Collateral Damage of Online Social Network Applications

Biczók

Shirazi

et al. 2018

Computers & Security

Self Cite

Third-party applications on Facebook can collect personal data of the users who install them, but also of their friends. This raises serious privacy issues as these friends are not notified by the applications nor by Facebook and they have not given consent. This paper presents a detailed multi-faceted study on the collateral information collection of the applications on Facebook. To investigate the views of the users, we designed a questionnaire and collected the responses of 114 participants. The results show that participants are concerned about the collateral information collection and in particular about the lack of notification and of mechanisms to control the data collection. Based on real data, we compute the likelihood of collateral information collection affecting users: we show that the probability is significant and greater than 80% for popular applications such as TripAdvisor. We also demonstrate that a substantial amount of profile data can be collected by applications, which enables application providers to profile users. To investigate whether collateral information collection is an issue to users' privacy we analysed the legal framework in light of the new General Data Protection Regulation. We provide a detailed analysis of the entities involved and investigate which entity is accountable for the collateral information collection. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency towards collateral information collection. Furthermore, we discuss alternative solutions highlighting other countermeasures such as notification and access control mechanisms, cryptographic solutions and application auditing. To the best of our knowledge this is the first work that provides a detailed multi-faceted study of this problem and that analyses the threat of user profiling by application providers.

Section: Is Collateral Information Collection a Risk For The Protection Of The Personal Data?mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Collateral damage of Facebook third-party applications: a comprehensive study

Biczók

Shirazi

et al. 2018

Computers & Security

Self Cite

“…Facebook or Google+, and (iv) not allow users to opt out from the KSS service. A misbehaving KSS may also attempt not to comply with the Privacy policy that it advertises [28]. Thus, privacy policies and consent compliance should be guaranteed.…”

Section: Privacy Threatsmentioning

confidence: 99%

Keyless car sharing system: A security and privacy analysis

2016 IEEE International Smart Cities Conference (ISC2)

Mustafa

Preneel

2016

Self Cite

Abstract-This paper proposes a novel physical keyless car sharing system where users can use and share their cars without the need of physical keys. It also provides a comprehensive security and privacy analysis of such a system. It first presents a high-level model for a keyless car sharing system, describing its main entities and specifying the necessary functional requirements to allow users to share their cars (with other users) without exchanging physical keys. Based on this model and functional requirements, the paper presents a comprehensive threat analysis of the system. It focuses on the threats affecting the system's security and the users' privacy. This analysis results in a specification of an extensive set of security and privacy requirements for the system. This work can be used as a guide for a future keyless car sharing system design and as a mean to assess the security and privacy risks imposed on users by such systems.

“…Later, Facebook has replaced this with a single permission to conform with US Federal Trade Commission (FTC) regulations on data collection [3]. Conformity notwithstanding, apps are still able to collect up to fourteen profile attributes via friends [20]. Of course, users have app-related privacy controls at their disposal; however, they are scattered at multiple locations, such as the user's personal profile (visibility levels per attribute) or the apps menu (attributes friends can bring with them to apps).…”

Section: Introductionmentioning

confidence: 99%

Collateral Damage of Facebook Apps: Friends, Providers, and Privacy Interdependence

ICT Systems Security and Privacy Protection

Shirazi

Biczók

et al. 2016

Self Cite

Abstract. Third-party apps enable a personalized experience on social networking platforms; however, they give rise to privacy interdependence issues. Apps installed by a user's friends can collect and potentially misuse her personal data inflicting collateral damage on the user while leaving her without proper means of control. In this paper, we present a multi-faceted study on the collateral information collection of apps in social networks. We conduct a user survey and show that Facebook users are concerned about this issue and the lack of mechanisms to control it. Based on real data, we compute the likelihood of collateral information collection affecting users; we show that the probability is significant and depends on both the friendship network and the popularity of the app. We also show its significance by computing the proportion of exposed user attributes including the case of profiling, when several apps are offered by the same provider. Finally, we propose a privacy dashboard concept enabling users to control the collateral damage.