Recommendation Models for Open Authorization

Major online platforms such as Facebook, Google, and Twitter allow third-party applications such as games, and productivity applications access to user online private data. Such accesses must be authorized by users at installation time. The Open Authorization protocol (OAuth) was introduced as a secure and efficient method for authorizing third-party applications without releasing a user's access credentials. However, OAuth implementations don't provide the necessary fine-grained access control, nor any recommendations, i.e., which access control decisions are most appropriate. We propose an extension to the OAuth 2.0 authorization that enables the provisioning of fine-grained authorization recommendations to users when granting permissions to third-party applications. We propose a multicriteria recommendation model that utilizes application-based, user-based, and category-based collaborative filtering mechanisms. Our collaborative filtering mechanisms are based on previous user decisions, and application permission requests to enhance the privacy of the overall site's user population. We implemented our proposed OAuth extension as a browser extension that allows users to easily configure their privacy settings at application installation time, provides recommendations on requested privacy permissions, and collects data regarding user decisions. Our experiments on the collected data indicate that the proposed framework efficiently enhanced the user awareness and privacy related to third-party application authorizations.

[1]  Eugene Volokh,et al.  Personalization and privacy , 2000, CACM.

[2]  Alessandro Acquisti,et al.  Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook , 2006, Privacy Enhancing Technologies.

[3]  Taghi M. Khoshgoftaar,et al.  A Survey of Collaborative Filtering Techniques , 2009, Adv. Artif. Intell..

[4]  Alec Wolman,et al.  A Social Networking-Based Access Control Scheme for Personal Content , 2007 .

[5]  Mary-Anne Williams,et al.  Towards a comprehensive requirements architecture for privacy-aware social recommender systems , 2010, APCCM.

[6]  Elizabeth D. Mynatt,et al.  Challenges in supporting end-user privacy and security management with social navigation , 2009, SOUPS.

[7]  Heather Richter Lipford,et al.  The impact of social navigation on privacy policy configuration , 2010, SOUPS.

[8]  Alessandro Acquisti,et al.  Information revelation and privacy in online social networks , 2005, WPES '05.

[9]  Dick Hardt,et al.  The OAuth 2.0 Protocol , 2010 .

[10]  Evimaria Terzi,et al.  A Framework for Computing the Privacy Scores of Users in Online Social Networks , 2009, 2009 Ninth IEEE International Conference on Data Mining.

[11]  Bob Blakley,et al.  Access Control Requirements for LDAP , 2000, RFC.

[12]  Kristen LeFevre,et al.  Privacy wizards for social networking sites , 2010, WWW '10.

[13]  David A. Wagner,et al.  The Effectiveness of Application Permissions , 2011, WebApps.

[14]  Wang Bin,et al.  Open Identity Management Framework for SaaS Ecosystem , 2009, 2009 IEEE International Conference on e-Business Engineering.

[15]  Nahid Shahmehri,et al.  User help techniques for usable security , 2007, CHIMIT '07.

[16]  Jonathan L. Herlocker,et al.  Evaluating collaborative filtering recommender systems , 2004, TOIS.

[17]  Michael R. M. Jenkin,et al.  A plugin-based privacy scheme for World-Wide Web file distribution , 1998, Proceedings of the Thirty-First Hawaii International Conference on System Sciences.

[18]  John Riedl,et al.  GroupLens: an open architecture for collaborative filtering of netnews , 1994, CSCW '94.

[19]  Lorrie Faith Cranor,et al.  User-controllable learning of security and privacy policies , 2008, AISec '08.

[20]  Rob Johnson,et al.  More Content - Less Control: Access Control in the Web 2.0 , 2006 .

[21]  Gail-Joon Ahn,et al.  Beyond User-to-User Access Control for Online Social Networks , 2008, ICICS.

[22]  John Riedl,et al.  An algorithmic framework for performing collaborative filtering , 1999, SIGIR '99.

[23]  Naren Ramakrishnan,et al.  Privacy Risks in Recommender Systems , 2001, IEEE Internet Comput..

[24]  Paulo J. G. Lisboa,et al.  A probabilistic model for item-based recommender systems , 2007, RecSys '07.

[25]  Jonathan L. Herlocker,et al.  A collaborative filtering algorithm and evaluation metric that accurately model the user experience , 2004, SIGIR '04.

[26]  Yogesh Joshi,et al.  Mitigating man in the middle attack over secure sockets layer , 2009, 2009 IEEE International Conference on Internet Multimedia Services Architecture and Applications (IMSAA).

[27]  David Evans,et al.  Privacy Protection for Social Networking Platforms , 2008 .

[28]  Gail-Joon Ahn,et al.  Privacy-Enhanced User-Centric Identity Management , 2009, 2009 IEEE International Conference on Communications.

[29]  Wei-Guang Teng,et al.  Incorporating Multi-Criteria Ratings in Recommendation Systems , 2007, 2007 IEEE International Conference on Information Reuse and Integration.

[30]  Douglas B. Terry,et al.  Using collaborative filtering to weave an information tapestry , 1992, CACM.