multilateral privacy requirements analysis in online ...sguerses/slides/s... · xss attacks...
TRANSCRIPT
Multilateral Privacy Requirements Analysis in Online Social Networks
Seda GürsesCOSIC, K.U. Leuven18. February, 2011
CRIDUniversity of Namur, Belgium
1
2
SPIONsecurity and privacy in online social networks
K.U. Leuven (COSIC, DistriNet, ICRI, HMDB), Vrije Universiteit Brussel (SMIT), University of Ghent (Onderwijskunde), Carnegie Melon
University (Heinz College)responsibilizationaccountability
x close this advertisement
2
3
SPIONsecurity and privacy in online social networks
trust, reputation and access controlidentity management
legal frameworksanonymous communication
feedback and awareness systemsbehavioral aspects
x close this advertisement
http://www.cosic.esat.kuleuven.be/spion
3
outline
- introduction to privacy requirements
- stakeholder analysis: service provider
- SNS access control design
- feedback and awareness systems
4
4
privacy?
- what is privacy?
- what are privacy requirements?
- in security engineering: confidentiality
5
5
online social networks (SNS)
6
6
online social networks
7
7
8
2004
Facebook created
1m
8
9
2004 2005
Facebook in
HighschoolsFacebook
friends
friends of friends
all facebook users
the entire Internet
1m 5m
9
10
2004 2006
Highschools
2005
Facebook available to the
PUBLIC(pg13)
1m 5m 12m
10
11
2004 2006
Highschools
2005
Facebook available to the
PUBLIC(pg13)
xss attacks
1m 5m 12m
11
12
2004 2006
Highschools
2005
Facebook available to the
PUBLIC(pg13)
xss attacks
newsfeed
1m 5m 12m
12
13
2004 2006
Highschools
2005
Facebook available to the
PUBLIC(pg13)
newsfeedprotests740.000
xss attacks
1m 5m 12m
13
14
2004
20072005
PUBLIC
2006
Facebook API
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
14
15
2004
20072005
PUBLIC
2006
Facebook APIMobile
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
15
16
2004
20072005
PUBLIC
2006
Facebook APIMobileBEACON
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
16
17
2004
20072005
PUBLIC
2006
Facebook APIMobileBEACON
protests50.000 in
3 days
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
17
18
2004
20072005
PUBLIC
2006
Facebook APIMobileBEACON
protests50.000 in
3 days
bans
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
18
19
2004
20072005
PUBLIC
2006
Facebook APIMobileBEACON
protests50.000 in
3 days
bansbreastfeeding
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
19
20
2004
20072005
PUBLIC
2006
Facebook APIMobileBEACON
protests50.000 in
3 days
memorilization
bans
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
breastfeeding
20
21
2004
20082005
PUBLIC
2006
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2007
Canadian Privacy Commissioner
Highschoolsxss attacks
protests740.000newsfeed
1m 5m 12m50m
100m
21
22
2004
20082005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEEDpopularity algorithm
Highschoolsxss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
1m 5m 12m50m
100m
22
23
2004
20082005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEEDpopularity algorithmprotests
1.600.000
Highschoolsxss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
1m 5m 12m50m
100m
23
24
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
1m 5m 12m50m
100m 350m
24
25
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
protests
1m 5m 12m50m
100m 350m
25
26
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
user votingprotests
1m 5m 12m50m
100m 350m
26
27
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
user votingprotests
friends lists
1m 5m 12m50m
100m 350m
27
28
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
user votingprotests
friends lists
Canadian Privacy
Commissioner
1m 5m 12m50m
100m 350m
28
29
2004
20092005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullyingunlimited license to user content
user votingprotests
friends listsCanadian Privacy
Commissioner
1m 5m 12m50m
100m 350m
29
30
2004
20102005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
1m 5m 12m50m
100m 350m 400m
30
31
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONS
1m 5m 12m50m
100m 350m
2010
400m
31
32
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONSchat leak
1m 5m 12m50m
100m
2010
400m
32
33
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONS
chat leak
NOYB
FACECLOAK
SCRAMBLE
1m 5m 12m50m
100m
2010
400m
33
34
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONS
chat leak
NOYBFACECLOAK
SCRAMBLE
1m 5m 12m50m
100m
2010
400m
34
35
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONS
chat leak
NOYBFACECLOAK
SCRAMBLE
1m 5m 12m50m
100m
2010
400m
35
36
2004
2005
PUBLIC
2006 2007
Canadian Privacy Commissioner
LIVE FEED
protests1.600.000Highschools
xss attacks
protests740.000newsfeed
Facebook APIMobile
BEACON
protests50.000 in 3 days
bans
2008
cyberbullying
unlimited license to
user content
user voting
protests
friends lists
2009
facebookgoogle
CONNECTIONS
chat leak
NOYBFACECLOAK
SCRAMBLE
1m 5m 12m50m
100m
2010
500m
NHSreveals data to
Discriminatory Behavioral Profiling
User IDs revealed to
Third Parties
Homeland Security friends Aliens
36
- all of these are (somehow) about privacy and the design of the system
- how do we deal with these issues when developing systems?
- specifically: during requirements engineering
37
37
multilateral privacy requirements engineering
- reconcile:
- privacy notions (legal & surveillance studies)
- privacy solutions (computer science)
- in a social context (online SNS)
- multilaterally
- during requirements engineering
38
38
privacy requirements definition
39
lack of universality
lack of satisfiability
subjectivity
legal compliance
contrivability
environmental factors
counter - factuality
temporality
agonism
negotiability
39
multilateral privacy requirements engineering
- reconcile:
- privacy notions (legal & surveillance studies)
- privacy solutions (computer science)
- in a social context (online SNS)
- multilaterally
- during requirements engineering
40
40
solutions from privacy research
41
data confidentiality anonymous
communications
PPDM/PPDP
IDMS
Differential Privacy
Privacy Policy Languages
Feedback and Awareness
Systems
41
privacy research paradigms
42
privacy as
confidentiality
the right to be let alone. Warren & Brandeis (1890)
hiding information and identity
42
privacy research paradigms
43
privacy as
confidentiality
the right to be let alone. Warren & Brandeis (1890)
hiding information and identity
privacy as control
separation of identities, data protection principles
right of the individual to decide what information about himself should be communicated to others and under what circumstances. (Westin 1970)
43
privacy research paradigms
44
privacy as
confidentiality
the right to be let alone. Warren & Brandeis (1890)
hiding information and identity
privacy as control
separation of identities, data protection principles
right of the individual to decide what information about himself should be communicated to others and under what circumstances. (Westin 1970)
privacy as practice
the freedom from unreasonable constraints on the construction of
one’s own identity (Agre, 1999)transparency and feedback
44
privacy research paradigms
45
privacy as
confidentiality
hiding information and identity
privacy as control
separation of identities, data protection principlesprivacy
as practice
transparency and feedback
45
multilateral privacy requirements engineering
- reconcile:
- privacy notions (legal & surveillance studies)
- privacy solutions (computer science)
- in a social context (online SNS)
- multilaterally
- during requirements engineering
46
46
case study
47
Social Network Services
web-based systems
communication oriented
wide audience
many stakeholders
short development
cycles
global privacy concernsproprietary
systems47
multilateral privacy requirements engineering
- reconcile:
- privacy notions (legal & surveillance studies)
- privacy solutions (computer science)
- in a social context (online SNS)
- multilaterally
- during requirements engineering
48
48
49
multilaterality
users
SNS providers
DP authorities
user groups
49
SNS providers
50
stakeholder artifacts
privacy policy
legally binding
socially constructed
defining roles & responsibilities
actively and collectively produced
exchanged & consumed
govern usage
50
method
51
template analysisanalyze textual data
codes to construct template
relationships between themes
51
SNS and TPA providers of interest
52
orkut myspace
playfish
zynga
52
overview of findings
- two coders
- total 68 codes in SNS PP, 43 in TPA PP
- 5 main themes (privacy concerns)
- personal information, data protection and policy definition
- user control of information
- user interactions and information
- advertisement and third parties
- internet safety, minors and underage users53
53
overview of findings
- two coders
- total 68 codes in SNS PP, 43 in TPA PP
- 5 main themes (privacy concerns)
- personal information, data protection and policy definition
- user control of information
- user interactions and information
- advertisement and third parties
- internet safety, minors and underage users54
54
55
privacy data protection
non-absolute
relational
contextual
opacity of the individual
procedural safeguards
accountability
transparency
55
privacy policy definition
56
PP
SNS Provideruser
data(user)
56
privacy policy definition
57
PP
SNS Provideruser
data(user)
TP1
TP2
TP3
TP4data(user)
data(user)
57
privacy policy definition
58
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
58
privacy policy definition
59
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
59
privacy policy definition
60
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
TP5
TP6
TP7
60
privacy policy definition
61
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
TP5
TP6
TP7
t0 t∞61
privacy is control over your personal information
62
personal informationin SNS
PII (USA)
personal information
(EU)(information theoretical/statistical)anonymity
62
privacy as control
63
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
TP5
TP6
TP7
63
privacy as control
64
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
64
privacy as control
65
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
data(user1)
data(user1)
65
privacy as control
66
PP
SNS ProviderUser1
data(user1)
66
privacy as control
67
PP
SNS ProviderUser1
content uploaded by
user
traffic data
67
SNS design
68
Relational Information
(RI)
Transitive Access Control
(TAC)
68
69
Relational Information
(RI)
information on SNS that is controlled by or related to many
69
70
P Rel Q
R
Controllers = {P,Q,R}
Relational Information
70
71
Transitive Access Control
(TAC)
topology based access control where profiles in vicinity co-determine access
71
72
alice’s friends of friends can access her information
Transitive Access Control
72
73
alice’s friends of friends can access her information
Transitive Access Control
73
74
alice’s friends of friends can access her information
Transitive Access Control
74
privacy policy definition
75
PP
SNS ProviderUser1
content uploaded by
user
traffic data
RI
TAC
user attributes
75
user control?
76
PP
SNS ProviderUser1
data(user1)
TP1
TP2
TP3
TP4
User2
User3 data(user1)
data(user1)
data(user1)
data(user1)
TP5
TP6
TP7
u
76
conclusions
- privacy concerns of SP:
- data protection compliance
- frame privacy as control (min. set of data)
- increase trust in providers
- paradox:
- sharing = collaborative (design supported) practice
- privacy = individual responsibility and control of information
77
77
compliance?
- DP success: (semi) transparency of data collection, processing and distribution practices
- DP fail: interpreted to the advantage of the service providers
- responsibilize the users
- false perception of control
- minimize accountability and transparency
- push responsibility to third parties (vice versa)78
78
personal data?- Definition of Personal Data does not address
- collaborative/relational information
- does not fit a matrix of personal data
- statistical inference
- surveillance: control populations by categorizing individuals and practicing social sorting (identification not necessary)
- no protection of anonymous data
- anonymous communications
- anonymized datasets
- consent -> identification -> increased surveillance -> endanger anonymity
79
79
future improvements- expand definition of personal information on SNS
- beware of relational information
- increase scope of “control”
- include traffic data, data from third parties, cookie use
- enable sharing of data that bypasses the SP
- beware: facebook has censored proponents of this vision
- avoid privacy policy jungle
- accountability and transparency
- better security and (transparent) access control
- demand collaborative privacy control
80
80
