A Privacy Preservation Model for Facebook-Style Social Network Systems

  • Philip W. L. Fong
  • Mohd Anwar
  • Zhen Zhao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Recent years have seen unprecedented growth in the popularity of social network systems, with Facebook being an archetypical example. The access control paradigm behind the privacy preservation mechanism of Facebook is distinctly different from such existing access control paradigms as Discretionary Access Control, Role-Based Access Control, Capability Systems, and Trust Management Systems. This work takes a first step in deepening the understanding of this access control paradigm, by proposing an access control model that formalizes and generalizes the privacy preservation mechanism of Facebook. The model can be instantiated into a family of Facebook-style social network systems, each with a recognizably different access control mechanism, so that Facebook is but one instantiation of the model. We also demonstrate that the model can be instantiated to express policies that are not currently supported by Facebook but possess rich and natural social significance. This work thus delineates the design space of privacy preservation mechanisms for Facebook-style social network systems, and lays out a formal framework for policy analysis in these systems.


Keywords: Access Control; Access Control Policy; Privacy Preservation; Access Control Model; Social Graph



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Philip W. L. Fong (1)
  • Mohd Anwar (1)
  • Zhen Zhao (2)

  1. Department of Computer Science, University of Calgary, Alberta, Canada
  2. Department of Computer Science, University of Regina, Saskatchewan, Canada
