Abstract
The cross-site information sharing and authorized actions of third-party identity management can have significant privacy implications for users. In this paper, we use a combination of manual analysis of identified third-party identity management relationships and targeted case studies to (i) capture how protocol usage and third-party selection are changing, (ii) profile what information is requested to be shared (and actions to be performed) between websites, and (iii) identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). By characterizing and quantifying the third-party relationships based on their cross-site information sharing, the study highlights differences in the privacy leakage risks associated with different classes of websites, and provides concrete evidence for how the privacy risks are increasing. For example, many news and file/video-sharing sites ask users to authorize the site to post information to the third-party website. We also observe a general increase in the breadth of information that is shared across websites, and find that, due to the use of multiple third-party websites, in many cases the user can lose (at least) partial control over which identities they can merge/relate and the information that is shared/posted on their behalf.
Copyright information
© 2015 IFIP International Federation for Information Processing
About this paper
Cite this paper
Vapen, A., Carlsson, N., Mahanti, A., Shahmehri, N. (2015). Information Sharing and User Privacy in the Third-Party Identity Management Landscape. In: Federrath, H., Gollmann, D. (eds) ICT Systems Security and Privacy Protection. SEC 2015. IFIP Advances in Information and Communication Technology, vol 455. Springer, Cham. https://doi.org/10.1007/978-3-319-18467-8_12
DOI: https://doi.org/10.1007/978-3-319-18467-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-18466-1
Online ISBN: 978-3-319-18467-8
eBook Packages: Computer Science, Computer Science (R0)