Lockr: better privacy for social networks

Today's online social networking (OSN) sites do little to protect the privacy of their users' social networking information. Given the highly sensitive nature of the information these sites store, it is understandable that many users feel victimized and disempowered by OSN providers' terms of service. This paper presents Lockr, a system that improves the privacy of centralized and decentralized online content sharing systems. Lockr offers three significant privacy benefits to OSN users. First, it separates social networking content from all other functionality that OSNs provide. This decoupling lets users control their own social information: they can decide which OSN provider should store it, which third parties should have access to it, or they can even choose to manage it themselves. Such flexibility better accommodates OSN users' privacy needs and preferences. Second, Lockr ensures that digitally signed social relationships needed to access social data cannot be re-used by the OSN for unintended purposes. This feature drastically reduces the value to others of social content that users entrust to OSN providers. Finally, Lockr enables message encryption using a social relationship key. This key lets two strangers with a common friend verify their relationship without exposing it to others, a common privacy threat when sharing data in a decentralized scenario. This paper relates Lockr's design and implementation and shows how we integrate it with Flickr, a centralized OSN, and BitTorrent, a decentralized one. Our implementation demonstrates Lockr's critical primary benefits for privacy as well as its secondary benefits for simplifying site management and accelerating content delivery. These benefits were achieved with negligible performance cost and overhead.