Learning to Share: Using Probabilistic Models for Adaptive Sharing in Online Social Networks

Yasmin Rafiq (1), Luke Dickens (2), Mu Yang (3), Alessandra Russo (1), Radu Calinescu (4), Arosha K. Bandara (3), Blaine A. Price (3), Avelie Stuart (5), Mark Levine (5), and Bashar Nuseibeh (3, 6)

(1) Imperial College, UK, {y.rafiq, a.russo}@imperial.ac.uk
(2) University College London, UK, {l.dickens}@ucl.ac.uk
(3) The Open University, UK, {mu.yang, a.k.bandara, b.a.price, b.nuseibeh}@open.ac.uk
(4) University of York, UK, {radu.calinescu}@york.ac.uk
(5) University of Exeter, UK, {a.stuart, m.levine}@exeter.ac.uk
(6) Lero, University of Limerick, Ireland, UK, {basahr.nuseibeh}@lero.ie
ABSTRACT

Online social networks allow users to define groups of “friends” as reusable shortcuts for sharing information with a number of social contacts. The static nature of these groups can lead to privacy breaches that are hard to detect; for example, when a member of the group begins to breach the informal contract of privacy implicit in the social connection. We propose a learning to share approach that models a user’s interactions with each group member as a parametric Markov chain whose transition probabilities are learnt at runtime. Our approach enables adaptive refinement of the groups with whom a user shares information. To this end, continual Markov chain verification is used to establish the privacy risk and social benefit of sharing information with each group member, to dynamically discover risky friendships, and to guide the user on whether or not to share sensitive information with specific members. We evaluate our approach using a simulated Facebook workflow and scenarios comprising group members exhibiting a variety of non-privacy-preserving behavioural patterns, in addition to a privacy-compliant pattern. The experimental results demonstrate the efficacy of our approach.
Keywords: Online social networks, privacy, information sharing, adaptive systems, discrete-time Markov models, online model learning.
1. INTRODUCTION
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SEAMS ’16 Austin, Texas USA. Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$15.00.

Online Social Networks (OSNs) are increasingly used to maintain social ties between family members, friends and colleagues. The users of such systems face the challenge of managing their privacy requirements while fulfilling these social needs. However, when OSN users, e.g. those on Facebook, have control over who sees what information, even the most privacy-aware individuals are susceptible to mistakes [27]. Specifying privacy policies for every receiver of a shared information item is both labour intensive and error prone, especially when an OSN’s average user may have several hundred online friends [28]. To aid this privacy management task, many social media platforms allow users to define groups of “friends” (1), and to share information by selecting the group(s) they deem most appropriate, rather than sharing separately with each individual. However, the static nature of these groups does not take into account the dynamic contextual shifts in group boundaries, which play a key role in the privacy characteristics of the shared information [1]. As the strength and nature of social relationships, as well as the level of sensitivity of the items being shared, change over time, some of the members in a selected group may no longer be an appropriate audience for a particular sharing action. A mismatch between the intended and actual audience for a shared piece of information may lead to privacy breaches. The dynamic behaviour of social network interactions with members of a group, and contextual factors such as the level of sensitivity of the information to share, cannot be predicted at the time when the user creates social groups. Therefore, a learning approach is needed that is able to capture these changes at run-time and provide support for adaptive sharing. This can be achieved by predicting whether a member of a selected group is an inappropriate recipient for the information to be shared.
To address this problem, we propose in this paper a learning to share approach that learns at runtime the probabilities of the social interactions with each member of a group and uses these probabilities to establish the privacy risk and social benefit of sharing information, of a given level of sensitivity, with each group member. Trade-offs between social benefit and privacy risk are then used to support adaptive refinement of the group with whom the user intends to share information. Our approach models the interactions between the user and each group member as a discrete-time Markov chain (DTMC) with parameterised transition probabilities. These probabilities are learnt and continually updated at run-time, based on the actual interactions between the user and the group member. Whenever the user considers sharing a new message with a group member, the parametric DTMC is formally verified to establish whether the member still meets the user’s sharing requirements. These requirements specify the maximum level of privacy risk and the minimum level of social benefit that the user is willing to accept in order to share the new message with the group member. The requirements take into account the sensitivity level of the message, and are formally expressed in probabilistic temporal logic. Our solution can be implemented and run as a plugin deployed in the user’s web browser. This automatic privacy-manager plugin therefore consists of: (i) a component responsible for monitoring the interaction between the user and each group member; and (ii) an autonomic manager responsible for recommending to the user, at run-time, members of the selected group that should be removed. We have evaluated our approach using a simulation of a Facebook workflow. The model in this case reflects typical Facebook interactions (e.g. share, re-share, like). Different scenarios have been considered by generating synthetic data for group members exhibiting a variety of non-privacy-preserving behavioural patterns, in addition to a privacy-compliant pattern. The experimental results demonstrate the validity of the proposed model and of the trade-off between predicted social benefit and privacy risk, as well as the efficacy of our approach in distinguishing immediate and delayed harmful sharing behaviours from the other types of sharing behaviour patterns.

(1) Since we are using Facebook as our case study, we use the terminology “friend(s)” to mean any social connections, e.g., contact(s) in LinkedIn, follower(s) in Twitter.
Even though our evaluation is focused on the Facebook social network domain, we argue that our approach is general enough to be applied to any on-line social networks whose social interactions can be modelled as DTMC and user requirements specified in probabilistic temporal logic. The paper is structured as follows. Section 2 describes a running example in the context of Facebook OSN domain. Section 3 gives a summary of the two underlying techniques used in our approach: probabilistic model checking [16] and online learning algorithm [8]. Section 4.1 describes our learning to share approach. Specifically, we present a parametric Markov model, which expresses a simplified Facebook workflow, define our mechanisms for computing social benefits, privacy risks and our utility trade-off function, and introduce the Jensen-Shannon divergence approach used to measure similarity between learnt re-share probability distributions. Section 5 shows the results of our simulation-based experiments, Section 6 discusses related work and Section 7 concludes the paper with summary and future work.
2. RUNNING EXAMPLE
Throughout the paper we will use a simplified Facebook workflow as our running example. Online social interactions between a user and their friends usually start with information sharing events initiated by the user. When a user decides to share a piece of information, s/he specifies the audience and/or restricts people from accessing the information. Each selected group member who receives the information may perform any of the following associated actions, in addition to simply ignoring it:
• See: see the information.
• Comment: post a feedback comment.
• Like: express a feedback “Like” opinion.
• Re-share: re-share the information with his/her friends.

In turn, the user is also allowed to perform Comment and Like actions on the (re-shared) information and comments posted by the group members. Figure 1 shows our simplified Facebook workflow, in which a generic user i has selected a group of friends with whom to share a piece of information of sensitivity level k. A friend j, member of this group, logs into his/her Facebook account and either ignores the received information or sees it. The latter action invokes the seen operation in i’s account, recording that the information has been seen by j. Friend j may, at this point, perform no further actions and his/her interaction with i ends. If j decides to give feedback, then the feedback operation is invoked, followed by either the operation friendComment or friendLike, depending on the type of feedback given, i.e. comment or like respectively. These interactions may be repeated, as depicted in Figure 1 by the arc going from any of these operations to the decision point before the reply action. Friend j may also re-share the information. If so, and user i is within j’s selected audience, then i can observe that re-share, at which point the reshare operation in i’s account is invoked. The workflow ends when no further action related to the initial shared piece of information is observed. We associate a probability with each of the above actions. We learn these probabilities at runtime based on actual interactions between user i and a group member j. As we describe later in the paper, these probabilities are used to calculate the potential privacy risk $PR^k_{ij}$ and the social benefit $SB^k_{ij}$ for user i to share information of sensitivity level k with friend j.
Our learning to share approach uses these predicted values to recommend whether or not to share a piece of information of sensitivity k with friend j, based on the following two requirements:

R1: the established social benefit $SB^k_{ij}$ for user i to share an item of information, with sensitivity level k, with friend j must be greater than the minimum level of social benefit $w^{SB}_i$ that user i is willing to accept.

R2: the established privacy risk $PR^k_{ij}$ for user i of sharing a piece of information with friend j must be lower than or equal to the maximum level of privacy risk $w^{PR}_i$ that user i is willing to accept.

Note that in the above requirements both $w^{SB}_i$ and $w^{PR}_i$ are assumed to be specified by the user.
3. BACKGROUND
In this section we summarise the notions of parametric model checking [4, 16] and online parameter learning [8] for parametric DTMC, which are used in our approach.
3.1 Probabilistic model checking
Figure 1: Activity diagram of a Facebook workflow (figure not reproduced)

Definition 1. A Markov chain (MC) over a set of atomic propositions A is a tuple M = (S, s0, P, L), where S is a finite set of states, s0 ∈ S is the initial state, P is an |S| × |S| transition probability matrix, and L : S → 2^A is a labelling function which assigns a set of atomic propositions from A to each state in S. For any states si, sj ∈ S, the element pij of P represents the probability of transitioning to state sj from state si, and $\sum_{s_j \in S} p_{ij} = 1$. A path π over an MC M is a (potentially infinite) sequence of states from S such that for any adjacent states s and s' in π, P(s, s') > 0. The i-th state on a path π is denoted π(i). Finally, for any state s ∈ S, Paths_M(s) represents the set of all paths over M that start with state s.

Definition 2. A cost/reward structure over a Markov chain M = (S, s0, P, L) is a pair of functions (ρ, ι) such that:
• ρ : S → R≥0 is the state reward function (a vector);
• ι : S × S → R≥0 is the transition reward function (a matrix).

Our work uses the probabilistic model checker PRISM [16], which supports the analysis of MC properties specified in a cost/reward-augmented version of the probabilistic computation tree logic (PCTL). The syntax of these properties can be defined as follows.

Definition 3. Let A be a set of atomic propositions and a ∈ A, p ∈ [0, 1], k ∈ N, r ∈ R and ⋈ ∈ {≥, >, <, ≤}.

State formulae include the logical operators ∧ and ¬, which allow the formulation of disjunction (∨), implication (⇒) and false. They extend computation tree logic [9, 15] by replacing the universal path quantifier A and the existential path quantifier E with the probabilistic operator P, which specifies bounds on the probability of the system evolution. The semantics of PCTL is defined with a satisfaction relation |= over the states S, the paths Paths_M, and s ∈ S of an MC. Thus, s |= Φ means “Φ is satisfied in state s” or “Φ is true in state s”. For any s ∈ S, we have: s |= true; s |= a iff a ∈ L(s); s |= ¬Φ iff ¬(s |= Φ); and s |= Φ1 ∧ Φ2 iff s |= Φ1 and s |= Φ2. A state formula P⋈p[Ψ] is satisfied in a state s if the probability of the future evolution of the system satisfying Ψ satisfies ⋈ p:

$$s \models P_{\bowtie p}[\Psi] \iff Pr_s(\{\pi \in Paths_M(s) \mid \pi \models \Psi\}) \bowtie p. \quad (3)$$

The semantics of the three path formulae given in equation (2) are described below.

• The next state formula XΦ is satisfied by a path π iff Φ is satisfied in the next state of π (i.e., in state π(2)).
• The bounded until formula Φ1 U≤k Φ2 is satisfied by a path π iff Φ1 is satisfied in each of the first x states of π for some 0 ≤ x ≤ k, and Φ2 is satisfied in the (x + 1)th state of π.
• The unbounded until formula Φ1 U Φ2 is satisfied by a path π iff Φ1 is true in each of the first x ≥ 0 states of π, and Φ2 is true in the (x + 1)th state of π.

In a cost/reward state formula the cost/reward operator R can be used to analyse the expected cost at time step k (R⋈r[I=k]), the expected cumulative cost up to time step k (R⋈r[C≤k]), the expected cumulative reward to reach a future state that satisfies a property Φ (R⋈r[F Φ]), and the expected steady-state reward in the long run (R⋈r[S]). The reader is referred to [3, 9, 15] for further details about the formal semantics of PCTL.

Our approach operates with parametric DTMCs. These are DTMCs for which some or all of the transition probabilities are unknown. For parametric DTMCs, the result of establishing a PCTL property (e.g., using PRISM) is an algebraic expression parameterised by the unknown transition probabilities. The value of the property can then be established once the unknown probabilities are identified.

3.2 Learning transition probabilities

On-line learning techniques can be used to learn the transition probabilities of the parametric DTMC. These are an adaptive variant of the Bayesian learning algorithm introduced first in [7] and extended in [8]. In our approach we use the adaptive on-line learning method from [8]. The algorithm learns the transition probabilities pij of a parametric DTMC model M starting from a prior estimate $p^0_{ij}$ and the observations of the last k ≥ 1 system transitions from state si to states sj ∈ S. Assuming that the l-th observation of a transition from state si, 1 ≤ l ≤ k, is a transition to state $s_{j_l}$ ∈ S, such that

$$x^l_{ij} = \begin{cases} 1 & \text{if } j_l = j \\ 0 & \text{otherwise} \end{cases} \quad (4)$$

the estimated probability of a state transition from si to sj after the k-th observation is calculated as a smoothed combination of the prior $p^0_{ij}$ and the weighted observations $x^l_{ij}$ (equation (5)), where $c^0_i > 0$ is a smoothing parameter that quantifies the confidence in the accuracy of $p^0_{ij}$, and $w_{il} \in [0, 1]$ is a weight that reflects the age of the l-th observation. From [8], an effective choice of weights is

$$w_{il} = \alpha_i^{-(t_k - t_l)} \approx \alpha_i^{-(k - l)\bar{t}} \quad (6)$$

where tl, 1 ≤ l ≤ k, represents the timestamp of the l-th observation, and αi ≥ 1 is an ageing parameter. The effectiveness of this learning algorithm depends on the choice of these two parameters ($c^0_i$ and αi), and no combination of values for these parameters is suitable for all scenarios. To address this, the adaptive learning algorithm has the ability to select suitable parameters $c^0_i$ and αi at runtime: it adjusts the smoothing parameter $c^0_i$ and the ageing parameter αi dynamically, based on the mean time interval between recent successive observations, $\bar{t}$. For further details the reader is referred to [8].
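The on-line estimator above, written out as an added example (not the paper's or [8]'s code) over a constructed trace of the delayed-harmful friend from Section 5.1. Equation (5) did not survive on this page, so the update rule is assumed here to be the smoothed weighted average of the prior and the ageing-weighted observations; the weights are equation (6).

```python
"""Added example (not the paper's code): the ageing-weighted on-line
estimate of one parametric-DTMC transition probability from Section 3.2,
applied to a constructed trace of a delayed-harmful friend (Section 5.1:
re-share probability near 0, then a jump to about 0.9 after hour 5400).
The update rule (eq. 5) is assumed to be the smoothed weighted average
from [8]; only eq. (6), the weights, survives on this page."""


def ageing_weights(timestamps, alpha):
    """Eq. (6): w_il = alpha^-(t_k - t_l); the newest observation has
    weight 1 and older ones decay with their age (here in hours)."""
    t_k = timestamps[-1]
    return [alpha ** -(t_k - t_l) for t_l in timestamps]


def learn_transition(prior, c0, alpha, observations):
    """Estimate p_ij after observations [(t_l, x_l)], x_l = 1 if the l-th
    transition went to s_j (here: the item was re-shared), else 0.
    Assumed eq. (5): (c0*prior + sum_l w_l x_l) / (c0 + sum_l w_l), so
    c0 is the weight of the prior expressed in observation units."""
    if not observations:
        return prior
    weights = ageing_weights([t for t, _ in observations], alpha)
    num = c0 * prior + sum(w * x for w, (_, x) in zip(weights, observations))
    den = c0 + sum(weights)
    return num / den


def simulate_delayed_harmful(prior=0.5, c0=1.0, alpha=1.001):
    """Constructed trace: 54 items of sensitivity 5 shared every 100 h and
    never re-shared (hours 0..5300), then from hour 5400 twenty items of
    which all but two are re-shared. Returns the learnt estimate after
    each observation."""
    quiet = [(100 * n, 0) for n in range(54)]
    after = [(5400 + 100 * n, 0 if n in (0, 10) else 1) for n in range(20)]
    trace = quiet + after
    return [learn_transition(prior, c0, alpha, trace[: n + 1])
            for n in range(len(trace))]


def detection_delay(estimates, jump_index, threshold):
    """Number of observations after the behaviour change (the first
    changed observation sits at jump_index) until the learnt probability
    reaches threshold; None if it never does within the trace."""
    for idx in range(jump_index, len(estimates)):
        if estimates[idx] >= threshold:
            return idx - jump_index + 1
    return None


if __name__ == "__main__":
    est = simulate_delayed_harmful()
    print("learnt p_j5 at end of quiet phase:", round(est[53], 3))
    print("learnt p_j5 at end of trace:", round(est[-1], 3))
    print("observations after the jump to reach 0.43:",
          detection_delay(est, 54, 0.43))
```

With c0 = 1 and alpha = 1.001 the estimate stays near 0.04 during the quiet phase and crosses 0.43 on the seventh observation after the jump; a larger c0 or an alpha closer to 1 makes the learner slower to follow the change, which is the trade-off the adaptive selection of these parameters addresses.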
4. LEARNING TO SHARE APPROACH

4.1 Architecture

Figure 2: Learning to share Architecture (figure not reproduced)

Our learning to share architecture is shown in Figure 2. It includes four main components: the monitor, the parametric model checker, the on-line parameter learning engine and the adaptive sharing analyser. The Monitor keeps track of all the latest social interactions between the user and each member in the user’s selected group of friends, using the Facebook API stream. The Parametric model checker takes as input a parametric DTMC, modelling the Facebook workflow described in Figure 1, and the user’s requirements on social benefit R1 and privacy risk R2, expressed as a PCTL state formula. This component uses PRISM only once to extract from the parametric DTMC an algebraic expression that takes as variables the cost/reward structure of the DTMC, and as parameters the transition probabilities of the model. The generated list of parameters is passed to the on-line parameter learning engine, whereas the algebraic expression is passed to the adaptive sharing analyser. The On-line parameter learning engine is in charge of updating at run-time the parameters of the parametric DTMC, in line with the latest social interaction notifications received from the monitor. Updated parameters are passed to the Adaptive sharing analyser. The Adaptive sharing analyser is the main component of our architecture. It is responsible for establishing at run-time the privacy risk and social benefit of sharing a given piece of information info, selected by the user, with members of a selected group G, for dynamically discovering risky friendships, and for guiding the user on whether or not to share the given info with specific members of the group G. This component includes the Evaluator and the Utility trade-off calculator. The former takes as input the updated parameters, the algebraic expression, the user’s minimal level of social benefit ($w^{SB}_i$) and maximum level of privacy risk ($w^{PR}_i$), for requirements R1 and R2, together with the sensitivity level (Sen) of the piece of information info. The Social benefit calculator uses the algebraic expression, the updated model parameters and the threshold $w^{SB}_i$ to establish at run-time the social benefit and evaluate R1, whereas the Privacy risk calculator uses the updated re-share probabilities, for the different sensitivity levels, and $w^{PR}_i$ to establish at run-time the privacy risk. The Utility trade-off calculator trades off the established social benefit against the established privacy risk in order to provide an optimal information sharing recommendation to the user about members of group G.

Three lists are then generated: the removal list (RL), which contains members in G who have violated both of the user’s requirements R1 and R2 and whom the system therefore deems unsuitable candidates for sharing info; the intended harmful friend (IHF) list, which contains members in G who exhibit behaviour patterns that reveal intended harmful sharing behaviour; and the unintended harmful friend (UHF) list, which contains members in G who may have shared the user’s sensitive information unknowingly. The outcome of the adaptive sharing analyser is returned to the user, who in turn updates his/her selected group members ($G_{confirmed}$) and is able to make a more informed sharing action, which is then executed through the online social network platform.
4.2 Probabilistic model of OSN interactions
We have mentioned in Section 1 that one of the key aspects of our approach is the use of a parametric DTMC for modelling social network interaction between the user and a group member. Figure 3 describes the parametric DTMC that captures all the online social interactions identified in the simplified Facebook workflow given in Figure 1. Each state in this model represents a stage in the interactions between a user i and a group member j, started with a shared piece of information being received (i.e., initial state s0). State s10 denotes when no further interactions between user i and friend j, relative to the shared information, occur. Transitions between transient states model the control flow of how the receiver, which can be group member j as well as user i (in the case of a re-share action performed by j), interacts with the shared information. For example, the transition (s0, s1) models that group member j has ignored i’s message, whereas transition (s0, s2) models the feedback interaction between i and j. Transitions (s2, s4) and (s2, s6) represent user i’s interaction with group member j, whereas transitions (s2, s5) and (s2, s7) model j’s interaction with user i in response to the shared information. The probabilities of the outgoing transitions between states are unknown, or may change over time. For example, transition (s0, s3k) models group member j re-sharing the item of information received from user i, with sensitivity level k, which depends on the (unknown) sharing behaviour of j. The social-benefit requirement R1 from Section 2 is formally expressed by the PCTL property $R_{\le w^{SB}_i}[F\ Done]$. The application of parametric model checking takes the parametric DTMC model and the PCTL property and generates an algebraic expression. The value of this expression is calculated at runtime by replacing the unknown transition probabilities with the learnt estimates, in order to support run-time verification.

Figure 3: Parametric Markov chain for the activity diagram given in Figure 1, where puc = puserComment, pfc = pfriendComment and pfl = pfriendLike (figure not reproduced)
4.3 Social benefit

The computation of the social benefit relies on which benefit model is considered. Two types of benefit models are selected and captured in our parametric DTMC by the specific assignment of state rewards.

Seen benefit: User i gains social benefit if the information shared is seen by friend j and j belongs to the selected audience group.

Interaction benefit: Due to the sharing, user i has opportunities to interact with friend j. In particular, j may comment on i’s sharing, or show an opinion (e.g., Like), or, in the case when the shared information is not sensitive at all, re-share it. These interactions may lead to i and j having further interactions regarding j’s responses.

We use the cost/reward structure of the Markov chain to assign state rewards corresponding to system operations that have the potential of triggering an interaction between the user and the group member. As shown in Figure 3, we assign state rewards to s1, s31, s4, s5, s6, s7 ∈ S, labelled r1, r31, r4, r5, r6 and r7 respectively. State rewards are non-negative values and denote our system model variables.

4.4 Privacy risk

We extend the privacy risk metric first introduced in [31] to quantify users’ potential privacy risks for sharing a piece of information. In this paper, the re-sharing threat, which is one of the most popular privacy threats in OSNs [18], is selected as an example.

Re-sharing threat: Once a piece of information is received by the selected audience, e.g., friend member j, user i loses control over it. Member j may re-share the information with their own social connections, potentially leaking the information to unintended recipients.

We use information theory [10] to measure the amount of information leakage if member j re-shares. This can be expressed as the difference in the entropy of the system for hiding the shared information from unintended recipients before and after j receives the information, i.e., H(X) − H(X|Yj), where X (resp. Yj) is the discrete random variable with probability mass function Pr(X = x) (resp. Pr(Yj = yj)), x represents the value that the information indicates, and yj represents the event of whether or not the information is shared with j. The probabilities Pr(X = x) and Pr(X = x|Yj = yj) capture the knowledge that unintended recipients have about the information before and after the information is shared with j. The normalised measurement (i.e., 1 − H(X|Yj)/H(X)) is combined with the level of sensitivity by a product operator to calculate the potential privacy risk. More formally, for each member j, given the sensitivity level k, the side knowledge of the information c, and the re-sharing probability pjik for the k-th level of sensitivity, we have the following result.

Definition 4. For user i, the privacy risk PRij quantifies the potential privacy risk to i with respect to friend member j:

$$PR_{ij} = k \left(1 - \frac{H(X|Y_j)}{H(X)}\right) \quad (7)$$

where

$$\frac{H(X|Y_j)}{H(X)} = \frac{\dfrac{c - (c-1)(1 - p_{jik})}{c}\,\log\dfrac{c}{c - (c-1)(1 - p_{jik})} \;+\; \dfrac{(c-1)(1 - p_{jik})}{c}\,\log\dfrac{c}{1 - p_{jik}}}{\log c}.$$

The quantified PRij is calculated at runtime to establish the privacy risk and determine whether group member j is appropriate for a piece of information in terms of the privacy requirement R2.

4.5 Identifying harmful sharing behaviour

In Section 1 we stated that our approach is able to dynamically discover risky friendships, and guide the user on whether or not to share sensitive information with specific group members. To demonstrate this feature we use a measure, based on the Jensen-Shannon (JS) divergence [13], that enables us to compute the similarity between the re-share probability distributions Pjk and Pj(k+1). The JS divergence is based on the Kullback-Leibler (KL) divergence [20], and the key difference between the two is that the JS divergence is symmetric and always takes a finite value. In addition, the square root of the JS divergence is known as the JS distance.

Definition 5. Consider the two Bernoulli distributions P and Q and the intermediate distribution M = ½(P + Q) (2), where P(x) = p^x (1 − p)^(1−x), Q(x) = q^x (1 − q)^(1−x), and binary outcome x ∈ {0, 1}. The JS-divergence between P and Q is defined as

$$JS(P \| Q) = \tfrac{1}{2} KL(P \| M) + \tfrac{1}{2} KL(Q \| M) = \tfrac{1}{2}\sum_{x} P(x)\log\frac{P(x)}{M(x)} + \tfrac{1}{2}\sum_{x} Q(x)\log\frac{Q(x)}{M(x)}, \quad (8)$$

where KL(A||B) is the KL-divergence between two distributions A and B. The JS-divergence attempts to quantify a parametrisation-insensitive measure of the distance between two distributions. Unlike the KL-divergence it is symmetric in its arguments and thus satisfies all requirements of a measure. In our case, we have a number of probability distributions: for each friend j and each sensitivity level k, we have the probability distribution

$$P_{jk}(x) = p_{jk}^{\,x}\,(1 - p_{jk})^{(1-x)} \quad (9)$$

where x = 0 denotes that the information has not been re-shared, and x = 1 denotes that it has. We are interested in identifying users who re-share higher sensitivity levels more readily than lower sensitivity levels, and we use the JS-divergence defined above to capture the trend of this behaviour. We characterise friend j with the following measure:

$$V_j = \sum_{k=1}^{n-1} s_{jk}\, JS(P_{jk} \| P_{j(k+1)}) \quad (10)$$

where

$$s_{jk} = \begin{cases} 1 & \text{if } p_{j(k+1)} - p_{jk} > 0, \\ -1 & \text{otherwise.} \end{cases}$$

In other words, the summand in (10) is positive when the re-sharing behaviour at the higher sensitivity level is more permissive than at the lower one. We classify user j as harmful if his/her behavioural measure Vj is greater than some threshold value µ. More precisely, if Vj > µ then we flag j as potentially harmful.

(2) Note that this is an average of two probability distributions.

5. EVALUATION
To evaluate the effectiveness of our learning to share approach, we considered the insider threat model, based on the results of a Facebook privacy investigation survey [19]. The study concludes that strangers (who are the outsiders) are no longer the greatest threat to Facebook users, since the application’s privacy settings may reasonably mitigate any such threat. The type of threats we focus on are those that originate from the user’s own friend network; these are people to whom the user has given legitimate access to the shared information. Listed below are the categories of sharing behaviour patterns we consider. The goal of our approach is to learn these emerging behaviours, to identify any harmful or risky behaviours that may lead to a violation of the user’s privacy, and to provide system-level guidance to prevent such violations.

• Immediate-harmful. This type of behaviour pattern is associated with a member of the social network whose actual re-share probability pjk of sharing an item of information of sensitivity level k may increase as the sensitivity level k increases.
• Agnostic-harmful. The agnostic-harmful behaviour pattern is associated with a member of the social network whose re-share probabilities for the n levels of sensitivity are indiscriminately distributed, e.g., pj1 ≃ pj2 ≃ · · · ≃ pjn.
• Privacy-aware-compliance. A privacy-aware-compliance behaviour pattern is associated with a member of the social network who shares non-sensitive items of information with high probability and whose re-share probability starts to decrease as the level of sensitivity increases, e.g., pj1 ≥ pj2 ≥ · · · ≥ pjn.
• Negligent-harmful. A negligent-harmful behaviour pattern may display similar characteristics to the agnostic-harmful pattern and to the privacy-aware-compliance pattern. For example, if the observed sharing behaviour shows that the level of negligence is low, then the sharing behaviour pattern is similar to privacy-aware-compliance. On the other hand, if the sharing behaviour is more haphazard, then it adopts the characteristics of the agnostic-harmful behaviour pattern.
• Delayed-harmful. A delayed-harmful behaviour may initially reflect a similar behaviour pattern to privacy-aware-compliance for a given time period, after which it defaults to the immediate-harmful behaviour pattern.

From the above categories of sharing behaviour patterns, the most precarious are the immediate-harmful and the delayed-harmful patterns, because both are sharing behaviours that are only interested in re-sharing the user’s highly sensitive information. To illustrate how our learning to share approach works, we developed a prototype of the architecture depicted in Figure 2 as a Java toolset, implementing an adaptive sharing version of our Facebook running example. The simulated scenario comprised five members in the selected audience group, and each member was assigned one of the sharing behaviour patterns listed above. The actual re-sharing probabilities pjk for each member were fixed at runtime. The simulation was run on a standard 2.7 GHz Intel Core i5 MacBook Pro computer.
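The privacy risk of Definition 4 (equation (7)), the behaviour measure Vj of Section 4.5 (equations (8) to (10)) and the Share / Warn / Not Share recommendation of Section 5.1, applied to constructed re-share probabilities for the behaviour patterns listed above, as an added example that is not the paper's prototype code. The social benefit SB is passed in as a plain number here (in the paper it comes from the PRISM-derived algebraic expression), the UHF list is not computed, and the numeric pattern values, thresholds and side knowledge c are assumptions.

```python
"""Added example, not the paper's code: privacy risk of Definition 4
(eq. 7), the JS-divergence behaviour measure V_j (eqs. 8-10) and the
Share / Warn / Not Share recommendation of Section 5.1, run over
constructed re-share probabilities for the behaviour patterns of
Section 5. Social benefit SB is taken as an input value here (in the
paper it comes from the PRISM-derived algebraic expression)."""
import math


def cond_entropy_ratio(p, c):
    """H(X|Y_j)/H(X) of Definition 4: X ranges over c equally likely
    values (side knowledge c), p is the re-share probability. One outcome
    carries the mass (c-(c-1)(1-p))/c and the other c-1 outcomes (1-p)/c
    each, so the ratio is 1 when p == 0 (no leak) and 0 when p == 1."""
    a = (c - (c - 1) * (1 - p)) / c
    b = (c - 1) * (1 - p) / c
    h = a * math.log(c / (c - (c - 1) * (1 - p)))
    if b > 0:  # 0 * log(1/0) is taken as 0 when p == 1
        h += b * math.log(c / (1 - p))
    return h / math.log(c)


def privacy_risk(k, p, c):
    """Eq. (7): PR = k * (1 - H(X|Y_j)/H(X))."""
    return k * (1.0 - cond_entropy_ratio(p, c))


def kl_bernoulli(p, q):
    """KL(P||Q) for Bernoulli(p) against Bernoulli(q), with 0 log 0 = 0."""
    total = 0.0
    for px, qx in ((p, q), (1 - p, 1 - q)):
        if px > 0:
            total += px * math.log(px / qx)
    return total


def js_bernoulli(p, q):
    """Eq. (8): symmetric JS-divergence via the mixture M = (P + Q) / 2."""
    m = (p + q) / 2
    return 0.5 * kl_bernoulli(p, m) + 0.5 * kl_bernoulli(q, m)


def behaviour_measure(probs):
    """Eq. (10): V_j = sum_k s_jk * JS(P_jk || P_j(k+1)) over sensitivity
    levels 1..n; positive when re-sharing grows with sensitivity."""
    v = 0.0
    for pk, pk1 in zip(probs, probs[1:]):
        s = 1 if pk1 - pk > 0 else -1
        v += s * js_bernoulli(pk, pk1)
    return v


def is_potentially_harmful(probs, mu):
    """Flag friend j when V_j exceeds the threshold mu (Section 4.5)."""
    return behaviour_measure(probs) > mu


def recommend(sb, pr, w_sb, w_pr):
    """Section 5.1: Share if R1 (SB > w_SB) and R2 (PR <= w_PR) hold,
    Not Share if both are violated, Warn if exactly one is violated."""
    r1, r2 = sb > w_sb, pr <= w_pr
    if r1 and r2:
        return "Share"
    if not r1 and not r2:
        return "Not Share"
    return "Warn"


# Constructed re-share probabilities p_j1..p_j5 per behaviour pattern of
# Section 5 (illustrative values, not the paper's experimental data).
PATTERNS = {
    "immediate-harmful": [0.10, 0.20, 0.40, 0.70, 0.90],
    "agnostic-harmful": [0.50, 0.50, 0.50, 0.50, 0.50],
    "privacy-aware": [0.90, 0.70, 0.40, 0.20, 0.05],
}


def analyse_group(members, sb, k, c, w_sb, w_pr, mu):
    """Adaptive sharing analyser for one item of sensitivity k: per-member
    (PR, recommendation), the removal list RL (both R1 and R2 violated)
    and the intended-harmful-friend list IHF (V_j > mu). sb maps each
    member to its social benefit value."""
    result, rl, ihf = {}, [], []
    for name, probs in members.items():
        pr = privacy_risk(k, probs[k - 1], c)
        rec = recommend(sb[name], pr, w_sb, w_pr)
        result[name] = (round(pr, 3), rec)
        if rec == "Not Share":
            rl.append(name)
        if is_potentially_harmful(probs, mu):
            ihf.append(name)
    return result, rl, ihf
```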
5.1 Effectiveness of our approach
Figure 4 depicts a typical experiment in which the learning to share approach guides the user to make privacy-aware sharing decisions for each piece of information info of sensitivity level k = 5 (very highly sensitive) that user i shares with friend j. Plot 1 shows the system's recommendation for each sharing event, represented by a triangle, over 8760 hours of wall-clock time (one year), shown along the x-axis. The y-axis represents the three recommendation options the system offers to the user: 1) Share info if the user's sharing requirements R1 and R2 are satisfied; 2) Not Share info if R1 and R2 are both violated; and 3) Warn if either R1 or R2 is not satisfied. Plot 2 depicts the re-sharing behaviour of j, which in this example resembles the delayed-harmful behaviour pattern, as indicated by the pActual line: the actual sharing probability is initially fixed at $p_{j5} = 0.001$ for the period up to 5400 hours, after which it increases to $p_{j5} = 0.9$, as indicated by the jump labelled $\Delta p_j$. The pLearnt line represents the estimated $p_{j5}$ values learnt by Eq.(5) from j's latest sharing interactions. Plot 3 shows i's social benefit of sharing info with friend j. Similarly, plot 4 shows i's privacy risk of sharing info with j, computed by Eq.(7). The first warning, labelled 'a', is triggered when j's learnt re-sharing probability increases, as indicated by the area labelled 'e'. Furthermore, when $p_{j5}$ increases, the privacy risk $PR_{ij5}$ in plot 4 also increases, as illustrated by the area labelled 'o', where it exceeds the threshold $w_i^{PR}$. On the other hand, the social benefit decreases as j's re-sharing probability increases, as indicated by the area labelled 'k', even though $SB_{ij} > w_i^{SB}$ still holds. When both of i's sharing preferences $w_i^{SB}$ and $w_i^{PR}$ are violated, as in the areas labelled 'l' and 'p', and again in the areas labelled 'n' and 'r', the system recommendation is Not Share, indicated by the triangle labelled 'b' in plot 1.
However, as the time since the last sharing event increases, the learnt value starts to recede towards the initial a priori value $p^0_{ji5} = 0.25$, which is why j's sharing probability in the area labelled 'g' has slightly decreased; this slight variation has increased i's social benefit in the area labelled 'm', but in the area labelled 'q' we can see that i's privacy risk is still above the threshold, hence the triangle labelled 'c' in plot 1 indicates a warning. The simulation results in Figure 4 show that our approach can effectively guide the user to make privacy-aware sharing decisions based on runtime observations of friends' sharing behaviour and the user's sharing preferences.

Table 1: Datasets for the behavioural patterns

Dataset   A                   B
1         immediate-harmful   agnostic-harmful
2         immediate-harmful   privacy-aware compliance
3         immediate-harmful   negligent-harmful
4         delayed-harmful     agnostic-harmful
5         delayed-harmful     privacy-aware compliance
6         delayed-harmful     negligent-harmful
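To make the recommendation logic of Figure 4 concrete, the following is an added Python example; it is not the paper's Java toolset. It reproduces the delayed-harmful friend of plot 2 (actual $p_{j5} = 0.001$ until hour 5400, then 0.9, as stated above) and the three-way Share / Warn / Not Share rule of plot 1. Because Eq.(5) and Eq.(7) are not reproduced on this page, the example uses labelled stand-ins: an observation-ageing estimator that weights each re-share observation by $2^{-\mathrm{age}/\mathrm{half\text{-}life}}$ and recedes to the prior $p^0 = 0.25$ as observations age, privacy risk taken as the learnt $p_{j5}$, social benefit taken as $1 - p_{j5}$, thresholds $w_i^{SB} = 0.3$ and $w_i^{PR} = 0.5$, one sharing event per day and a 500-hour half-life. All of these are assumptions, not values from the paper.

```python
import random

# Values taken from the page: a priori p^0 = 0.25; actual p_j5 = 0.001 until
# hour 5400, then 0.9; one simulated year = 8760 hours.
P0 = 0.25
JUMP_HOUR = 5400
YEAR_HOURS = 8760

# Assumed, not from the page: ageing half-life, user thresholds, event spacing.
HALF_LIFE_H = 500.0
W_SB, W_PR = 0.3, 0.5
EVENT_EVERY_H = 24


def actual_reshare_prob(t):
    """Delayed-harmful friend of Figure 4, plot 2 (the pActual line)."""
    return 0.001 if t < JUMP_HOUR else 0.9


class AgedEstimator:
    """Stand-in for the page's Eq.(5) (assumption): each observed re-share (1)
    or non-re-share (0) is weighted by 2**(-age/half_life); the prior p^0 keeps
    a fixed pseudo-count, so the estimate recedes to p^0 as evidence ages."""

    def __init__(self, prior=P0, prior_weight=2.0, half_life=HALF_LIFE_H):
        self.prior = prior
        self.prior_weight = prior_weight
        self.half_life = half_life
        self.observations = []  # (time_h, reshared as 0.0/1.0)

    def observe(self, t, reshared):
        self.observations.append((t, 1.0 if reshared else 0.0))

    def estimate(self, now):
        weight = self.prior_weight
        hits = self.prior * self.prior_weight
        for t, r in self.observations:
            w = 2.0 ** (-(now - t) / self.half_life)
            weight += w
            hits += w * r
        return hits / weight


def recommend(sb, pr, w_sb=W_SB, w_pr=W_PR):
    """Plot 1 rule: Share if R1 and R2 hold, Not Share if both are violated,
    Warn otherwise. Assumed forms: R1 is SB_ij >= w_i^SB, R2 is PR_ij <= w_i^PR."""
    r1 = sb >= w_sb
    r2 = pr <= w_pr
    if r1 and r2:
        return "Share"
    if not r1 and not r2:
        return "Not Share"
    return "Warn"


def run_simulation(seed=7):
    """One sharing event every EVENT_EVERY_H hours over a year; returns a list
    of (hour, learnt p_j5, recommendation). Risk and benefit are the assumed
    stand-ins PR = p_learnt and SB = 1 - p_learnt."""
    rng = random.Random(seed)
    est = AgedEstimator()
    trace = []
    for t in range(0, YEAR_HOURS + 1, EVENT_EVERY_H):
        p_learnt = est.estimate(t)          # decide before observing this event
        trace.append((t, p_learnt, recommend(1.0 - p_learnt, p_learnt)))
        est.observe(t, rng.random() < actual_reshare_prob(t))
    return trace


if __name__ == "__main__":
    for t, p, rec in run_simulation():
        if t % 720 == 0:                     # one line per 30 simulated days
            print(f"hour {t:5d}  pLearnt={p:.3f}  {rec}")
```

Running it shows the progression of Figure 4: Share throughout the low-probability period, a run of Warn recommendations while the learnt probability climbs through the band where only the privacy-risk threshold is breached, and Not Share once both thresholds are violated; the prior pseudo-count is what makes the estimate drift back towards $p^0$ when no fresh events arrive.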
5.2 Efficiency in identifying harmful friends
[Figure 4: Adaptive sharing with a delayed-harmful behaviour pattern; the circular areas labelled 'a', 'b', etc. are analysed in Section 5. Plots: system recommendation (Share / Warning / Not Share); $p_j$ for k = 5 (pActual and pLearnt lines); $SB_{ij}$ for k = 5 with threshold $w_i^{SB}$; $PR_{ij}$ for k = 5 with threshold $w_i^{PR}$; x-axis Time [hr].]

[Figure 5: Dynamic intended-harmful-friend list. A: Immediate-harmful, B: Privacy-aware-compliance; y-axis IHF list ({}, {A}, {B}, {A,B}); x-axis No. of messages posted by user.]

[Figure 6: ROC curve for system classification from a malicious friend who re-shares the user's sensitive information imminently upon receiving the item of information and an agnostic/privacy-aware/negligent friend. Axes: Sensitivity vs. 1-Specificity; curves for Dataset 1, Dataset 2, Dataset 3 and a random classifier.]

[Figure 7: ROC curve for system classification from a delayed-malicious friend and an agnostic/privacy-aware/negligent friend. Axes: Sensitivity vs. 1-Specificity; curves for Dataset 4, Dataset 5, Dataset 6 and a random classifier.]

We conducted an empirical study to show the efficiency of the learning to share approach in identifying harmful friend(s) in the selected social group based on their sharing behaviour patterns. We generated six datasets, each containing the simulated sharing behaviour patterns of two friend types, A and B, as listed in Table 1. The tests were designed to show how efficient our approach is in distinguishing members of the user's friends network that show intended harmful behaviour (the immediate/delayed-harmful behaviour patterns) from those that show unintended harmful behaviour (the negligent/agnostic-harmful patterns) or the privacy-aware-compliance behaviour pattern. We varied the sensitivity level of the information between levels 2 and 5 (low sensitive to very highly sensitive), excluding level 1 (non-sensitive). Each set was generated using a Java simulation of the Facebook workflow, in which the user shared on average thirty items of information per day with friends A and B over a simulated period of one year. The sets contained an equal number of shared events from both behaviour patterns. The actual sharing probabilities for the k sensitivity levels were generated randomly from a normal distribution within a range specified for the corresponding behaviour pattern. Figure 5 shows how the intended-harmful friend (IHF) list described in Section 4.1 is dynamically generated. The n-th post shared by the user with members A and B is represented along the x-axis, and the y-axis shows which members are included in the IHF list. We use Eq.(10) to decide whether members A and B should be included in the IHF list: a member is included if $V_j > \mu$, where $\mu = -0.25$. For example, at the beginning of the experiment member A, whose sharing behaviour is associated with the immediate-harmful behaviour pattern, is included in the list. This is then followed by A and B both being included in the IHF list, where B's behaviour pattern is associated with the privacy-aware-compliance pattern. If the threshold value $\mu$ is set too small, the test's sensitivity in classifying the different patterns increases but we lose specificity, which is why B is included in the IHF list. On the other hand, if the threshold value is set too high, the specificity of the test increases but we lose sensitivity. Figure 6 presents the corresponding ROC curve for datasets 1-3 in Table 1, which shows that the overall performance of our learning to share approach in correctly distinguishing A from B is high. In particular, the performance is very high for dataset 2. However, Figure 7 presents the corresponding ROC curve for datasets 4-6 in Table 1, and the performance of our learning to share approach for the delayed-harmful behaviour has deteriorated from the results for the immediate-harmful behaviour presented in Figure 6. This is because at the beginning of the experiment the delayed-harmful pattern behaves similarly to the privacy-aware-compliance pattern. The drop in performance is not as significant for datasets 4-5; however, the performance has deteriorated significantly for dataset 6. When the curve is below the random classifier line, the system is under-performing and is unable to correctly identify the friend type. On the other hand, when the curve is above the random classifier line, the system's performance starts to improve; this is the situation when the delayed-harmful behaviour starts to behave harmfully. Furthermore, if friend j is aware of our sensitivity characterisation of information, then they might seek to obfuscate their behaviour. For instance, j might choose to have a low re-share probability for the very highest sensitivity level but a high re-share probability for other, less sensitive information; this would give a low measure $V_j$ (as defined in Equation (10)). This could explain the poorly performing parts of the ROC curve (see Figure 7). To combat this, we could change the $V_j$ measure to:
$$V_j = \sum_{k=1}^{n-1} \frac{1}{2}\,(1 + s_{jk})\; JS\!\left(P_{jk} \,\|\, P_{j(k+1)}\right) \qquad (11)$$
where the summands are non-zero only if sharing at the higher sensitivity level (i.e., k + 1) is more permissive than at the lower level (i.e., k).
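As an added worked example (not the paper's code), the following Python computes the Eq.(11) measure for re-share profiles of the behaviour patterns introduced at the start of Section 5, including the obfuscating friend discussed above, and then sweeps the threshold $\mu$ in the manner of Figures 5-7 to obtain sensitivity and 1-specificity points for a Table 1 style dataset. Assumptions not stated on the page: $P_{jk}$ is the Bernoulli distribution with parameter $p_{jk}$, $s_{jk} = \mathrm{sign}(p_{j(k+1)} - p_{jk})$, JS is the Jensen-Shannon divergence in bits, the per-level profile values are constructed, and a plain frequency estimate over a fixed number of observations stands in for the paper's runtime learning.

```python
import math
import random

# Sensitivity levels k = 1..5 as on the page (1 = non-sensitive, 5 = very high).
N_LEVELS = 5

# Constructed per-level re-share profiles p_j1..p_j5 for the behaviour
# patterns of Section 5 (illustrative values, not the paper's).
PATTERNS = {
    "immediate-harmful":        [0.05, 0.20, 0.40, 0.70, 0.90],  # rises with k
    "agnostic-harmful":         [0.50, 0.50, 0.50, 0.50, 0.50],  # flat
    "privacy-aware-compliance": [0.90, 0.60, 0.30, 0.10, 0.01],  # falls with k
    "obfuscating":              [0.10, 0.90, 0.90, 0.90, 0.05],  # low at k=5 only
}


def binary_entropy(p):
    """H(p) in bits for a Bernoulli(p) variable; 0*log(0) is taken as 0."""
    h = 0.0
    for q in (p, 1.0 - p):
        if q > 0.0:
            h -= q * math.log2(q)
    return h


def js_bernoulli(p, q):
    """Jensen-Shannon divergence JS(Bern(p) || Bern(q)) in bits:
    H(M) - (H(P) + H(Q)) / 2 with M the equal-weight mixture (assumed form)."""
    m = 0.5 * (p + q)
    return binary_entropy(m) - 0.5 * (binary_entropy(p) + binary_entropy(q))


def harm_measure(profile):
    """Eq.(11): V_j = sum_{k=1}^{n-1} (1 + s_jk)/2 * JS(P_jk || P_j(k+1)).
    Assumption: s_jk = sign(p_j(k+1) - p_jk), so only a higher level that is
    shared *more* permissively contributes; equal levels give JS = 0 anyway."""
    v = 0.0
    for k in range(len(profile) - 1):
        lo, hi = profile[k], profile[k + 1]
        s = (hi > lo) - (hi < lo)          # sign in {-1, 0, 1}
        v += 0.5 * (1 + s) * js_bernoulli(lo, hi)
    return v


def observed_profile(true_profile, samples, rng):
    """Frequency estimate of each p_jk from `samples` simulated re-share
    observations per level (stand-in for runtime learning)."""
    return [sum(rng.random() < p for _ in range(samples)) / samples
            for p in true_profile]


def roc_points(a_scores, b_scores, thresholds):
    """For each mu: sensitivity = fraction of type-A (intended-harmful) friends
    with V > mu; 1-specificity = fraction of type-B friends with V > mu."""
    pts = []
    for mu in thresholds:
        tpr = sum(v > mu for v in a_scores) / len(a_scores)
        fpr = sum(v > mu for v in b_scores) / len(b_scores)
        pts.append((fpr, tpr))
    return pts


def run_experiment(b_pattern, friends=20, samples=30, seed=1):
    """Dataset in the style of Table 1: friend type A is immediate-harmful,
    type B is `b_pattern`; returns (a_scores, b_scores, roc_points)."""
    rng = random.Random(seed)
    a = [harm_measure(observed_profile(PATTERNS["immediate-harmful"], samples, rng))
         for _ in range(friends)]
    b = [harm_measure(observed_profile(PATTERNS[b_pattern], samples, rng))
         for _ in range(friends)]
    # JS and the weight (1 + s)/2 are both non-negative, so V_j >= 0 under
    # Eq.(11); the page's mu = -0.25 (used with Eq.(10)) would admit everyone.
    thresholds = [-0.25] + [i / 20 for i in range(0, 21)]
    return a, b, roc_points(a, b, thresholds)


if __name__ == "__main__":
    for name, prof in PATTERNS.items():
        print(f"{name:26s} V_j = {harm_measure(prof):.3f}")
    for b_pattern in ("agnostic-harmful", "privacy-aware-compliance"):
        _, _, roc = run_experiment(b_pattern)
        print(b_pattern, [(round(f, 2), round(t, 2)) for f, t in roc[:6]])
```

On the exact profiles, privacy-aware-compliance and a perfectly flat agnostic profile both score $V_j = 0$, the immediate-harmful profile scores about 0.19, and the obfuscating profile still scores about 0.53 because of its jump between levels 1 and 2, which is the behaviour Eq.(11) was proposed to catch. With noisy estimates from the frequency learner the flat agnostic profile produces small positive scores, and the threshold sweep exposes the sensitivity/specificity trade-off described above.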
6. RELATED WORK
A considerable body of research has been devoted to addressing the information sharing problem raised by the increasing number of privacy incidents and regrets occurring in OSNs [28, 27]. The proposed solutions range from examining the process of users' decision making on information disclosure and the contextual factors that influence sharing intentions, to improving the privacy options available to users to support their privacy-aware decision making. In the following we review some of the most prominent approaches and discuss their relevance to our solution.

In the area of privacy decision making, research effort has been directed at investigating how people make sharing decisions about personal information. Dinev and Hart [12] proposed a risk-benefit analysis framework, based on a calculus of behaviours, that trades off the expected privacy risks against service benefits when sharing information in the e-commerce domain. Proposals [21] and [29] subsequently applied this framework to OSNs and location-based services, respectively. Both came to the realisation that perceived privacy risks can hinder information sharing, but can be offset by benefits such as enjoyment and relationship building, and mitigated by trust towards information recipients and adequate privacy controls. A number of studies have also focused on developing a new view of privacy, called contextual integrity [25], which sees privacy as the inappropriateness of information sharing. Various conceptual frameworks for understanding privacy expectations and their implications have been proposed, including computational models of contextual integrity (e.g. [2, 22]). The latter support modelling and reasoning about information sharing rules that can be used to determine what information should be allowed or hidden from which recipients. Both privacy calculus and contextual integrity approaches emphasise that privacy is highly related to contextual factors. Good observations and predictions of such factors at runtime are essential for making the right information-sharing and privacy-aware decisions. In very recent work, Criado and Such [11] proposed a framework for learning information sharing rules from users' sharing decisions. However, they have only considered the information and the recipients the user has agreed to share with, and have not taken into account users' further interactions following those decisions, such as friends' commenting and re-sharing activities. These activities also have a great impact on building the sharing rules.

Adaptive Privacy Control. Most of the proposed solutions rely on machine learning techniques to infer information-sharing privacy policies. They learn from users' historical sharing decisions for different information content, and predict which friends are most likely to be chosen for new sharing events. The approach in [5] builds on the theory of contextual integrity, encoding contextual factors, such as when, where and with whom the information is shared, the information type, etc., into a feature vector. Their predictions achieve up to 70% accuracy. However, this approach does not consider the situation in which users may have made poor sharing decisions in the past. Learning only from those historical decisions, without reasoning about privacy-aware decisions, may adversely affect the user's privacy. The very recent work in [31] proposed an adaptive sharing approach that refines pre-created audience groups at runtime by predicting the privacy risks and social benefits associated with each member of the groups, while historical decisions are treated as feedback for making a better privacy calculus in future. Making accurate predictions of privacy risks and social benefits requires runtime learning of users' and their friends' behaviours, and this is where our proposed approach contributes to the current state of the art. The use of probabilistic models facilitates runtime learning in OSNs and keeps track of dynamic interactions with friends.

Social Learning Techniques. Machine learning and statistical inference approaches such as [30, 23] study information diffusion in OSNs in order to predict the temporal dynamics of the diffusion process. Guille and Hacid [14] analyse the social structure and dynamic behaviours of the friends involved to model the information diffusion process on Twitter for different message topics. The work in [17] proposes a continuous-time stochastic process model to capture users' social activities and predict activity evolution; the model is parameterised by activity features and evolves as social activities evolve over time. Snijders [26] considers social network evolution as the consequence of users and friends making new choices, or withdrawing existing choices, on information sharing and friend making, and proposes continuous-time Markov chain models to capture the evolution, whose parameters are learned from observed data. The study [24] also uses a continuous-time Markov process, but with the objective of predicting the most influential contacts with respect to different topics of information. A very recent work [6] uses inductive logic programming to build a formal model that learns users' dynamic social identities at runtime in order to analyse group processes and intergroup relations in OSNs.
7. CONCLUSIONS AND FUTURE WORK
In this paper we have presented a learning to share approach for adaptively refining users' selected audience groups in OSNs at runtime. The core of our proposal is a parametric Markov chain model that captures and predicts users' dynamic interactions with each group member; the transition probabilities of the model are learnt from observed interaction events. Continual Markov chain verification is used to establish the privacy risk and social benefit of sharing information with each group member, to dynamically discover potentially harmful members, and to guide users on whether or not to share sensitive information with specific members. The experiments we conducted using a simulated Facebook workflow show that our approach can effectively guide users in their sharing decisions, and is efficient in distinguishing the immediate- and delayed-harmful behaviour patterns from the agnostic, negligent and privacy-aware-compliance patterns. As for future work, we plan to extend the learning to share approach to a more complex scenario in which topics of information are taken into account. The extended approach can be used to identify socially active and harmful groups at runtime with respect to different topics, and to provide dynamic options for information sharing.
8. REFERENCES

[1] A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. In Security and Privacy, 2006 IEEE Symposium on, pages 15–pp. IEEE, 2006.
[2] A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 184–198, 2006.
[3] M. Ben-Ari, A. Pnueli, and Z. Manna. The temporal logic of branching time. Acta Informatica, 20(3):207–226, 1983.
[4] M. Benedikt, R. Lenhardt, and J. Worrell. LTL model checking of interval Markov chains. In Tools and Algorithms for the Construction and Analysis of Systems, pages 32–46. Springer, 2013.
[5] I. Bilogrevic, K. Huguenin, B. Agir, M. Jadliwala, and J.-P. Hubaux. Adaptive information-sharing for privacy-aware mobile social networks. In Proceedings of the 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing, pages 657–666, 2013.
[6] G. Calikli, M. Law, A. K. Bandara, A. Russo, L. Dickens, B. A. Price, A. Stuart, M. Levine, and B. Nuseibeh. Privacy dynamics: Learning privacy norms for social software. In (submitted to) 11th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS '16, 2016.
[7] R. Calinescu, K. Johnson, and Y. Rafiq. Using observation ageing to improve Markovian model learning in QoS engineering. In Proceedings of the 2nd ACM/SPEC International Conference on Performance Engineering, ICPE '11, pages 505–510, New York, NY, USA, 2011. ACM.
[8] R. Calinescu, Y. Rafiq, K. Johnson, and M. E. Bakir. Adaptive model learning for continual verification of non-functional properties. In Proceedings of the 5th ACM/SPEC International Conference on Performance Engineering, ICPE '14, pages 87–98, New York, NY, USA, 2014. ACM.
[9] F. Ciesinski and M. Größer. On probabilistic computation tree logic. In Validation of Stochastic Systems, pages 147–188. Springer, 2004.
[10] T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley-Interscience, New York, NY, USA, 1991.
[11] N. Criado and J. M. Such. Implicit contextual integrity in online social networks. Inf. Sci., 325:48–69, Dec. 2015.
[12] T. Dinev and P. Hart. An extended privacy calculus model for e-commerce transactions. Information Systems Research, 17(1):61–80, 2006.
[13] B. Fuglede and F. Topsoe. Jensen-Shannon divergence and Hilbert space embedding. In IEEE International Symposium on Information Theory, pages 31–31, 2004.
[14] A. Guille and H. Hacid. A predictive model for the temporal dynamics of information diffusion in online social networks. In Proceedings of the 21st International Conference on World Wide Web, pages 1145–1152, 2012.
[15] H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994.
[16] A. Hinton, M. Kwiatkowska, G. Norman, and D. Parker. PRISM: A tool for automatic verification of probabilistic systems. In Tools and Algorithms for the Construction and Analysis of Systems, pages 441–444. Springer, 2006.
[17] S. Huang, M. Chen, B. Luo, and D. Lee. Predicting aggregate social activities using continuous-time stochastic process. In Proceedings of the 21st ACM International Conference on Information and Knowledge Management, pages 982–991, 2012.
[18] M. Johnson, S. Egelman, and S. M. Bellovin. Facebook and privacy: It's complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, pages 9:1–9:15, 2012.
[19] M. Johnson, S. Egelman, and S. M. Bellovin. Facebook and privacy: It's complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS '12, pages 9:1–9:15, New York, NY, USA, 2012. ACM.
[20] J. M. Joyce. Kullback-Leibler divergence. In International Encyclopedia of Statistical Science, pages 720–722. Springer, 2011.
[21] H. Krasnova, S. Spiekermann, K. Koroleva, and T. Hildebrand. Online social networks: Why we disclose. Journal of Information Technology, 25(2):109–125, 2010.
[22] Y. Krupa and L. Vercouter. Handling privacy as contextual integrity in decentralized virtual communities: The PrivaCIAS framework. Web Intelligence and Agent Systems, 10(1):105–116, 2012.
[23] J. Leskovec, L. Backstrom, and J. Kleinberg. Meme-tracking and the dynamics of the news cycle. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pages 497–506, 2009.
[24] J. Li, W. Peng, T. Li, and T. Sun. Social network user influence dynamics prediction. In Web Technologies and Applications, pages 310–322, 2013.
[25] H. Nissenbaum. Privacy as contextual integrity. Washington Law Review, 79(1), 2004.
[26] T. A. B. Snijders. The statistical evaluation of social network dynamics, 2001.
[27] Y. Wang, G. Norcie, S. Komanduri, A. Acquisti, P. G. Leon, and L. F. Cranor. "I regretted the minute I pressed share": A qualitative study of regrets on Facebook. In Proceedings of the Seventh Symposium on Usable Privacy and Security, pages 10:1–10:16, 2011.
[28] S. Wilson, J. Cranshaw, N. Sadeh, A. Acquisti, L. F. Cranor, J. Springfield, S. Y. Jeong, and A. Balasubramanian. Privacy manipulation and acclimation in a location sharing application. In Proceedings of the 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing, pages 549–558, 2013.
[29] H. Xu, H.-H. Teo, B. Tan, and R. Agarwal. The role of push-pull technology in privacy calculus: The case of location-based services. Journal of Management Information Systems, 26(3):135–174, 2009.
[30] J. Yang and J. Leskovec. Modeling information diffusion in implicit networks. In Proceedings of the 2010 IEEE International Conference on Data Mining, pages 599–608, 2010.
[31] M. Yang, Y. Yu, A. K. Bandara, and B. Nuseibeh. Adaptive sharing for online social networks: A trade-off between privacy risk and social benefit. In Proceedings of the 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pages 45–52, 2014.