Abstract

Online Social Networks (OSNs), such as Facebook and Twitter, are popular platforms that enable users to interact and socialize through their networked devices. However, the social nature of such applications forces users to share a great amount of personal data with other users and the OSN service providers, including pictures, location check-ins, etc. Even though some OSNs offer configurable privacy controls that limit access to shared data, users might misconfigure these controls due to their complexity or lack of clear instructions. Furthermore, the fact that OSN service providers have full access to the data stored on their servers is an alarming thought, especially for users who are conscious about their privacy. For example, OSNs might share such data with third parties, data mine them for targeted advertisements, collect statistics, etc. As a result, data and communication privacy over OSNs is a popular topic in the data privacy research community. Existing solutions include cryptographic mechanisms [1], trusted third parties [2], external dictionaries [3], and steganographic techniques [4]. Nevertheless, none of the aforementioned approaches offers a comprehensive solution that (i) implements fine-grained access control over encrypted data and (ii) works seamlessly over existing OSN platforms. To this end, we will design and implement a flexible and user-friendly system that leverages encryption-based access control and allows users to assign arbitrary decryption privileges to every data object that is posted on the OSN servers. The decryption privileges can be assigned at the finest granularity level, for example, to a hand-picked group of users. In addition, data decryption is performed automatically at the application layer, thus enhancing the overall experience for the end-user. Our cryptography-based solution leverages hidden vector encryption (HVE) [5], which is a ciphertext policy-based access control mechanism.
Under HVE, each user generates his/her own master key (one-time) that is subsequently used to generate a unique decryption key for every user with whom they share a link in the underlying social graph. Moreover, during the encryption process, the user interactively selects a list of friends and/or groups that will be granted decryption privileges for that particular data object. To distribute the decryption keys, we utilize an untrusted database server where users have to register before using our system. The server stores (i) the social relationships of the registered users, (ii) their public keys, and (iii) the HVE decryption keys assigned to each user. As the database server is untrusted, the decryption keys are stored in encrypted form, i.e., they are encrypted with the public key of the underlying user. Therefore, our solution relies on the existing public key infrastructure (PKI) to ensure the integrity and authenticity of the users' public keys. To facilitate the deployment of our system over existing OSN platforms, we use steganographic techniques [6] to hide the encrypted data objects within randomly chosen cover images (stego images). The stego images are then uploaded to the OSN servers, and only authorized users (with the correct decryption keys) would be able to extract the embedded data. Unauthorized users will simply see the random cover images. We aim to implement our system as a Chrome-based browser extension where, after installation, the user registers with the untrusted server and uploads/downloads the necessary decryption keys. The keys are also stored locally, in order to provide a user-friendly interface to share private information. Specifically, our system will offer a seamless decryption process, where all hidden data objects are displayed automatically while surfing the OSN platform, without any user interaction.
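The stego-image step described above can be sketched as follows; this is an added example, not code from the paper or its authors. It assumes least-significant-bit (LSB) embedding, which the abstract does not specify (it only cites [6]), and the names `embed`, `extract`, `capacityBytes` and the 32-bit length header are hypothetical choices for illustration.

```javascript
// Added example. LSB embedding is an assumption: the abstract cites [6]
// without naming the scheme. Buffers are RGBA, as in canvas ImageData.data.
const HEADER_BITS = 32; // payload length in bytes, big-endian

// Indices of R, G, B bytes only. Alpha stays untouched so an opaque cover
// remains opaque and is not altered by alpha premultiplication on a canvas.
function* rgbIndices(pixels) {
  for (let i = 0; i < pixels.length; i++) if (i % 4 !== 3) yield i;
}

function capacityBytes(pixels) {
  const bits = Math.floor(pixels.length / 4) * 3;
  return Math.max(0, Math.floor((bits - HEADER_BITS) / 8));
}

// Returns a copy of the cover with the (already encrypted) payload embedded.
function embed(pixels, payload) {
  if (payload.length > capacityBytes(pixels))
    throw new RangeError("payload exceeds cover image capacity");
  const bits = [];
  for (let b = HEADER_BITS - 1; b >= 0; b--) bits.push((payload.length >>> b) & 1);
  for (const byte of payload) {
    for (let b = 7; b >= 0; b--) bits.push((byte >>> b) & 1);
  }
  const out = Uint8ClampedArray.from(pixels);
  let n = 0;
  for (const i of rgbIndices(out)) {
    if (n === bits.length) break;
    out[i] = (out[i] & 0xfe) | bits[n++];
  }
  return out;
}

// Returns the embedded bytes, or null when the header is not plausible.
function extract(pixels) {
  const bits = [];
  for (const i of rgbIndices(pixels)) bits.push(pixels[i] & 1);
  if (bits.length < HEADER_BITS) return null;
  let len = 0;
  for (let b = 0; b < HEADER_BITS; b++) len = len * 2 + bits[b];
  if (len > capacityBytes(pixels)) return null;
  const payload = new Uint8Array(len);
  for (let k = 0; k < len; k++) {
    for (let b = 0; b < 8; b++) {
      payload[k] = (payload[k] << 1) | bits[HEADER_BITS + k * 8 + b];
    }
  }
  return payload;
}
```

The payload passed to `embed` is meant to be the ciphertext, so a viewer who extracts the bits without the decryption key still learns nothing about the data object; the embedding only changes each colour byte by at most one.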
