Context-aware access control: An alternate privacy protection mechanism for online social networks
The increasing popularity of online social networks (OSNs) is spawning new security and privacy concerns. Currently, a majority of OSNs offer very naive access control mechanisms that are primarily based on static access control lists (ACLs) or policies. But as the number of social connections grows, static ACL-based approaches become ineffective and unappealing to OSN users. There is an increased need in social-networking and data-sharing applications to control access to data based on the associated context (e.g., event, location, and users involved), rather than solely on data ownership and social connections. Surveillance is another critical concern for OSN users, as the service provider may further scrutinize data posted or shared by users for its own gain (e.g., targeted advertisements), for use by corporate partners, or to comply with legal orders. This thesis introduces a novel paradigm of context-based access control in OSNs, where users are able to access the shared data only if they have knowledge of the context associated with it. This thesis presents two constructions for context-based access control in OSNs: the first is based on a novel application of Shamir's secret sharing scheme, whereas the second makes use of an attribute-based encryption scheme. For both constructions, the security properties are analyzed, proof-of-concept applications for Facebook are implemented, and their functionality and performance are empirically evaluated. Empirical measurements show that the proposed constructions execute efficiently on standard computing hardware as well as on portable mobile devices. With the help of a preliminary user study, this thesis analyzes privacy concerns associated with data sharing on OSNs and how individuals share data on Facebook. Constructive feedback on the usability and user-friendliness of the developed prototype application was also obtained from the user study.
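The sketch below is an added example, not the thesis's construction or code: it shows one way Shamir's secret sharing can gate a content key on knowledge of context. Each share is masked with a value derived from one context answer, so any `k` correct answers recover the key. The puzzle layout, function names, field prime, PBKDF2 parameters and sample questions are all assumptions made for illustration.

```python
import hashlib, secrets
from itertools import combinations

P = 2**127 - 1  # Mersenne prime; all share arithmetic is in GF(P)

def _mask(salt, x, answer):
    # Stretch a normalized context answer into a field element tied to share x.
    # Low-entropy answers remain guessable offline; PBKDF2 only slows that down.
    norm = " ".join(answer.lower().split()).encode()
    digest = hashlib.pbkdf2_hmac("sha256", norm, salt + bytes([x]), 50_000)
    return int.from_bytes(digest, "big") % P

def _commit(salt, secret):
    # Public check value so a solver can tell a correct recovery from garbage.
    return hashlib.sha256(salt + secret.to_bytes(16, "big")).hexdigest()

def _interpolate_at_zero(points):
    # Lagrange interpolation of f(0) over GF(P).
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * xj % P, den * (xj - xi) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def make_puzzle(secret, context, k):
    """context: list of (question, answer); any k correct answers recover secret."""
    salt = secrets.token_bytes(16)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    rows = []
    for x, (question, answer) in enumerate(context, start=1):
        y = sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
        rows.append((question, x, (y + _mask(salt, x, answer)) % P))
    return {"salt": salt, "k": k, "rows": rows, "check": _commit(salt, secret)}

def solve_puzzle(puzzle, answers):
    """answers: {question: guess}. Returns the secret, or None if < k are right."""
    salt, k = puzzle["salt"], puzzle["k"]
    points = [(x, (m - _mask(salt, x, answers[q])) % P)
              for q, x, m in puzzle["rows"] if q in answers]
    for subset in combinations(points, k):  # tolerate some wrong guesses
        candidate = _interpolate_at_zero(subset)
        if _commit(salt, candidate) == puzzle["check"]:
            return candidate
    return None

# Constructed sample context for one shared photo (not from the thesis).
CONTEXT = [("Which city?", "Lisbon"), ("Whose birthday?", "Maya"),
           ("Which restaurant?", "Casa Azul"), ("What month?", "June")]
```

The recovered integer would serve as the key protecting the shared item; the published puzzle (salt, masked shares, check value) can sit on the OSN without revealing the key to the provider unless it can guess the answers.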