unFriendly - PowerPoint Presentation

Slide1

unFriendly: Multi-Party Privacy Risks in Social Networks

Kurt Thomas, Chris Grier,

David M.

NicolSlide2

Problem

Social networks propelled by personal content

Upload stories, photos; disclose relationships

Access control limited to ownersContent can reference multiple partiesDistinct privacy requirements for each partyCurrently, only one policy enforcedFriends, family inadvertently leak sensitive information

2Slide3

Consequences

One photo or message leaked may be harmless..

Aggregate stories, friends, photos form a composite

Can infer personal data from these public referencesWeighted by perceived importance of relationshipsIn practice, can predict personal attributes with up to 83% accuracyDirectly tied to amount, richness of exposed dataI

ndependent of existing privacy controls

3Slide4

Solution

Adapt privacy controls:

Grant users control over all personal references, regardless where it appears

Includes tags, mentions, linksAllow users to specify global privacy settingsPrototype solution as a Facebook applicationSatisfies privacy requirements of all users referenced

Determines mutually acceptable audience; restricts access to everyone else

4Slide5

Overview

Existing privacy controls

Sources of conflicting requirements

Inferring personal details from leaksInference performanceDevising a solutionConclusion5Slide6

Existing Controls

Everyone

Friends of Friends

Only Friends

Friend

List



Wall Posts



Personal Details



Photos, Videos



6Slide7

Privacy Conflict

Social networks recognize only one owner

But data can pertain to multiple users

Each user has potentially distinct privacy requirementPrivacy Conflict:When two or more users disagree on data’s audienceResults in data exposed against a user’s will7Slide8

Privacy Conflict – Friendships

Privacy

Requirement:

Hide sensitive relationshipsPrivacy Conflict: Alice reveals her friendsLink between Alice-Bob revealed by Alice

8Slide9

Privacy Conflict – Wall Posts

Privacy Requirement:

Control audience of post

Privacy Conflict: Anything posted to Alice’s wall is publicContent written by Bob exposed by Alice

9

Bob > Alice:

Just broke

up with

Carol..Slide10

Privacy Conflict – Tagging

Privacy Requirement:

Hide sensitive posts

Privacy Conflict: Alice shares her postsDetails about Bob exposed by Alice

10

Alice:

Skipping work with

@

Bob

!Slide11

Aggregating Leaked Data

Threat model:

Adversary crawls entire social network

Collects all public references to a user; messages, friendships, tagged contentFeasible for search engines, marketers, political groupsExposure SetAll public information in conflict with a user’s privacy requirement

11Slide12

Inferring Personal Details

Given exposure set, analyze whether leaks create an accurate composite of user

A

ttempt to predict 8 values from exposure set:Personal: Gender, religion, political view, relation statusMedia: Favorite books, TV shows, movies, musicCompare predictions to scenario where no privacy conflict exists

12Slide13

Inference Approaches

Friendships:

Base predictions on attributes of friends

Users with liberal, Catholic friends who like Twilight tend to be…Weight relationships on perceived importance; distinguish strong friends from acquaintancesFrequency of communicationMutual friends; communityFeed vector of attributes, weights into multinomial logistic regression

13Slide14

Inference Approaches

Wall Content:

Base prediction on content written by private user, posted to public walls

A user who talks about sports, girlfriends, and cars tends to be …Treat content as bag of words, weight terms based on TF-IDFFeed vector of words into multinomial logistic regression

14Slide15

Experiment Setup

Analyze inference accuracy on 80,000

Facebook

profiles40,000 profiles from 2 distinct networksCollect all references to a user appearing in public profiles, walls, friend listsSimulate private profilesUsed values reported in public profile as ground truthCompare prediction against ground truth

15Slide16

Frequency Data is Exposed

16

Statistic

Network A

Network B

Profiles in data set

42,796

40,544

Fraction of profiles public

44%

35%

Avg.

# relationships per profile

in exposure set

42

23Avg. # wall posts per profilein exposure set5343Slide17

Prediction Accuracy

17Slide18

More Conflicts, Better Accuracy

18Slide19

Improving Privacy

Privacy must extend beyond single-owner model

Tags, links, mentions can reference multiple users

Rely on these existing features to distinguish who is at riskAllow each user to specify global privacy policyEnforce policy on all personal content, regardless page it appears19Slide20

Enforcing Multi-Party Privacy

20

Alice:

Looks like

@Bob

and

@Carol

are done for!

Individual Policies

U1

U2

U3

U4

U5

U6Alice









Bob







Carol











Mutual Policy



Slide21

Limitations

In absence of mutual friends, safe set of viewers

tends towards empty set

Assume friends will consent to not sharing with wider audienceContent must be tagged; no other way to distinguish privacy-affected partiesCensorship; prevents negative speech

21Slide22

Conclusion

Privacy goes beyond one person’s expectations

All parties affected must have a say

Existing model lacks multi-party supportReferences to other users are commonOutside their controlAggregate exposed data contains sensitive featuresPredictions will only get betterBy adopting multi-party privacy, can return control back to users

22Slide23

Questions?

23Slide24

Correlated Features Among Friends

24Slide25

Importance of Mutual Friends

25Slide26

Importance of Frequent Communication

26