Enhanced Privacy Control Framework for LASNSs

Chapter 7 Future work

The next natural step is to try out these enhancement ideas by mapping XACML into an example system with a fair amount of data, and develop the backbone and GUI such that the suggestions in Chapter 6 can be evaluated in practice.

The enhancements suggested in this thesis rely on the user to exploit the possibilities by making their own access control rules. Many users do not care about their privacy, and/or do not understand the consequences of sharing too much information. It is also possible that users have privacy preferences that conflict with their LASNS account privacy control settings, because they are not aware of this or do not know how to reflect their preferences through these panels. Useful work can thus be directed to helping users obtain a healthy amount of privacy awareness, and further to having them understand how they can reflect their preferences through privacy control panels.

Through the usage of LASNSs, we can try to improve user privacy control panels, yet how can we trust the people behind these services not to abuse our personal information? They are the ones responsible for enforcing the access control, and the only way to protect your information from such abuse is to make sure that only the information you wish to share with the system leaves your computer, phone or other device. To tighten privacy control even more, one can research ways to "move" the policy decision and enforcement points to the client side, where the clients can control exactly what information leaves their device. This point is even more important when it comes to apps developed by people who you have no reason to trust (third-party developers of iOS-, Android-, Facebook- and Twitter-based apps and programs, for instance). Through open APIs, these people can develop popular apps with few resources, lowering the threshold for who is able to reach the users.

It would be much safer to use these kinds of LASNSs if the user could control, from the client side, which information leaves their device. Other important work in relation to this problem is to get the providers of popular open APIs to create stricter rules as to how the developers using their framework handle user information.

The LASNSs used today are mostly made for fun and social interactions.

Still, SNSs have made their way into corporate environments with systems such as Socialcast, and so could LASNSs. Creating a corporate environment SNS or LASNS is different from making a system open to whoever signs up, where each user is able to decide whether their information is public or not. A corporate setting is different because it is possible to control who the system is open to: in practice, accounts can be limited to employees or other people with some sort of connection to the company. Another difference is that corporate settings often demand more privacy control and can also demand more centralized confidentiality control. There is a much bigger need for information flow control to protect sensitive business information. Future research can go into how access control can be used in such a LASNS setting, possibly using the proposed access control enhancement: RBAC, with a combination of the user as the system administrator for non-sensitive information objects, and a central system administrator controlling access to sensitive information. In such a setting it might make sense to use more elements from the RBAC framework, introducing Hierarchical RBAC for instance.

In addition to this possible future work, topics related to this thesis are proposed as student project ideas for master students at the Institute of Telematics at NTNU, and a conference article extending this work is planned.

Chapter 8 Conclusions

In the introduction six research questions were defined.

"1. What kind of access control features exist in current LASNS to control end-user's privacy?"

We have discovered, through analysis and discussion, that in our opinion, the users of existing LASNSs have very limited and inadequate tools for protecting how their data is shared and treated.

"2. What kind of privacy preferences may end-users have in LASNSs?"

Through imagined scenarios and experience in social networks, we have established that users may have many different fine-grained privacy preferences.

Users wish to control who can access which data (related to them), in what way, and under which conditions. As LASNSs contain sensitive personal data, users should demand such fine-grained access control.

"3. Are existent access control features in LASNSs able to satisfy end-user's privacy requirements/preferences?"

Based on the different privacy preferences users might have, we created a set of end-user privacy control requirements. None of the examined LASNS control panels fulfilled all the requirements, some not fulfilling a single one.

"4. Which privacy-enhancing access control features in LASNSs should be added (or improved in which way) to satisfy end-user's requirements/preferences? (Illustrated with examples.)"

Based on our established end-user privacy requirements, we have identified the need for two proposed enhancements. First, the need for more fine-grained subject separation: the ability to divide the potential subjects into groups, based on their relationship/role towards the user, and to make access control rules based on these roles/relationships. Second, making sure users can specify fine-grained conditions on these rules, reflecting under which conditions a rule should be applied. Together these two enhancements help fulfill all the identified requirements.

"5. How can the privacy-enhancing access control features be represented to end-users?"

Different users have different privacy preferences. A GUI for end-user privacy control should be effective in reflecting different users' different privacy preferences, yet as understandable and user-friendly as possible. We have therefore proposed an interface with both a more general way of representing access control rules (similar to Facebook's current privacy control panel), with system-specified object types and access types and a user-specifiable subject, and an option for specifying tailored access control rules as a combination of rule effect, object types, subject/roles, access types, and conditions, through easily understandable drop-down menus and variable specification.

"6. How can the privacy-enhancing access control features be represented in terms of logic rules and in machine readable format (e.g. XACML)?"

With our proposed enhanced GUI the system will receive a defined set of data. We have shown that data from the GUI input of five example user preferences, one representing each of our end-user privacy requirements, can be translated into both Datalog and XACML logic rules. This shows that our two enhancements, developed from an end-user perspective, are also implementable from a developer perspective, and could be further analyzed and extended through the use of formal languages.
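To make the rule structure described under questions 5 and 6 concrete, the following is an added example (not the thesis' own code or data) that takes one GUI-shaped rule, a tuple of rule effect, object type, subject role, access type and an optional time-window condition, and renders it both as a Datalog-style clause and as an XACML 3.0 Policy, then evaluates a handful of access requests with a minimal deny-overrides decision function. The `Rule` class, the `to_datalog`/`to_xacml`/`evaluate` helpers, the `time_in_range` Datalog predicate, and the sample values "friend", "colleague" and "location" are assumptions chosen for illustration; the XACML identifiers are the standard ones from the XACML 3.0 specification.

```python
"""One GUI privacy rule -> Datalog clause and XACML 3.0 <Policy>, plus a tiny PDP.

Added worked example; Rule, helper names and the sample roles/objects are
assumptions for illustration, not the thesis' own implementation.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Standard XACML 3.0 identifiers (namespace, data types, categories, attributes, functions).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ATTR_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
FN_STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FN_TIME_ONE_AND_ONLY = "urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"
FN_TIME_IN_RANGE = "urn:oasis:names:tc:xacml:2.0:function:time-in-range"
RCA_DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"


@dataclass(frozen=True)
class Rule:
    """What the drop-down GUI hands to the backend (hypothetical shape)."""
    effect: str                       # "Permit" or "Deny"
    object_type: str                  # system-specified object type, e.g. "location"
    subject_role: str                 # user-defined group/role, e.g. "friend"
    access_type: str                  # system-specified access type, e.g. "read"
    not_before: Optional[str] = None  # condition: xs:time "HH:MM:SS", inclusive
    not_after: Optional[str] = None


def to_datalog(rule: Rule) -> str:
    """Render the rule as a Datalog-style clause (time_in_range/3 is an assumed built-in)."""
    body = [f"role(S, {rule.subject_role})", f"type(O, {rule.object_type})",
            f"A = {rule.access_type}"]
    if rule.not_before is not None:
        body.append(f"current_time(T), time_in_range(T, {rule.not_before}, {rule.not_after})")
    return f"{rule.effect.lower()}(S, O, A) :- {', '.join(body)}."


def _match(all_of: ET.Element, category: str, attr_id: str, value: str) -> None:
    """One <Match>: string-equal between a literal and an attribute designator."""
    m = ET.SubElement(all_of, "Match", MatchId=FN_STRING_EQUAL)
    ET.SubElement(m, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(m, "AttributeDesignator", Category=category, AttributeId=attr_id,
                  DataType=XS_STRING, MustBePresent="true")


def to_xacml(rule: Rule, policy_id: str = "user-policy") -> str:
    """Render the rule as an XACML 3.0 <Policy> holding a single <Rule>."""
    policy = ET.Element("Policy", xmlns=XACML_NS, PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=RCA_DENY_OVERRIDES)
    ET.SubElement(policy, "Target")  # empty policy target: applies to every request
    xr = ET.SubElement(policy, "Rule", RuleId=f"{policy_id}-rule-1", Effect=rule.effect)
    all_of = ET.SubElement(ET.SubElement(ET.SubElement(xr, "Target"), "AnyOf"), "AllOf")
    _match(all_of, CAT_SUBJECT, ATTR_ROLE, rule.subject_role)      # who (role)
    _match(all_of, CAT_RESOURCE, ATTR_RESOURCE_ID, rule.object_type)  # which data
    _match(all_of, CAT_ACTION, ATTR_ACTION_ID, rule.access_type)    # in what way
    if rule.not_before is not None:                                # under which conditions
        apply = ET.SubElement(ET.SubElement(xr, "Condition"), "Apply", FunctionId=FN_TIME_IN_RANGE)
        one = ET.SubElement(apply, "Apply", FunctionId=FN_TIME_ONE_AND_ONLY)
        ET.SubElement(one, "AttributeDesignator", Category=CAT_ENV, AttributeId=ATTR_TIME,
                      DataType=XS_TIME, MustBePresent="true")
        for t in (rule.not_before, rule.not_after):
            ET.SubElement(apply, "AttributeValue", DataType=XS_TIME).text = t
    return ET.tostring(policy, encoding="unicode")


def parse_effects(xml_text: str) -> list:
    """Round-trip check: parse generated XML and return the Effect of each <Rule>."""
    root = ET.fromstring(xml_text)
    return [r.get("Effect") for r in root.findall(f"{{{XACML_NS}}}Rule")]


def evaluate(rules, roles: set, object_type: str, access_type: str, now: str) -> str:
    """Minimal PDP: deny-overrides over the rules whose target and condition match.

    `now` is "HH:MM:SS"; zero-padded xs:time strings compare correctly as text.
    """
    decision = "NotApplicable"
    for r in rules:
        if r.subject_role not in roles or (r.object_type, r.access_type) != (object_type, access_type):
            continue
        if r.not_before is not None and not (r.not_before <= now <= r.not_after):
            continue
        if r.effect == "Deny":
            return "Deny"  # deny-overrides: one applicable Deny settles it
        decision = "Permit"
    return decision


# Constructed sample preferences: friends may read my location only by day; colleagues never.
SAMPLE_RULES = (
    Rule("Permit", "location", "friend", "read", "08:00:00", "22:00:00"),
    Rule("Deny", "location", "colleague", "read"),
)

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(to_datalog(r))
        print(to_xacml(r))
    print(evaluate(SAMPLE_RULES, {"friend"}, "location", "read", "12:00:00"))
```

The evaluator is deliberately a stand-in for a real PDP: it shows why the rule-combining algorithm matters for a user who belongs to two roles at once (a friend who is also a colleague is denied), which is exactly the kind of consistency question the next step below raises.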

LASNSs will usually demand a balance between trust and access control.

Sometimes, in order for the service to be of value to the user, one might have to make sacrifices when it comes to privacy. Still, users should demand better privacy control than what is offered in existing LASNSs. Locational information, paired with information from SNSs, can represent sensitive personal information, and the user should be able to choose to whom, how and when it is shared. Our two proposed enhancements fulfill this requirement, and it is shown that they work from both a GUI and an implementation point of view.

The next step would be to examine the consistency of the logic rules from a security point of view, and naturally, to implement these enhancements to test them in practice.

Appendix A