This week I attended the Usenix Annual Technical Conference in Boston. The first day of the conference I attended the 3rd annual Workshop On Social Networking. It was interesting spending the day with academics who have an entirely different perspective regarding security and privacy than much of the industry itself. I am only going to cover the highlights related to security and privacy from the sessions I attended.
The first paper of the morning was "Ghostbusting Facebook: Detecting and Characterizing Phantom Profiles in Online Social Gaming Applications" by Atif Nazir, Saqib Raza, Chen-Nee Chuah, and Burkhard Schipper. The presentation studied how phantom profiles and fake accounts can be statistically determined through analysis of human behavior versus behavior that is intended only to benefit a human. They showed how "bots" or fake accounts are often used as a way to cheat in online social network games and presented methods to sort out the fakes from real players. Considering the number of fake accounts on social networks that are often used to spam, phish, and spread malware, further development of this research could help create algorithms to detect malicious accounts.
Later in the morning Craig E. Wills from Worcester Polytechnic Institute presented a paper co-authored with Balachander Krishnamurthy of AT&T Labs titled "Privacy Leakage in Mobile Online Social Networks". They studied 20 popular mobile online social networks (mOSNs) to see what information they were inadvertently leaking in addition to data leakage specific to mobile access. Unfortunately their study showed that all mOSNs were leaking data and that much of that information could not be restricted by users.
The next paper was "Don't Tread on Me: Moderating Access to OSN Data with SpikeStrip" by Christo Wilson, Alessandra Sala, Joseph Bonneau, Robert Zablit and Ben Y. Zhao. They explained how current methods of stopping bots from scraping data from social networks are ineffective and proposed a new method called SpikeStrip. SpikeStrip uses cryptographic tokens in URLs on a per-user basis to enforce rate limiting and prevent abuse of publicly available data. They suggest that using SpikeStrip would significantly reduce abuse if implemented by social network providers.
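To make the idea of per-user URL tokens combined with rate limiting concrete, here is an added sketch of the general technique; it is not code from the SpikeStrip paper or from this post, and the key, window, request budget, and all function and class names are assumptions.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service uses a random secret
WINDOW_SECONDS = 60                   # assumed length of the rate-limit window
MAX_REQUESTS = 3                      # assumed per-user budget inside one window


def make_link(user_id: str, path: str) -> str:
    """Return a URL for `path` whose token is only valid for `user_id`."""
    # NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    msg = f"{user_id}\0{path}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{path}?t={tag}"


class Gatekeeper:
    """Checks the per-user token on each URL and meters each user's requests."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = {}  # user_id -> timestamps of accepted requests

    def fetch(self, user_id: str, url: str) -> str:
        path, _, token = url.partition("?t=")
        expected = make_link(user_id, path).partition("?t=")[2]
        # A link harvested by one account and replayed from another, or a
        # URL built by guessing, fails here, so a crawler cannot spread its
        # requests across many accounts to stay under the limit.
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return "rejected"
        now = self.clock()
        recent = [t for t in self.hits.get(user_id, []) if now - t < WINDOW_SECONDS]
        self.hits[user_id] = recent
        if len(recent) >= MAX_REQUESTS:
            return "throttled"
        recent.append(now)
        return "ok"


if __name__ == "__main__":
    gate = Gatekeeper()
    link = make_link("alice", "/profile/42")  # constructed sample user and path
    for user in ("alice", "bob", "alice", "alice", "alice"):
        print(user, gate.fetch(user, link))
```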
The last paper with privacy implications was "Prediction Promotes Privacy in Dynamic Social Networks" by Smriti Bhagat, Graham Cormode, Balachander Krishnamurthy, and Divesh Srivastava. The goal of this research was to determine how the richly detailed information contained within social networking sites can be used by researchers without compromising users' privacy. They explored different models for sanitizing the data to provide a realistic representation of users' behavior while protecting their identities.
The last paper made me sad because the researchers are far more concerned with the privacy and identity of social network users than both the providers of these services and many of the people who use them. I encourage social media companies to look at this research and use methods like those proposed to share data with their partners.