User-Managed Access Control in Web Based Social Networks

  • Lorena González-Manzano
  • Ana I. González-Tablas
  • José M. de Fuentes
  • Arturo Ribagorda
Part of the Lecture Notes in Social Networks book series (LNSN)


Recently, motivated by the expansion and emergence of Web Based Social Networks (WBSNs), a large number of privacy problems and challenges have arisen. One of these problems, which is currently attracting the attention of the scientific community, is the design and implementation of user-managed access control systems. In this regard, there exists a well-known set of requirements (relationship-based, fine-grained, interoperability, sticky-policies and data exposure minimization) that have been identified in order to provide user-managed access control for WBSNs. These requirements, partially addressed by the works proposed in the literature, represent “building blocks” for a well-defined user-managed access control model. In this chapter, we first provide a conceptualization of a WBSN in order to propose an access control model, called SoNeUCON ABC, and a mechanism that implements it. A set of mechanisms, among those recently proposed in the literature, is then selected such that, when deployed over SoNeUCON ABC, the whole set of user-managed requirements can be fulfilled.





Copyright information

© Springer-Verlag Wien 2013

Authors and Affiliations

  • Lorena González-Manzano (1)
  • Ana I. González-Tablas (1)
  • José M. de Fuentes (1)
  • Arturo Ribagorda (1)

  1. Computer Science and Engineering Department, University Carlos III of Madrid, Leganés, Spain
