Abstract
Online Social Networks (OSNs) are ubiquitous, with more than 70 % of Internet users being active users of such networking services. This widespread use of OSNs brings with it big threats and challenges, privacy being one of them. Most OSNs today offer a limited set of (static) privacy settings and do not allow for the definition, even less enforcement, of more dynamic privacy policies. In this paper we are concerned with the specification and enforcement of dynamic (and recurrent) privacy policies that are activated or deactivated by context (events). In particular, we present a novel formalism of policy automata, transition systems where privacy policies may be defined per state. We further propose an approach based on runtime verification techniques to define and enforce such policies. We provide a proof-of-concept implementation for the distributed social network Diaspora, using the runtime verification tool Larva to synthesise enforcement monitors.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
In the rest of the paper we take SPL to be the set of well-formed policy formulae of the static policy language.
- 2.
When we draw a policy automaton, transitions for events that are not explicitly drawn are assumed to be reflexive.
- 3.
We present these semantics in terms of general configurations, rather than the automata states, since we envisage the extension of the automata to handle local symbolic state, requiring a richer configuration but still in line with the definitions given in this paper.
- 4.
The supra-index over events represent the number of occurrences of the event, so \(\textit{my-location}^3\) represent the sequence of events \(\textit{my-location}; \textit{my-location}; \textit{my-location}\).
- 5.
Diaspora* does not support tagging users in pictures.
References
Alexa-ranking. http://www.alexa.com/topsites. Accessed 11 May 2016
Ben-Zvi, I., Moses, Y.: Agent-time epistemics and coordination. In: Lodaya, K. (ed.) Logic and Its Applications. LNCS, vol. 7750, pp. 97–108. Springer, Heidelberg (2013)
Harvard student loses Facebook internship after pointing out privacy flaws. http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/. Accessed 11 May 2016
Colombo, C., Pace, G.J., Schneider, G.: Dynamic event-based runtime monitoring of real-time and contextual properties. In: Cofer, D., Fantechi, A. (eds.) FMICS 2008. LNCS, vol. 5596, pp. 135–149. Springer, Heidelberg (2009)
Colombo, C., Pace, G.J., Schneider, G.: LARVA -a tool for runtime monitoring of Java programs. In: 7th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2009), pp. 33–37. IEEE Computer Society (2009)
Diaspora*. https://diasporafoundation.org/. Accessed 11 May 2016
Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning about Knowledge, vol. 4. MIT Press, Cambridge (2003)
Diaspora*. Test pod: https://ppf-diaspora.raulpardo.org, Code: https://github.com/raulpardo/ppf-diaspora (2016)
Guernic, G.L.: Automaton-based confidentiality monitoring of concurrent programs. In: 20th IEEE Computer Security Foundations Symposium (CSF 2007), pp. 218–232 (2007)
Johnson, M., Egelman, S., Bellovin, S.M.: Facebook and privacy: it’s complicated. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 9:1–9:15. ACM, New York (2012)
Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77505-8_7
Lenhart, A., Purcell, K., Smith, A., Zickuhr, K.: Social media & mobile internet use among teens and young adults. Pew Internet & American Life Project (2010)
Ligatti, J., Bauer, L., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4, 2–16 (2005)
Liu, Y., Gummadi, K.P., Krishnamurthy, B., Mislove, A.: Analyzing Facebook privacy settings: user expectations vs. reality. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 61–70. ACM (2011)
Madejski, M., Johnson, M., Bellovin, S.: A study of privacy settings errors in an online social network. In: IEEE International Conference on Pervasive Computing and Communication Workshops (PERCOM Workshops 2012), pp. 340–345 (2012)
Madejski, M., Johnson, M.L., Bellovin, S.M.: The failure of online social network privacy settings. Columbia University Computer Science Technical Reports (2011)
Pardo, R.: Formalising privacy policies for social networks. Licentiate thesis, Department of Computer Science and Engineering, Chalmers University of Technology, p. 102 (2015)
Pardo, R., Schneider, G.: A formal privacy policy framework for social networks. In: Giannakopoulou, D., Salaün, G. (eds.) SEFM 2014. LNCS, vol. 8702, pp. 378–392. Springer, Heidelberg (2014)
Riesner, M., Netter, M., Pernul, G.: An analysis of implemented and desirable settings for identity management on social networking sites. In: 2012 Seventh International Conference on Availability, Reliability and Security (ARES), pp. 103–112, August 2012
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J.A., Sussman, G.J.: Information accountability. Commun. ACM 51(6), 82–87 (2008)
Woźna, B., Lomuscio, A.: A logic for knowledge, correctness, and real time. In: Leite, J., Torroni, P. (eds.) CLIMA 2004. LNCS (LNAI), vol. 3487, pp. 1–15. Springer, Heidelberg (2005). doi:10.1007/11533092_1
Acknowledgements
This research has been supported by: the Swedish funding agency SSF under the grant Data Driven Secure Business Intelligence, the Swedish Research Council (Vetenskapsrådet) under grant Nr. 2015-04154 (PolUser: Rich User-Controlled Privacy Policies), the European ICT COST Action IC1402 (Runtime Verification beyond Monitoring (ARVI)), and the University of Malta Research Fund CPSRP07-16.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Pardo, R., Colombo, C., Pace, G.J., Schneider, G. (2016). An Automata-Based Approach to Evolving Privacy Policies for Social Networks. In: Falcone, Y., Sánchez, C. (eds) Runtime Verification. RV 2016. Lecture Notes in Computer Science(), vol 10012. Springer, Cham. https://doi.org/10.1007/978-3-319-46982-9_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-46982-9_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46981-2
Online ISBN: 978-3-319-46982-9
eBook Packages: Computer ScienceComputer Science (R0)