An Access Control Model for Facebook-Style Social Network Systems

Recent years have seen unprecedented growth in the popularity of social network systems, with Facebook being an archetypical example. The access control paradigm behind the privacy preservation mechanism of Facebook is distinctly different from such existing access control paradigms as Discretionary Access Control, Role-Based Access Control, Capability Systems, and Trust Management Systems. This work takes a first step in deepening the understanding of this access control paradigm, by proposing an access control model that formalizes and generalizes the access control mechanism of Facebook. The model can be instantiated into a family of Facebook-style social network systems, each with a recognizably different access control mechanism, so that Facebook is but one instantiation of the model. We also demonstrate that the model can be instantiated to express policies that are not currently supported by Facebook, and yet these policies possess rich and natural social significance. Among these policies, we formally identify and characterize a special family of policies known as relational policies, which base their authorization decisions on the dynamic relationship between the resource owner and accessor. We believe the family of relational policies is a unique feature of social network systems. An executable encoding of this model has been developed to support experimentation with various instantiations of our access control model. This work thus delineates the design space of access control mechanisms for Facebook-style social network systems, and lays out a formal framework for policy analysis in these systems.
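To make the idea of a relational policy concrete, the following added example (not the paper's executable encoding) treats a policy as a predicate over the owner, the accessor and the current friendship graph, so the same request can be granted or denied as relationships change. The `SocialGraph` class, the policy names `only_me`, `within` and `common_friends`, and the `authorize` function are all assumptions made for illustration.

```python
from collections import deque

class SocialGraph:
    def __init__(self):
        self.adj = {}  # user -> set of friends (undirected, changes over time)

    def befriend(self, u, v):
        self.adj.setdefault(u, set()).add(v)
        self.adj.setdefault(v, set()).add(u)

    def unfriend(self, u, v):
        self.adj.get(u, set()).discard(v)
        self.adj.get(v, set()).discard(u)

    def friends(self, u):
        return self.adj.get(u, set())

    def distance(self, src, dst):
        """Hop count from src to dst by BFS, or None if unreachable."""
        seen, queue = {src}, deque([(src, 0)])
        while queue:
            node, d = queue.popleft()
            if node == dst:
                return d
            for nxt in self.friends(node) - seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
        return None

# Assumed shape: a policy is a predicate over (owner, accessor, graph).
def only_me(owner, accessor, graph):
    return owner == accessor

def within(k):
    def policy(owner, accessor, graph):
        # Accessor must be at most k friendship hops from the owner.
        d = graph.distance(owner, accessor)
        return d is not None and d <= k
    return policy

def common_friends(k):
    """Accessor must share at least k friends with the owner."""
    def policy(owner, accessor, graph):
        shared = graph.friends(owner) & graph.friends(accessor)
        return owner == accessor or len(shared) >= k
    return policy

def authorize(policies, owner, resource, accessor, graph):
    """Default deny: a resource with no policy is visible to its owner only."""
    return policies.get((owner, resource), only_me)(owner, accessor, graph)
```

Because each decision is computed from the graph at request time, removing a friendship edge revokes access without touching any per-resource list.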
