Towards Privacy-aware OpenSocial Applications

2. IBM Almaden Research Center The Team IBM Almaden Research Center IBM Silicon Valley Lab  Tyrone Grandison  Sherry Guo  Kun Liu  Dwayne Richardson  Michael (Max) Maximilien  Tony Sun  Evimaria Terzi 2 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

4. IBM Almaden Research Center From humble beginnings in 1956, Fair Isaac Corp.'s credit score has come to loom over consumer finance like no other statistical measure ever has. The ubiquitous three-digit FICO score now helps determine everything from the interest rates people pay on their credit cards to their attractiveness as job candidates. 5 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

5. IBM Almaden Research Center So, how about a Privacy Score that indicates the privacy risks of online social-networking users? 6 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

6. IBM Almaden Research Center Do you want to design and integrate the privacy score and other advanced privacy and risk management modules in OpenSocial so that 50 years (or much less) later, people will appreciate your effort? 7 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

7. IBM Almaden Research Center Roadmap  Motivation and Goal  Privacy Score and Its Applications  Privacy Score and OpenSocial  Proof of Concept: The Privacy-Aware Market Place  Conclusions 8 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

8. IBM Almaden Research Center Motivation Millions of users share details of their Disclosure of personal info expose the personal lives with vast networks of users to identity theft, digital stalking, etc. friends, and often, strangers Courtesy to: http://www.contrib.andrew.cmu.edu/%7Egct/mygroup.html Courtesy to: http://getyourfirstmortgage.com/wp-content/uploads/ 2008/08/identity-theft-protect-yourself-300x225.jpg 9 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

9. IBM Almaden Research Center Motivation (Cont.) My God! What information I have shared all these years How to prevent my and who can view ex from seeing my these information? status updates? All my friends have shared their hometown and phone number, maybe I should also How to hide do this? my friend list in the search results? I enjoyed sharing my daily activities How to prevent the with the World! applications my But any adverse friends installed effects? from accessing my information? 10 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

10. IBM Almaden Research Center Goal  Our goal is to develop a mechanism and a platform that will  measure and monitor the privacy risks of online social-networking users  boost public awareness of privacy  help users to easily manage their information sharing  Our goal is NOT to prevent people from sharing information  How to achieve this goal?  privacy score calculation  comprehensive information sharing report  privacy settings recommendation  and more … 11 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

12. IBM Almaden Research Center Privacy Score Overview Privacy Score measures the potential privacy risks of online social-networking users. Privacy Settings privacy score of the user Privacy Score Calculation Utilize Privacy Scores Privacy Risk Monitoring Comprehensive Privacy Report Privacy Settings Recommendation 13 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

13. IBM Almaden Research Center How is Privacy Score Calculated? – Basic Premises  Sensitivity: The more sensitive the information revealed by a user, the higher his privacy risk. mother’s maiden name is more sensitive than mobile-phone number  Visibility: The wider the information about a user spreads, the higher his privacy risk. home address known by everyone poses higher risks than by friends only 14 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

14. IBM Almaden Research Center Privacy Score Calculation name, or gender, birthday, address, phone number, degree, job, etc. Privacy Score of User j due to Profile Item i PR(i, j )=βi ×V (i, j ). sensitivity of profile item i visibility of profile item i 15 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

15. IBM Almaden Research Center Privacy Score Calculation name, or gender, birthday, address, phone number, degree, job, etc. Privacy Score of User j due to Profile Item i PR(i, j )=βi ×V (i, j ). sensitivity of profile item i visibility of profile item i Overall Privacy Score of User j PR(j ) = ∑ PR(i , j ) = ∑ β i × V (i, j ). i i 16 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

16. IBM Almaden Research Center The Naïve Approach User_1 User_j User_N Profile Item_1 R(1, 1) R(1, 2) R(1, N) (birthday) Profile Item_i R(i, j) (cell phone #) Profile Item_n R(n, 1) R(n, N) share, R(i, j) = 1 not share, R(i, j) = 0 17 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

17. IBM Almaden Research Center The Naïve Approach User_1 User_j User_N Profile Item_1 R(1, 1) R(1, 2) R(1, N) (birthday) Profile Item_i R(i, j) | Ri |= ∑ R (i, j ) (cell phone j #) Profile Item_n R(n, 1) R(n, N) share, R(i, j) = 1 not share, R(i, j) = 0 N − | Ri | Sensitivity: βi = N 18 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

18. IBM Almaden Research Center The Naïve Approach User_1 User_j User_N Profile Item_1 R(1, 1) R(1, 2) R(1, N) (birthday) Profile Item_i R(i, j) | Ri |= ∑ R (i, j ) (cell phone j #) Profile Item_n R(n, 1) R(n, N) share, R(i, j) = 1 | R j |= ∑ R(i, j ) not share, R(i, j) = 0 i N − | Ri | Sensitivity: βi = N | Ri | | R j | |Rj | Visibility: V (i, j ) = Pr{R (i , j ) = 1} Pij = Pr{R (i, j ) = 1} = × = (1 − β i ) × N n n 19 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

19. IBM Almaden Research Center The Naïve Approach User_1 User_j User_N Profile Item_1 R(1, 1) R(1, 2) R(1, N) (birthday) Profile Item_i R(i, j) | Ri |= ∑ R (i, j ) (cell phone j #) Profile Item_n R(n, 1) R(n, N) share, R(i, j) = 1 | R j |= ∑ R(i, j ) not share, R(i, j) = 0 i N − | Ri | Sensitivity: βi = N | Ri | | R j | |Rj | Visibility: V (i, j ) = Pr{R (i , j ) = 1} Pij = Pr{R (i, j ) = 1} = × = (1 − β i ) × N n n Privacy Score: PR(j ) = ∑β i i × V (i, j ). 20 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

20. IBM Almaden Research Center Item Response Theory (IRT)  IRT (Lawley,1943 and Lord,1952) has its origin in psychometrics.  It is used to analyze data from questionnaires and tests.  It is the foundation of Computerized Adaptive Test like GRE, GMAT Ability 21 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

21. IBM Almaden Research Center The Item Response Theory (IRT) Approach User_1 User_j User_N Profile Item_1 R(1, 1) R(1, 2) R(1, N) (birthday) Profile Item_i R(i, j) (cell phone #) Profile Item_n R(n, 1) R(n, N) share, R(i, j) = 1 not share, R(i, j) = 0 Profile item’s discrimination 1 User’s attitude, Pij = Pr{R(i, j ) = 1} = − α i (θ j − β i ) e.g., conservative or extrovert 1+ e Profile item’s sensitivity Profile item’s visibility 22 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

22. IBM Almaden Research Center Calculating Privacy Score using IRT Overall Privacy Score of User j PR(j ) = ∑ β i × V (i, j ). i Sensitivity: β i Visibility: V (i , j ) = Pr{R(i, j ) = 1} 1 Pij = Pr{R (i , j ) = 1} = − α i (θ j − β i ) 1+ e byproducts: profile item’s discrimination and user’s attitude All the parameters can be estimated using Maximum Likelihood Estimation and EM. 23 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

23. IBM Almaden Research Center Advantages of the IRT Model  The mathematical model fits the observed data well  The quantities IRT computes (i.e., sensitivity, attitude and visibility) have intuitive interpretations  Computation is parallelizable using e.g. MapReduce  Privacy scores calculated within different social networks are comparable 24 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

24. IBM Almaden Research Center Interesting Results from User Study Sensitivity of The Profile Items Computed by IRT Model Survey We collected the information-sharing preferences of 153 users on 49 profile items such as name, gender, birthday, political views, address, phone number, degree, job, etc. Statistics • 49 profile items Average Privacy Scores Grouped by Geographical Regions • 153 users from 18 countries/regions • 53.3% are male and 46.7% are female • 75.4% are in the age of 23 to 39 • 91.6% hold a college degree or higher • 76.0% spend 4+ hours online per day 25 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

25. IBM Almaden Research Center Utilize Privacy Scores  Privacy Risk Monitoring  Privacy (Information Sharing) Report Score: 100 ~ 150 Score: 100 ~ 150  Privacy Settings Recommendation Score: 100 ~ 150 Score: 100 ~ 150 Score: 100 ~ 150 26 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

27. IBM Almaden Research Center Privacy Score and OpenSocial Provide native implementation of Enable application developers to Privacy Score calculations. implement their own Privacy Scores. Enable application developers to build Information Sharing Report modules and Privacy Settings Recommendation modules. 28 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

28. IBM Almaden Research Center Suggested APIs for OpenSocial double getPrivacyScore(userID, key) • Description: Gets the user’s privacy score, which is calculated by the native implementation. The key specifies the mathematical model, i.e., Naïve or IRT. double getPrivacyScore(userID) • Description: Gets the user’s privacy score int getPrivacySetting(userID, profileItemID) • Description: Gets user’s privacy setting for the profile item Boolean setPrivacySetting(userID, profileItemID, PrivacySetting) • Description: Sets the user’s privacy setting for the profile item profileItemID can be chosen from opensocial.Person.Field, opensocial.Address.Field, opensocial.Email.Field, opensocial.Name.Field, opensocial.Organization.Field, opensocial.Phone.Field, etc. 29 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

29. IBM Almaden Research Center Privacy Settings Themselves Are Private/Sensitive OAuth allows the user to authorize access to his or her privacy settings stored in social networks. APPLICATION SOCIAL NETWORK USER Request to access protected information of the user 1 Direct user to Prompt user to provide User authorizes access social network for authorization 3 to private data authorization 2 Use the token to access Grant access token & 4 protected information Direct user to application 5 6 30 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

31. IBM Almaden Research Center Privacy-aware Marketplace (PaMP)  PaMP allows one to create posts that are related to items for sale, housing, and jobs.  PaMP adopts the privacy models previously discussed  PaMP empowers users to control all aspects of their data and enable privacy settings to be configured with least effort.  PaMP is a significant differentiator from other online marketplace offerings. 32 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

32. IBM Almaden Research Center Privacy-aware Marketplace (PaMP) http://apps.facebook.com/p_a_m_p 33 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

33. IBM Almaden Research Center Conclusions  In this talk, we have discussed  the importance of privacy score and privacy management  two ways to compute privacy score using privacy settings  how to integrate the scores with OpenSocial  Our goal is to develop a mechanism and a platform that will  measure and monitor the privacy risks of online social-networking users  boost public awareness of privacy risks  help users to easily manage information sharing  We believe that  simple and effective privacy management makes users feel safe and comfortable about sharing information online, which will eventually facilitate the information sharing and integration. 34 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation

34. IBM Almaden Research Center Next Steps  The Initial Question to You  Do you want to design and integrate the privacy score and other advanced privacy and risk management modules in OpenSocial so that 50 years (or much less) later, people will appreciate your effort?  If Your Answer is Yes  Let’s collaborate on a privacy management roadmap for OpenSocial 35 IBM Almaden Research Center -- http://www.almaden.ibm.com/cs/projects/iis/ppn/ © 2009 IBM Corporation