ABSTRACT
Publishing personal content on the web is gaining increased popularity with dramatic growth in social networking websites, and availability of cheap personal domain names and hosting services. Although the Internet enables easy publishing of any content intended to be generally accessible, restricting personal content to a selected group of contacts is more difficult. Social networking websites partially enable users to restrict access to a selected group of users of the same network by explicitly creating a "friends' list." While this limited restriction supports users' privacy on those (few) selected websites, personal websites must still largely be protected manually by sharing passwords or obscure links. Our focus is the general problem of privacy-enabled web content sharing from any user-chosen web server. By leveraging the existing "circle of trust" in popular Instant Messaging (IM) networks, we propose a scheme called IM-based Privacy-Enhanced Content Sharing (IMPECS) for personal web content sharing. IMPECS enables a publishing user's personal data to be accessible only to her IM contacts. A user can put her personal web page on any web server she wants (vs. being restricted to a specific social networking website), and maintain privacy of her content without requiring site-specific passwords. Our prototype of IMPECS required only minor modifications to an IM server, and PHP scripts on a web server. The general idea behind IMPECS extends beyond IM and IM circles of trust; any equivalent scheme, (ideally) containing pre-arranged groups, could similarly be leveraged.
Index Terms
Privacy-enhanced sharing of personal content on the web