An Access Control Model for Facebook-Style Social Network Systems
Date
2010-07-02T20:08:24Z
Abstract
Recent years have seen unprecedented growth in the popularity of social network systems,
with Facebook being an archetypical example. The access control paradigm behind the privacy
preservation mechanism of Facebook is distinctly different from such existing access control
paradigms as Discretionary Access Control, Role-Based Access Control, Capability Systems,
and Trust Management Systems. This work takes a first step in deepening the understanding of
this access control paradigm, by proposing an access control model that formalizes and generalizes
the access control mechanism of Facebook. The model can be instantiated into a family
of Facebook-style social network systems, each with a recognizably different access control
mechanism, so that Facebook is but one instantiation of the model. We also demonstrate that
the model can be instantiated to express policies that are not currently supported by Facebook,
and yet these policies possess rich and natural social significance. Among these policies, we
formally identify and characterize a special family of policies known as relational policies,
which base their authorization decisions on the dynamic relationship between the resource
owner and accessor. We believe the family of relational policies is a unique feature of social
network systems. An executable encoding of this model has been developed to support experimentation
with various instantiations of our access control model. This work thus delineates
the design space of access control mechanisms for Facebook-style social network systems, and
lays out a formal framework for policy analysis in these systems.
Keywords
Access control, social network system