Intelligent Reactive Access Control for Moving User Data

Yang Wang*, Armen Aghasaryan†, Arvind Shrihari*, David Pergament†, Guy-Bertrand Kamga†, Stéphane Betgé-Brezetz†

* School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213
  Email: [wang, arvinds]@cs.cmu.edu
† Service Infrastructure Research Domain, Alcatel-Lucent Bell Labs France, 91620 Nozay, France
  Email: name.surname@alcatel-lucent.com
Abstract—With the boom of social media, it has become increasingly easy for ordinary people not only to post their own content but also to share other people's content on the Internet. In this paper, we conceptualize a growing problem of moving user data: once a user posts some content on the Internet, the data is largely out of her control; the content can be forwarded to or shared with other people, applications or websites, potentially causing various privacy issues. We present a technical solution that aims to give users flexible, fine-grained control over their moving data. Our system builds upon the ideas of data envelopes with sticky policies, reactive access control, and privacy scores. Users can specify and enforce sticky policies on their data through our data envelope plug-ins. Our reactive access control mechanism allows users to grant access to their data on the fly, extending the pre-defined sticky policies to better fit the dynamic nature of people's sharing practices. Finally, the privacy score helps users decide on data requests by providing relevant privacy risk assessment information about the requesters.
I. INTRODUCTION
With the rise of user-generated content and social media, it has become increasingly easy for ordinary people to post their own content and to share other people's content on the Internet. There is a trend of websites, particularly social media sites such as Facebook and Twitter, publishing their Application Programming Interfaces (APIs). These open APIs allow third parties to develop applications that enable users to access their content on these sites and to share that content with other sites. We conceptualize this phenomenon as moving user data: users' data can easily be moved from one person to another, from one website to another, or from one communication channel (e.g., web) to another (e.g., email). Once a user generates some content on the Internet, the data is largely out of her control.
The practices of moving user data can have considerable privacy implications. For instance, a recent study found that over 4.4 million protected tweets (tweets that are only accessible to one's followers on Twitter) were re-tweeted as public tweets, rendering these originally private tweets public and thus violating the privacy of the authors of the original tweets [1]. This telling example illustrates the growing challenge faced by Internet users: how can they control their moving data on the Internet?
Our research aims to address this challenge. We present a framework that allows end users to control their moving data. Our framework builds upon the ideas of data envelopes with sticky policies, reactive access control and privacy scores. We use data envelopes as a means to encrypt and decrypt user data, and to allow data owners to specify a sticky policy containing access control rules that moves with the data. This sticky policy can be enforced as the data envelope moves [2].
Traditional access control requires users to define access control policies before sharing data. It has been shown that this ex-ante approach is too rigid to fit the dynamic nature of people's actual sharing behavior [3]. This is where reactive access control (RAC) comes into play. Under RAC, the data owner can answer incoming data requests as they arrive, creating a more flexible access control model [3].
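The two mechanisms described above, a data envelope carrying a sticky policy and a reactive fallback for requests the policy does not cover, are illustrated below. This is an added example, not the paper's prototype code. It assumes a symmetric envelope key held by a trusted plug-in on both the owner's and the recipient's side, and the user names ("alice", "bob", "carol"), channel labels ("sns", "email") and sample content are constructed. The policy travels in the clear next to the ciphertext but is bound to it by the authentication tag, so a forwarded copy whose policy has been loosened is rejected rather than decrypted; a request that the policy does not permit is queued for the owner, whose grant re-seals the envelope with the extended policy.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication sub-keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream. A production plug-in
    # would use an AEAD (e.g. AES-GCM) with the policy as associated data.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(key: bytes, nonce: bytes, policy_json: str, ct: bytes) -> bytes:
    # The tag covers nonce, policy and ciphertext, so editing the sticky policy
    # in transit invalidates the envelope. Length-prefixing the policy keeps the
    # policy/ciphertext boundary unambiguous.
    pj = policy_json.encode()
    h = hmac.new(_derive(key, b"mac"), digestmod=hashlib.sha256)
    h.update(len(pj).to_bytes(4, "big") + pj + nonce + ct)
    return h.digest()


@dataclass
class StickyPolicy:
    owner: str
    allowed_users: Set[str]
    allowed_channels: Set[str]  # constructed labels, e.g. {"sns", "email"}

    def to_json(self) -> str:
        return json.dumps({"owner": self.owner,
                           "allowed_users": sorted(self.allowed_users),
                           "allowed_channels": sorted(self.allowed_channels)},
                          sort_keys=True)

    @classmethod
    def from_json(cls, s: str) -> "StickyPolicy":
        d = json.loads(s)
        return cls(d["owner"], set(d["allowed_users"]), set(d["allowed_channels"]))


@dataclass
class DataEnvelope:
    nonce: bytes
    policy_json: str   # sticky policy, readable by any hop but MAC-bound
    ciphertext: bytes
    tag: bytes


def seal(key: bytes, plaintext: bytes, policy: StickyPolicy) -> DataEnvelope:
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext)))
    pj = policy.to_json()
    return DataEnvelope(nonce, pj, ct, _mac(key, nonce, pj, ct))


class EnvelopePlugin:
    """Enforcement point (assumed key holder): releases plaintext only when the
    bound policy permits; uncovered requests are queued for the owner (RAC)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: List[Dict[str, str]] = []

    def _checked_policy(self, env: DataEnvelope) -> StickyPolicy:
        expected = _mac(self.key, env.nonce, env.policy_json, env.ciphertext)
        if not hmac.compare_digest(expected, env.tag):
            raise ValueError("envelope or sticky policy has been tampered with")
        return StickyPolicy.from_json(env.policy_json)

    def _decrypt(self, env: DataEnvelope) -> bytes:
        return _xor(env.ciphertext,
                    _keystream(_derive(self.key, b"enc"), env.nonce, len(env.ciphertext)))

    def request_access(self, env: DataEnvelope, requester: str, channel: str) -> Optional[bytes]:
        policy = self._checked_policy(env)
        if channel not in policy.allowed_channels:
            return None  # channel restriction is absolute, not subject to RAC
        if requester == policy.owner or requester in policy.allowed_users:
            return self._decrypt(env)
        self.pending.append({"requester": requester, "channel": channel})  # ask the owner
        return None

    def owner_grant(self, env: DataEnvelope, requester: str) -> DataEnvelope:
        # Owner's on-the-fly decision: extend the policy and re-seal. Only a key
        # holder can produce a valid tag, so a requester cannot self-grant.
        policy = self._checked_policy(env)
        policy.allowed_users.add(requester)
        self.pending = [p for p in self.pending if p["requester"] != requester]
        return seal(self.key, self._decrypt(env), policy)


def demo() -> Dict[str, object]:
    plugin = EnvelopePlugin(secrets.token_bytes(32))
    photo = b"constructed sample: bytes of alice's photo"
    env = seal(plugin.key, photo, StickyPolicy("alice", {"bob"}, {"sns"}))
    results: Dict[str, object] = {
        "bob_sns": plugin.request_access(env, "bob", "sns"),
        "bob_email": plugin.request_access(env, "bob", "email"),
        "carol_sns": plugin.request_access(env, "carol", "sns"),
        "pending_after": [p["requester"] for p in plugin.pending],
    }
    # Forwarded copy whose policy was edited to add carol while keeping the tag.
    forged = DataEnvelope(env.nonce, env.policy_json.replace('"bob"', '"bob", "carol"'),
                          env.ciphertext, env.tag)
    try:
        plugin.request_access(forged, "carol", "sns")
        results["forgery_detected"] = False
    except ValueError:
        results["forgery_detected"] = True
    env2 = plugin.owner_grant(env, "carol")
    results["carol_after_grant"] = plugin.request_access(env2, "carol", "sns")
    results["pending_final"] = len(plugin.pending)
    return results
```

Running `demo()` walks through the sequence: the pre-authorised recipient reads the content over the permitted channel, the same recipient is refused over a channel the policy excludes, an unknown requester is queued rather than refused, a copy with a loosened policy is rejected at the integrity check, and after the owner's grant the previously unknown requester reads the re-sealed envelope.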
While our approach can in principle apply to any moving data on the Internet across different application environments (such as email, social network sites, and blogs), we focus on email and social network services in this paper because they are among the most common Internet activities.
Imagine a friend of a friend wants to see a picture you posted on Facebook: should you allow this person to see your picture? You barely know this person. It would be useful if one could provide some relevant information about this requester to help you make the access control decision "on the spot". We designed a privacy score mechanism to provide that information. The privacy score is a quantitative measure of the extent to which allowing this requester to see this protected content would (or would not) compromise your privacy.
The main contributions of our work are: (1) flexible reactive access control policy management, (2) enforcement of access control policies across multiple application domains, and (3) decision support for end users' access control decisions. In addition, we implemented a prototype system.
The rest of this paper is organized as follows. In section II
2011 IEEE International Conference on Privacy, Security, Risk, and Trust, and IEEE International Conference on Social Computing
978-0-7695-4578-3/11 $26.00 © 2011 IEEE
DOI
942