
4   A Collaborative Access Control model

4.3   Algorithms for Collaborative Privacy Decisions

4.3.2   AccessorSharing Algorithm

It is effective security practice to divide accessors into viewers and disseminators. Viewers are users who have permission to view the shared item. When a viewer requests to share the item with her/his friends, family members, classmates, etc. and is granted permission to disseminate it, we call this viewer a disseminator. We introduce the AccessorSharing algorithm, whose basic idea is to compare the trust value between the associated controllers and the accessors of the shared data against a threshold in order to decide whether the trust value is high enough to allow this. Algorithm 2 illustrates the entire procedure of accessor sharing.

Algorithm 2. AccessorSharing

input: (item, P = {<controller, TypeC, shared item, permitted accessor, denied accessor>}, ASP = {<controller 1, tr-threshold>, . . . , <controller i, tr-threshold>}, final permitted accessor[ ], TG)
// P is the set of p, where each p ∈ P is the access control policy assigned by an associated controller for the data item in question; ASP is the set of asp, the accessor sharing policies in which each controller identifies her/his trust threshold value; final permitted accessor[ ] is the output of the PermittedandDeniedAccessors algorithm; TG is the trust graph, where each user u ∈ U assigns a trust value to those with whom they have direct relationships.

output: disseminators : int[ ], not-disseminators : int[ ]

var
    tr                 : string   init null
    controllers-permit : [ ]int   init null
    controllers-deny   : [ ]int   init null
    decision-permit    : double   init 0
    decision-deny      : double   init 0
    T                  : int      init 0
    F                  : int      init 0

begin
    for each u ∈ final permitted accessor[ ] do
    {
        for each controller c ∈ U do   // controllers who belong to ASP { }
        {
            tr ← TG.infer(c, u)   // using the FuzzyTrust algorithm to infer how much the controller trusts user u from TG
            if tr ≥ tr-threshold   // from ASP { } for controller c
                { controllers-permit[ ] ← c
                  T++ }
            else
                { controllers-deny[ ] ← c
                  F++ }
        }
        if i = T then   // checking if there are no conflicts, where i is the number of controllers (size of ASP set)
            add u to disseminators[ ]
        else if i = F then
            add u to not-disseminators[ ]
        else   // conflict case
            for each controller c ∈ controllers-permit[ ] do
                decision-permit += w(c) * sl(item)
            for each controller c ∈ controllers-deny[ ] do
                decision-deny += w(c) * sl(item)
            if decision-permit ≥ decision-deny then
                add u to disseminators[ ]
            else
                add u to not-disseminators[ ]
    }
    return disseminators[ ] and not-disseminators[ ]

This algorithm simply returns the set of accessors who are allowed to disseminate the shared item (disseminators) and a not-disseminators set containing the accessors who are not allowed to disseminate. The algorithm takes the set of policies (P) to determine each controller's type and her/his sensitivity level for the shared item. Moreover, Algorithm 2 takes as input the trust graph (TG), where a label is assigned to each edge to indicate the trust value of the relationship, to infer trust values (tr) between users. A set of accessor sharing policies (ASP), defined by the associated controllers, is also taken as input. In the first phase, the algorithm computes the trust value (tr) between each associated controller and each accessor in final permitted accessor, which is the result of the PermittedandDeniedAccessors algorithm, by using the FuzzyTrust algorithm (TG.infer(c, u)). Then it compares the trust value (tr) with the sharing policy specified by each controller (tr-threshold), which is part of the input of Algorithm 2. The tr-threshold in the sharing policy decides whether the trust value (tr) between the controller and the accessor is high enough for sharing or not: it indicates the minimum trust value (tr) from the controller to the accessor that is required to grant the accessor permission to share the item. If the trust value (tr) is equal to or higher than the required tr-threshold, the controller is added to the set of controllers (controllers-permit) that holds all controllers whose sharing policy is satisfied. Otherwise, controllers whose sharing policy requirements have not been satisfied are sent to controllers-deny. If the number of users in the controllers-deny set equals the number of related ownerships, the accessor is not granted permission to share the item with their friends, family members, classmates, etc. Indeed, the trust values between this denied accessor and the controllers did not meet the tr-threshold requirements; hence, the accessor is sent to the not-disseminators.

In the last case, when the trust values (tr) from the controllers to the accessor do not satisfy all of the sharing policies specified by the controllers associated with the shared item, a conflict arises among them over whether to allow or refuse the sharing request. Consequently, we resolve conflicts by combining the controllers’ weights and the sensitivity levels that are derived from the shared item's element policies and reflect the controllers’ privacy concerns. We believe the relationship between controllers and shared items, which is represented by the controller’s weight, has a significant impact on resolving conflicts. In addition, some controllers require high protection for shared items;

inappropriate handling of data. To reach the final result, we compute one decision value from the controllers whose required degree of trust (tr-threshold) has not been achieved, and another decision value from the controllers whose assigned trust level (tr-threshold) is satisfied by the value of tr. The values of the permitted and denied decisions are computed with the following equations:

decision-permit += w(c) * sl(item)    (5)

decision-deny += w(c) * sl(item)    (6)

Finally, when the permitted decision value is greater than or equal to the denied decision value, the accessor is authorized to disseminate the shared data item. Otherwise, the AccessorSharing algorithm refuses the accessor's request to share the content. To illustrate the algorithm's details, we introduce the following example.

Example 2.

Suppose there are four users, Alice (A), Bob (B), Clare (C) and Dave (D), who share the same photo: Alice has the photo in her profile, and Bob and Dave are tagged in the photo, which was initially posted by Clare. Figure 12 shows a similar scenario where Alice is called the owner, Bob and Dave are stakeholders, and Clare is called a contributor who posted the content in Alice’s profile. When Edward (E), who is one of the viewers, desires to share this photo with his relationship list such as friends, family members, classmates, etc., the authorization requirements from all linked controllers are considered by running the AccessorSharing algorithm. A, B, C and D have specified their accessor sharing policies (tr-threshold), and the trust values between E and each controller are inferred as shown in Figure 20.

Figure 20: Accessor sharing policies and Inferring trust values.

Also, Figure 20 depicts that the trust value from the owner (A) to E satisfies A’s trust requirement, as well as the trust requirement of the contributor, Clare. However, stakeholders B and D refuse to let E disseminate the shared photo because their policy requirements have not been satisfied. As a consequence, the decision for E’s sharing request includes both permissions and prohibitions, which leads to conflicts. For this example, suppose the photo has diverse sensitivity levels assigned by the associated controllers A, B, C and D as follows: sl(photo(A)) = 0.25, sl(photo(B)) = 0.75, sl(photo(C)) = 0.50 and sl(photo(D)) = 1. A's and C’s permissions are calculated by decision-permit = (w(A) * sl(photo(A))) + (w(C) * sl(photo(C))) = 0.50, where w(A) and w(C) are derived from the Controllers’ Weight scheme. In order to resolve the conflict between the controllers’ policies about E's sharing, Algorithm 2 computes a denied decision value from B and D based on the decision-deny equation, which gives (w(B) * sl(photo(B))) + (w(D) * sl(photo(D))) = 1.75, where B’s and D’s weights w are derived from principle 1. To acquire a final decision about E, the decision-permit value is used as a threshold for decision making. In our example decision-deny is higher than decision-permit, thus E is denied permission to publish the photo on his profile. The collaborative decision for E’s sharing request takes the privacy protection of highly sensitive data into account. Note that this example also corresponds to the situation in Figures 14 and 15, where Edward reflects the contributor who desires to share and post the photo on the personal page of a friend, family member, classmate, etc. in the OSN. Note that if the decision had been left up to the owner, Alice, the decision would have been to permit Edward to share the photo with his relationships list. There is no consideration for the other parties’ privacy requirements in most existing OSN privacy protection mechanisms.

Furthermore, they do not support the notion of trust or the sensitivity level of data, which play a significant role in measuring how disclosing an item can affect online users.
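Algorithm 2 and Example 2 as runnable Python; this is an added example, not code from the thesis. The weights, thresholds and trust values are constructed (Figure 20 is not reproduced here) and chosen so that E's totals match the 0.50 and 1.75 above; `infer_trust` is a hypothetical lookup standing in for FuzzyTrust, and the empty-controller check is a hardening assumption beyond the pseudocode.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Controller:
    name: str
    weight: float        # w(c); the values used below are assumed
    sensitivity: float   # sl(item) assigned by this controller
    tr_threshold: float  # this controller's ASP entry (assumed)

def scores(u, controllers, infer_trust):
    """Return (decision_permit, decision_deny, n_permit) for accessor u."""
    permit = [c for c in controllers if infer_trust(c.name, u) >= c.tr_threshold]
    deny = [c for c in controllers if c not in permit]
    d_permit = sum(c.weight * c.sensitivity for c in permit)  # eq. (5)
    d_deny = sum(c.weight * c.sensitivity for c in deny)      # eq. (6)
    return d_permit, d_deny, len(permit)

def accessor_sharing(final_permitted, controllers, infer_trust):
    """Split accessors into (disseminators, not_disseminators)."""
    if not controllers:
        # Added hardening: with i = 0 the "i = T" test would pass vacuously.
        raise ValueError("no controllers: refusing to decide")
    disseminators, not_disseminators = [], []
    for u in final_permitted:
        # Votes are recomputed per accessor so nothing carries over between them.
        d_permit, d_deny, n_permit = scores(u, controllers, infer_trust)
        if n_permit == len(controllers):   # every threshold met, no conflict
            allowed = True
        elif n_permit == 0:                # no threshold met, no conflict
            allowed = False
        else:                              # conflict case: a tie permits
            allowed = d_permit >= d_deny
        (disseminators if allowed else not_disseminators).append(u)
    return disseminators, not_disseminators

# Constructed sample data: sl values are from Example 2, the rest is assumed.
CONTROLLERS = [
    Controller("A", 1.0, 0.25, 0.6), Controller("B", 1.0, 0.75, 0.8),
    Controller("C", 0.5, 0.50, 0.5), Controller("D", 1.0, 1.00, 0.9),
]
TRUST = {  # (controller, accessor) -> inferred trust; G has no entries
    ("A", "E"): 0.7, ("B", "E"): 0.4, ("C", "E"): 0.6, ("D", "E"): 0.5,
    ("A", "F"): 0.9, ("B", "F"): 0.9, ("C", "F"): 0.9, ("D", "F"): 0.95,
}

def infer_trust(controller, accessor):
    # Stand-in for TG.infer; a pair with no inferable trust fails closed at 0.0.
    return TRUST.get((controller, accessor), 0.0)
```

Calling `accessor_sharing(["E", "F", "G"], CONTROLLERS, infer_trust)` places F among the disseminators and E and G among the not-disseminators: E loses the weighted vote, and G is unknown to every controller.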