Privacy Policies for Social Networks - A Formal Approach
Doctoral thesis, 2017
Online Social Networks (OSNs) are ubiquitous, with more than 70% of Internet users being part of them. The pervasive nature of OSNs brings many threats and challenges, privacy being one of them. Very often the available privacy protection mechanisms in OSNs do not meet users' requirements. As a result, users are unable to define privacy settings (also known as privacy policies) that meet their expectations. Furthermore, current privacy settings are difficult to understand, which leads users to share their personal information with more people than they actually intend to. In this thesis we explore novel techniques to protect users' privacy in OSNs.
On the one hand, we define a formal framework to write privacy policies in OSNs and to reason about them. We use this framework to define and study current and new types of privacy policies that are not present in today's OSNs. In particular, we look into: i) protection against implicit disclosure of information, e.g., a user sharing someone else's information without her consent; and ii) evolving privacy policies, i.e., privacy policies that change over time, e.g., "my supervisor cannot see my location during the weekend". These formalisms also provide a direct enforcement mechanism for these new types of privacy policies. We have developed a proof-of-concept implementation of the enforcement to show the practicality of our technique. We formally prove that this enforcement is correct, i.e., no privacy violations may occur.
On the other hand, we look into the problem of embedding privacy policies into the data. Having policies and data as separate entities is prone to consistency issues: data may be accessed by individuals who should not have access to it because the access policy is outdated or simply missing. This issue is particularly important in OSNs as they normally rely on geographically distributed databases or have a distributed architecture. Concretely, we use Attribute-Based Encryption (ABE) to "attach" privacy policies to pictures.
online social networks