Undoing of Privacy Policies on Facebook

  • Vishwas T. Patil
  • R. K. Shyamasundar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10359)


Facebook has a very flexible privacy and security policy specification that is based on intensional and extensional categories of user relationships. The former is fixed by Facebook but controlled by users, whereas the latter is facilitated by Facebook with limited control given to users. Relations and flows among categories take place through a well-defined set of protocols and are subject to the topology of the underlying social graph, which continuously evolves by consuming user interactions. In this paper, we analyze how far the specified privacy policies of the users in Facebook preserve the standard interpretation of the policies. That is, we investigate whether Facebook users really preserve their privacy as they understand it, or whether certain of their innocuous actions leak information contrary to their privacy settings. We demonstrate the kinds of possible breaches and discuss how plausibly they could be set right without compromising performance. The breaches are validated through experiments on Facebook.



The work was carried out as part of research at ISRDC (Information Security Research and Development Center), supported by 15DEITY004, Ministry of Electronics and Information Technology, Govt of India.



Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. Department of Computer Science and Engineering, Information Security R&D Center, Indian Institute of Technology Bombay, Mumbai, India
