagged friends cannot govern who can see thisphoto, even though the tagged friends may have different privacyconcerns about the photo. To address such a critical issue, Google+has offered several preliminary protection mechanisms. For ex-ample, Google+ allows tagged users to remove the tags linked totheir profiles or report violations asking Google+ managers to re-move the contents that they do not want to share with the public.However, these simple protection mechanisms suffer from severallimitations. On one hand, removing a tag from a photo can onlyprevent other members from viewing a user’s profile by means ofthe association link, but the user’s image is still contained in thephoto. Since original access control policies cannot be changed,the user’s image continues to be disclosed to all authorized users.On the other hand, reporting to Google+ only allows to either keepor delete the content. Such a binary decision from Google+ man-agers is either too loose or too restrictive, relying on the Google+’sadministration and requiring several people to report their requeston the same content. In another example, the first privacy flaw in

Google+ was identified in [8] and this flaw implies that any contentshared with a particular circle could be reshared with anyone bysomeone from those circles. This problem was fixed by Google+by disabling limited content to be sharable publicly. However, thissolution still cannot prevent users who can access the shared con-tent from disseminating the content to anyone in their circles, whichmay violate the original content owner’s privacy control. Hence,it is essential to develop an effective and flexible access controlmechanism for Google+, accommodating the special authorizationrequirements coming from multiple associated users for managingthe shared data collaboratively.

In this paper, we attempt to explore a systematic method to en-able collaborative management of shared data in Google+. A circle-based multiparty access control (CMAC) model is formulated forGoogle+ to capture the core features of multiparty authorizationrequirements which have not been accommodated in most of exist-ing access control systems for OSNs so far (e.g., [19, 20, 24, 25]).Our model also contains a multiparty policy specification schemeand a policy evaluation mechanism. Since policy conflicts are in-evitable in multiparty authorization enforcement, a conflict reso-lution method is further provided to deal with policy conflicts viabalancing the need for privacy protection and the users’ desire forinformation sharing. In addition, we provide a prototype imple-mentation of our authorization mechanism, and our experimentalresults demonstrate the feasibility and usability of our approach.

The rest of the paper is organized as follows. In Section 2, weoverview Google+ privacy management mechanism and analyzecollaborative authorization requirements in Google+. We articu-late our proposed CMAC model, including multiparty authorizationspecification and multiparty policy evaluation in Section 3. The de-tails about prototype implementation and experimental results aredescribed in Section 4. We overview the related work in Section 5.Section 6 concludes this paper and discusses our future directions.

2. PRELIMINARIES

2.1 Google+ and its Privacy ManagementGoogle launched Google+ on June 28th, 2011, and it then at-

tracted 25 million unique visitors after four weeks in operation [9].This new social network platform offers many unique features dif-ferent from other typical OSNs. For instance, it is able to offer agroup video chat that can include up to ten people. In addition, itsupports an instant messaging service for various mobile devices.

Paul Adams introduced the concept of social circles [7], whichthen act as the foundation of circles for user and privacy manage-ment in Google+. By default, there are four circles in Google+:“Friends”, “Family”, “Acquaintances” and “Following” but a usercan remove/rename any of the default circles or add new circles. Auser can then add any of her/his contacts to one or more circles byusing a simple and intuitive drag-and-drop interface in Google+.

For privacy management, a user in Google+ can selectively shareinformation with a specific set of her/his circles, all her/his cir-cles, her/his extended circles (everyone in her/his circles plus allthe people in their circles) or with the public (everyone). However,Google+ does not allow any exceptions [37]. It means if some con-tent is shared with a larger circle, there is no way to exclude anysubset of the circle.

2.2 Requirements of Collaborative Data Shar-ing in Google+

Users in Google+ can post notes and comments, upload photosand videos in their own spaces, tag others to their content, and sharethe content with their circles. On the other hand, users can also post

content in others’ spaces. The shared content may be connectedwith multiple users. Consider an example where a photograph con-tains three users, Alice, Bob and Carol. If Alice uploads it to herown space and tags both Bob and Carol in the photo, we called Al-ice the owner of the photo, and Bob and Carol stakeholders of thephoto. All of them may be desired to specify privacy policies tocontrol over who can see this photo. In another case, when Aliceposts a note stating “I will go to the bar with @Carol on Saturdaynight” to Bob’s space, we call Alice the contributor of the noteand she may want to make the control over her notes. In addition,since Carol is explicitly identified by @-mention (at-mention) inthis note, she is considered as a stakeholder of the note and mayalso want to control the exposure of this note.

Google+ also enables users to reshare others’ content. For ex-ample, when Alice views a photo in Bob’s space and decides toshare this photo with her circles, the photo will be in turn posted toher space and she can authorize her friends to see this photo. In thiscase, Alice is a disseminator of the photo. Since Alice may adopt aweaker control saying the photo is visible to the public, the initialprivacy concerns of this photo may be violated. Thus, all accesscontrol policies defined by associated users should be enforced toregulate access of the content in disseminator’s space.

In addition to content sharing, collaborative control is requiredin circle sharing [10] in Google+ as well, where users in a sharedcircle may have different privacy concerns on the circle sharing.

3. CIRCLE-BASED MULTIPARTY ACCESSCONTROL FOR GOOGLE+

To enable collaborative authorization management of data shar-ing in Google+, we formalize CMAC (Section 3.1), accompanyingwith a policy scheme (Section 3.2) and a policy evaluation mecha-nism (Section 3.3) for the specification and enforcement of CMACpolicies in Google+.

3.1 CMAC ModelAn OSN system, such as Google+, typically contains a set of

users, a set of user profiles, a set of user contents, and a set of userrelationships (circles in Google+). User profile indicates who a useris in the OSN, including identity and personal information, such asname, birthday, interests and contact information. User content de-scribes what a user has in the OSN, including photos, videos, notes,events, status, and all other data objects created through variousactivities in the OSN. User relationship shows who a user knowsin the OSN, representing user connections with friends, family,coworkers, colleagues, and so on.

Existing OSNs including Google+ do not provide effective mech-anism to support collaborative privacy control over shared data.Several access control schemes (e.g., [19, 20, 24, 25]) have beenrecently introduced to support fine-grained authorization specifi-cations for OSNs. Unfortunately, these schemes also only allow asingle controller, the resource owner, to specify access control poli-cies. Indeed, a flexible access control mechanism in a multi-userenvironment like OSNs should allow multiple controllers, who areassociated with the shared data, to specify access control policies.As we discussed in Section 2.2, in addition to the owner (the con-tent in the space of the user) of content, other controllers , includingthe contributor (the content published by the user in someone else’sspace), stakeholder (The tagged user associated with the content)and disseminator (The user shares the content from someone else’sspace to his/her space) of content, need to govern the access of theshared data as well due to possibly different privacy concerns. Wedefine these controllers as follows:

2

DEFINITION 1. (Owner). Let d be a data item in the space of auser u in the social network. The user u is called the owner of d.

DEFINITION 2. (Contributor). Let d be a data item publishedby a user u in someone else’s space in the social network. The useru is called the contributor of d.

DEFINITION 3. (Stakeholder). Let d be a data item in the spaceof a user in the social network. Let T be the set of tagged users as-sociated with d. A user u is called a stakeholder of d, if u ∈ T .

DEFINITION 4. (Disseminator). Let d be a data item shared bya user u from someone else’s space to his/her space in the socialnetwork. The user u is called a disseminator of d.

In real life, users naturally group their connections (the peoplethey know) into social circles, and also assign them different pri-orities called trust. Social circles and trust among connections canhelp a user determine how to interact with other users. The “cir-cles” in Google+ can directly reflect the feature of social circles inreal life of a user. However, the concept of “trust” cannot be explic-itly represented in existing OSNs including Google+. Obviously,even users in a same circle may represent different degrees of trust,and users’ trustworthiness can be also leveraged to determine whoare authorized to access a resource. For example, a user may wantto disclose business documents to only her/his co-workers who arewith high trust levels. Several existing approaches [18, 20, 26, 27]have discussed how trust could be utilized in OSNs. We believethat such considerations can also apply to our collaborative pri-vacy management scenario. Thus, in our CMAC model, we assumeusers can explicitly specify how much they trust others by assign-ing each of them a trust level when they group their connectionsinto circles in OSNs. OwnerOf

Figure 1: CMAC Model: Components and Relations.

Figure 1 represents the core components and relations of ourCMAC model. Note that each content has only one owner andone contributor, and each profile item and each circle have onlyone owner as well. We now formally define this model as follows:

• U = {u1, . . . , un} is a set of users of the OSN. Each userhas a unique identifier;

• C = {c1, . . . , cm} is a set of circles created by users in theOSN. Each circle is identified by a unique identifier as well;

• O = {o1, . . . , op} is a set of contents in the OSN. Eachcontent also has a unique identifier;

• P = {p1, . . . , pq} is a set of user profile items in the OSN.Each profile item is a <attribute: profile-value> pair, pi =<attri : pvaluei >, where attri is an attribute identifier andpvaluei is the attribute value;

• UC = {uc1, . . . , uctr} is a collection of user circle sets,where uci = {uci1, . . . , ucis} is a set of circles created by auser i ∈ U , where ucij ∈ C;

• UP = {up1, . . . , upv} is a collection of user profile sets,where upi = {upi1, . . . , upiw} is the profile of a user i ∈ U ,where upij ∈ P ;

• CT = {OW,CB, SH,DS} is a set of controller types, in-dicating OwnerOf, ContributorOf, StakeholderOf, and Dis-seminatorOf, respectively;

• CO = {COct1 , . . . , COctx} is a collection of binary user-to-content relations, where COcti ⊆ U×O specifies a set of< user, content > pairs with a controller type cti ∈ CT ;

• TL = {tl1, . . . , tly} is a set of supported trust levels, whichare assumed to be in the closed interval [0,1] in our model;

• CUT ⊆ C × U × TL is a set of 3-tuples < circle, user,trust level > representing user-to-circle membership rela-tions (MemberOf ) with assigned trust levels;

• controllers : OCT−−→ 2U , a function mapping each content

o ∈ O to a set of users who are the controllers of the contentwith the controller type ct ∈ CT :

controllers(o : O, ct : CT ) = {u ∈ U | (u, o) ∈COct};

• contents : UCT−−→ 2O, a function mapping each user u ∈

U to a set of contents, where the user is a controller of thecontents with the controller type ct ∈ CT :

contents(u : U, ct : CT ) = {o ∈ O | (u, o) ∈ COct};

• user own circles : U → 2C , a function mapping each useru ∈ U to a set of circles created by this user:

user own circles(u : U) = {c ∈ C | (∃ucu ∈ UC)[c ∈ucu]};

• circle contain users : C → 2U , a function mapping eachcircle c ∈ C to a set of users who are the members of thiscircle:

circle contain users(c : C) = {u ∈ U | (c, u, ∗) 1 ∈CUT};

• user belong circles : U → 2C , a function mapping eachuser u ∈ U to a set of circles to which this user belongs:

user belong circles(u : U) = {c ∈ C | (c, u, ∗) ∈CUT};

• user extended circles : U → 2C , a function mappingeach user u ∈ U to a set of circles of the user’s circles:

user extended circles(u : U) = {c ∈ C | (∃u′∈

circle contain users(c′)∧c

′∈ user own circles(u))[c ∈

user own circles(u′)]};

• trust level : C,U → TL, a function returning the trustlevel of a user-to-circle membership relation:

trust level(c : C, u : U) = {tl ∈ TL | (c, u, tl) ∈CUT};

1“*”” is to indicate any value of the trust level within the tuple.

3

Figure 2: An Example of Circle-based Multiparty Social Network.

• all circles users : U → 2U , a function mapping a useru ∈ U to a set of users who are the members of the user’scircles:

all circles users(u : U) = {u′∈ U | (∃c ∈

user own circles(u))[u′∈ circle contain users(c)]};

• extended circles users : U → 2U , a function mappinga user u ∈ U to a set of users who are the members of theuser’s circles or extended circles:

extended circles users(u : U) = {u′∈ U | u

′∈

all circles users(u)∨(∃c ∈ user extended circles(u))[

u′∈ circle contain users(c)]}.

Figure 2 depicts an example of circle-based multiparty socialnetwork representation. It contains five individuals, Alice (A), Bob(B), Carol (C), Dave (D) and Edward (E), along with their relationswith user data and circles. Suppose the trust levels that a user canallocate to other users who are in her/his circles are {0.00, 0.25,0.50, 0.75, 1.00}, indicating none trust, weak trust, medium trust,strong trust, and strongest trust, respectively. Note that a user maybelong to more than one circle of another user and be assignedwith different trust levels. For example, in Figure 2, Bob is in both“Friends” and “Colleagues” circles of Alice, and assigned withstrong trust level and medium trust level, respectively. In addition,one user’s circles can be the extended circles of others. For exam-ple, since Edward is in the “Family” circle of Alice, all Edward’scircles are the extended circles of Alice. Moreover, this exampledepicts that some contents have multiple controllers. For instance,ContentA has three controllers: the owner Alice, the contributorDave and a stakeholder Bob. Also, some users may be the con-trollers of multiple contents. For example, Alice is the owner ofContentA as well as a disseminator of ContentE .

3.2 CMAC Policy SpecificationTo achieve authorization requirements with respect to the multi-

party privacy concerns, it is essential for access control policies tobe in place to regulate access over shared data associated with mul-tiple controllers. Our policy specification scheme is constructedbased on the proposed CMAC model. In our model, each controllerof a shared resource can specify one or more rules as her/his policygoverns who can access the resource.Accessor Specification: Accessors are a set of users who are grantedto access the shared data. In Google+, accessors can be specified

with a set of circles. In addition, as we discussed previously, trustlevels can be used as constraints on determining authorized usersin our model. We formally define the accessor specification as fol-lows:

DEFINITION 5. (Accessor Specification). Let ac ∈ C ∪{All Circles} ∪ {Extended Circles} ∪ {∗} be a specific cir-cle c ∈ C, all circles or extended circles of the controller whodefines the policy, or everyone (*) in the OSN. Let tlmin ∈ TLand tlmax ∈ TL be, respectively, the minimum trust level and themaximum trust level that the users in ac must have. The accessorspecification is defined as a set, {a1, . . . , an}, where each elementis a tuple < ac, tlmin > for positive rule (with “permit” effect) or< ac, tlmax > for negative rule (with “deny” effect).

Data Specification: In Google+, users can share their contents, pro-files, even circles with others. To facilitate effective policy conflictresolution for multiparty access control (Section 3.3.1), we intro-duce sensitivity levels for data specification, which are assigned bythe controllers to the shared data. A user’s judgment of the sen-sitivity level of the data is not binary (private/public), but multi-dimensional with varying degrees of sensitivity. Formally, the dataspecification is defined as follows:

DEFINITION 6. (Data Specification). Let dt ∈ O∪C∪P be adata item. Let sl be a sensitivity level, which is a rational numberin the range [0,1], assigned to dt. The data specification is definedas a tuple < dt, sl >.

Access Control Policy: To summarize the above-mentioned policyelements, we give the definition of CMAC access control rule asfollows:

DEFINITION 7. (CMAC Rule). A CMAC rule is a 5-tuple R =<controller, ctype, accessor, data, effect >, where

• controller ∈ U is a user who can regulate the access ofdata;

• ctype ∈ CT is the type of the controller;

• accessor is a set of users to whom the authorization is granted,representing with an access specification defined in Defini-tion 5.

4

• data is represented with a data specification defined in Def-inition 6; and

• effect ∈ {permit, deny} is the authorization effect of therule.

Note that the semantics of accessor specification, {a1, . . . , an},in a rule can be explained as the conjunction of elements in accessorspecification, a1∧. . .∧an, which means that only common users inthe accessor sets defined by the elements in accessor specificationare treated as authorized users. Suppose a controller can leveragefive sensitivity levels: 0.00 (none), 0.25 (low), 0.50 (medium), 0.75(high), and 1.00 (highest) for the shared data, the following is anexample rule:

EXAMPLE 1. Alice authorizes users who are in both her “Friends”circle and her “Colleagues” circle with at least a medium trustlevel to access a photo named funny.jpg she is tagged in, whereAlice considers the photo with a high sensitivity level and she is astakeholder of the photo:r1 = (Alice, SH, {< Friends, 0.50 >,< Colleagues,

0.50 >}, < funny.jpg, 0.75 >, permit).

Applying this rule to the example social network shown in Fig-ure 2, Bob satisfies this rule, since he is in both “Friends” and “Col-leagues” circles of Alice with the trust levels greater than and equalto the trust threshold defined in the rule.

Furthermore, one controller may define more than one rule inher/his policy for a shared resource. In this case, users who satisfyany rule in the policy are considered as authorized users for theresource. The following is another example rule:

EXAMPLE 2. In addition to the rule defined in Example 1, let’sconsider another authorization requirement from Alice, where shealso wants to disclose the same photo to users in her “Family”circle with any trust level:r2 = (Alice, SH, {< Family, 0.00 >}, < funny.jpg,

0.75 >, permit).

Finally, this is a common requirement that controllers can ex-clude specific groups from the authorized users when they definethe policies for shared data. Our policy scheme supports such anexception feature through the definition of positive rules in accesscontrol policies 2.

EXAMPLE 3. Suppose Alice wants to share one of her videos,party.avi, with users who are in her “Friends” circle but disallowsusers in her “Colleagues” circle to watch this video, where Aliceconsiders the video with a medium sensitivity level and she is theowner of the video. Then, Alice can define her policy with followingtwo rules for the video:r′1 = (Alice,OW, {< Friends, 0.00 >}, < party.avi,

0.50 >, permit); andr′2 = (Alice,OW, {< Colleagues, 1.00 >}, < party.avi,

0.50 >, deny).

When we apply this policy to the example social network (Fig-ure 2), although both Bob and Carol are in Alice’s “Friends” circle,only Carol can see the video since Bob is also in Alice’s “Col-leagues” circle that is excluded by the r′2.

2Note that both conjunction and exception features in our policyspecification scheme cannot be supported by the current privacysetting mechanism in Google+.

3.3 CMAC Policy EvaluationIn our CMAC model, we adopt three steps to evaluate an ac-

cess request over multiparty access control policies as shown inFigure 3. The first step checks the access request against the pol-icy specified by each controller and yields a decision for the con-troller. In our CMAC model, controllers can leverage a positiverule to define a set of circles to whom the shared resource is vis-ible, and a negative policy to exclude some specific circles fromwhom the shared resource should be hidden. A strategy calleddeny-overrides, which indicates that “deny” rule take prece-dence over “permit” rule, is adopted to achieve such an exceptionalfeature in our policy evaluation mechanism. In the second step,decisions from all controllers responding to the access request areaggregated to make a collaborative decision for the access request.Since those controllers may generate different decisions (permitand deny) for the access request, conflicts may occur again. Wewill address our approach for resolving such conflicts in detailssubsequently. In addition, if the target of the access request is aresource disseminated by a disseminator, the third step is neededfor policy evaluation. In this case, the disseminator may specify aconflicting privacy control over the disseminated content with re-spect to the original controllers of the content. In order to elimi-nate the potential disclosure risk of sensitive information from theprocedure of data dissemination, we again leverage the restrictiveconflict resolution strategy, Deny-overrides, to resolve con-flicts between original controllers’ decision and the disseminator’sdecision. Permit/DenyPermit/Deny

Figure 3: CMAC Policy Evaluation Process.

3.3.1 Conflict Resolution in Multiparty ControlThe essential reason caused the conflicts among multiple con-

trollers is that each controller of the shared content often has adifferent privacy concern over the content. For example, assumethat Alice and Bob are two controllers of a photo. Both of themdefine their own access control policy stating only her/his friendscan view this photo. Since it is almost impossible that Alice andBob have the same set of friends, privacy conflicts may always ex-ist when considering multiparty control over the shared data item.The process of privacy conflict resolution makes a decision to al-low or deny the requestor to access the shared content. In general,allowing a requestor to access the content may cause privacy risk,but denying a requestor to access the content may result in shar-ing loss. Our privay conflict resolution approach attempts to find atradeoff between privacy protection and data sharing.

Measuring Privacy Risk: The privacy risk of an access requestis an indicator of potential threat to the privacy of controllers interms of the shared content: the higher the privacy risk of an ac-cess request, the higher the threat to controllers’ privacy. Our basicpremises for the measurement of privacy risk for an access requestare the following: (a) the lower the trust levels of the requestor

5

who requires the access request, the higher the privacy risk; (b) thelower the number of controllers who allow the requestor to accessthe content, the higher the privacy risk; (c) the stronger the generalprivacy concerns of controllers, the higher the privacy risk; and (d)the more sensitive the shared data item, the higher the privacy risk.Therefore, the privacy risk of a conflicting segment is calculated bya monotonic function with the following parameters:

• Trust of the requestor: The trust level of the accessor i isdenoted as tli, which is the average of the trust levels of theaccessor with respect to all controllers of the shared content.The trust level of an accessor who belongs to a circle of acontroller is defined by the controller directly. The trust levelof an indirect relationship, which is represented by a rela-tionship chain linking an accessor and a controller, needs tobe calculated based on the trust levels associated with therelationships composing the chain. Several algorithms forcomputing the trust of indirect relationships in OSNs havebeen proposed in [13, 20, 26, 30]. The discussion of select-ing effective algorithm for calculating the trust of indirectrelationships is beyond the scope of this paper; 3

• Number of denied controllers : The denied controllers arecontrollers who make the “deny” decisions for the access re-quest. All denied controllers of an access request i are re-turned by a function controllersd(i);

• General privacy concern of a denied controller: The gen-eral privacy concern of a denied controller j is denoted aspcj . The general privacy concern of a controller can be de-rived from her/his default privacy setting for data sharing.Different controllers may have different general privacy con-cern with respect to the same group of data. For example,public figures may have higher privacy concern on their sharedphotos than ordinary people; and

• Sensitivity of the content: Content sensitivity defines con-trollers’ perceptions of the confidentiality of the content be-ing transmitted. The sensitivity level of the shared contentexplicitly chosen by a denied controller j is denoted as slj .The factor depends on the denied controllers themselves. Somedenied controllers may consider the shared content with ahigher sensitivity.

In order to measure the privacy risk of an accessor i, denoted asPR(i), we can use following equation to aggregate the privacy risksof i due to different denied controllers.

PR(i) = (1− tli)×∑

j∈controllersd(i)

pcj × slj (1)

Measuring Sharing Loss: When the decision of privacy conflictresolution for an access request is “deny”, it may cause losses inpotential content sharing, since there are controllers expecting toallow the requestor to access the data item. Similar to the measure-ment of the privacy risk, four factors are adopted to measure thesharing loss for a requestor. Compared with the factors used forquantifying the privacy risk, the difference is that we only considerallowed controllers for evaluating the sharing loss of an accessor.The sharing loss SL(i) of an accessor i is the aggregation of shar-ing loss with respect to all allowed controllers as follows:

SL(i) = tli ×∑

k∈controllersa(i)

(1− pck)× (1− slk) (2)

3We adopt a trust computation algorithm discussed in [20] to com-pute the trust of indirect relationships in the current version of oursystem.

where, function controllersa(i) returns all allowed controllers ofa requestor i.

Conflict Resolution: The tradeoff between privacy and utility indata publishing has been recently studied [17, 32]. Inspired bythose work, we introduce a mechanism to balance privacy protec-tion and data sharing for an effective privacy conflict resolution inOSNs.

We first calculate the privacy risk (PR(i)) and the sharing loss(SL(i)) for each requestor (i), individually. Then, following equa-tion can be utilized to make the decisions (permitting or denying anaccess request) for privacy conflict resolution.

Decision =

{Permit if αSL(i) ≥ βPR(i)Deny if αSL(i) < βPR(i)

(3)

where, α and β are preference weights for the privacy risk andthe sharing loss, 0 ≤ α, β ≤ 1 and α+ β = 1.

4. IMPLEMENTATION AND EVALUATION

4.1 Prototype System ImplementationWe implemented a proof-of-concept social network application

to demonstrate collaborative management of photos, called Sigmaafter the symbol used for multiple addition (or plus) operations.The intent of the application is to allow users to collaborativelyshare photos in Google+ based on our approach. However, con-strained by current lack of development API for Google+, our im-plementation is a Facebook application 4 using Facebook users’data to simulate an environment like Google+.

Sigma is developed as a third-party Facebook application whichis hosted on an Apache Tomcat server supporting PHP and MySQL,with a user interface built using HTML/CSS/JavaScript, jQuery,and jQuery UI. Sigma is built using Facebook API calls to inte-grate users’ photos and friend lists on a stand-alone application ul-timately intended to mimic Google+ functionality.

Figure 4 shows the architecture of Sigma. The application ishosted on an external web server, but uses Facebook’s graph APIand Facebook Query Language to retrieve user data. A minimalamount of data is kept on the server itself, but our application al-lows users to save their settings and check access to their photosbased on the result of the multiparty policy evaluation.

Sigma consists of two major parts, a circle management moduleand a photo management module. The circle management module,shown in Figure 5 (d), allows users to sort their friends into circlesbased on their existing Facebook friend lists. It also allows them toset trust levels by friend or by circle. For the performance purposein using the application, setting the trust level for a circle applies itto all individual users in that circle in our current implementation.In a real-life implementation, the function of circle trust level woulddepend on the type of circle. If it is a trust-based circle, trust levelmay be used as an indication of which users to place in that circle.If it is a group-based circle, it might display an average trust levelof all the users.

In the photo management module of Sigma, the privacy settingdepicted in Figure 5 (b) accounts for the three features: union,conjunction, and exception, discussed in our policy specificationscheme. To achieve this, three options are presented and then joinedby union for the ultimate policy. The controller indicates a set ofcircles and/or users who may access the photo, a set of circles ofwhich the intersection of users may access the photo, and a set ofcircles and/or users who may not access the photo. The controller

4The link of our application is removed for anonymous review.

6

Figure 5: Sigma Interfaces.

Approve PermissionsLog in Friends Circles TrustSettingsFigure 4: System Architecture of Sigma.

may also optionally indicate a minimum trust level for a “permit”policy or a maximum trust level for a “deny” policy to addition-ally restrict photo sharing. If the controller is the owner of selectedphoto, s/he can adjust the weights to balance privacy protection anddata sharing of the photo. In addition, since malicious users maytag themselves to a photo and specify privacy policies to influencethe sharing of the photo, the photo owner can verify the taggedusers and has the ability to disable fake stakeholders to control thephoto in the privacy setting. To allow the users of the prototype ap-

plication to check the impacts of collaborative control against theirprivacy settings, users are able to check friends’ access to the photoin Sigma as shown in Figure 5 (c).

We chose to supply the user with five photos for the purposes ofevaluation, so that we could ask reasonably users to set privacy set-tings for all of the photos displayed. The photo management mod-ule in Sigma automatically selects five photos the user is tagged in,giving preference to photos with more people tagged (to promotecollaborative use of the application), shown in Figure 5 (a). Theuser can then use the photo privacy controls or check user access tothe photo.

4.2 Prototype System Evaluation

4.2.1 User StudyWe conducted a usability study to test the feasibility of Sigma.

We had 42 users use the application and answer a survey to in-dicate their preferences in social networks. We recruited throughUniversity mailing lists, Google+ and Facebook. Of our respon-dents, 71.4% were 18-24, 21.4% were 25-34, and 7.1% were 35-54years old. Some questions were “ranking” questions, where userswere asked to rank certain things by preference. Responses werethen assigned a weight of (n-r) where n is the total number of dataitems to rank and r is the rank assigned. Therefore, rating some-thing 3 out of 5 gives a score of 2. Responses from all users arethen totaled for comparison. The details of responses are compiledin the Appendix.Prior to using Sigma: Part of the purpose of the survey was to un-derstand the demand for a collaborative data management systemthat balances privacy protection with data sharing. When askedwhether privacy or sharing was more important, half of respondentsrated them as equally important (with 32.1% finding choosing pri-

7

vacy and 17.9% choosing sharing), so we know both are necessarywhen determining an approach to data management in OSNs.

When asked to rank preferences when tagged in a photo, usersindicated that protecting their privacy was the most important tothem (a score of 79), with sharing with friends and protecting otherusers’ privacy were ranked closer to each other (53 and 41, respec-tively). Asked to rank preferences when a user owns a photo, theyindicated protecting their own privacy and sharing closely (92 and81), with protecting tagged users’ privacy (65) still somewhat im-portant and allowing tagged users to share with their friends (42)last.

When a user is tagged, we can see that protecting their own pri-vacy is important. Since in a normal social network a tagged userhas little protection compared to the owner, we can interpret thisas a desire for more control over tagged photos, since the currentapproach allows the owner to override control. When a user ownsa photo, they consider privacy protection and sharing loss aboutequal, but they consider protecting tagged users’ privacy importantas well (a score of 65 indicates that some users ranked it as at leastthe 2nd most important).

We also asked the users who use Google+ (64%) about how theysort their circles to analyze the value of group-based and trust-basedcircles (Table 1). Most of users said they organize by friendship(how well they know someone), and users organize friends by in-terest (group) and by trust about equally. Since a large portion ofusers already sort users by group or by trust, it would be beneficialto incorporate this in collaborative privacy control.

Table 1: Factors Used When Sorting Users into Circles.What factors do you use when sorting other % of respondentsusers into circles?Oragnize friends by interest 44.4%Organize friends by friendship 61.1%Oragnize friends by trust 44.4%Organize friends for sharing control not related 16.7%to trust or interests

After Using Sigma: We collected some Facebook usage statistics todetermine the need for collaborative photo management. We defineneed as the presence of more than one party interested in a photo(the number of controllers is greater than one). We can estimatefrom the data that, in owned photos, there is on average at least twotagged users for every five photos. More importantly, about 15%of owned photos have at least two tagged users, and about 5% havethree or more. This means in an only-owner-control approach forprivacy management, a sizable number of users is being ignored indetermining privacy settings for those photos.

In photos in which our test subjects are tagged, there are an av-erage of two users in every photo. This means in the only-owner-control approach, we can assume that there is at least one user forevery tagged photo whose privacy preferences are not being takeninto account. In addition, 25% of these photos have more than twotagged users. This high amount of stakeholders in various photossupports the need for a collaborative privacy approach.

We also asked users to rank their preferences for various parts ofour system as they tried it out. For a user management system, usersranked their preferences as shown in Table 2. Users ranked theability to indicate trust almost as important as simplicity, meaningthey reacted very positively to this feature of our system. The otherscores indicate the desire for intelligent sorting of friends, as wellas the importance of having a visual interface (like circles).

We then again asked users to rank preferences in sharing, but forthree scenarios: when the user is a stakeholder, when the user is anowner, and in general when collaboratively controlling a photo (Ta-

Table 2: Importance of Features in User Management.Rate the features of this or a similar user Weighted Scoremanagement system in order of importanceSimplicity 146Ability to indicate trust 115Automatically sorting friends 93Visual interface 90Recommending trust levels for friends 76Recommending circle placement 68

ble 3). In all three situations, the user ranked protecting one’s ownprivacy as the most important. This may seem obvious, but it is im-portant to note that this suggests they find protecting one’s privacyas a stakeholder equally important to protecting one’s privacy as anowner (supporting the need for collaborative control). Users indi-cated that when they were tagged, having an equal say to the ownerwas least important, so if the owner has more control in the system(such as setting weights in our system) it is permissible as long asthe stakeholders have a say. In general and as an owner, users in-dicated that owner control was second-most important, which fur-ther supports the need for some additional owner controls like oursin a collaborative approach. When a user owns a photo, the thirdhighest preference, above sharing and giving tagged users control,was preventing fake tagged users from controlling a photo. Besidesthe design concern of preventing collusion attacks as well as otherthreats from false tagging, users indicated that indication of validcontrollers was an important feature to them.

Table 3: Importance of Features in Collaborative Sharing.Rate the following in order of importance when Weighted Scorecollaboratively sharing a photoTaggedProtecting my privacy 99Ability to prevent users from viewing photo 83Ability to allow users to view photo 76Sharing 59Having an equal say to the owner 58OwnedProtecting my privacy 95Having complete control 89Preventing fake tagged users from controlling 72Sharing 61In GeneralProtecting privacy 80Giving the owner control 72Giving tagged users control 52Allowing users to share 46

We asked users to rank the reasons they would use the “CheckAccess” function to determine the need for the function. Usersranked as follows: making sure certain people cannot access aphoto (121), to double-check privacy settings on a photo (101),to make sure certain people can access a photo (88), to see howother controllers’ choices affect my privacy (70), and because theydo not understand how the settings work (32). It makes sense thatusers would mostly want to make sure a specific person should notaccess a photo due to their concern about privacy, but this also in-dicates the usefulness of such a function. What is important to noteis that a score of 32 is low enough that it indicates most users ratedthis as the least likely reason. Users are not worried about misun-derstanding how their settings work and are simply concerned withprotecting themselves, so our system is not prohibitively compli-cated.

Obviously a privacy system is only useful if it is, in fact, used.Shown in Table 4, we asked users how often they would use col-laborative control for photos. 80% of users would collaborativelycontrol photos they are tagged in, which is sizable enough to jus-

8

tify collaborative control from a user-centric standpoint. However,44% of users indicate they would collaboratively control most orall of their individual photos. This means that even with a differentsystem than they are used to, over 2 out of every 5 users would usea system like this for a majority of their photos.

Table 4: Frequency and Usage of Collaborative Photo Privacy.Which of the following would you use collaborative % of respondentsprivacy for?Sensitive Photos 64%Specific Albums 68%Most or all individual photos 44%Photos I own 60%Photos I am Tagged in 80%

4.2.2 Effectiveness EvaluationTo evaluate the effectiveness of our approach, we compare the

outcome, on a single-accessor basis, of a policy set in Google+to a policy set in Sigma. The metric we use for evaluation is thetotal Privacy Risk (PR) plus the total Sharing Loss (SL) from allcontrollers based on the outcome of the access attempt.

We evaluate the outcome in a few cases. The outcome is a mea-surement of average expected privacy risk and sharing loss (whichuses average trust levels and average sensitivity levels). It should benoted, however, that higher trust or lower sensitivity would simplylower the magnitude of the final measurements and lower trust orhigher sensitivity would simply increase the magnitude of the finalmeasurements, but the comparison still holds. Additionally, sincewe are evaluating on a single-accessor basis, number of friends orcircles allowed or denied do not affect the results.

One case is trivial: in both Google+ and Sigma, if all users agreeon the same privacy setting, there are no conflicts to resolve. Theresult is 0 PR and 0 SL in either Google+ or Sigma. This is consid-ered the best case. The rest of the cases and evaluation results areshown in Figure 6.

Case 1 is in Google+ (or any owner-override situation) where allof the stakeholders in a photo disagree with the owner. This is aworst-case for Google+. This can be compared with Case 6, whichis the same access decision in Sigma. In Google+ the privacy riskor sharing loss grows with each non-owner controller, as his or herdecision is being violated. In Sigma, this is only slightly differentfrom the best-case scenario. In Cases 2-5, half of the stakeholdersagree with the owner. In Case 2, the owner allows in Google+ andin Case 3 the owner denies in Sigma. In Case 4 the owner deniesin Google+ and in Case 5 the owner allows in Sigma. This canbe considered an “average case”. In these cases, Sigma’s scoresincrease at the same rate as Google+. This shows that Sigma isat least as good as Google+, until one considers the fact that this“average case” for Google+ is actually the worst case for Sigma.

It is important to note that the rate of PR or SL as number ofcontrollers increases is at most 1/2 in Sigma. This is due to thefact that the maximum proportion of controllers whose preferencesare being violated is 1/2, since (given the same sensitivity and trustsettings) more than 50% controllers in agreement determine the de-cision. In Google+, this is not the case. In fact, PR or SL will in-crease for every new controller who disagrees with the owner sincethe decision is never changed. This is why Cases 2 and 4 increaseat the same rate as Sigma’s maximum rate in Cases 3 and 5 – everysecond controller disagrees with the owner. Thus, Sigma’s worstcase is at least as effective at giving user preference as Google+and can only be better in other cases.

4.2.3 Performance Discussion

Figure 6: Privacy Risk and Sharing Loss in Google+ and Sigmain Six Cases – Case 1: all stakeholders in Google+ disagreewith owner; Case 2: half of stakeholders in Google+ disagreewith owner, who allows access; Case 3: half of stakeholdersin Sigma disagree with owner, who denies access; Case 4: halfof stakeholders in Google+ disagree with owner, who denies ac-cess; Case 5: half of stakeholders in Sigma disagree with owner,who denies access; and Case 6: all stakeholders in Sigma dis-agree with owner.

Though we measured the amount of time of certain operationswithin our system, there was a high variability based on the statusof the shared web server and the speed of responses from FacebookAPI calls, so our discussion of performance would revolve aroundthe scalability of our system.

Our implementation retains user privacy policies, then evaluatesthese policies when each time an access attempt is made. This hasthe advantage of only computation-centric access as needed, ver-sus building an accessor list for shared data every time when a pri-vacy policy is created 5. This means collaborative changes can bemade at a very low performance cost to the system. There are somedrawbacks to the compute-on-access approach, though. A highly-accessed data item may decrease system performance. Addition-ally, this implementation makes checking the access for a group ofusers decidedly inefficient, considering policies from multiple con-trollers. For instance, Sigma’s “Check Access” function applied toan entire circle depends on evaluating policies once per user. Inthe approach that builds an accessor list every time when a privacypolicy is changed, checking access for a group of individuals de-pends only on the speed of a single database look-up. The accessperformance could be improved with a cache, providing the resultof an accessor’s last attempt to view a data item and a “dirty bit” tocheck if the policy for the photo has changed.

The key advantage of this implementation is that it provides forscalability in almost every area other than frequency of access at-tempts. The computation of a policy does not strongly depend onthe size of the set of allowed circles and accessors a user indicates.Instead, evaluation of a policy simply checks if the current acces-sor is in that set, which is significantly more efficient than buildingan accessor list. Thus, as number of users, number of circles, andnumber of friends in those circles increase, policy evaluation effi-

5In this case, all policy conflicts need to be resolved first for build-ing the accessor list.

9

ciency depends only on the number of accesses to a photo. Anotherperformance advantage is the space complexity compared to build-ing an accessor list. As the number of users, circles, and friendsincreases, the space complexity of an accessor list does as well.

5. RELATED WORKSeveral access control models for OSNs have been proposed re-

cently [19, 20, 24, 25, 30]. The D-FOAF system [30] is primarilya Friend of a Friend (FOAF) ontology-based distributed identitymanagement system for OSNs, where relationships are associatedwith a trust level, which indicates the level of friendship betweenthe users participating in a given relationship. Then, Carminati etal. [19] introduced a conceptually-similar but more comprehensivetrust-based access control model, which allows the specification ofaccess rules for online resources, where authorized users are de-noted in terms of the relationship type, depth, and trust level be-tween users in OSNs. They also introduced a semi-decentralizeddiscretionary access control model and a related enforcement mech-anism for controlled sharing of information in OSNs [20], and pro-posed a semantic web based access control framework for socialnetworks. Fong et al. [25] presented an access control model thatformalizes and generalizes the access control mechanism imple-mented in Facebook, admitting arbitrary policy vocabularies thatare based on theoretical graph properties. Gates [21] claimed relationship-based access control as one of new security paradigms that ad-dresses unique requirements of Web 2.0. Then, Fong [24] for-mulated this paradigm called a Relationship-Based Access Control(ReBAC) model that bases authorization decisions on the relation-ships between the resource owner and the resource accessor in anOSN. However, most of these existing work could not model andanalyze access control requirements with respect to collaborativeauthorization management of shared data in OSNs.

Recently, semantic web technologies have been used to modeland express fine-grained access control policies for OSNs (e.g., [16,22, 38]). Especially, Carminati et al. [16] proposed a semantic webbased access control framework for social networks. Three typesof policies are defined in their framework, including authorizationpolicy, filtering policy and admin policy, which are modeled withthe Web Ontology Language (OWL) and the Semantic Web RuleLanguage (SWRL). Access control policies regulate how resourcescan be accessed by the participants; filtering policies specify howresources have to be filtered out when a user fetches an OSN page;and admin policies can determine who is authorized to specify poli-cies. Although they claimed that flexible admin policies are neededto bring a system to a scenario where several access control poli-cies specified by distinct users can be applied to the same resource,the lack of formal descriptions and concrete implementation of theproposed approach leaves behind the ambiguities of their solution.

The need of collaborative management for data sharing, espe-cially photo sharing, in OSNs has been addressed by some recentresearch [15, 28, 31, 40, 44]. Particularly, Squicciarini et al. [40]proposed a solution for collective privacy management for photosharing in OSNs. This work considered the privacy control of acontent that is co-owned by multiple users in an OSN, such thateach co-owner may separately specify her/his own privacy pref-erence for the shared content. The Clarke-Tax mechanism wasadopted to enable the collective enforcement for shared content.Game theory was applied to evaluate the scheme. However, it couldbe very hard for ordinary OSN users to comprehend the Clarke-Taxmechanism and specify appropriate bid values for auctions. Also,the auction process adopted in this approach indicates only the win-ning bids could determine who was able to access the data, insteadof accommodating all stakeholders’ privacy preferences. In con-

trast, we propose a formal model to support the multiparty accesscontrol for OSNs, along with a policy specification scheme anda simple but flexible conflict resolution mechanism to particularlyenable collaborative data sharing in Google+.

Several recent work also explored how to measure privacy risk inOSNs [14, 34, 43]. Becker et al. [14] presented PrivAware, a toolto detect and report unintended information loss through quantify-ing privacy risk associated with friend relationship in OSNs. Liu etal. [34] introduced a framework to compute the privacy score of auser, indicating the user’s potential risk caused by her/his partici-pation in OSNs. Those prior solutions only focused on the privacysettings of users with respect to their profile items. However, ourapproach measures the privacy risk caused by different privacy con-cerns from multiple users, focusing on content sharing in Google+.

A very preliminary analysis of Google+ privacy has been dis-cussed in [37]. They only addressed concern that Google+ sharesthe metadata of the photos uploaded by its users, which could leadto privacy violations, and also showed that Google+ encouragestheir users to provide other names, such as maiden names, whichmay help in identity theft.

6. CONCLUSION AND FUTURE WORKIn this paper, we have proposed a novel mechanism for collab-

oratively controlling the shared data in Google+. A circle-basedmultiparty access control model has been formulated, along witha policy specification scheme and corresponding policy evaluationmechanism. A proof-of-concept implementation of our solutioncalled Sigma and the usability evaluation of our approach have beendiscussed as well.

As part of our future work, we will implement and evaluate ourapproach in Google+ platform once Google releases the Google+application development API. In addition, since a Google+ usermay be involved in the control of hundreds of circles, the man-agement of circles and the configuration of the privacy preferencesbased on circles are time-consuming and tedious tasks. Thus, wewould study inference-based techniques [23, 29, 41] for both smartercircle management and automatic configuration of privacy prefer-ences in Google+. Besides, we will extend our work to addresssecurity and privacy challenges for emerging information sharingservices such as location sharing [3].

AcknowledgmentsThis work was partially supported by the grants from National Sci-ence Foundation (NSF-IIS-0900970 and NSF-CNS-0831360) andDepartment of Energy (DE-SC0004308).

7. REFERENCES[1] Facebook Privacy Policy.

http://www.facebook.com/policy.php/.[2] Facebook Statistics. http://http://www.facebook.

com/press/info.php?statistics.[3] Google Latitude.

www.google.com/mobile/latitude/.[4] Google+ Privacy Policy. http://http:

//www.google.com/intl/en/+/policy/.[5] The Google+ Project. https://plus.google.com.[6] Facebook Friend Lists, 2007. http://www.facebook.

com/blog.php?post=7831767130.[7] P.adams. The real life social network v2, 2010.

http://www.slideshare.net/padday/the-real-life-social-network-v2.

10

[8] The first google+ privacy flaw, 2011.http://blogs.ft.com/fttechhub/2011/06/google-plus-privacy-flaw/#axzz1cxeoa9LS.

[9] Google+ hits 25 million visitors, gets more sticky, 2011.http://mashable.com/2011/08/02/google-plus-25-million-visitors/.

[10] Google+ shared circles are here, 2011.http://www.zdnet.com/blog/google/google-shared-circles-are-here/3355.

[11] The State of Social Media 2011: Social is the new normal,2011. http://www.briansolis.com/2011/10/state-of-social-media-2011/.

[12] F. Adu-Oppong, C. Gardiner, A. Kapadia, and P. Tsang.Social circles: Tackling privacy in social networks. InSymposium on Usable Privacy and Security (SOUPS).Citeseer, 2008.

[13] P. Avesani, P. Massa, and R. Tiella. A trust-enhancedrecommender system application: Moleskiing. In SAC,volume 5, pages 1589–1593. Citeseer, 2005.

[14] J. Becker and H. Chen. Measuring privacy risk in onlinesocial networks. In Proceedings of the 2009 Workshop onWeb, volume 2. Citeseer.

[15] A. Besmer and H. Richter Lipford. Moving beyonduntagging: Photo privacy in a tagged world. In Proceedingsof the 28th international conference on Human factors incomputing systems, pages 1563–1572. ACM, 2010.

[16] S. Brands. Rethinking public key infrastructures and digitalcertificates: building in privacy. The MIT Press, 2000.

[17] J. Brickell and V. Shmatikov. The cost of privacy:destruction of data-mining utility in anonymized datapublishing. In Proceeding of the 14th ACM SIGKDD, pages70–78. ACM, 2008.

[18] B. Carminati, E. Ferrari, S. Morasca, and D. Taibi. Aprobability-based approach to modeling the risk ofunauthorized propagation of information in on-line socialnetworks. In Proceedings of the first ACM conference onData and application security and privacy, pages 51–62.ACM, 2011.

[19] B. Carminati, E. Ferrari, and A. Perego. Rule-based accesscontrol for social networks. In On the Move to MeaningfulInternet Systems 2006: OTM 2006 Workshops, pages1734–1744. Springer, 2006.

[20] B. Carminati, E. Ferrari, and A. Perego. Enforcing accesscontrol in web-based social networks. ACM Transactions onInformation and System Security (TISSEC), 13(1):1–38,2009.

[21] E. Carrie. Access Control Requirements for Web 2.0Security and Privacy. In Proc. of Workshop on Web 2.0Security & Privacy (W2SP). Citeseer, 2007.

[22] N. Elahi, M. Chowdhury, and J. Noll. Semantic accesscontrol in web based communities. In Computing in theGlobal Information Technology, 2008. ICCGI’08. The ThirdInternational Multi-Conference on, pages 131–136. IEEE,2008.

[23] L. Fang and K. LeFevre. Privacy wizards for socialnetworking sites. In Proceedings of the 19th internationalconference on World wide web, pages 351–360. ACM, 2010.

[24] P. Fong. Relationship-Based Access Control: ProtectionModel and Policy Language. In Proceedings of the FirstACM Conference on Data and Application Security andPrivacy. ACM, 2011.

[25] P. Fong, M. Anwar, and Z. Zhao. A privacy preservationmodel for facebook-style social network systems. InProceedings of the 14th European conference on Research incomputer security, pages 303–320. Springer-Verlag, 2009.

[26] J. Golbeck. Computing and applying trust in web-basedsocial networks. PhD thesis, University of Maryland, CollegaPark, 2005.

[27] J. Golbeck. Trust and nuanced profile similarity in onlinesocial networks. ACM Transactions on the Web (TWEB),3(4):1–33, 2009.

[28] H. Hu, G.-J. Ahn, and J. Jorgensen. Detecting and resolvingprivacy conflicts for collaborative data sharing in onlinesocial networks. In Proceedings of the 27th AnnualComputer Security Applications Conference, ACSAC’11.ACM, 2011.

[29] S. Jones and E. O’Neill. Contextual dynamics ofgroup-based sharing decisions. In Proceedings of the 2011annual conference on Human factors in computing systems,pages 1777–1786. ACM, 2011.

[30] S. Kruk, S. Grzonkowski, A. Gzella, T. Woroniecki, andH. Choi. D-foaf: Distributed identity management withaccess rights delegation. The Semantic Web–ASWC 2006,pages 140–154, 2006.

[31] A. Lampinen, V. Lehtinen, A. Lehmuskallio, andS. Tamminen. We’re in it together: interpersonalmanagement of disclosure in social network services. InProceedings of the 2011 annual conference on Humanfactors in computing systems, pages 3217–3226. ACM, 2011.

[32] T. Li and N. Li. On the tradeoff between privacy and utilityin data publishing. In Proceedings of the 15th ACMSIGKDD, pages 517–526. ACM, 2009.

[33] H. Lipford, A. Besmer, and J. Watson. Understanding privacysettings in facebook with an audience view. In Proceedingsof the 1st Conference on Usability, Psychology, and Security,pages 1–8. USENIX Association Berkeley, CA, USA, 2008.

[34] K. Liu and E. Terzi. A framework for computing the privacyscores of users in online social networks. ACM Transactionson Knowledge Discovery from Data (TKDD), 5(1):6, 2010.

[35] Y. Liu, K. Gummadi, B. Krishnamurthy, and A. Mislove.Analyzing Facebook Privacy Settings: User Expectations vs.Reality. In Proceedings of the 2011 annual conference onInternet measurement (IMC’11). ACM, 2011.

[36] M. Madejski, M. Johnson, and S. Bellovin. The Failure ofOnline Social Network Privacy Settings. Technical ReportCUCS-010-11, Columbia University, NY, USA. 2011.

[37] S. Mahmood and Y. Desmedt. Poster: preliminary analysis ofgoogle+’s privacy. In Proceedings of the 18th ACMconference on Computer and communications security,pages 809–812. ACM, 2011.

[38] A. Masoumzadeh and J. Joshi. Osnac: An ontology-basedaccess control model for social networking systems. IEEEInternational Conference on Privacy, Security, Risk andTrust, 0:751–759, 2010.

[39] F. Ozenc and S. Farnham. Life “Modes” in Social Media. InProceedings of the 2011 annual conference on Humanfactors in computing systems, pages 561–570. ACM, 2011.

[40] A. Squicciarini, M. Shehab, and F. Paci. Collective privacymanagement in social networks. In Proceedings of the 18thinternational conference on World wide web, pages 521–530.ACM, 2009.

[41] A. Squicciarini, S. Sundareswaran, D. Lin, and J. Wede.

11

A3p: adaptive policy prediction for shared images overpopular content sharing sites. In Proceedings of the 22ndACM conference on Hypertext and hypermedia, pages261–270. ACM, 2011.

[42] K. Strater and H. Lipford. Strategies and struggles withprivacy in an online social networking community. InProceedings of the 22nd British HCI Group AnnualConference on People and Computers: Culture, Creativity,Interaction-Volume 1, pages 111–119. British ComputerSociety, 2008.

[43] N. Talukder, M. Ouzzani, A. Elmagarmid, H. Elmeleegy, andM. Yakout. Privometer: Privacy protection in socialnetworks. In Proceedings of 26th International Conferenceon Data Engineering Workshops (ICDEW), pages 266–269.IEEE, 2010.

[44] K. Thomas, C. Grier, and D. Nicol. unFriendly: Multi-partyPrivacy Risks in Social Networks. In Privacy EnhancingTechnologies, pages 236–252. Springer, 2010.

[45] Y. Wang, S. Komanduri, P. Leon, G. Norcie, A. Acquisti, andL. Cranor. I regretted the minute I pressed share”: Aqualitative study of regrets on Facebook. In Symposium onUsable Privacy and Security, 2011.

APPENDIXA. USER STUDY TABLES

Table 5: Age of Respondents.Age % of Respondents18-24 21.4%25-34 61.1%35-54 7.1%

Table 6: Education Completed by Respondents.Highest Level of Education Completed % of RespondentsGraduated HS or Equivalent 3.6%Some college, no degree 25%Bachelor’s Degree 3.6%Bachelor’s Degree (in progress) 39.3%Post-Graduate degree 10.7%Post-Graduate degree (in progress) 17.9%

Table 7: Social Networks Used by Respondents.Social Network Used % of RespondentsFacebook 100%Google+ 64.3%Twitter 32.1%

Table 8: Time Respondents Spend on Social Networks.Hours per week spent on Social Networking Sites % of RespondentsLess than 1 Hour 3.6%1-5 hours 42.9%5-10 Hours 32.1%10+ Hours 21.4%

Table 9: Privacy and Sharing Preferences of Respondents.Which is more important to you when using a social % of Respondentsnetwork?Protecting my privacy 32.1%Sharing 17.9%About the same 50%

Table 10: Preferences when User Is Tagged.Rank the following by importance to you when you are Weighted Scoretagged in a photoProtecting my privacy 74Sharing with friends 53Protecting other tagged users’ privacy 41

Table 11: Preferences when User Owns a Photo.Rank the following by importance when you own a photo Weighted Totalothers are tagged inProtecting my own privacy 92Sharing with my friends 81Protecting tagged users’ privacy 65Allowing Tagged users to share photo with their friends 42

Table 12: Usage of Access Checking Function.Rank the following reasons by likelihood of reason for Weighted Scoreusing this functionMake sure certain people can’t access a photo 121Double-check privacy settings on a photo 101Make sure certain people can access a photo 72To see how other controllers’ choices affect my privacy 58Because I don’t understand how the settings work 32

Table 13: Photos Respondent would Collaboratively Control onSocial Networks.

Which photos would you collaboratively control on a % of respondentssocial network?Sensitive photos 64%Specific albums 68%Most or all individual photos 44%Photos I own 60%Photos I am tagged in 80%

12