Beyond Access Control: Managing Online Privacy via Exposure

We posit that access control, the dominant model for modeling and managing privacy in today’s online world, is fundamentally inadequate. First, with access control, users must a priori specify precisely who can or cannot access information by enumerating users, groups, or roles—a task that is difficult to get right. Second, access control fails to separate who can access information from who actually does, because it ignores the difficulty of finding information. Third, access control does not capture if and how a person who has access to some information redistributes that information. Fourth, access control fails to account for information that can be inferred from other, public information. We present exposure as an alternate model for information privacy; exposure captures the set of people expected to learn an item of information eventually. We believe the model takes an important step towards enabling users to model and control their privacy effectively.

[1]  Saikat Guha,et al.  NOYB: privacy in online social networks , 2008, WOSN '08.

[2]  Krishna P. Gummadi,et al.  Analyzing facebook privacy settings: user expectations vs. reality , 2011, IMC '11.

[3]  Flavio Figueiredo,et al.  The tube over time: characterizing popularity growth of youtube videos , 2011, WSDM '11.

[4]  Mark Zuckerberg,et al.  An Open Letter from Mark Zuckerberg , 2006 .

[5]  Bernardo A. Huberman,et al.  Predicting the popularity of online content , 2008, Commun. ACM.

[6]  D. Boyd Facebook's Privacy Trainwreck , 2008 .

[7]  Bobby Bhattacharjee,et al.  Persona: an online social network with user-defined privacy , 2009, SIGCOMM '09.

[8]  Louis D. Brandeis,et al.  The Right to Privacy , 1890 .

[9]  Cynthia M. Busin-Nicola Integrating the Universal Declaration of Human Rights Document in Management: Using the UDHR in Management , 2006 .

[10]  Brian D. Davison,et al.  Predicting popular messages in Twitter , 2011, WWW.

[11]  Michael S. Bernstein,et al.  Quantifying the invisible audience in social networks , 2013, CHI.

[12]  David J. Danelski,et al.  Privacy and Freedom , 1968 .

[13]  Tad Hogg,et al.  Using a model of social dynamics to predict popularity of news , 2010, WWW '10.

[14]  Cynthia Dwork,et al.  Differential Privacy , 2006, ICALP.

[15]  Lalana Kagal,et al.  Access Control is an Inadequate Framework for Privacy Protection , 2010 .

[16]  Balachander Krishnamurthy,et al.  Privacy and Online Social Networks: Can Colorless Green Ideas Sleep Furiously? , 2013, IEEE Security & Privacy.