A Privacy Preservation Model for Facebook-Style Social Network Systems.

Page 1

A Privacy Preservation Model for Facebook-Style
Social Network Systems
Philip W. L. Fong and Mohd Anwar
Department of Computer Science
University of Calgary
Calgary, Alberta, Canada
{pwlfong,manwar}@ucalgary.ca
Zhen Zhao
Department of Computer Science
University of Regina
Regina, Saskatchewan, Canada
zhao112z@uregina.ca
Abstract
Recent years have seen unprecedented growth in the popularity of social network systems, with Face-
book being an archetypical example. The access control paradigm behind the privacy preservation mech-
anism of Facebook is distinctly different from such existing access control paradigms as Discretionary
Access Control, Role-Based Access Control, Capability Systems, and Trust Management Systems. This
work takes a first step in deepening the understanding of this access control paradigm, by proposing an
access control model that formalizes and generalizes the privacy preservation mechanism of Facebook.
The model can be instantiated into a family of Facebook-style social network systems, each with a rec-
ognizably different access control mechanism, so that Facebook is but one instantiation of the model. We
also demonstrate that the model can be instantiated to express policies that are not currently supported
by Facebook but possess rich and natural social significance. This work thus delineates the design space
of privacy preservation mechanisms for Facebook-style social network systems, and lays out a formal
framework for policy analysis in these systems.
1
Recent years have seen unprecedented growth in the popularity of Social Network Systems (SNSs), with
stories concerning the privacy and security of such household names as Facebook and MySpace appearing
repeatedlyin mainstreammedia. Accordingto boydand Ellison[10], a“social networksite” ischaracterized
by three functions (our paraphrase): (1) these web applications allow users to construct public or semi-
public representation of themselves, usually known as user profiles, in a mediated environment; (2) such
a site provides formal means for users to articulate their relationships with other users (e.g., friend lists),
such that the formal articulation typically reflects existing social connections; (3) users may examine and
“traverse” the articulated relationships in order to explore the space of user profiles (i.e., social graph).
Identity representation, distributed relationship articulation, and traversal-driven access are thus the defining
characteristics of SNSs.
As a user profile contains a constructed representation of the underlying user, the latter must carefully
control what contents are visible to whom in her profile in order to preserve privacy. Many existing SNSs
offer access control mechanisms that are at best rudimentary, typically permitting coarse-grained, binary
visibility control. A pleasant exception is the sophisticated access control mechanism of Facebook. Not
only is the Facebook access control mechanism finer grained than many of its competitions, it also offers a
wide range of access control abstractions to articulate access control policies, notably abstractions that are
based on the topology of the social graph (e.g., the friends-of-friends policy, etc). Unfortunately, the richness
oftheaccesscontrolmechanismcomeswithaprice. Bybasingaccesscontrolontheever-changingtopology
of the social graph, which is co-constructed by all users of the system, authorization now involves a subtle
element of delegation [3, 9] in the midst of discretionary access control [15, 20]. This makes it difficult
Introduction
1

Page 2

for users to fully comprehend the privacy consequence of adjusting their privacy settings or befriending
other users. A three-pronged research agenda is thus needed to alleviate this problem: (a) understanding the
access control paradigm adopted by Facebook, by formally delineating the design space of access control
mechanisms induced by this paradigm, (b) articulating the security requirements of SNSs, by formalizing
the security properties that should be enforced by systems sharing the same access control paradigm as
Facebook, and (c) devising analytical tools to help users assess the privacy consequence of her actions,
an endeavor that traditionally belongs to the domain of safety analysis [16, 21, 28, 26], or, more recently,
security analysis [19, 20].
This work addresses challenge (a). In particular, this study has two objectives. First, we want to deepen
our understanding of the access control paradigm as adopted by Facebook by formally characterizing its
distinctiveness. Second, we want to generalize the Facebook access control mechanism, thereby mapping
out the design space of access control mechanisms that can potentially be deployed in similar SNSs. To these
ends, we have constructed an access control model that captures the access control paradigm of Facebook.
The model can be instantiated into a family of Facebook-style SNSs, each with a recognizably different
access control mechanism, so that Facebook is but one instantiation of the model. Our contributions are
threefold:
1. Our analysis led us to see the access control mechanism behind Facebook as a form of distributed
accesscontrol, suchthat(a)access ismediatedbycapability-likehandles, (b)policiesareintentionally
specified to support delegation, and (c) authorization decision is a function of an abstraction [14] of
the global protection state, namely, the social graph.
2. We formalized the above insight into a concrete access control model for delimiting the design space
of access control mechanisms in Facebook-style social network systems. We carefully constrained
the information that can be consumed by various elements of the authorization mechanism, so that
the only information accessible for the purpose of authorization are local communication history
and global acquaintance topology (to be explained in Sect. 3). We argue that Facebook is but one
instantiation of this model.
3. We demonstrated that the model can be properly instantiated to express a number of topology-based
and history-based access control policies that possess rich and natural social significance: e.g., degree
of separation, known quantity, clique, trusted referral, and staged acquaintance. The utility of such
policies in an information sharing setting is illustrated in a case study. We thus argue that the design
space induced by our access control model should be considered in future design of SNSs.
Thispaperisorganizedasfollows. Sect.2providesahighlevelanalysisoftheaccesscontrolmechanism
of Facebook, as well as highlights of its distinctiveness and possible generalization. Sect. 3 defines an access
control model that captures the above-mentioned distinctiveness and generalization. In Sect. 4, the model
is instantiated to mimic the access control mechanism of Facebook, as well as to produce access control
policies that are rich in social significance. A case study of modeling an e-learning system as an instantiation
of our access control model is provided in Sect. 5. Sect. 6 surveys related literature. Conclusions and future
work are given in Sect. 7.
2Access Control in Facebook and Beyond
2.1Access Control in Facebook
We provide here an informal analysis of the Facebook access control mechanism.
Profile and Profile Items
Facebook allows each user to construct a representation of herself in the form
of a profile. A profile displays such profile items as personal information (e.g., favorite books), multimedia
2

Page 3

contents (e.g., pictures), activity logs (e.g., status), or other user-authored contents (e.g., blog-like postings).
Facebook users may grant one another access to the profile items they own.
Search Listings and their Reachability
Access to profile items is authorized in two stages. In Stage
I, the accessing user must reach the search listing of the profile owner. Then in Stage II, the accessing
user requests access to the profile, and the profile items are selectively displayed. The search listing of a
user could be seen as a “capability” [11, 22] of the user in the system, through which access is mediated.
There are two means by which a profile may be reached in Stage I — global name search and social graph
traversal.
Global Name Search
The first means to reach a search listing is to conduct a global name search. A
successful search would produce for the accessing user the search listing of the target user. A user may
specify a search policy to allow only a subset of users to be able to reach her search listing through a global
name search.
Social Graph Traversal
A second means to reach a search listing is by traversing the social graph. Face-
book allows users to articulate their relationships with one another through the construction of friend lists.
Every user may list a set of other users as her friends. As friendship is an irreflexive, symmetric binary
relation, it induces a simple graph known as the social graph, in which users are nodes and relationships
are edges. A user may traverse this graph by examining the friend lists of other users. More specifically,
the friend list of a user is essentially the set of search listings of her friends. A user may restrict traversal
by specifying a traversal policy, which specifies the set of users who are allowed to examine her friend list
after her search listing is reached.
Profile Access
Once the search listing of a profile owner is reached, the accessing user may elect to access
the profile, thereby initiating Stage II of authorization. Whether the profile as a whole can be accessed is
dictated by another user-specified policy, the details of which we omit1. Not every accessing user sees the
same profile items when a profile is displayed. The owner may assign an access policy to each profile item,
dictating who can see that profile item when the profile is accessed. This is the means through which a user
may project different representations of herself to different groups of users.
Friendship Articulation and other Communication Primitives
sent protocol, whereby a user sends a friendship invitation to another user, who may then accept or ignore
the invitation. Once a mutual consent is reached, that friendship is recognized by Facebook.
Other than friendship invitation, Facebook also supports other communication primitives, such as mes-
saging, “poking”, etc. Common to all these primitives is that the search listing of the receiver must be
reached before the communication primitive can be initiated by the sender. A user can assign a communi-
cation policy to each communication primitive, specifying the set of users who are allowed to initiate that
communication primitive against her once her search listing is reached.
Policies
We have seen in the above discussion that various aspects of user activities are controlled by
user-specified policies (e.g., search policy, access policy, etc). This is typical of a discretionary access
control systems [15, 20], in which a user may grant access privileges to other users. Facebook offers a fixed
vocabulary of predefined policies for users to choose from when they are to identify sets of privileged users.
As in many capability systems, there is no global name space of users that can be used for the purpose of
identifying user sets [22]. Therefore, many of the predefined policies identify user sets indirectly in terms
of the topology of the social graph. For example, one may specify that a certain profile item is accessible
only by “friends”, or that messaging is only available to “friends of friends”.
Facebook also defines groups and networks of users so that policies can be formulated in terms of
these concepts. We deem user grouping a well-understood concept, and thus focus only on topology-based
Articulating friendship involves a con-
1This redundancy is an administrative convenience rather than an essential component of the access control paradigm.
3

Page 4

policies in the sequel.
2.2 Distinctiveness and Generalization
Distinctiveness
Compared with other access control paradigms, the access control paradigm of Facebook
is distinctive in at least three ways.
D1 Capability Mediation. The precondition of any access, be it the display of a user profile or the initiation
of communication, is the reachability of the search listing of the resource owner (Stage I). This causes
user search listings to acquire a role akin to a capability [11, 22]. However, unlike a pure capability
system, reachability is necessary but not sufficient for access. Stage-II authorization still consults
user-specified policies prior to granting access. Furthermore, Facebook would not be considered by
the object capability community to be a pure capability system due to the existence of global name
search, a source of ambient authority [22].
D2 Relation-Based Policies. Due to the lack of a global name space for accessible resources (a common
feature in capability systems [22]), privileged users are not specified in policies by names. Instead,
they are specified intensionally2as the set of users partaking in a certain relationship with the owner
of the resource (e.g., friends of friends). Consequently, privileges are not granted to an extensionally
specified set of users, as in the case of DAC [15, 20], nor to a centrally administrated set of roles, as
in the case of RBAC [27, 13]. Instead, privileges are granted with respect to an intentionally-specified
relation, the articulation of which is carried out in a distributed manner.
D3 Abstraction of Communication History. Facebook is a typical History-Based Access Control system
[29]. Authorization is a function of the history of communication among users (e.g., u invites v to
be a friend, v accepts the invitation, and then v is allowed to access resources owned by u). What
is special about Facebook is the kind of information that the user-specified policies are allowed to
consume. Specifically, the global communication history is abstracted, in the sense of Fong [14], into
a social graph, the topology of which becomes a basis of authorization decisions.
Perhaps the access control paradigm that is the most comparable to that of Facebook is Trust Manage-
ment Systems (TMSs) [4, 33]. To fix thoughts, we provide a comparison with the family of TMSs identified
by Weeks [33]. We note three points of comparison. First, Weeks’ TMSs support the formulation of inten-
tionally specified policies (aka licenses) to avoid the need of centralized identity management. In this respect
they share with Facebook a similar style of distributed access control (D2). Second, Facebook is completely
mediated, and thus search listing reachability (Stage I) is a precondition of authorization (D1). In contrast,
Weeks’ TMSs do not control the reachability of principals and their resources. Third, unlike a Weeks’
TMS, Facebook does not base its authorization decision on the exchange of certificates (aka authorizations).
Rather, the basis of authorization decision in Facebook is a social graph abstracted from the communication
history between users (D3). In our generalization below, this allows us to formulate topology-based policies
that have no analogue in Weeks’ TMSs.
Generalization
Facebook embodies the above paradigm of access control (D1–D3) by providing:
G1 a specific protocol for establishing acquaintance, and
G2 a specific family of relation-based policies for specifying privileged users.
In the following, we will present a formal model of access control for Facebook-style SNSs, capturing
the distinctive paradigm of authorization as identified in D1–D3, while allowing an arbitrary consenting
mechanism (G1) and policy vocabulary (G2) to be adopted. Therefore, such a model delineates the design
space of access control mechanisms embodying such a paradigm.
2An extensional definition specifies a concept by enumerating its instances (e.g., S = {0,1,2}). An intensional definition
specifies a concept by stating the characteristic property of its instances (e.g., S = {x ∈ N | x < 3}).
4

Page 5

3
Notations
We identify the two boolean values by 0 and 1. Given a set S, P(S) is the power set of S, Pk(S) is the set
of all size-k subsets of S, and, when S is finite, G(S) is the set of all simple graphs with S as the vertex
set (i.e., G(S) = {?S,E? | E ⊆ P2(V )}). We use the the standard λ-notation for constructing functions
[25]: i.e., (λx.e) is the anonymous function with formal parameter x and body expression e. For example,
(λx.x2) is a function that returns the square of a given number. We write S ? T for the set of all partial
functions with a subset of S as the domain and T as the codomain. Given f ∈ S ? T, s ∈ S, and t ∈ T,
we write f[s ?→ t] to denote the function (λx.if x = s then t else f(x)).
3.1 System
Our model defines a family of Facebook-style SNSs. Every member of the family represents a point in the
design space of access control mechanisms represented by our model.
3.1.1Basic Ontology
A SNS is made up of users and objects (aka profile items). Users are members of a finite set Sub. It is
assumed that every user owns the same types of objects (e.g., employment information, contact information,
etc). Object types are uniquely identified by object identifiers, which are members of a finite set Obj.
Consequently, given a user u ∈ Sub and an object identifier o ∈ Obj, we write u.o to denote the unique
type-o object owned by u. When v attempts to access u.o, we call v the accessor and u the owner. Our
goal is to model the authorization mechanism by which accessors are granted access to objects. Inspired
by Facebook, a SNS consumes two kinds of information in its authorization mechanism — communication
history and acquaintance topology.
3.1.2Communication History
Whether one user may access the objects owned by another user depends on their relationship with one
another, which in turn is induced by their history of communication. For example, the event of u inviting
v to be a friend, and the subsequent event of v accepting the invitation, turn u and v into friends. Such a
sequence of events affects if u and v may access the objects of one another. We postulate that a SNS tracks
the communication history between every pair of users, and bases authorization decisions on this history.
To formalize the above intuition, we postulate that associated with every SNS is a fixed set Σ of com-
munication primitives (e.g., friendship invitation, acceptance of invitation, etc). A communication event
occurs when one user initiates a communication primitive and address it to another user.
For the ease of addressing users in the following discussion, we assume that the set of users is totally
ordered by ≺. For each pair of users {u,v}, we define an identification function ι{u,v}: {u,v} → B to be
(λx.x = max≺(u,v)), where max≺returns the greater of its two arguments based on the ordering ≺. In
other words, the identification function gives a unique Boolean identifier to each of u and v within the pair.
The inverse ι−1
v, a communication event is a member of the set B ×Σ, such that the ordered pair (b,a) uniquely identifies
the initiator to be ι−1
Not all communication event sequences are allowed by the SNS. For example, it makes no sense for v
to accept a friendship invitation from u when no such invitation has been extended. Built into each SNS is
a communication protocol, which constrains the set of event sequences that can be generated at run time.
A SNS must ensure that this protocol is honored, and at the same time track communication history for the
purpose of authorization. To address both needs, we adopt a minor variant of the security automaton [29] to
model the communication protocol between user pairs, as well as to track communication history. We reuse
the notational convention in [14]. A communication automaton (CA) is a quadruple M = ?Σ,Γ,γ0,δ?,
where
An Access Control Model of Social Network Systems
We write N and B to denote respectively the set of natural numbers and that of boolean values.
{u,v}translates Boolean identifiers back to the users they represent. Given a pair of users u and
{u,v}(b) and the communication primitive to be a.
5