Scholarly article on topic 'Risk Weighted Social Trust Index for Online Social Networks'

Risk Weighted Social Trust Index for Online Social Networks Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Academic journal
Procedia Computer Science
OECD Field of science
Keywords
{"Online social networks" / "trust index" / privacy}

Abstract of research paper on Computer and information sciences, author of scientific article — Jayprakash Lalchandani, Hari Bhaskar Sankaranarayanan

Abstract Online social networks (OSN) are a great boon for connecting internet user communities for sharing ideas, important happenings and life events. At the same time, there is a negative perception among user community that OSN compromises privacy concerns in several ways. To address this concern, this paper proposes the concept of defining a cumulative trust index for OSNs called Risk Weighted Social Trust Index (RWSTI). The end goal of RWSTI is to provide a holistic measure on social media trustworthiness for users. RWSTI could be published by regulatory bodies or internet watchdog organizations to improve trust in OSN communities.

Academic research paper on topic "Risk Weighted Social Trust Index for Online Social Networks"

CrossMark

Available online at www.sciencedirect.com

ScienceDirect

Procedia Computer Science 78 (2016) 307 - 313

International Conference on Information Security & Privacy (ICISP2015), 11-12 December 2015,

Nagpur, INDIA

Risk Weighted Social Trust Index for Online Social Networks

Jayprakash Lalchandania Hari Bhaskar Sankaranarayananb

aInternational Institute of Information Technology, Bangalore, 560100, India bAmadeus Software Labs, Bangalore, 560103, India

Abstract

Online social networks (OSN) are a great boon for connecting internet user communities for sharing ideas, important happenings and life events. At the same time, there is a negative perception among user community that OSN compromises privacy concerns in several ways. To address this concern, this paper proposes the concept of defining a cumulative trust index for OSNs called Risk Weighted Social Trust Index (RWSTI). The end goal of RWSTI is to provide a holistic measure on social media trustworthiness for users. RWSTI could be published by regulatory bodies or internet watchdog organizations to improve trust in OSN communities.

©2016 The Authors.PublishedbyElsevierB.V. This is an open access article under the CC BY-NC-ND license

(http://creativecommons.Org/licenses/by-nc-nd/4.0/).

Peer-reviewunder responsibility of organizing committee of the ICISP2015

Keywords/Online social networks; trust index; privacy

1. Introduction

The advent of OSN offered several benefits like sharing of information, improving productivity in daily routine, and connecting people from different parts of the world in a virtual manner. The number of registered and daily active users is growing on OSN's. They promote modern way of collaboration in real time with minimal communication overheads. Social communities are formed in the form of fan pages, common interest groups and

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license

(http://creativecommons.Org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of organizing committee of the ICISP2015

doi:10.1016/j.procs.2016.02.060

causes. This is a healthy sign for sharing opinions, voices and unlocking worthy ideas from any corner of the world by breaking the geographical boundaries. There are enough evidences that OSN improved productivity by making information available anywhere, anytime [1]. As a multiplier effect, the raise of mobile devices and penetration of cloud computing created a ubiquitous world of harnessing knowledge capital. On the down side, OSN users freely share information without sufficient awareness on how their personal data like photos, messages, videos, and location are getting tracked and used. OSN privacy policies are not clear enough for users to understand. OSN sites almost control what the users see by experimenting content almost every day [2]. The data usage on OSN is a double edged sword with one hand giving the power of productivity benefits while on the other hand risking exploitation of user generated data without much control or visibility to the user. The users are targeted with avalanche of content in the form of advertisements, unsolicited mailers and intrusive browsing pattern learning algorithms that ultimately invade user privacy [3]. The efforts to publish privacy policies, create awareness are considered less effective as there are still unsolved problems on how much voice the user has on the data used and tracked by different OSN sites [4]. This paper makes an attempt to address this critical user concern and proposes a novel concept of creating trust index for the users of OSN community. The paper is organized into following sections, section 2 discusses the current state of OSN privacy concerns, section 3 presents existing gaps in privacy concerns, section 4 explains the process flow of calculating RWSTI, section 5 compares our proposed approach with related work, and section 6 concludes our paper along with a discussion on scope for future work.

Nomenclature

OSN Social media sites like Facebook, Twitter, Google +, Instagram, Linkedin, YouTube etc.

User Users who post, share, comment on OSN sites etc.

Data User personal profile, posts, comments, photos, videos, tweets, messages etc.

2. Current state of privacy concerns

The first and foremost concern is that privacy policies are hard to read and understand from user point of view. Research reports indicate that it would take an average 76 days per year for a user to read the ever changing privacy policies of OSN sites [5]. The second concern is that the usage of personal data for research purposes is not communicated clearly to the users. The example in this case is where Facebook tweaked the news feed to experiment with the emotions of the 700,000 users [6]. The third concern is tracking of user behavior by OSN sites like location information without a prior consent. In this case, Facebook messenger tracked location information of a user without any consent [7]. The fourth concern is hacking attacks [8]. The last concern is on the constant violations to statutory compliance and regulatory guidelines [9]. And, these may be either based on existing global policies (if any), or geography (or country) specific, local policies. To user's relief, OSNs make efforts through regulatory pressures alleviating privacy concerns through following techniques:

• Cookie information display on web pages showing purpose of cookie tracking and usage mandated by European Union [10].

• Guided Privacy features including step by step guided video tours, alerting about user tagging, providing view as a specific person, controlling privacy for each post and allowing users follow only public posts.

• Privacy setting empowerment like section based settings, access controls, feedback on annoying posts & advertisements.

• Disclaimers and awareness initiatives like proactively informing about phishing attacks, email campaigns on the data usage, account protection, data backup facilities etc.

3. Existing Gaps

OSNs have attempted mitigating privacy gaps to enable users to feel safer on data sharing with them for deriving mutual benefits. Users are served with interesting information to make the social media experience as an

engaging one. Despite of the efforts from OSN websites, the gaps on privacy, social data usage prevail and have been summarized in the following:

• Fine prints on privacy policies

The policy terms and conditions are lengthy and a normal user who is just knowledgeable of OSN browsing may not completely understand them. Surveys and research reports highlight that fine prints are complex to read first and decipher the nuances that link the data usage. More importantly users do not bother of such consequences of not reading the privacy policies completely. They tend to click the "Agree" or "Accept" button without spending too much time to read due to the crowded textual display [11].

• Privacy settings gaps

Despite of fine grained privacy settings and controls given to the users, there are leaks that exists [12]. For example: the privacy control of tagging photos might lead one of friend networks to their friends or strangers if the setting chosen by the friend is public. The photos will be shown to public viewing the moment one accepts the tagging out of curiosity. The downstream consequences include a page liked by a friend pops up as suggestions in the OSN for others to accept and it creates annoyance through repeated forms of irrelevant recommendations. Cookies are used as means to understand browsing behavior. The advertisement shown on the browser real estate is still based on the cookie information and there is no easy way to hide or block them.

• Insufficient efforts on awareness initiatives

OSN's do not enforce guided tours or make concerted efforts for users to read some of the critical awareness mailers. They are lost in spam or hidden among the bunch of emails in user inbox. It is a challenge to understand if an attempt is deliberate or unintentional. OSN sites do not pay enough attention to such nuances on improving awareness as they do for commercial opportunities like "Suggestions" or "Recommendations" of the next best product. The efforts are futile since most of the users are kept in dark with respect to such initiatives. There is no mechanism to capture the required feedback and effectiveness of awareness campaigns from both OSN sites and the regulators.

• Degrading OSN content quality

Annoying requests for page likes, ads, and games continue due to heavy commercialization. OSNs capture the browsing real estate space by intruding advertisements despite of users not clicking them. Sites like YouTube have gone a step further by embedding advertisement so that users do not even have a choice to skip beyond a point. Users are forced to watch and OSNs don't offer any control to stop or modify them. More importantly irrelevant advertisements intruding privacy and occupying browser real estate not only degrades browsing experience but erodes the confidence level on the recommended content [13].

4. Our Approach to Risk Weighted Social Trust Index (RWSTI)

RWSTI calculation process flow consists of four phases namely, data collection, processing, compute, and publish. The process of building RWSTI has been summarized in Fig.l.

4.1. Data collection phase

User feedback on privacy policies and data usage are collected through feedback forms. The feedback might be both in objective means like rating scale, close ended questions and subjective form like free text. Subjective feedback can be processed using natural language processing (NLP) techniques for calculating an objective score. Also other forms of data sources include independent research surveys, reports from regulatory bodies and internet watchdogs. For instance, reported security incidents is a clear objective measurements like zero day attacks, list ofpublished vulnerabilities by security scans etc.

4.2. Processing Phase

The acquired data is classified based on attributes mentioned in Table 1. The list of assessment questions are indicative to capture the level at which each of those attributes are addressed by the OSN. Each attribute can be associated with a weight factor while classifying the input data. The process of calculation of weights is discussed in the next phase.

Table 1. Method for Building RWSTI.

Attribute Assessment Questions (indicative)

User awareness 1. How they inform users about privacy policies?

2. How transparent the privacy controls ex: visibility, awareness of such controls

3. How granular are the privacy controls so that user can set them?

Data usage 1. Does the user have a say on how data can be used?

2. Does the user control what data they can or cannot share with the OSN site?

3. Does the OSN site ask and implement user privacy feedback

External threats and attacks

Compliance & Regulations

seriously?

4. How does the mobile apps, website collect data in background?

5. Does the OSN site let the user know about the type ofdata collected and reasons behind those?

6. Does the background data collected are sensitive and privacy controlled in nature? For example: User location information

1. What is the number of hacking attempts made on the site?

2. What are the successful hacks on the OSN site and type of data hacked?

3. Does the OSN site inform about such attacks and threats to the user community on a periodic basis?

1. How many violations, incidents reported on regulations?

2. Does the company openly advocates and practices regulations in letter and spirit?

3. Does the company actively participate, contribute in forums, councils on security and privacy?

4.3. Compute phase

The key part of compute phase is to calculate the weight applied to a particular attribute based on set of risks. In this context risk is defined as the exposure of a non-compliance. The impact can be quantified through loss of money, reputation, market share erosion and qualified through metrics like sustainability, loss of goodwill.

Classification of exposure depends on the type of data or policy not complied with. Each attribute weight can be associated as a function of such exposure values based on the assessment questions. Some of the classification examples for calculating the risks:

• High exposure value and risk weight for something like account hacking.

• Low exposure value for data usage like tagging photos since the user has flexibility to review who can tag or post on timeline.

• Medium exposure for privacy policy awareness since the user is aware of data usage for research however the policy didn't detail about the types of research with examples.

• Medium exposure value for snooping, leaking sensitive information as it might have indirect impact on the user but violates agreed regulations.

The weights can be calculated based on techniques like trend, pattern analysis from past data set [14]. The weights will be published in advance and adjusted based on the prevailing security environment. The useful part of associating risk weighted approach is that quantification can be automated through machine learning techniques. Moreover, it will be capable of providing qualitative way of evaluating the involved risks. The current model of RWSTI computation is explained in the below steps. Step 1: For each QSN"

Score of Attribute n = У compliance (1) + non-compliance (0)

Attribute compliance can be measured a^ "0" or '"1" from the response to the assessment questions of each attribute. A score of ::D" is assigned for noil-compliant response. A 5 с ore of "1" is assigned for compliant response.

Step 2\ Weight is calculated based on the probability or likelihood, impact of the attribute non-compliance. Weight (Risk exposure value) = Likelihood of non-compliance event 51 Impact of such event Likelihood - 0 to 1 (Lo'.v to high) Impact - 0 to 1 (Low to high)

Step 3: Calculate the index.

RWSTI =£ (Attribute 1 * Weight 1 - Attribute 2* Weight 2- ... - Attribute n* Weight n where У Weight = 1

Step 4: Normalize RWSTI of OSN ; to a 1-100 point scale (Low-High)

A low number in RWSTI signifies that there is a good potential of violations, misuse of social data and OSN isn't trustworthy for the users to share personal data. A high score indicates that the OSN complies with the attribute classification and user privacy is very unlikely be compromised.

4.4. . Publish phase

RWSTI can be published for consumption by governing authorities like Internet watchdogs on a periodic basis. This would help in establishing credibility and push OSNs to remediate the privacy concerns. It would also act as an unbiased and neutral indicator to build trust among users. One ofthe ways is to display such index as alerts to the users during registration process.

For instance, the OSN site might be doing a good work on user awareness and exhibit high compliance, however, they may be constantly prone to hacking attacks. Linkedln is a good example where the passwords are stolen completely and published online despite of their efforts to make privacy controls and user awareness as flexible through account classification like basic, premium et al [15]. In such cases RWSTI would be low since external attacks pose great threat to the sustainability of the site and such repeated incidents might completely erode end user confidence of sharing data further.

5. Comparison with related work

Sherchan et al. present a detailed literature survey focusing on building trust in OSN in[16]. They present a classification of social trust system which outlines trust information collection, evaluation, and its dissemination. Trust information collection is based on attitude, behaviors and experiences of different users. Trust evaluation is based on graph, user-interaction and hybrid trust models. Hybrid model uses combinations of graph and user interaction trust models. More importantly trust dissemination is approached in form of visualization and recommendation systems. However, the work in [16] neither prescribes any index or an objective way of capturing the social trust. This becomes a key motivating factor for our paper which uses the recommendation based approach along with having an indicator of social trust. In terms of calculating the weights through a risk assessment process, the survey was done to understand how financial institutions operate for risk management, while our paper draws certain concepts of risk classification and loosely correlates them by assigning suitable weights to different attributes for compliance. Also there is a score card published based on data protection on government requests which has been carried out by a non-profit organization aiming to champion initiatives on user privacy [17]. For instance, there are several studies done on reliability of Wikipedia content from different perspectives like education, health, librarians, scientific community for accuracy score. The assessment is done to compare the quality of content with standard encyclopaedias using statistical techniques, analysis of historical patterns, expert reviews and evaluating the rigor of the unique collaboration based editing process [18].

In addition to those recommendations in publish phase, RWSTI can act as a guideline for user's responsibilities. It can also emphasize the mandatory user awareness sessions and trainings which are necessary for improving trust levels. In the long run, RWSTI implementation could act as an advisory, consultative approach for trust building in the OSN community. It can further assist in building robust privacy policy frameworks in future and having scope for continuous improvement.

6. Conclusion and Future Work

The current state of tracking without user knowledge may be useful for OSN sites to commercialize their offerings for improving profits. However, the larger cause of addressing user privacy remains as an intriguing debate. An ideal state on OSN data usage privacy would be driven by the end user where what should be tracked and what should not be tracked on any site is on the sole discretion of the user. For example, user can have a privacy control that would ask if they consent provide an information that can help the OSN site to tune and offer personal recommendations. Ultimately, the choice of getting services like recommendations,

advertisement must be let into the hands of end users in a non-intrusive way. Users must be clearly made aware of the consequences and benefits of sharing and browsing in OSN. OSN is an eco-system of symbiotic relationships. To create a "win-win" situation the users and OSN sites should work in tandem to improve trust and enable transparency on privacy and data usage.

The RWSTI calculation process encompasses prominent attributes which are pressing in today's privacy landscape. The intention is to extend this as a holistic framework where it can be built with more attributes and assessment questions. Responses to such an assessment mechanism is expected to be compliant or non-compliant in nature along with capturing relevant subjective aspects through probabilistic modeling. The use of RWSTI with a strong governance framework around it would enable creation of an environment where users feel safe about OSN activity while the web sites continue to reap the benefits of commercialization in a more transparent manner. RWSTI uses linear calculation model which can be further improved using machine learning techniques for predicting risks. A prototype can be built using feedback sources to test effectiveness of RWSTI on popular sites like Facebook, Twitter and Google in a periodic manner. It will then be possible to capture index snapshots based-on events like privacy policy changes, data misuse, threats, attacks, and reported violations.

References

1. Microsoft Research Report. Microsoft survey on enterprise social use and perceptions. Microsoft website, May 2013. https://news.microsoft.com/download/presskits/enterprisesocial/docs/escresearchsumppt.pdf

2. Vindu Goel. Facebook Tinkers With User Emotions in News Feed Experiment, Stirring Outcry. New York Times website, June 2014.http://www.nytimes.com/2014/06/30/technology/facebook-tinkers-with-users-emotions-in-news-feed-experiment-stirring-outcry.html

3. Brendan Van Alsenoy et al. From social media service to advertising network: A critical analysis of Facebook's Revised Policies and Terms. Belgian Privacy Commission Draftvl.3, Aug 2015

4. Krishnamurthy, Balachander, and Craig E. Wills. Characterizing privacy in online social networks. Proceedings of the first workshop on online social networks. ACM, 2008.

5. Amanda Scherker. Didn't Read Facebook's Fine Print? Here's Exactly What It Says. Huffmgtonpost website, July 2014. http://www.huffmgtonpost.com/2014/07/21/facebook-terms-condition_n_5551965.html

6. R Jai Krishna.Sandberg: Facebook Study Was 'Poorly Communicated. Wallstreet Journal blog, July 2014. http://blogs.wsj.com/digits/2014/07/02/facebooks-sandberg-apologizes-for-news-feed-experiment/

7. Aran Khanna. Facebook's Privacy Incident Response: a study of geolocation sharing on Facebook Messenger. Harvard Dataverse, August, 2015.

8. Hacking Fears Outweigh Privacy Concerns: US Survey. Security week website, December 2013. http://www.securityweek.com/hacking-fears-outweigh-privacy-concerns-us-survey

9. Samuel Gibbs.Facebook tracks all visitors, breaching EU law. The Guardian website, March 2015. http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report

10. EU Internet Handbook, http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

11. Mary Madden. Privacy management on social media sites. Pew Research Center, February 2012

12. Korolova, Aleksandra. "Privacy violations using microtargeted ads: A case study." Data Mining Workshops (ICDMW), 2010 IEEE International Conference on. IEEE, 2010.

13. Robert Hof. Facebook Promises Fewer Head-Scratching Ads In Your Newsfeed. Forbes website, September 2013. http://www.forbes.com/sites/roberthof/2013/09/27/facebook-promises-fewer-head-scratching-ads-in-your-newsfeed/

14. Hendricks, Darryll. Evaluation of Value-at-Risk Models Using Historical Data (Digest Summary). Economic Policy Review Federal Reserve BankofNewYork 2.1 (1996): 39-67.

15. Mathew J Schwarts. Linkedln Confirms Password Breach, Phishing Intensifies. Information Week, July 2012. http://www.darkreading.eom/attacks-and-breaches/linkedin-confirms-password-breach-phishing-intensifies/d/d-id/1104725?

16. Sherchan, W., Nepal, S., and Paris, C. A Survey of trust in social networks.ACM Comput. Surv. 45, 4, Article 47, August 2013

17. Nate Cardozo, Kurt Opsahl, Rainey Reitman. Online Service Providers' Privacy and Transparency Practices Regarding Government Access to User Data. Electronic Frontier Foundation, June 2015

18. Reliability ofWikipedia. Wikipedia, https://en.wikipedia.org/wiki/Reliability_of_Wikipedia