In recent years, online social network services (OSNs) have gained wide adoption and become one of the major platforms for social interactions, such as building up relationship, sharing personal experiences, and providing other services. A huge number of users spend a large amount of their time in online social network sites, such as Facebook, Twitter, Google+, etc. These sites allow the users to express themselves by creating their personal profile pages online. On the profile pages, the users can publish various personal information such as name, age, current location, activity, photos, etc. Sharing the personal information can motivate the interaction among the users and their friends. However, the personal information shared by users in OSNs can disclose the private information about these users and cause privacy and security issues. This dissertation focuses on investigating the leakage of privacy and the disclosure of face biometrics due to sharing personal information in OSNs. The first work in this dissertation investigates the effectiveness of privacy control mechanisms against privacy leakage from the perspective of information flow. These privacy control mechanisms have been deployed in popular OSNs for users to determine who can view their personal information. Our analysis reveals that the existing privacy control mechanisms do not protect the flow of personal information effectively. By examining representative OSNs including Facebook, Google+, and Twitter, we discover a series of privacy exploits. We find that most of these exploits are inherent due to the conflicts between privacy control and OSN functionalities. The conflicts reveal that the effectiveness of privacy control may not be guaranteed as most OSN users expect. We provide remedies for OSN users to mitigate the risk of involuntary information leakage in OSNs. Finally, we discuss the costs and implications of resolving the privacy exploits. In addition to the privacy leakage, sharing personal information in OSNs can disclose users’ face biometrics and compromise the security of systems, such as face authentication, which rely on the face biometrics. In the second work, we investigate the threats against real-world face authentication systems due to the face biometrics disclosed in OSNs. We make the first attempt to quantitatively measure the threat of OSN-based facial disclosure (OSNFD). We examine real-world face-authentication systems designed for both smartphones, tablets, and laptops. Interestingly, our results find that the percentage of vulnerable images that can be used for spoofing attacks is moderate, but the percentage of vulnerable users that are subject to spoofing attacks is high. The difference between the face authentication systems designed for smartphones/tablets and laptops is also significant. In our user study, the average percentage of vulnerable users is 64% for laptop-based systems, and 93% for smartphone/tablet-based systems. This evidence suggests that face authentication may not be suitable to use as an authentication factor, as its confidentiality has been significantly compromised due to OSNFD. In order to understand more detailed characteristics of OSNFD, we further develop a risk estimation tool based on logistic regression to extract key attributes affecting the success rate of spoofing attacks. The OSN users can use this tool to calculate risk scores for their shared images so as to increase their awareness of OSNFD. This dissertation makes contributions on understanding the potential risks of private information disclosure in OSNs. On one hand, we analyze the underlying reasons which make the privacy control deployed in OSNs vulnerable against privacy leakage. On the other hand, we reveal that the face biometrics can be disclosed in OSNs and compromise the security of face authentication systems.
privacy leakage, privacy control, information flow, face authentication, facial disclosure, online social network
PhD in Information Systems
Digital Communications and Networking | Information Security
Online Social Network Based Information Disclosure Analysis. (2014). Dissertations and Theses Collection (SMU Access Only).
Available at: http://ink.library.smu.edu.sg/etd_coll_smu/44