Security and Privacy in Social Networks

cda_displaydesignimage

Introduction to Security and Privacy in Social Networks

Yuval Elovici, Yaniv Altshuler

As the area of online social networking develops and many online services add social features to their offerings, the definition of online social networking services broadens. Online social networking services range from social interaction-centered sites such as Facebook or MySpace, to information dissemination-centric services such as Twitter or Google Buzz, to social interaction features added to existing sites and services such as Flickr or Amazon. Each of these services has different characteristics of social interaction and different vulnerabilities to attack.

The value of online social networking sites stems from the fact that people spend large amounts of time on these networks updating their personal profiles, browsing for social or professional interactions, or taking part in social-oriented online applications and events. People nowadays have become immersed in their preferred online social environments, creating an exciting entanglement between their real and virtual identities [1]. However, this immersion also holds great peril for users, their friends, and their employers, and may even endanger national security.

There is much information in the patterns of communication between users and their peers. These patterns are affected by many relationship and context factors and can be used in a reverse direction to infer the relationship and context. Later on, these relationships can be further used to deduce additional private information which was intended to remain undisclosed. A recent study carried out at MIT is said to be able to reveal the sexual orientation of Internet users based on social network contacts. In this example, the users whose privacy was compromised did not place this information online, but rather disclosed their social interaction to users who apparently did disclose this information [2].

In other cases, this problem can become even worse due to the (false) assumption of users that information marked as “private” will remain private and will not be disclosed by the network. Indeed, although the operators of social networks rarely betray the confidence of their users, no security mechanism is perfect. Because these networks often use standard (and not necessarily updated) security methods, a determined attacker can sometimes gain access to such unauthorized information. The combination of sensitive private information managed by users who are not security-aware in an environment that is not hermetically sealed is a sure cause of frequent leaks of private information and identity thefts [3,4].

This problem becomes even more threatening when viewed from the corporate (or even national) perspective. Users who possess sensitive commercial or security-related information are expected to be under strict control in their workplaces. However, while interacting virtually in social networks, these same people often tend to ignore precautions due to a false sense of intimacy and privacy, all the while being unaware of the damage their naive behavior may cause. Because it is hard (and sometimes illegal) to monitor the behavior of online social network users, these platforms constitute a significant threat to the safety and privacy of sensitive information. Hard to detect and almost impossible to prevent, leaks of business, military, or government data through social networks could become the security epidemic of the 21st century [5,6].

This book aims to bring to the forefront innovative approaches for analyzing and enhancing the security and privacy dimensions of online social networks. To facilitate the transition of such methods from theory to practical mechanisms designed and deployed in existing online social networking services, we need to create a common language for use between researchers and practitioners in this new area, ranging from the theory of computational social sciences to conventional security and network engineering.

The rest of this book is divided into three parts covering three complementary themes and is structured as follows. The first part contains four studies that touch on fundamental aspects of security and privacy in social networks, raising and discussing topics such as the conceptual definition of identity in social networks and the interplay between ethics and crowdsourcing. The second part of the book is devoted to innovative mathematical models which link the social dimension of networks to existing privacy and network security issues. This section contains three studies which analyze different domains ranging from mobile networks to financial trading networks and demonstrating the essential differences between security issues in social and non-social environments. The third section focuses on specific case studies and presents an in-depth analysis of three unique examples of how “security-oriented research” is carried out in social domains and how it differs from similar efforts which do not take place in such environments.

Chapter 1 introduces a multidimensional concept of privacy in social networks which delineates aspects of privacy along various legal, technical, and social dimensions. The privacy concept thus developed is then visualized using tripartite diagrams which provide a quick orientation to this paradigm’s strengths and weaknesses as demonstrated in social networks. The chapter then investigates how these properties evolve from the fact that information in the physical word decays over time, while in the online world, information is in principle permanently available. Although this chapter focuses on a qualitative analysis of this topic, a more quantitative metric that would clearly enhance comparability of privacy issues in different social networks and the tracking of improvements over time is envisioned for future development.

A key aspect of social networks is the digital identity (or identities) adopted by users to characterize and recognize themselves and others. At first glance, it may appear that users of social networks treat and use digital identities similarly to their “real-world” identities. However, the absence of physical contact enables people to create several identities, some of which may be anonymous. Furthermore, users of social networks search and acknowledge each other based mainly on attributes that they exchange through the infrastructure of the social network (which in turn can be further used to disguise one’s true identity). Chapter 2 sheds light on the fascinating topic of digital identities by presenting a basic conceptual framework that analyzes fundamental aspects of the use of identities in social networks and recommends possible methods to improve the use of such identities. The chapter begins by presenting basic concepts related to the differences between digital and real identities, followed by a discussion on the challenges of the digital facet. Next, solutions for security and privacy challenges relating to digital identities are presented. The chapter discusses the perception of the identity of an entity as a notion existing in the minds of other entities. This gives rise to the possibility of multiple identities for a single entity in different contexts, a phenomenon which is called “pseudonymity” and which is possibly or potentially available in the online world more readily than in the real world.

Chapter 3 presents an overview of the requirements for and comparisons of encryption schemes for social networking services based on a peer-to-peer (p2p) infrastructure (as opposed to centralized server architectures) and describes the challenges of p2p social networking architectures and their high-level requirements. The chapter then discusses the criteria by which p2p encryption systems should be evaluated and compared: efficiency, functionality, and privacy. Four examples of existing p2p social networking architectures are then reviewed (PeerSoN, Safebook, Diaspora, and Persona), which focus on encryption as a means of ensuring data confidentiality. This is followed by a comparative analysis of these architectures against the evaluation criteria presented earlier. In addition, this chapter contains a parallel discussion of the differences between broadcast encryption and predicate encryption techniques in the context of the p2p encryption challenge.

The first part of the book concludes with Chapter 4, which thoroughly investigates various ethical issues with respect to the expanding field of crowdsourcing. This highly disruptive field involves the partitioning of a mission into many small pieces, each given to ad hoc employees using an online platform. The rapid pace of this process enables fast completion of highly complex tasks at extremely low cost. Together with the anonymity of these platforms (which protects the identities of both the employers and the employee), this approach transforms crowdsourcing platforms into the equivalent of a supercomputer network for a fraction of the cost. The number of potential applications is boundless, and several ethical questions arise. This chapter reviews recent developments in this area while examining some of these ethical challenges. In addition, Chapter 4 studies the attitude of workers in crowdsourcing platforms (such as MTurk, oDesk, or Elance) towards performing unethical tasks and asserts that, although many workers in several crowdsourcing platforms studied expressed reluctance to perform unethical tasks, in practice, many workers were willing to accept unethical tasks (especially if they were well paid). Simple but unethical tasks may include breaking into someone else’s email account and sending a fake email on behalf of that person, or faking a review of a commercial service. However, more elaborate large-scale uses may involve activities such as identification of demonstrators by police agencies or dictatorships. Interestingly, the results of an experiment detailed in the chapter hint that the anonymity provided by the crowdsourcing platform, the anticipated task consequence, and gender were not found to be influential. On the other hand, when the amount of monetary compensation offered increased, so did the willingness of workers to perform highly unethical tasks.

The second part of the book is introduced by Chapter 5 and investigates how social networks influence the pricing of assets in the financial market. This influence is a result of the ongoing and unavoidable comparison of relative performance imposed on investors and traders because of the comprehensive integration of social networks into everyday life. Counterintuitively, this abundance of information may sometimes act to suppress of integrity in investment practice by pushing investors to adopt irrational investing strategies. For example, leading investors will in many cases be manipulated into buying risky assets knowingly at inflated prices. This chapter presents a mathematical model that studies these dynamics and suggests that the overpricing of risky assets that is often observed in the market is derived from these “social forces”.

Chapter 6 predicts the existence of new kinds of malicious attacks on communications and on mobile infrastructures that are targeted at extracting, not password or credit card information, but information about the relationships in a real-world social network and characteristic information about the individuals in the network. The chapter discusses the expected features of such attacks and explains the differences between these attacks and traditional types of attacks against data privacy. The chapter then presents a mathematical model of such attacks and predicts that they would be impossible (or very unlikely) to detect using most of the network monitoring tools used today. This problem is caused by the surprising fact that the best strategy for attackers seeking social information and habits is, counterintuitively, a very slow and nonaggressive strategy (in contrast to most of the known malware threats).

Many online social network (OSN) owners regularly publish data collected from their users’ online activities to third parties such as sociologists or commercial companies. These third parties further mine the data and extract knowledge to serve their diverse purposes. In the process of publishing data to these third parties, network owners face a nontrivial challenge: how to preserve users’ privacy while keeping the information useful to third parties. Failure to protect users’ privacy may result in severely undermining the popularity of OSNs as well as restricting the amount of data that the OSN owners are willing to share with third parties. Chapter 7 discusses this problem while focusing on the use of classical privacy preservation models originally developed to protect tabular data privacy, such as k-anonymity and l-diversity, to preserve users’ privacy in the publication of OSN data. The history of these methods is reviewed, and their applicability is demonstrated.

The third part of the book examines specific case studies regarding the unique features of security and privacy in social networks. This section opens with a discussion of innovative methods for using machine-learning techniques to reconstruct the structure of unknown social networks. Using this method, publicly available information may be used to reveal concealed information, which severely compromises the users’ privacy, anonymity, and trust in the network. Chapter 8 presents the “link reconstruction attack,” a method that is capable of inferring a user’s connections to others with high accuracy. This attack may be used to detect connections that the user wanted to hide to preserve his privacy. We show that the concealment of one user’s links is ineffective if it is not also done by others in the network and we present an analysis of the performance of various machine-learning algorithms for link predictions inside small communities.

In contrast to Chapter 8 which demonstrated an attack that can be executed on social networks to steal private information, Chapter 9 analyzes this topic from a different angle by studying the Bitcoin peer-to-peer monetary exchange system. The degree of anonymity in the Bitcoin system, an electronic analog of cash in the online world, is investigated using data from transactions which are publicly available to ensure the integrity of the Bitcoin system. Using mainstream methods from network theory, this chapter demonstrates how this anonymous (at least in theory) payment system can be partially de-anonymized. This technique is then used to track the “flow” of large amounts of stolen monetary credits, thus demonstrating how the identity of the users responsible for this theft can be disclosed using this network-based analysis method.

As discussed in previous chapters of this book, integration between several data sources may lead to compromised data privacy through the use of certain network-based analysis methods. Chapter 10 is devoted to exploring the record linkage problem and presents a scheme for the maintenance of data privacy when data and records from multiple databases are combined in a way which still allows record-linking information verification services. The chapter begins by discussing two common modes of operation in this field, the de-identified and the fully trusted mode, and asserts that these approaches do not provide a definitive response to the needs of social data privacy. The chapter then reviews existing techniques and related work on record-linkage and privacy- preserving computations, pointing out the need for a new scheme for representing integrated data. The chapter contains a proposed model for a decoupled data architecture. The main technological concept studied in this chapter is the separation between identifying information and sensitive data, which needs to be protected. In this chapter, it is demonstrated how this decoupled data-access model can provide the same protection as de-identified data while at the same time being able to integrate data to support broad research in computational social sciences in a flexible manner. The study also tested the impact of different mechanisms for hindering inferences of identity when names are revealed for record-linkage purposes.

Table of content

  • Introduction to Security and Privacy in Social Networks
    Authors: Yuval Elovici, Yaniv Altshuler

  • Chapter 1.
    Analyzing the Impact of Various Research Directions on the Privacy in Social Network
    Authors: Michael Netter, Sebastian Herbst

  • Chapter 2.
    Recognizing Your Digital Friends
    Authors: Patrik Bichsel, Jan Camenisch, Mario Verdicchio

  • Chapter 3.
    Encryption for Peer-to-Peer Social Networks
    Authors: Oleksandr Bodriagov, Sonja Buchegger

  • Chapter 4.
    Crowed Sourcing and Ethics
    Authors: Christopher G. Harris, Padmini Srinivasan

  • Chapter 5.
    The Effect of Social Status on Decision Making and Prices in Financial Networks
    Authors: Yoel Krasny

  • Chapter 6.
    Stealing Reality : When Criminals Become Data Scientists
    Authors: Yaniv Altshuler, Nadav Aharony, Sandy Pentland, Yuval Elovici and Manuel Cebrian

  • Chapter 7.
    The Applications of k-Anonymity and l-Diversity in Publishing Online Social Networks
    Authors: Na Li, Sajal K. Das

  • Chapter 8.
    Links Reconstruction Attack: Using Link Prediction Algorithms to Compromise Social Networks Privacy
    Authors: Michael Fire, Gilad Katz, Lior Rokach and Yuval Elovici

  • Chapter 9.
    An Analysis of Anonymity in the Bitcoin System
    Authors: Fergal Reid, Martin Harrigan

  • Chapter 10.
    Privacy-Preserving Data Integration using Decoupled Data
    Authors: Hye-chung Kum, Stanley Ahalt, Darshana Pathak

References:

[1] Onnela, J.-P. and Reed-Tsochas, F., Spontaneous emergence of social influence in online systems. Proceedings of the National Academy of Sciences 107(4), 2010.
[2] Jernigan, C. and Mistree, B.F.T., Gaydar: Facebook friendships expose sexual orientation. First Monday 14(10), 2009.
[3] Stana, R.M. and Burton, D.R., Identity Theft: Prevalence and Cost Appear to be Growing. GAO-02-363, U.S. General Accounting Office, Washington DC, 2002.
[4] Gross, R. and Acquisti, A., Information revelation and privacy in online social networks, Proceedings, 2005 ACM Workshop on Privacy in the Electronic Society, 71-80, 2005.
[5] Brunner, M., Hofinger, H., Krauss, C., Roblee, C., Schoo, P., and Todt, S., Infiltrating Critical Infrastructures with Next-Generation Attacks. Fraunhofer Institute for Secure Information Technology (SIT), Munich, 2010.
[6] Krishnamurthy, B. and Wills, C.E., On the leakage of personally identifiable information via online social networks. Proceedings, 2nd ACM Workshop on Online Social Networks, 7-12, 2009.

About Telekom Innovation Laboratories

LogoDTGerman

As one of the world's leading telecommunications and information technology service providers, Telekom Innovation Laboratories is setting international standards.

Contact Us

contact_us

Telekom Innovation Laboratories at Ben-Gurion University of the Negev - P.O.B. 653 Beer Sheva, 84105, Israel
Phone: +972 8 6428120/21
e-mail : This email address is being protected from spambots. You need JavaScript enabled to view it.