Towards Privacy-aware OpenSocial Applications
•
5 gefällt mir•645 views
Social-networking sites have grown tremendously in popularity in recent years. Services such as Facebook and MySpace allow millions of users to create online profiles and to share details of their personal lives with vast networks of friends, and often, strangers. Inevitably, the disclosure of personal information has implications on users’ privacy: digital stalking and identity theft are some of the most common threats. Unfortunately, even sophisticated users who value privacy will often compromise it to improve their *presence* in the virtual world. They know that loss of control over their personal information poses a long-term threat, but they cannot assess the overall and long-term risk accurately enough to compare it to the short-term gain. Even worse, setting the privacy preferences in online services is often a complicated and time-consuming task that users usually skip. To address these issues, we (IBM Research) are developing mechanisms and platforms to measure and monitor users’ privacy risks and help them easily manage their information sharing. In this talk, I am going to introduce our work in this area, and also discuss how the work can be incorporated with OpenSocial.
![The Team ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Empfohlen
Weitere ähnliche Inhalte
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Empfohlen
Empfohlen (20)
Towards Privacy-aware OpenSocial Applications
- 1. Towards Privacy-aware OpenSocial Applications IBM Research May 19, 2009
- 4. Wait a minute, how come the talk is related Credit Score?
- 5. From humble beginnings in 1956, Fair Isaac Corp.'s credit score has come to loom over consumer finance like no other statistical measure ever has. The ubiquitous three-digit FICO score now helps determine everything from the interest rates people pay on their credit cards to their attractiveness as job candidates.
- 6. So, how about a Privacy Score that indicates the privacy risks of online social-networking users?
- 7. Do you want to design and integrate the privacy score and other advanced privacy and risk management modules in OpenSocial so that 50 years (or much less) later, people will appreciate your effort?
- 9. Motivation Millions of users share details of their personal lives with vast networks of friends, and often, strangers Disclosure of personal info expose the users to identity theft, digital stalking, etc. Courtesy to: http://getyourfirstmortgage.com/wp-content/uploads/ 2008/08/identity-theft-protect-yourself-300x225.jpg Courtesy to: http://www.contrib.andrew.cmu.edu/%7Egct/mygroup.html
- 10. Motivation (Cont.) How to prevent my ex from seeing my status updates? How to hide my friend list in the search results? How to prevent the applications my friends installed from accessing my information? All my friends have shared their hometown and phone number, maybe I should also do this? I enjoyed sharing my daily activities with the World! But any adverse effects? My God! What information I have shared all these years and who can view these information?
- 13. Privacy Score Overview Privacy Risk Monitoring privacy score of the user Privacy Settings Recommendation Privacy Score Calculation Utilize Privacy Scores Comprehensive Privacy Report Privacy Settings Privacy Score measures the potential privacy risks of online social-networking users.
- 15. Privacy Score Calculation Privacy Score of User j due to Profile Item i sensitivity of profile item i visibility of profile item i name, or gender, birthday, address, phone number, degree, job, etc.
- 16. Privacy Score Calculation Privacy Score of User j due to Profile Item i sensitivity of profile item i visibility of profile item i Overall Privacy Score of User j name, or gender, birthday, address, phone number, degree, job, etc.
- 17. The Naïve Approach R( n, N ) R( n, 1 ) R( i, j ) R( 1, N ) R( 1, 2 ) R( 1, 1 ) User_ 1 User_ j User_ N Profile Item_ 1 (birthday) Profile Item_ i (cell phone #) Profile Item_ n share, R( i, j ) = 1 not share, R( i, j ) = 0
- 18. The Naïve Approach R( n, N ) R( n, 1 ) R( i, j ) R( 1, N ) R( 1, 2 ) R( 1, 1 ) User_ 1 User_ j User_ N Profile Item_ 1 (birthday) Profile Item_ i (cell phone #) Profile Item_ n share, R( i, j ) = 1 not share, R( i, j ) = 0 Sensitivity:
- 19. The Naïve Approach R( n, N ) R( n, 1 ) R( i, j ) R( 1, N ) R( 1, 2 ) R( 1, 1 ) User_ 1 User_ j User_ N Profile Item_ 1 (birthday) Profile Item_ i (cell phone #) Profile Item_ n share, R( i, j ) = 1 not share, R( i, j ) = 0 Sensitivity: Visibility:
- 20. The Naïve Approach R( n, N ) R( n, 1 ) R( i, j ) R( 1, N ) R( 1, 2 ) R( 1, 1 ) User_ 1 User_ j User_ N Profile Item_ 1 (birthday) Profile Item_ i (cell phone #) Profile Item_ n share, R( i, j ) = 1 not share, R( i, j ) = 0 Sensitivity: Visibility: Privacy Score:
- 22. The Item Response Theory (IRT) Approach Profile item’s discrimination User’s attitude , e.g., conservative or extrovert Profile item’s sensitivity Profile item’s visibility R( n, N ) R( n, 1 ) R( i, j ) R( 1, N ) R( 1, 2 ) R( 1, 1 ) User_ 1 User_ j User_ N Profile Item_ 1 (birthday) Profile Item_ i (cell phone #) Profile Item_ n share, R( i, j ) = 1 not share, R( i, j ) = 0
- 23. Calculating Privacy Score using IRT Sensitivity: Visibility: Overall Privacy Score of User j byproducts: profile item’s discrimination and user’s attitude All the parameters can be estimated using Maximum Likelihood Estimation and EM.
- 28. Privacy Score and OpenSocial Enable application developers to implement their own Privacy Scores. Provide native implementation of Privacy Score calculations. Enable application developers to build Information Sharing Report modules and Privacy Settings Recommendation modules.
- 30. Privacy Settings Themselves Are Private/Sensitive OAuth allows the user to authorize access to his or her privacy settings stored in social networks. Request to access protected information of the user APPLICATION SOCIAL NETWORK USER Prompt user to provide authorization User authorizes access to private data Direct user to social network for authorization Grant access token & Direct user to application Use the token to access protected information 1 2 3 4 5 6
- 33. Privacy-aware Marketplace (PaMP) http://apps.facebook.com/p_a_m_p
Hinweis der Redaktion
- Good afternoon, folks. My name is … It is my great pleasure to visit Google and introduce to you our work on privacy and risk management on social networks. As you know, social-networking sites have grown tremendously in popularity in recent years. Services such as Facebook and MySpace allow millions of users to create online profiles and to share details of their personal lives with vast networks of friends, and often, strangers. Inevitably, the disclosure and sharing of personal information have caused many privacy concerns. Open a news paper or a web browser and you are certain to encounter a spate of stories about the misuse or loss of data and how it puts personal information at risk. To address these issues, we are developing mechanisms and platforms to measure and monitor users’ privacy risks and help them easily manage their information sharing. In this talk, I am going to introduce our work in this area, and also discuss how the work can be incorporated with OpenSocial. =======================================Social-networking sites have grown tremendously in popularity in recent years. Services such as Facebook and MySpace allow millions of users to create online profiles and to share details of their personal lives with vast networks of friends, and often, strangers. Inevitably, the disclosure of personal information has implications on users’ privacy: digital stalking and identity theft are some of the most common threats. Unfortunately, even sophisticated users who value privacy will often compromise it to improve their *presence* in the virtual world. They know that loss of control over their personal information poses a long-term threat, but they cannot assess the overall and long-term risk accurately enough to compare it to the short-term gain. Even worse, setting the privacy preferences in online services is often a complicated and time-consuming task that users usually skip. To address these issues, we are developing mechanisms and platforms to measure and monitor users’ privacy risks and help them easily manage their information sharing. In this talk, I am going to introduce our work in this area, and also discuss how the work can be incorporated with OpenSocial.
- Before I start, I’d like to introduce the team ...these are the great people I’ve been working with in this projectTy – my manager, who oversee this project K – this is me Max – who leads the architecture and system part of the project Evi – deep expertise in algorithm and data mining We also have three engineers from SVL who helped to covert many ideas from concepts to practice.
- So how about sth like a privacy score? It indicates the potential privacy risks of you as a social-networking user. It tells u what sensitive info u have shared, and who can view that info. It guides u towards a better privacy configuration that makes ur online environment safer and more comfortable.As I am giving this talk, I hope that you think about this question. Do you want to create a privacy score in open social that will have the same impact as the credit score?
- Next I am gonna discuss why you should want to do this, and how to do this if u really want to do this. First, I will elaborate on the motivation and goal. Then I will describe the theory behind privacy score computation and its applications. After that, I will discuss how this can be integrated with opensocial. Finally, as a proof of concept, Max and I will demonstrate a Facebook application we have developed – called PaMP. This application has adopted many of the privacy concepts that I will be covering today.
- Social-networking sites have grown tremendously in popularity in recent years. Services such as Facebook and MySpace allow millions of users to create online profiles and to share details of their personal lives with vast networks of friends, and often, strangers. Inevitably, the disclosure of personal information has implications on users’ privacy: digital stalking and identity theft are some of the most common threats. =======================================Although all major online social networks provide privacy-enhancing functionalities (explain …), the majority of users typically accept the default settings (which usually means that they let their information open to the public), and do not revisit their options until damage is done [12]. This is either due to the poor user-interface design or the common belief that sharing personal information online is more cool than harmful. Users are overwhelmed by these settings, or simply ignore these settings. The consequences of sharing the current level of information is either unknown, under-estimated or ignored.The current set of popular social networks provide an ever-increasing set of privacy controls. The number of online social networks is also increasing.Many users belong to more than one social network.Likely Conclusion: The explosion in privacy settings/controls in each network, in the number of networks, the lack of awareness about the effects of these settings and even graver public privacy breaches, will herald in the end of the social network as we know it.
- Unfortunately, even sophisticated users who value privacy will often compromise it to improve their digital *presence* in the virtual world. They know that loss of control over their personal information poses a long-term threat, but they cannot assess the overall and long-term risk accurately enough to compare it to the short-term gain. Even worse, setting the privacy controls in online services is often a complicated and time-consuming task that many users feel confused about and usually skip.
- To address these issues, we are developing mechanisms and platforms to measure and monitor users’ privacy risks. Our goal is to boost public awareness of privacy and help users to easily manage their information sharing.It is very important to note that we are not trying to prevent people from sharing information online. We believe that simple and effective privacy and risk management techniques can make the online environment safer and more comfortable, which eventually facilitates the sharing, flow and integration of information. To achieve this goal, we developed the notion of privacy score, which indicates the potential privacy risks of online social networking users. With this score, there could be many applications …For example, similar to your credit report, we can provide a information sharing report to help user understand what sensitive info he has shared and who can view that info. The user can compare his score with other users in the network and see where he stands. In the case where overall privacy risk is lower than this user, the system may recommend a better privacy setting for this user automatically. I am sure you can think of other applications as is the case we do with credit score.
- This is the life cycle of a privacy score. The system takes as inputs the current privacy settings of the users profile items and calculates the privacy score. The score is delivered to the user as a privacy-o-meter. With this score, the users can monitor his privacy take a more active role in safe-gurading his information if necessary. The user can also compare his privacy risk score with the rest of the population to know where he stands. In the case where the overall privacy risks of a user’s social graph are lower than that of the user, the system can recommend the user stronger privacy settings based on the information from his social neighbors.Privacy settings for a user profile control what subset of profile items are accessible by whom. For example, friends have full access, but strangers have restricted access to a user profile.
- There could be many different ways to compute privacy score. Here is our way. It exhibits several advantages which I will discuss later. From the technical point of view, our definition of privacy score satisfies the following properties: 1) the more sensitive information a user reveals, the higher his privacy risk; and 2) the more visible the disclosed the information becomes in the network, the higher his privacy risk.Next I am going to show how to combine these two factors in the calculation of the privacy risk score.
- To calculate a user’s privacy score, we need to first look at his profile items. These items include but are not limited to user’s real name, email, hometown, mobile-phone number, relationship status, sexual orientation, IM screen name, etc.The contribution of a single profile item i in the overall privacy score of a user j is a function of the sensitivity of the item and the visibility it gets.Note that x can be an arbitrary combination function as long as PR(i,j) is monotonically increasing with beta_i and V(i,j).
- To compute the overall privacy score of user j, denoted by Pr (j), we can simply combine the privacy score of this user due to all different profile items.
- How to compute the sensitivity and visibility? Here I am going to present two different ways. For simplicity, let’s consider a dichotomous case, where for a user and a profile item, the user will either share it with the public or not at all. Now we can represent the information sharing of all users and all profile items using a single big table. Each row represents one profile item, and each column a user. If the cell located at the i-row and j-th column is white, meaning user j will disclose item i, if grey user j will NOT disclose item i.
- Intuitively speaking, if a profile item is very sensitive, then very few people will share it, many people will not share it. Thus, we simply compute the proportion of users that are reluctant to disclose item I, and use this value as the sensitivity. The sensitivity, as computed here takes values between 0 and 1; the higher the value of βi, the more sensitive item I, the more people who are reluctant to disclose it.
- The simplest way to compute the visibility of an item i belonging to a user j is to use the explicit setting from the i-th row and j-th column table – i.e., the corresponding cell value in the table, i.e.., R(i, j), which is either 1 or 0, meaning share or not share. From a statistician’s point of view , what we have observed is just a sample from some underlying probability distribution. This table is no exception either. Therefore, we are more interested in the expected value in each cell, not just the observed value. In this case, the visibility of an item I belonging to user j becomes the probability that j will share I – that is, a cell value is 1. Then, what is the probability the value of a cell such as R(i, j) is equal to 1?Assuming independence between items and individuals, we can compute Pij to be the probability of an 1 in the i-th row times the probability of an 1 in the j-th column. In other words, if the user j has high tendency to disclose lots of his profile items, he is more likely to disclose item I too. Also, if many other users have shared this item, the sensitivity is low, then it is very likely that user j will also share this item.
- French psychologist Alfred Binet and physician Theodore Simon developed a method of identifying intellectually deficient children for their placement in special education programs. An item of interest was administrated to a number of kids with age ranging from 5 to 12 years. The free response of each kid to the item was scored as right or wrong. The proportion of correct response at each age level was obtained and presented in tabular form. In his 1916 revision of the Binet-Simon scale, the Stanford psychologist Lewis Terman plotted the proportion of correct response at a function of age and fitted a smooth line to these points by graphical means. This fitted line, shown in this figure is called the ICC. From this example, it can be seen that the ICC is the functional relationship between the proportion of correct response to an item and a criterion variable. This relationship is characterized by the location and shape of the ICC. This curve has an appearance of a cumulative distribution function. The ICC can be defined as a member of a family of two-parameter monotonic functions of the ability variable. Let us next formalize the ICC using appropriate statistical notation.
- The Na
- The problem is that we do not know these parameters. We only know the observations, and the objective is to use the observed data to estimate these parameters. IRT defines for each user and each profile item, how likely this user is to disclose/share this item. From this perspective, IRT can be viewed as a generative model. We can compute the log likelihood of the data using this generative model and then use MLE or EM to estimate the parameters.
- The IRT model seems arbitrary. It seems that any model could be used. Why IRT?The advantages of the IRT framework can be summarized as follows: 1) IRT defines for each user and each profile item, how likely this user is to disclose/share this item. From this perspective, IRT can be viewed as a generative model. Our experiments shows that this generative model fits the real-world data very well in terms of χ2 goodness-of-fit test. That is, real data does follow the distributions defined by IRT.2) The quantities IRT computes, i.e., sensitivity, attitude and visibility, have an intuitive interpretation. For example, the attitude can serve as a psychometric instrument that sociologists can use to study online behaviors of people. The sensitivity of information can be used to send early alerts to users when the sensitivities of their shared profile items are out of the comfortable region. 3) Due some mild assumptions, many of the computations in MLE can be parallelized, which makes the algorithm practically efficient. Most importantly, the estimates obtained from IRT framework are sample independent. This property is also called group invariance.
- To evaluate the model, we conducted experiments on real-data gathered from our user study. We collected the information-sharing preferences of 153 users on 49 profile items such as name, gender, birthday, political views, address, phone number, degree, job, etc. For each profile item, we ask the user to specify whether he wants to keep the item confidential, or share with friends, or friends of friends, et. In the figure we visualize, using a tag cloud, the sensitivity of the profile items we computed from the survey. The larger the fonts used to represent a profile item in the tag cloud, the higher its estimated sensitivity value. It is easily observed that Mother’s Maiden Name is the most sensitive item, while one’s Gender, which locates just right above the letter “h” of “Mother” has the lowest sensitivity; too small to be visually identified.We compute the privacy scores of the 153 respondents using the IRT-based computations. We then group the respondents based on their geographic location. The Figure shows the average values of the users’ privacy scores per location. The results indicate that people from North America and Europe have higher privacy risk than people from Asia and Australia. This experimental finding indicates that people from North America and Europe are more comfortable to reveal personal information on the social networks they participate. This can be either a result of inherent attitude or social pressure. Since online social-networking is more widespread in these regions, one can assume that people in North America and Europe succumb to the social pressure to reveal things about themselves online in order to appear “cool” and become popular.Restate that under social pressure people tend to share more and more information. At some point, they start to worry about their privacy, but it is too late that they have already lost control of their information.
- So for instance, if I am selecting to change my privacy to a score of 25 from whatever score, we would analyze the population of users and select a partition of users with scores around 25, say from 20 to 30----various heuristics could be used for making 'around' more precise---and then from these users determine the average settings for each data item and use that to apply and thus get the score close to 25... Taking the arithmetic average is one approach and others could be used given more information about the current user, the population, and more importantly about the sensitivity of the data the settings will affect.An exact score of 25 could then be achieved by iteratively adjusting some settings and recalculating the score until the actual score reaches 25 +/- some delta. Very likely the average settings and partitioning of the user population would need to be done in batch mode (e.g., Map Reduce calculations) and the results saved in the database for quick access and score computation.
- After having described the models and applications of privacy score, now I am going to discuss how we can work together to create a privacy-aware opensocial environments.
- As the first step the simplest way is to Provide native implementation of Privacy Score calculations in opensocial, as well as APIs to enable developers to implement their own privacy scores.
- To accomplish the first step, we need the following API support …
- OAuth allows the user to authorize access to his or her privacy settings stored in social networks. The basic flow is:A user logs in to a website/applicaiton and performs some action that requires privacy settings of the user’s profile items.The website/application directs the user to a web page hosted on the social network's domain. This web page asks the user if the external website/application should to be able to access his or her privacy settings. If the user agrees, the website/application will receive an OAuth authorization token.The website/application can then include this token in requests made with the OpenSocial REST and RPC protocols.