Patronus: Augmented Privacy Protection for Resource Publication in On-line Social Networks

Lin Zhang, Yao Guo, Xiangqun Chen
Key Laboratory of High-Confidence Software Technologies (Ministry of Education), School of Electronics Engineering and Computer Science, Peking University, Beijing, China
{zhanglin08, yaoguo, cherry}@sei.pku.edu.cn

Abstract—With the popularity of on-line social networks and the wide spread of smart phones, it is becoming more and more frequent and convenient for individuals to share resources, such as status, micro-blogs, blogs, photos, videos, and so on, with their friends over on-line social networks. Since an on-line resource might involve several users at the same time, it is far from enough to protect the privacy of users with the simple group-based access control model (GBAC), in which only the privacy requirements of the resource owner are considered. In order to provide augmented privacy protection for resource publication in on-line social networks, this paper proposes the concept of resource involvers and a new access model named Patronus, in which the privacy requirements of the resource owner and its corresponding involvers are both taken into consideration. In Patronus, we employ a simplistic specification based on the format of "when-where-who-what" to describe a resource and the privacy requirements of an individual user. We implemented a prototype application based on Patronus for photo sharing on Android, and demonstrated its feasibility and effectiveness with several case studies.

Keywords-on-line social networks; privacy; resource owner and resource involvers

I. INTRODUCTION

On-line social networks are playing an important role in our daily lives in modern society. Individual users provide plenty of personal information items in their profiles, such as name, gender, age, birthday, email address, phone number, current university/company, political views and so on.
Since some of these items are sensitive, access control is widely employed in order to protect the privacy of users. Generally speaking, each user can classify his/her friends into groups (a typical classification could be close-friends, friends, classmates, schoolmates, colleagues and acquaintances), and then assign different permissions to different groups for different information items.

In addition to personal information items, individuals also post resources in on-line social networks, such as status, micro-blogs, blogs, photos, videos and so on, to share with their friends. Sensitive information might be inferred by taking advantage of a certain resource or of several resources together. An article in the Hong Kong Economic Times of September 26th, 2011 listed a series of case studies about privacy leakages caused by resource publication on the website of Facebook. We summarized these case studies and propose the following scenario as our motivating example.

In a singles party, Alice took a picture of Lucy, Kate and Bob when they clinked glasses, and uploaded this photo to her Facebook homepage to share with her friends. Unfortunately, Lucy did not want others to know about her attendance at this party. In this circumstance, the privacy requirements of Alice, who is the owner of the photo, could be preserved as usual; but the privacy requirements of Lucy were not satisfied, since she did not have control over the photo publication. To address this problem, we introduce the concept of resource involvers, and take the privacy requirements of resource involvers into consideration for resource publication in on-line social networks.

In order to satisfy the privacy requirements of both the resource owner and the resource involvers, the following questions need to be answered:
• How to identify the involvers with a certain resource?
• How does an involver specify his/her privacy requirements?
• How do we enforce the privacy requirements of the resource owner as well as resource involvers?

In this paper, we propose a new access model named Patronus for resource publication in on-line social networks. As we know, the 4A theory in on-line social networks indicates that anyone can post anything at any time in any place, so that we can describe a certain resource in the format of "who-what-when-where". Users can also specify their privacy requirements in the same format to indicate what kinds of resources are allowed or disallowed to be published in on-line social networks. We implemented a prototype of Patronus for photo sharing on Android, and demonstrated its feasibility and effectiveness with several case studies.

This paper makes the following main contributions:
• We introduce the concept of resource involvers to enlarge the traditional scope of privacy protection.
• We propose a new access model named Patronus to organize the roles, the resource involvers and the privacy policies together in order to provide better privacy protection for resource publication in on-line social networks.
• In order to demonstrate the applicability of Patronus, we implemented a prototype application for photo sharing on Android.

2013 IEEE Seventh International Symposium on Service-Oriented System Engineering. 978-0-7695-4944-6/12 $26.00 © 2012 IEEE. DOI 10.1109/SOSE.2013.14

The rest of this paper is organized as follows. We present the background information and our motivation in Section I. The Patronus model is described in Section II. In Section III, we present the design and implementation of the prototype application for photo publication on Android. Case studies are provided in Section IV. Related works are reviewed in Section V. Finally, we conclude our work in Section VI.

[Figure 1. The Patronus Model. Elements shown: Object, Owner, Features, Privacy Policies, Publication Policies, Roles, Involvers.]

II. THE PATRONUS MODEL

As we have demonstrated in Section I, it is far from enough to protect the privacy of users for resource publication in on-line social networks by employing the simple group-based access control model. In this paper, we introduce the concept of resource involvers, design a new format of privacy policies for users to specify their privacy requirements, and propose the Patronus model for resource publication in on-line social networks as shown in Figure 1.

A. Object and Features

The object refers to a certain resource which is going to be published over on-line social networks. It can be a text message, an image, a video or a mixture of the above three. For example, an album which is shared over on-line social networks might include tens of images and several short descriptions; and there might be several photos or even videos as supporting materials in a blog, in addition to the body of the text.

The features describe the type of the object and the content of the object. There are four types in the Patronus model: TXT, IMG, VDO and MIX. The contents of each object can be extracted and summarized with four keywords, which are WHEN, WHERE, WHO, and WHAT.

Take a photo as an example. Its type should be set as IMG, and it contains the following content:
• WHEN: the time when this photo was taken
• WHERE: the place where this photo was shot
• WHO: the persons in the photo
• WHAT: what the persons are doing (e.g. drinking, swimming, running, working, playing and so on)

The features of Alice's photo in our motivating scenario can be represented as in Figure 2.

[Figure 2. The Patronus Model Instance for the Motivating Scenario. Object: Photo; Owner: Alice; Features: TYPE:IMG, WHEN:NIGHT, WHERE:ENTERTAINMENT, WHO:GROUP, WHAT:DRINKING; Roles: Friends, Strangers; Involvers: Lucy, Kate, Bob.]

B. Subjects

1) Owner: In the Patronus model, the owner refers to the user who has control during the publication of the object, instead of the original creator of the object. For example, a wedding video might be recorded by a professional photographer, and then released by the bride over on-line social networks to enjoy together with her friends. In this case, the photographer is the original generator of the video, but the bride is the owner of the video in our definition.

2) Roles and Involvers: The involvers of an object refer to the persons whose names are mentioned in the body of the text, or whose faces can be detected and recognized in the image/video. They are classified into different categories, and linked with the object in different roles.

As in our motivating scenario, the involvers of the photo are Lucy, Kate, and Bob. They are classified into two categories: Friends and Strangers. Lucy and Kate are Friends, and Bob is a stranger, as shown in Figure 2.

C. Policies

There are two kinds of policies in our Patronus model: privacy policies and publication policies. Publication policies, which indicate the available on-line social networks and proper access control lists, are calculated and generated from the corresponding privacy policies. Privacy policies are used to express the privacy preferences of the owner/involvers for social data publication, which include the following aspects:
• What kinds of social data are allowed to be published online?
• What kinds of social data should be blocked?
• Which on-line social networks are preferred?
• Which on-line social networks should be avoided?
• What kinds of access control lists should be set? Private, Public, or accessible only by a certain crowd, such as classmates, co-workers, friends, 2-degree friends and so on?
• Do they intend to protect the privacy of all the involvers, or just their friends, close friends, or even none of them?
In order to express the above information clearly and regularly, and to make further calculation and evaluation easier, privacy policies are formatted as follows:
• POLICIES → kindness ! policies
• kindness → NONE|CLOSEFRIENDS|FRIENDS|ALL
• policies → policy ; policies | ε
• policy → to : { rules }
• to → TWITTER|PICASA|FACEBOOK
• rules → item , rules | ε
• item → < label : value >
• label → TYPE|TXT|IMG|VDO|MIX|WHEN|DAY|NIGHT|WHERE|HOME|OFFICE|ENTERTAINMENT|WHO|SINGLE|GROUP|WHAT|DRINKING|CRYING|OTHERS|LEVEL|PRIVATE|PUBLIC|FRIENDS
• value → ON|OFF| { rules }

The following is a simple policy instance:

    FRIENDS!
    TWITTER:{<TYPE:{<IMG:OFF>,<VDO:OFF>,<MIX:OFF>}>,<LEVEL:{<PUBLIC:ON>}>};
    PICASA:{<TYPE:{<TXT:OFF>,<VDO:OFF>,<MIX:OFF>}>,<LEVEL:{<PUBLIC:OFF>,<FRIENDS:OFF>,<PRIVATE:ON>}>};
    FACEBOOK:{<TYPE:{<VDO:OFF>,<MIX:OFF>}>,<WHEN:{<NIGHT:OFF>}>,<WHERE:{<HOME:OFF>,<OFFICE:OFF>}>,<WHO:{<SINGLE:OFF>}>,<WHAT:{<DRINKING:OFF>,<CRYING:OFF>}>,<LEVEL:{<PUBLIC:OFF>,<FRIENDS:ON>}>};

which indicates that:
• As the owner of an object, he/she only wishes to protect the privacy of his/her friends among the involvers who are related with his/her object;
• As an involver of an object, he/she declares that only text messages are allowed to be published on the website of Twitter, and the corresponding access control lists are recommended as public;
• Only photos are agreed to be published on Picasa, and the corresponding access control lists should be set as private;
• On the website of Facebook, both text messages and photos can be shared with friends; however, the following requirements should be satisfied simultaneously:
  – It didn't happen at night.
  – It didn't happen at home or in the office.
  – The subject is not the only one who is involved with the object.
  – The subject was not drinking or crying.
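As an added illustration (not code from the paper or its Android prototype), the following Python example parses the policy format above and checks a photo's features against the sample policy. The function names, the dict layout, and the rules that an unlisted label counts as allowed and that each feature category maps to a nested rule set are assumptions made for this example.

```python
import re

# Policy instance from the section above, written with balanced braces.
POLICY = """FRIENDS!
TWITTER:{<TYPE:{<IMG:OFF>,<VDO:OFF>,<MIX:OFF>}>,<LEVEL:{<PUBLIC:ON>}>};
PICASA:{<TYPE:{<TXT:OFF>,<VDO:OFF>,<MIX:OFF>}>,<LEVEL:{<PUBLIC:OFF>,<FRIENDS:OFF>,<PRIVATE:ON>}>};
FACEBOOK:{<TYPE:{<VDO:OFF>,<MIX:OFF>}>,<WHEN:{<NIGHT:OFF>}>,
          <WHERE:{<HOME:OFF>,<OFFICE:OFF>}>,<WHO:{<SINGLE:OFF>}>,
          <WHAT:{<DRINKING:OFF>,<CRYING:OFF>}>,<LEVEL:{<PUBLIC:OFF>,<FRIENDS:ON>}>};"""
# Features of Alice's photo in the motivating scenario (Figure 2).
ALICE_PHOTO = {"TYPE": "IMG", "WHEN": "NIGHT", "WHERE": "ENTERTAINMENT",
               "WHO": "GROUP", "WHAT": "DRINKING"}


def parse_policy(text):
    """Parse `kindness ! (network : { rules } ;)*` into nested dicts."""
    toks = re.findall(r"[A-Z]+|[{}<>:,;!]", text)
    if "".join(toks) != "".join(text.split()):
        raise ValueError("unexpected characters in policy")
    toks.append("")  # end marker: never matches, so truncated input is rejected
    pos = 0

    def take(expected=None):  # None means "any upper-case word"
        nonlocal pos
        tok = toks[pos]
        if not (tok.isalpha() if expected is None else tok == expected):
            raise ValueError(f"unexpected {tok!r} at token {pos}")
        pos += 1
        return tok

    def rules():
        out = {}
        take("{")
        while toks[pos] != "}":
            take("<")
            label = take()
            take(":")
            out[label] = rules() if toks[pos] == "{" else take()
            take(">")
            if toks[pos] != "}":
                take(",")  # items are comma-separated
        take("}")
        return out

    policy = {"kindness": take(), "networks": {}}
    take("!")
    while toks[pos]:
        network = take()
        take(":")
        policy["networks"][network] = rules()
        take(";")
    return policy


def evaluate(policy, features):
    """Map each network that does not block `features` to its LEVEL labels set ON."""
    allowed = {}
    for net, rules in policy["networks"].items():
        if not any(rules.get(c, {}).get(v) == "OFF" for c, v in features.items()):
            allowed[net] = sorted(k for k, v in rules.get("LEVEL", {}).items() if v == "ON")
    return allowed
```

Calling evaluate(parse_policy(POLICY), ALICE_PHOTO) returns {'PICASA': ['PRIVATE']}: images are switched off for Twitter and the night-time rule blocks Facebook, so an involver holding this policy would accept the photo only on Picasa with a private access control list.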
III. PROTOTYPE DESIGN AND IMPLEMENTATION

In the mobile computing world with various mobile devices such as smartphones and tablets, it is becoming much more convenient for individuals to generate various kinds of resources, and share them with their friends over on-line social networks.

As smart phones can be expected to become the major platform for resource publication in the near future, we chose the Android platform to implement a prototype based on Patronus for photo publication. The prototype runs on HTC Magic smartphones with the Android 2.3 platform, with the MSM7200A 528MHz processor, 288MB RAM and 512MB ROM. The implementation of the prototype is shown in Figure 3.

[Figure 3. The Prototype Implementation of Patronus on Android. Components shown on the Owner side and the Involvers side: Features Extractor, Features, Policies data, Policy Evaluator, Decision Center; numbered steps 1 to 11.]

A typical process in the prototype works as follows. As soon as a photo is taken, its features are extracted and stored locally. The corresponding involvers are then identified. When the photo is intended to be published on-line, its features are transferred to the involvers for privacy violation detection. The publication process will succeed if all permissions from the involvers are collected; otherwise, the process will be terminated automatically and the owner will be notified with a privacy violation warning.

A. Feature Extractor

As indicated in Section II, there are five essential features associated with a specific piece of social data, which are TYPE, WHEN, WHERE, WHO, and WHAT. The TYPE of the object is fixed as IMG in our prototype for privacy-preserving photo publication. The other four features are gathered by the Feature Extractor.
WHEN: It indicates the time at which the photo is taken. Corresponding to the two terminals in our Patronus model, DAY and NIGHT, we define the time interval from 8:00 AM to 9:00 PM as DAY, and the opposite time interval from 9:00 PM to 8:00 AM as NIGHT.

WHERE: It indicates the location at which the photo is taken. With the built-in GPS module on smartphones, latitude and longitude information can be collected. We extracted the corresponding information from the exif part of a JPG photo [1].

WHO: In the Patronus model, there are two labels corresponding to the WHO feature: SINGLE and GROUP. The values of these two labels can be simply defined based on the results of face detection. Moreover, face recognition should also be applied in order to identify the corresponding involvers for further use.

WHAT: In the Patronus model, it is attached to two labels: DRINKING and CRYING. There are also some other events, such as running, jumping, swimming, singing, dancing, working, playing and so on. Additional labels can be added if necessary. But in our prototype, we assume that one might not wish photos in which he or she is drinking or crying to be published over on-line social networks, thus these two labels are enough. The value of WHAT is provided by the user manually.

The privacy policies of the user are also collected:

TO: It indicates which on-line social networks are preferred by the user. In the Patronus model, there are three corresponding labels: FACEBOOK, PICASA and TWITTER. Users can choose them according to their preferences.

LEVEL: It indicates the access control lists which will be set if the photo is published on a certain on-line social network. In the Patronus model, there are three corresponding labels: PRIVATE, PUBLIC and FRIENDS. Users can turn on/off different levels in their policies.

By employing the underlying services of the system time and GPS, the values of WHEN and WHERE can be generated, respectively.
The values of WHAT and TO are set by the photo owner manually. According to the values of TO, the corresponding values of LEVEL are retrieved from the policies predefined by the user. The OpenCV tool for Android is employed for the WHO-values generation and involvers identification.

B. Communicator, Policy Evaluator, and Decision Center

As a daemon activity, the Communicator provides the following three functions: Features Sending and Receiving, Policies Sending and Receiving, and Responds Collecting. In our current implementation, features and policies are transferred in text messages. There is a keyword PATRONUS at the beginning of messages automatically generated by the prototype, so that these messages can be filtered and redirected to the Communicator without disturbing the user.

The Policy Evaluator calculates the feature information received from the Communicator, and the Decision Center checks the calculated result for violations and generates publication policies, which indicate whether or not a certain photo is allowed to be published online. Better choices of on-line social networks and the corresponding privacy level are suggested at the same time.

[1] For privacy concerns, location service is usually recommended to be turned off so that no location information can be associated with the photos taken by digital cameras or smart phones. However, only the privacy of the resource owner is considered and respected in such circumstances. In our prototype, since the location information of a photo is very important for involvers to determine whether or not the corresponding photo should be blocked, we turn on the location service by default.

[Figure 4. The Social Relationship Graph. Nodes F_A, F_B, F_C and F_D; edges labelled CloseFriends or Friends.]

IV. CASE STUDIES

We use 8 persons in our experiment. We assume that four of them are familiar with each other, and their head icons have already been pre-stored on their smartphones. The other four persons are considered as Strangers.
The Familiars are indexed as F_A, F_B, F_C, and F_D. The social relationship between them is shown in Figure 4. The Strangers are indexed as S_A, S_B, S_C, and S_D.

We prepared a 300-contact address book for each person in our experiment. Only one-third of the contacts are edited with head icons. Among these 100 contacts, half are marked as Friends, and half of those friends are declared as CloseFriends.

We prepared 16 photos, which can be classified into four categories: with no strangers in the photo, with only one stranger in the photo, with two strangers in the photo, and with no familiars in the photo. The photos are shown in Figure 5.

A. Privacy Policies of the Familiars

As the owner of an object, F_A would like to protect the privacy of all the involvers who are related with his/her object. As an involver of an object, F_A declares that only photos which were not taken at night can be published on the social networks, including Twitter, Picasa and Facebook. Photos which were posted on Twitter or Picasa can be shared with anyone, but photos on Facebook can only be shared with friends.

As the owner of an object, F_B would like to protect the privacy of his/her friends who are related with his/her object. As an involver of an object, F_B declares that only photos which were not taken in the office can be published on