KCA031

Privacy and Security in Online

Social Media
 Unit-3
Controlled Information Sharing in OSN
 Unit-3

Controlled Information Sharing in Online Social Networks:

• Access Control Models, Access Control in Online Social Networks
• Relationship-Based Access Control
• Privacy Settings in Commercial Online Social Networks
• Existing Access Control Approaches
Controlled Information Sharing
What is Controlled Information?
Controlled information sharing in online social networks refers to the ability of users to
selectively share their personal information with specific individuals or groups while
maintaining control over who can access that information. This approach recognizes the
importance of privacy and security in online interactions and aims to empower users to
manage their digital identities and protect sensitive data.
Key aspects of controlled information sharing in online social networks include:
1. Granular Privacy Settings
2. Audience Selection
3. Permission Based Sharing
4. Content Encryption
5. Data Ownership and Portability
6. Transparency and Consent
Key aspects of controlled information sharing in online social networks include:
1. Granular Privacy Settings: Platforms provide users with granular controls over the visibility of their posts,
profile information, and other personal data. This allows users to customize their privacy settings based on
their preferences and the level of trust they have in different connections.
2. Audience Selection: Users can choose the audience for each piece of content they share, such as friends,
family, specific groups, or custom lists. This enables users to share different types of information with
different subsets of their social network, ensuring that only relevant individuals have access to it.
3. Permission-Based Sharing: Controlled information sharing often operates on a permission-based model,
where users must explicitly grant permission for others to access their data or view their posts. This helps
prevent unauthorized access and ensures that users have full control over who can see their information.
4. Content Encryption: Some platforms employ encryption techniques to secure users' shared content,
ensuring that it remains protected from unauthorized access or interception by third parties.
5. Data Ownership and Portability: Users retain ownership of their data and have the right to export or
delete it from the platform as desired. This gives users greater autonomy over their digital footprint and
ensures that they can maintain control over their personal information.
6. Transparency and Consent: Platforms are transparent about their data collection practices and obtain
explicit consent from users before collecting, storing, or sharing their personal information. Users have the
right to know how their data is being used and to opt out of certain data processing activities if they so
choose.
 Access Control
&
Access Control Models in OSM
Access Control is the concept of regulating and managing access to resources, data, or
services within a system. Access control solutions are of two types: Physical system - To secure
a private room or area in a building and Information system - To secure sensitive data on office
computers.
Key aspects of access control in online social networks:
1. User Authentication
2. Authorization
3. Privacy Settings
4. Friendship and Connection Management
5. Content-Based Access Control
6. Audience Targeting
7. Third Party App Permission
Access Control Models is a specific framework or approach used to implement
access control within a system. It defines the rules, principles, and methods for determining
access permissions and enforcing security policies. There are four types of access control
methods: Mandatory Access Control (MAC), Role-Based Access Control (RBAC),
Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC).
1. Discretionary Access Control (DAC): In DAC, users have discretion over the access control of their
own resources. They can determine who has access to their information and what level of access they
are granted. This model is often used in social media platforms where users can control their privacy
settings and choose who can view their posts, photos, etc.
2. Mandatory Access Control (MAC): MAC is a more rigid access control model where access to
resources is determined by security labels assigned by the system administrator rather than individual
users. This model is commonly used in government or military settings to enforce strict data
confidentiality and integrity policies.
3. Role-Based Access Control (RBAC): RBAC assigns permissions to users based on their roles within
an organization or system. In the context of social media, this could mean that users are grouped into
categories (such as friends, family, colleagues) and access to content is determined by these predefined
roles.
4. Attribute-Based Access Control (ABAC): ABAC evaluates a variety of attributes (such as user
attributes, resource attributes, environmental conditions) to make access control decisions. This model
allows for more dynamic and context-aware access control policies, which can be useful in the
complex and evolving environment of social media.
5. Rule-Based Access Control (RuBAC): Rule-based access control is used to manage access to
locations, databases and devices according to a set of predetermined rules and permissions that do not
account for the individual's role within the organization.
Discretionary Access Control (DAC)
A discretionary access control system is a system in which a user with access to a certain
level of data can give access to the same level of data to someone else based on their
judgement and choice. The first access-control list (ACL) is made by the administration, but
any access granted to someone by someone already on the list is hard to monitor. Although
the list can be checked, revised, and updated anytime by the administration.
Advantages of DAC
Disadvantages of Discretionary Access Control (DAC)
• Less Secure System:- As access can be given from one person to another, data is not
very well secured under DAC. Thus, it is not much feasible for the administration to
overview ACL now and then, which may lead to leakage of information to someone
outside the organization.
• Hard to keep track of data:- As the DAC system is not centralized, the only way
administration can monitor data flow is by going through ACL. Thich is only
convenient in the case of a small organization where employees are fewer.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a system to allow or deny access to private information
in an organization. What makes MAC different from other system is that it works on a
hierarchy pattern. Under this system, the whole team force must be divided into categories
according to their roles and responsibility and according to the information they must be
allowed to see. To make that happen the administration needs to put a lot of efforts at the
time of planning the information flow properly. It would be only a one-time effort to set
things up in order, after that it would only require updates as per change in the position/role.

Often at workplaces where MAC system is to be used, categorizing the information flow in
different categories like - ground level, confidential, secret and top-secret is suggested. Every
system that an individual might be using would have been given prior access as per the
requirements.

Majorly used in sectors like - government offices, military, health care, financial, engineering
projects, etc.
Advantages Mandatory Access Control (MAC)

• High-level data protection (most secure system among role, mandatory and
discretionary system): With MAC, one can be sure that their most confidential data is
well protected and leaves no room for any leakage.
• Centralized Information: Once data is set in a category it cannot be de-categorized by
anyone other than the head administrator. This makes the whole system centralized and
under the control of only one authority.
• Privacy: Data is set manually by an administrator. No one other than admin can make
changes in category or list of users' accesses to any category. It can be updated only by
admin.
Disadvantages Mandatory Access Control (MAC)

• Careful Setting-Up Process: MAC must be set up with good care otherwise it will
make working chaotic. It is because sometimes a piece of information needs to be
shared among co-workers in the same organization, but MAC restricts anyone to do
so.
• Regular Update Required: It requires regular updating when new data is added, or old
data is deleted. The administration is required to put some consideration into the MAC
system and ACL list now and then.
• Lack of Flexibility: MAC system is not operationally flexible. It is not an easy task to
initially input all data and create an ACL that won’t create any trouble later.
Role-Based Access Control (RBAC)
Role-based access control (RBAC), also known as non-discretionary access control, through
which a company’s management can control access or restrict certain area or information
depending upon the position of the employee in a company or his/her work profile. For
example, if a user is classified as a “Project Engineer,” they will automatically receive
permission from Project Engineers within the system. Implementing RBAC in an
organization requires detailed analysis and consideration before the final implementation.
Once this analysis is done, setting up of RBAC system can become a simpler process.
Advantages Role-based access control (RBAC)

• Improves Work Efficiency:- Using RBAC makes it much easier for office
management to change access according to change in the role of office staff. This is
much more convenient to do rather than administering every entry and exit and
approving every time.
• Security Against any Inside Information Leak:- As the access to certain information
or room will only be given to a certain set of people responsible and trusted, it reduces
any type of leakage of confidential information or even entry of any unwanted
individual.
• Time-Saving:- Under RBAC Management, one would only require a card or password
(according to system functionality) to get access to any information/room. This is
contrary to prior methods wherein security officials use to ask and confirm ones’
credentials and then that person would be allowed to enter after everything seems fine,
which is very time-consuming.
• Helps to Keep Record:- RBAC system not only just ensures safety but, also records
data of entries and exits which makes it easy to analyze work hours as well.
Disadvantages Role-based access control (RBAC)

• Complex For Large-Scale Organization: In a large organization, thousands of

employees work in different roles. Managing access for a large number of
employees is difficult with RBAC.
• Management Limited to Role: Under RBAC management, restrictions can be
fixed based only on the role of individuals and not the operations performed by
them.
Rule-Based Access Control (RuBAC)
Rule-based access control is a method based on predefined rules or conditions. This
access control method assigns access to resources based on the users' specific attributes,
like the user's identity or the resource type. This method can be helpful when dealing
with a large number of rules and conditions.
Advantages Rule-based access control (RuBAC)

Improved Security: One of the critical benefits of rule-based access control is improved
security. By using pre-defined rules to regulate access, organizations can ensure that
sensitive information and resources are only accessible to authorized individuals. This
helps to reduce the risk of unauthorized access, theft, or damage to resources.
Rule-Based Access Is Easy To Audit: Another benefit of rule-based access control is the
ease with which you can audit it. Because the rules are stored in a database, administrators
can easily review who has accessed what resources and when. This makes it easier to track
down the source of security incidents and to improve security over time.
Greater Flexibility: Rule-based access control is also more flexible than other forms of
access control. Administrators can easily modify the rules as needed to reflect changes in
the organization or the security landscape. This makes it easier to adapt to changing
security requirements and to keep up with evolving threats.
Disadvantages Rule-based access control (RuBAC)

Difficult initial configuration

The primary downside to working with rule-based access is the amount of work needed to
implement it. This begins with the need to determine the kinds of users who will need
different permissions, and then figuring out all of the combinations of attributes that they
could have.
Technical burdens
Another potential pain point with rule-based access is the extent of computational
resources needed. This is directly proportional to the complexity of your systems. This has
the potential to hamper performance if you have large volumes of users or complicated
criteria for assigning permissions.
Responding to change
The problem is a lot like the difficulty with initially configuring a rule-based system. This
hampers your ability to respond to change.
This effect is amplified when you have more complex, nested conditions in place.
Attribute-based access control (ABAC)
Attribute-based access control (ABAC) is a dynamic access control model with access
granted based on attributes associated with users, administrative resources, and
environmental conditions. Policies are defined using rules that specify conditions for
access, enabling fine-grained control over permissions. ABAC enhances security by
providing flexible, context-aware access control tailored to specific scenarios and
requirements. Attribute-based access control draws on a set of characteristics called
“attributes.” This includes user attributes, environmental attributes, and resource
attributes.
• User attributes include things like the user’s name, role, organization, ID, and
security clearance.
• Environmental attributes include the time of access, location of the data, and current
organizational threat levels.
• Resource attributes include things like creation date, resource owner, file name, and
data sensitivity.
Advantages Attribute-based access control (ABAC)

Flexibility: Policies in ABAC can be dynamically adjusted to changing organizational needs.

Consider a multinational corporation that needs to adjust access rights based on varying data
protection laws in different countries. ABAC policies can be quickly adapted to comply with
these legal variations without completely overhauling the access control system.
Flexibility & Scalability: Policies in ABAC can be dynamically adjusted to changing
organizational needs. ABAC efficiently manages increasing volumes of users and resources. In
a rapidly growing tech company, for instance, as new employees join and new projects are
initiated, ABAC can seamlessly scale to accommodate these changes without needing constant
policy reconfiguration.
Enhanced Security and Compliance: ABAC's detailed access control significantly improves
security. In a financial institution, ABAC can restrict access to sensitive financial records based
on a combination of user role, location, and transaction context, thereby reducing the risk of
data breaches and ensuring compliance with financial regulations.
Reduced Administrative Overhead: ABAC minimizes manual intervention by automating
access decisions based on attributes.
Disadvantages Attribute-based access control (ABAC)

Complex Implementation: Establishing ABAC requires defining a broad set of attributes

across users and resources. This complexity can be particularly challenging for smaller
organizations with limited technical resources, as it demands a deep understanding of the
operational and security dynamics.
Intricate Policy Management: ABAC involves creating detailed, context-specific policies,
which can be numerous and intricate. This complexity necessitates meticulous management
to ensure policies remain relevant and effective as the organization's needs evolve.
Performance Overhead: ABAC's detailed attribute evaluation process can impact system
performance.
Risk of Policy Conflicts: Given the granular nature of ABAC policies, there's a potential for
conflicting rules, especially when numerous attributes and conditions are involved.
Data synchronization: Applications often rely on data sources (Internal or external) to aid in
the decision-making process. Getting all the relevant attribute data into your decision point in
time can pose quite a challenge
 Access
Control Description Example Flexibility Granularity Scalability Complexity
Model
Users control Limited,
Discretionary File/folder Limited;
access; simple Low; relies on especially in Relatively
Access Control permissions on a controlled by
permissions user discretion large simple
(DAC) computer users
setup organizations
Mandatory Central access Government Low; strictly Medium; based Moderate, Moderate,
Access Control controls on security controlled by on security suitable for requires careful
(MAC) labels clearance levels authority labels specific needs planning
Role-Based Access assigned Employee roles Medium; based Medium to high; Highly scalable; Moderate,
Access Control based on user determining on predefined role-specific ideal for large especially in role
(RBAC) roles access roles permissions orgs setup
Healthcare data
Attribute-Based Access is based High; decisions High; tailored to Highly scalable; High, due to
access based on
Access Control on multiple based on various specific accommodates policy
role, location,
(ABAC) attributes attributes attributes dynamic needs complexity
time
Medium; Moderate,
Rule-Based Firewall rules Highly scalable;
Access based on decisions based Medium; based especially in
Access Control for network for specific rule-
defined rules on rule on rule sets managing
(RBAC) traffic based needs
conditions complex rules
Relationship-Based Access
Control (ReBAC)
 Relationship-Based Access Control (ReBAC) is a policy
model focused exclusively on the relationships, or how resources and identities (aka
users) are connected to each other and between themselves. These connections are used
to implement Authorization- i.e. ensuring that the right people and services have the
right access to the right resources

let’s take Facebook as the example. When you make a post or

share a picture, you set who can see that post. As examples:
closed group (share post within group or to certain friends
‘lists’), friends, friends of friends, or everyone (‘public’). It’s
this relationship mechanism that allows Facebook to share your
posts with friends and ‘friends of friends’. Access is granted
based on the relationship. The relationship is not defined on the
subject or resource object, but on a separate store that provides
the semantics required for the relationships involved.
Policy as a Graph
At the core of ReBAC lies the concept of "Policy as a Graph". This idea shows the
importance of visualizing access policies through relationships. Access policies are like
interconnected dots on a graph. Each dot represents an entity, and the lines between them
signify the relationships influencing authorization. It's a visual representation that helps us
understand the complex web of connections that govern access.
Entities:
1. Users: Representing individuals who interact with the system.
2. Objects: Representing resources, such as documents, files, or data.
3. Relationships: Representing connections between users, objects, or other entities.
Examples include “owner,” “collaborator,” or “friend.”
Relationships:
1. User-Object Relationship: Connects users to objects, defining their association with
specific resources. For instance, the “owner” relationship signifies users who own
certain objects.
2. User-User Relationship: Represents connections between users based on various criteria.
For example, the “friend” relationship denotes users who are friends with each other.
3. User-Role Relationship: Similar to traditional RBAC, this relationship assigns roles to
users based on their responsibilities within the system.
Permissions can be associated with roles or specific relationships to define access rights. For
example, a “read” permission may be granted to users who are friends, allowing them to view
each other’s posts.
Privacy Settings in Commercial
Online Social Networks
Privacy settings in commercial online social
networks refer to the controls and options provided to users to manage the
visibility and accessibility of their personal information, posts, and activities on the
platform. These settings allow users to customize their level of privacy based on their
preferences and comfort levels regarding sharing information with others.
Common features found in privacy settings of commercial online social networks:
1. Profile Privacy: Users can control who can view their profile information such as their
bio, profile picture, cover photo, and other details. They can choose to make their profile
public, visible to only friends, or restrict access to specific individuals or groups.
2. Post Visibility: Users can specify the audience for each post they make, deciding
whether it is visible to the public, friends only, or a custom list of people. Some
platforms also offer the option to create private or secret groups for sharing content with
select members.
3. Contact Management: Users can manage their connections and control who can send
them friend requests or follow them. They may also have options to block or unfriend
individuals to restrict their access to their profile and content.
4. Tagging and Mentioning: Users can control who can tag them in posts, photos, or
comments and whether they need approval before tags appear on their profile. Similarly,
they can manage notifications for when others mention them in posts or comments.
5. Location Privacy: Many social networks offer options to control location sharing,
allowing users to disable geotagging of posts or limit who can see their current location
or check-ins.
6. Data Visibility: Users may have options to manage the visibility of their activity and
usage data on the platform, including things like search history, ad preferences, and
connected apps.
7. Third-party Access: Users can review and manage the permissions granted to third-
party apps and services that integrate with the social network, controlling the data
shared with these external entities.
8. Account Security: Privacy settings often include features related to account security,
such as two-factor authentication, login alerts, and options to control who can see
personal information like email address and phone number.
Privacy settings in Facebook
Privacy settings in LinkedIn