Privacy Policies for Social Networks - A Formal Approach
Doctoral thesis, 2017

Online Social Networks (OSNs) are ubiquitous, with more than 70% of Internet users being part of them. The pervasive nature of OSNs brings many threats and challenges, privacy being one of them. Very often the available privacy protection mechanisms in OSNs do not meet users' requirements. This results in users who are unable to define privacy settings (also known as privacy policies) that meet their expectations. Furthermore, current privacy settings are difficult to understand, which leads users to share their personal information with more people than they actually intend to. In this thesis we explore novel techniques to protect users' privacy in OSNs. On the one hand, we define a formal framework to write privacy policies in OSNs and to reason about them. We use this framework to define and study current and new types of privacy policies that are not present in today's OSNs. In particular, we look into: i) protection against implicit disclosure of information, e.g., a user sharing someone else's information without her consent; and ii) evolving privacy policies, i.e., privacy policies that change over time, e.g., "my supervisor cannot see my location during the weekend". These formalisms also provide a direct enforcement mechanism for these new types of privacy policies. We have developed a proof-of-concept implementation of the enforcement to show the practicality of our technique. We formally prove that this enforcement is correct, i.e., no privacy violations may occur. On the other hand, we look into the problem of embedding privacy policies into the data. Having policies and data as separate entities is prone to consistency issues. It might happen that the data is accessed by individuals who should not have access to it because the access policy is outdated or simply missing. This issue is particularly important in OSNs as they normally rely on geographically distributed databases or have a distributed architecture.
Concretely, we use Attribute-Based Encryption (ABE) to "attach" privacy policies to pictures.

online social networks

formal methods

epistemic logic

privacy

GD salen
Opponent: Daniel Le Métayer, INRIA, Lyon, France

Author

Raul Pardo Jimenez

Formal methods

A Formal Privacy Policy Framework for Social Networks

Lecture Notes in Computer Science, Vol. 8702 (2014), p. 378-392

Paper in proceedings

Specification of Evolving Privacy Policies for Online Social Networks

Proceedings 23rd International Symposium on Temporal Representation and Reasoning - Time 2016 (2016), p. 70-79

Paper in proceedings

An automata-based approach to evolving privacy policies for social networks

Lecture Notes in Computer Science, Vol. 10012 (2016), p. 285-301

Paper in proceedings

Secure photo sharing in social networks

IFIP Advances in Information and Communication Technology, Vol. 502 (2017), p. 79-92

Paper in proceedings

Formalising privacy policies in social networks

Journal of Logical and Algebraic Methods in Programming, Vol. 90 (2017), p. 125-157

Journal article

Model checking social network models

Electronic Proceedings in Theoretical Computer Science, EPTCS, Vol. 256 (2017), p. 238-252

Paper in proceedings

Raúl Pardo, César Sánchez and Gerardo Schneider. Timed Epistemic Knowledge Bases for Social Networks

Online Social Networks (OSNs) such as Facebook, Twitter or Instagram connect millions of people every day. OSN users share mostly personal information, for instance, pictures, locations, relationship status, political views and so forth. Sharing this information with the wrong audience, or misusing it, are examples of privacy issues that may have negative consequences and affect the personal lives of the users. Developing the means for people to share information in a private manner is a difficult task. OSNs are very complex systems which are continuously evolving. Moreover, the current privacy protection mechanisms are too simple, and fail to provide OSN users with the tools to control their personal information. As a result, privacy breaches in OSNs occur on a regular basis. This thesis proposes novel techniques to offer users more control over the information they share in OSNs. Using our approach users can define who can access their information, as opposed to the current approach where the user who shares the information defines who can see it. We explore new dimensions such as time, which permits OSN users to express when the information is accessible. Our work has been developed using formal techniques, which makes it possible to mathematically prove that no privacy violations can occur.

Subject Categories

Computer Science

ISBN

978-91-7597-631-0

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 4312

Publisher

Chalmers University of Technology
