Whirley Girl Designs - Changing the world one wall at a time!

Privacy and Security in Social Networks

In recent years, social networks such as Facebook or Twitter have grown rapidly. They are very useful for talking to friends we have not been in contact with for a long time, or to former classmates.

They also allow us to create events to meet up or go out without having to phone everyone, and therefore save money on the mobile bill. They also serve to establish new relationships with others, based on shared traits such as communities, hobbies, interests, and circles of friendship.

The advantages of social networks are known to everyone. What few people know is that privacy and security in social networks are at odds with sociability and with the use that can be made of them. If our profile is too strict, friends of our friends cannot communicate with us, and that could harm us “socially”. If, however, we have an open profile, anyone in the world can communicate with us and see all our photos and all our comments. Privacy is then null but sociability is at its maximum, which is just what people want from social networks.

We must take as a premise that social networks are safe from hacking attacks, because otherwise this article would never end: I would be talking about the big blunders of all social networks and their null interest in correcting faults before releasing to the public. After all, people just want to upload their photos and gossip about other people's profiles; nobody is going to stop to think that if you enter the “user” and a password 10 times (a brute-force attack), you can keep entering more and more passwords until you hit the right one. Or that the login is done over HTTP on port 80 without any encryption. Not to mention that the whole session, with all the personal data (ours and other people's) that circulates through it, is not encrypted.

When you tell a friend that you are going to upload the photos from the last party to a password-protected personal blog, they say no, it is safer and better to upload them to Tuenti. People rely on social networks, but are not aware of the immense amount of information these collect from around the world. When you upload a photo to Facebook and then delete it, it is removed from the profile, but the photo remains on the Facebook servers, as we will see later.

Social networks have grown exponentially, and they store a great deal of private information about their users and their interactions. This information is private and is intended for certain individuals. With all the information they store, however, it is no wonder that social networks also attract malicious people who harass, defame, spam and phish.

Despite the risks, many access control and privacy mechanisms are weak against these attackers.

In this article we will talk about security and privacy in social networks, and we ask ourselves the question: what should be the objectives of security and privacy designs?

When we evaluate the objectives, we run into the conflict of privacy against functionality and sociability. There must be a balance between them.

Development of the theme:

Main functionalities of social networks:

There are several differences between one social network and another, but they all have one thing in common: communication with our friends, and also with strangers.

A social network is the digital representation of its users, their social relationships, their photos, messages, etc.

With a social network we can create a profile of ourselves to maintain social relations with other people who also have a profile and improve the existing relationships between us; it also helps us form new social relationships, based on common interests such as geographic location, activities, etc.

Social networks also provide us with a personal management space for our profile. They allow us, among other things, to create, modify and cancel our profile on the social network. They also allow us to add content (photos or comments) and edit it, all to improve the relationship with other people, since it is automatically updated in the social network and is visible to our contacts.

They allow us to manage our list of contacts: we can add people with our same tastes, age, city, and so on, to establish a new relationship.

If there are people with whom we no longer speak, or whom we simply do not want in our list of friends, we can remove them, and they will no longer have the necessary permissions to keep viewing our photos or comments (provided the security setting is friends-only and not open to the public).

Some social networks also allow groups of people. For example, we can create a “friends” group and put all our friends there with certain permissions on our profile. If we create a “co-workers” group, we may not want these people to see our personal photos, so we apply the necessary permissions so that they cannot see them, and we have total control over what our contacts see and do not see.

Communication with others is the main feature of social networks, and we can communicate in various ways. We can post comments on a bulletin board as if it were a kind of blog; these comments will be visible to everyone, so we can hold a personal conversation in public.

If we want more privacy, we can send private messages, which only the owner of the profile in question will read; it is like sending an email, but through the social network.

Another form of communication is “chat”, which is like a Messenger conversation and can incorporate video calls.

Some social networks allow third party applications, and we find for example the (very addictive) games of social networks.

Social networks are not limited to maintaining existing relationships (profiles added to our own profile); they also need to establish contact with more people, and that is where the social network's search engine comes in, with which we do a global search across the network.

To find a user we have to enter their name; we can also narrow the search by country, province, university, college, company and of course by sex and age. We are presented with a list of all the people who match, and with the main profile photo we can decide whether it is the person we are looking for, or whether we were wrong and must continue searching.

We can also look for people who are “friends of our friends”, which is what we call a social cross. We enter a friend's profile and can see all the people they have added. A user may restrict other people from seeing who they have added, but this reduces sociability (in exchange for greater privacy).

The main objective of a social network is sociability, so if we leave the profile open so that others can see our friends, we enhance that sociability, and this is what conflicts with privacy and security.

Social networks can also mask poor relationships. When a user removes another from their list of friends, no notification appears that they have been removed; notifications appear only about relationships that are good. That is, they mask unpleasant events. [5]

Architecture of a social network.

There are two ways in which social networks can work. One is the client-server architecture, where the server is the social network and we are the clients. The other is the peer-to-peer architecture, where the information is distributed and not centralized as in client-server.

Today's networks are centralized, based on a client-server architecture. All social network functionalities, such as storing and editing data, maintaining the website, or accessing the services provided by the social network, are offered by the social network itself, such as Facebook or Tuenti. This architecture has the advantage of being simple, but at the same time it is weak against attacks such as denial of service. If the amount of information stored on the web server is very large, it could cause a so-called bottleneck, with all users navigating the social network very slowly. That is why there are several servers in each country, several nodes, connected to each other for the exchange of information.

Peer-to-peer architecture could be the next generation of social networking. A decentralized system would be adopted, based on the cooperation of every member of the network: each user would be a client of the social network and at the same time a server of it, so data would be stored on our own machines. Direct exchange of information between devices would be supported among users who already know each other. A P2P architecture can take advantage of real social networks and of geographical proximity to provide local services without the need for the Internet. The server would be distributed across the storage nodes, and we would need to have a “social relationship” with a node. The main problem with this would be global search.

In summary, the client-server architecture requires an internet connection to communicate through the centralized server of our social network. P2P, on the other hand, would connect locally, since the server role is distributed across the storage nodes.

Privacy and security in social networks.

To understand the great challenge of balancing security and privacy with sociability and usability, we have to look at the main security standards in the network.

  • Confidentiality: requires the information to be accessible only to authorized entities. It is vitally important in social networks because misuse of information could have serious consequences on people’s lives.
  • Integrity: requires information to be modified only by authorized entities.
  • Authentication: the user is really who they claim to be.
  • Non-repudiation: offers protection to one user against another who later denies having made some communication. [4]

All this applied to social networks.

Data protection is of paramount importance in a social network, as unlawful disclosure and misuse of users’ private information can cause undesirable or detrimental consequences on people’s lives.

But since social networks are not infallible, news often comes out that certain things that should be hidden are not. In April, a Google engineer noticed a security breach, and it was precisely in the profile of the creator of Facebook [9].

Not only should social network administrators be concerned with protecting their users’ data, but so should the competent authorities in this field, such as the LOPD, which fines € 300,000 to € 600,000 if someone alters or has access to personal data without the authorization of the owner of such data [4].

Privacy in the context of social networks has several aspects:

  • Anonymity of the user’s identity:

The protection of users' real identity varies depending on the social network we are registered with. In social networks like Facebook, people use their own name as a profile, so that it is easier for other users to locate them within the social network.

As a social network grows, it becomes totally impossible to control all comments, and they spread like wildfire. In November 2005, four students from the University of Northern Kentucky were fined when the images of a meeting were posted on Facebook. The images, taken in one of the dormitories, were visual proof that the students did not comply with the university’s campus policy. In this example, private affairs were published by the students themselves [2]. We cannot know how far something we put on the social network will spread.

This can also be extrapolated to YouTube videos, where people, for example, upload videos of themselves exceeding the maximum speed allowed on a road and then receive the corresponding citation from the Civil Guard.

Everything that we put on the network stays on the network, so we must be careful that what we post does not harm us or put us in problematic situations.

However, on social networks like Twitter, people can usually use pseudonyms or the address of their own web page as a profile.

  • Privacy of personal space:

The visibility of a user profile varies from one social network to another. In some networks, such as Facebook or Twitter, profiles can be found with a Google search; in the social network Tuenti, however, this is not possible: it is closed to everyone except people registered on the website.

This part also covers which profiles people may or may not see. Depending on the social network, the default permissions are public or private. Facebook has a different approach: by default, users who are part of the same subnet can view each other's profiles, unless a profile has decided to deny permission to those in its subnet. As we mentioned earlier, most social networks allow you to view the friends added by the profiles we are viewing.

As we have said, in most networks the list of friends we have can be seen, although there are exceptions, either because the social network itself gives you the option to hide the list of friends or because you have hacked the profile so that it does not appear.

  • Privacy of the user’s communication:

Apart from the data we provide to social networks, such as our photos, comments, etc., a social network user discloses additional data, such as the connection time, the IP address used (and of course its geographic location), the profiles visited, and the messages received and sent; that is, a log of personal information about what we did while on the social network. All this must be private; remember that an IP address at a given point in time is unique and identifies a single person, and it is illegal to publish it without the user's consent.

In short, privacy must be present in the social network itself, in the exchange of information (photos, messages, etc.), and in the logs that the social network records.

Unauthorized entities should not know the content of private data sent and received through the social network.

This aspect of data privacy implies the confidentiality of the data and the anonymity of its owners, and there must be access control. Access to information about a user can only be granted by that user. Nor should unauthorized entities be able to link private data to the owner’s profile.

Types of attacks on social networks

Authentication and data integrity are a major task in a social network.

We must bear in mind that most networks are based on relationships that already exist in reality: a profile in the social network is a person in real life, so social networks should try to make sure that this does not change.

Any attempt to divert an online social model from its corresponding real-life social network will be considered a type of attack and must be detected and corrected.

There are two main “attacks” on social networks:

The first of these is identity theft, which is the biggest problem of social networks. For example, an attacker can create fake profiles; another attack is to impersonate another person in order to harm them. Attackers can also pass themselves off as famous people, to slander them or to obtain a benefit. This can damage the reputation of social networks, so in some cases, when the legitimacy of a profile is in doubt, the person behind it must prove its authenticity (for example, in Tuenti, when someone is reported for a false profile, they are asked for their DNI to prove authenticity; if you think this is an attack on the person's privacy, nothing happens if you do not show the DNI, you can always decline to show it, and your profile is deleted).

Social networks must ensure that bad behavior is eradicated, because some social networks are used as work tools to help employees (another requirement is availability, that is, that they are always available).

We have two types of attackers:

Internal attackers, who are already registered on the network and appear to be normal users of the social network but act maliciously, for example by creating third-party programs to damage the social network; attackers on our own wireless network also fall here. That is, all those who try to damage the social network from within.

We also find external attackers, intruders who are not in the social network but who can damage it with external attacks on servers or infrastructure, such as denial of service.

Design Conflict

As we have said before, there is a conflict between the security and privacy of social networks, and their usability and sociability.

To support social search, it is necessary to show certain information from the different profiles that match the one we searched for. This occurs both in the global search and in the cross-sectional search.

The more data displayed, the more accurate and efficient the search will be.

So we are back at the conflict: if we show more, we are better able to find an individual correctly, but people's privacy is called into question. If, however, we show very little information, finding someone will be a tedious task.

But this goes beyond the domestic environment: imagine that we cross several profiles and find that two employees of rival companies are friends. This could lead to problems for them.

The main function of these networks is to facilitate and enhance social interaction. On some occasions, we need to create two different profiles, one personal and the other for work. This is not entirely safe, because a work friend and a personal friend may happen to know each other. There may then be a leak of unwanted information, and this leak is completely outside the control of the person in question because it does not depend on them; all the effort they made to create two profiles and grant minimal permissions is worth nothing. Besides, it may take quite some time to find out that the information is circulating on the net.

For example, if a user uses a pseudonym, and then a friend tags a photo of that pseudonymous profile with the user's real name, their real identity is revealed, so all efforts to protect their privacy will have been in vain.

A good privacy configuration, or encrypting all traffic, is of no use if we do not think about what can be inferred from everything we post [2].

Privacy Policy

The huge amount of data uploaded to social networks is an important source for social analysis, which can help show how society evolves, but it can also be a great marketing study.

The data collected can also serve to improve the social network itself, with configurations or add-ons demanded by users.

As always, we are at a crossroads: improve the system as users want, or bet on privacy and not collect this data. Even if we hide the data and it is in theory anonymous, it has been demonstrated that the real identities of most users can be recovered.

Client-server vs P2P architectures

The client-server architecture has several advantages over the P2P architecture in meeting one of the main objectives of a social network. Users are not limited to the relationships they already have but can find former classmates on social networks (as long as they are on the same social network). It is easier to find someone on the social network server by searching on data such as name, age or the school they attended. Data mining is most effective on a centralized server; however, all data is stored on the servers of the chosen social network and can be used for purposes other than those for which it was collected, and thus violate the privacy of the users.

On the other hand, the data stored in the databases of the different social networks can be stolen by hackers, who can delete, modify or copy all the information that exists on all the users, for their own benefit.

In May Facebook identified the hacker who had stolen more than 1.5 million accounts and tried to sell them on low-cost hacking forums. As you can see, no social network is completely safe, although security starts with ourselves. [6]

In July, Facebook implemented a button to remove our account quickly and easily. But all that glitters is not gold, because under the service's terms of use, all the photos and everything you upload to Facebook become its property. That is, they may delete your profile, but the photos are still on their servers. [7]

Recently, there has been a new case of deleted photos that are still on the servers. Arstechnica.com, a reference outlet for technology, says that many users have complained about photos that they deleted a long time ago and that are still there. What a coincidence that, as soon as the news came out, the photos disappeared as if by magic. [8]

Although Facebook’s privacy policy ensures that it does not share personal information with companies that advertise in that virtual community, it has said that in some cases it had sent the user name to those advertisers and that this was a bug that has already been corrected. [12]

In the P2P architecture security is reinforced because it is not centralized: the central server of the social network is removed and the data is stored by the users themselves, who can encrypt their own data to avoid prying eyes and also strengthen access control to that data.

In a centralized system you can also upload encrypted data, but this is not entirely true, because the social network itself may prohibit you from uploading it in this way, and if there is a gap in its terms of use, it can always modify them. In any case, they will always know who is related to whom based on users' IP addresses.

A P2P system with data encryption is the best combination for privacy there can be, but the problem is that it cannot yet efficiently recreate everything that centralized systems do.

An example of a P2P social network is Diaspora, a social network that four American university students are finishing developing. It offers a new concept of social communication whose first objective is to guarantee the privacy of our data, a very important but seemingly insignificant issue. Diaspora will offer a P2P platform, that is, our data does not leave our PCs, which allows us to decide what information we share, with whom, and at what point we want to disappear, something that today is almost impossible in client-server social networks like Facebook. [14]

Research Directions

While completely eliminating design conflicts for networks may be impossible, we need to investigate and explore in other directions.

Some networks are based only on whether or not we accept others as friends; there is no middle ground. Real life is different.

To capture the maximum aspects of social relations in real life we must include:

  • Types of relationships: they can be classified as friends or colleagues, and then there are so-called “followers”.
  • Trust: shows the trust that a user places in the contacts they have added, either on a specific topic or in everything.
  • Intensity of the interaction between users: it measures the quality and quantity of interactions between the different users.

A relational model can provide the social network with more privacy and security in many ways.

First, we would share different information with our friends and with our colleagues. We must be careful about possible confusions, and assign specific permissions to each group.

The second is the trust relationships between users, which are not all the same. We cannot have a binary trust relationship (yes or no); there is always a middle ground. Therefore, if we cannot give an appropriate permission for each situation, we could have a security breach in the relationship.

Finally, the intensity of interaction between users can serve as an indicator of the quality of the relationship when making privacy decisions. If two users barely speak, it means they do not want to reveal too much information about themselves. The intensity of interactions can introduce a new way of characterizing networks.

We have to take into account the complexity of describing a relationship. This is completely impractical for a social network: because of inaccurate and ambiguous descriptions, evaluating it can have a computational cost so high that it is not feasible.

Recently Facebook has incorporated a number of tools that offer users greater control over their personal information and help them interact with smaller, select circles of friends.

The new ‘group’ feature enables 500 million users to interact in small circles of friends, instead of having photos and personal messages open to family members, friends, high school mates and co-workers in one place.

With groups, Facebook users can now gather their friends in different circles and send messages or hold exclusive online discussions with their members. [10]

Protect social graphs

The main feature of social networks is to connect users to each other. The information collected in the social network must be protected. The relationships and connections between different profiles also help protect the social network itself and mitigate attacks on social networks.

A social link may be created if a malicious user gains the trust of a good user of the social network. That attacker can in turn gain the trust of another friend of the victim, but eventually they will realize it is a false identity, because they meet in person. The very nature of networks makes it difficult for attackers to forge social ties.

In many social networks, it is very easy for a malicious user to create several false profiles and pretend to be different people. If the social network required showing proper identification such as the DNI, doing this would be much more complicated. However, the privacy of the users cannot be guaranteed with the centralized scheme.

The best we can do in these cases is to use the network of real-life relationships to check the identity of a user. The idea is for people to connect and communicate. Although it is very easy to create a nickname without revealing your name, it is difficult to change contacts and friends.

Although online social graphs provide enormous amounts of trustworthy data to facilitate the design of defense mechanisms, personal social relationships represent a lot of sensitive private information that can be misused. The key is to find a way to use the knowledge of social graphs while preserving privacy.

There has been growing concern about users giving out too much personal information, given the threat of sexual predators; remember that Tuenti allows you to create a profile if you are older than 14.

Article 13 of the Regulation implementing the LOPD says that those under 14 years may not have access to a social network. Facebook, for its part, ignores this precept and allows the registration of users claiming to be 13 years old. Tuenti has implemented policies to erase profiles of young people who are detected as under 14 years old. There are no known measures adopted by Facebook in this regard. [11]

To mitigate design conflicts, we can find and use qualitative properties of real-life social networks. Unlike quantitative properties, qualitative ones can be applied to any social network safely and do not reveal personal information about individual users.

Based on the fact that it is difficult to create social links between honest and non-honest nodes, a new defense scheme is proposed against attacks by malicious users. The idea is that when malicious users create too many non-honest nodes, the social graph becomes strange because it has a small cut ratio, that is, a small set of social links (the attack edges) whose removal disconnects a large number of nodes (all the non-honest nodes) from the rest of the graph. Real-life networks, on the other hand, do not tend to have such cuts (a qualitative property of networks). Using a special type of arbitrary verifiable path in the online social graph and the intersections between those paths, the small cut ratio can be identified and the number of non-honest nodes can be bounded accordingly. We believe that more and more qualitative techniques of social networks, combined with cryptographic techniques that preserve privacy, can be used to design new security mechanisms for networks without compromising user privacy.
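The small-cut property described above can be checked on a toy graph. The following is an added example, not code from the article or from the scheme it cites: instead of the verifiable-path protocol, it uses a simpler trust propagation from one account assumed to be honest, stopped after about log2(n) rounds, and then sweeps the ranking for the cut with the fewest links per node. The graph, the node names and the seed are constructed for illustration.

```python
import math
from itertools import combinations


def build_graph(edges):
    """Undirected social graph as {node: set(neighbours)}; every node has degree >= 1."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def cut_ratio(graph, region):
    """Links leaving `region` divided by the size of the smaller side of the cut.

    `region` must be a non-empty proper subset of the nodes.
    """
    region = set(region)
    crossing = sum(1 for u in region for v in graph[u] if v not in region)
    return crossing / min(len(region), len(graph) - len(region))


def propagate_trust(graph, seed, rounds=None):
    """Spread one unit of trust from `seed` along social links.

    Stopping after ~log2(n) rounds is the point: trust mixes quickly inside
    the well-connected honest region but has to squeeze through the few
    attack edges to reach fake profiles. Returns trust divided by degree.
    """
    if rounds is None:
        rounds = math.ceil(math.log2(len(graph)))
    trust = {node: 0.0 for node in graph}
    trust[seed] = 1.0
    for _ in range(rounds):
        nxt = {node: 0.0 for node in graph}
        for node, amount in trust.items():
            share = amount / len(graph[node])
            for neighbour in graph[node]:
                nxt[neighbour] += share
        trust = nxt
    return {node: trust[node] / len(graph[node]) for node in graph}


def find_small_cut(graph, seed):
    """Rank nodes by trust (lowest first) and return the prefix with the smallest cut ratio."""
    scores = propagate_trust(graph, seed)
    ranked = sorted(graph, key=lambda n: (scores[n], n))
    best_region, best_ratio = set(), float("inf")
    for k in range(1, len(ranked)):
        region = set(ranked[:k])
        ratio = cut_ratio(graph, region)
        if ratio < best_ratio:
            best_region, best_ratio = region, ratio
    return best_region, best_ratio


# Constructed sample: six real friends who all know each other, six fake
# profiles that all "know" each other, and one attack edge (h5 accepted s0).
HONEST = [f"h{i}" for i in range(6)]
SYBIL = [f"s{i}" for i in range(6)]
EDGES = (list(combinations(HONEST, 2))
         + list(combinations(SYBIL, 2))
         + [("h5", "s0")])
GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    region, ratio = find_small_cut(GRAPH, seed="h0")
    print("suspect region:", sorted(region))
    print("cut ratio of suspect region:", round(ratio, 3))
    print("cut ratio of three real friends:", cut_ratio(GRAPH, {"h0", "h1", "h2"}))
```

A group of real friends of similar size has many links to the rest of the graph, so its cut ratio is far higher than that of the fake region, which hangs off a single accepted friend request.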


We have commented on security and privacy designs in online social networks by pointing out a few research directions to mitigate design conflicts between the different designs and the goals of the networks.

However, a final solution will require experts in social science and network security communities, regulatory bodies, and other relevant communities to make decisions on political and security mechanisms.

Users are not aware that their comments can reach anyone on the social network; we must keep some privacy. Usually, the more contacts you have, the more popular you are, and therefore the more influence you have. Everything you put on the social network will be seen by many more people, and surely you do not even know many of them personally [3].

Any user of the social network can take all the information we have posted and use it in the near future to harm us. The best thing would be not to be on any online social network; that way we would have no privacy or internet security problem. Personal things are, as the word itself indicates, “personal”, “private”, and not to be posted on an internet board in front of everyone as if they were an advertisement. You can check DeltaNet about personal information security.

Job dismissals for inappropriate behavior on social networks are increasing day by day, because companies are increasingly aware of what their employees or candidates publish on them, as a matter of image and reputation but also of security. [13]

Security and privacy in the social network begin with us, with the content that we upload and the permissions that we grant.

Social networks will continue to innovate, creating new designs, but hopefully they will also focus a lot on security and, above all, the privacy of their users.

©2003 WhirleyGirl Designs. All Rights Reserved.