Multilateral Privacy Requirements Analysis in Online Social Networks
Seda Gürses, COSIC, K.U. Leuven
18 February 2011, CRID, University of Namur, Belgium

security and privacy in online social networks
SPION
K.U. Leuven (COSIC, DistriNet, ICRI, HMDB), Vrije Universiteit Brussel (SMIT), University of Ghent (Onderwijskunde), Carnegie Mellon University (Heinz College)
responsibilization, accountability

security and privacy in online social networks
SPION:
- trust, reputation and access control
- identity management
- legal frameworks
- anonymous communication
- feedback and awareness systems
- behavioral aspects
http://www.cosic.esat.kuleuven.be/spion

outline
- introduction to privacy requirements
- stakeholder analysis: service provider
- SNS access control design
- feedback and awareness systems

privacy?
- what is privacy?
- what are privacy requirements?
- in security engineering: confidentiality

online social networks (SNS)

Facebook timeline, 2004-2010 (user counts and events, listed in the order the slides add them):
- 2004 (1m): Facebook created
- 2005 (5m): Facebook in high schools
- 2006 (12m): Facebook available to the PUBLIC (pg13); xss attacks; newsfeed; protests (740.000)
- 2007 (50m): Facebook API; Mobile; BEACON; protests (50.000 in 3 days); bans; breastfeeding; memorialization
- 2008 (100m): Canadian Privacy Commissioner; LIVE FEED; popularity algorithm; protests (1.600.000)
- 2009 (350m): cyberbullying; unlimited license to user content; protests; user voting; friends lists; Canadian Privacy Commissioner
- 2010 (400m, then 500m): facebook google; CONNECTIONS; chat leak; FACECLOAK, SCRAMBLE, NOYB; Homeland Security friends Aliens; Discriminatory Behavioral Profiling; NHS reveals data to Facebook; User IDs revealed to Third Parties
Diagram labels on the 2005 slide: the entire Internet / all facebook users / friends of friends / friends

- all of these are (somehow) about privacy and the design of the system
- how do we deal with these issues when developing systems?
- specifically: during requirements engineering

multilateral privacy requirements engineering
- reconcile:
- privacy notions (legal & surveillance studies)
- privacy solutions (computer science)
- in a social context (online SNS)
- multilaterally
- during requirements engineering