Privacy issues in social networking systems (SNSs) can be complex. For example, on Facebook, privacy issues may include whether users should be able to specify who can discover their friends; who can learn which posts they “like”; and who can see their individual posts.
The current privacy settings of SNSs, especially Facebook, are not clearly described to users. Networks sometimes change policies without informing users. Furthermore, the policies typically do not enable users to protect their privacy.
This paper proposes an approach to formally reason about the completeness of privacy control policies. The notion of completeness ensures that every piece of user information can be protected. The authors use OWL, a web ontology language, to model SNS information as a set of users, digital objects, and data values that are related to each other by relationships. The sensitive information that needs to be protected is then represented as properties between two individuals or between an individual and a data value. The owners of each endpoint of each property are eligible to define a privacy policy for that property. Permissions are then defined by a set of protected resources and the corresponding action(s).
The paper describes a model of concepts and properties for Facebook and gives several examples of privacy control permissions for it. Facebook's system permissions are also presented in the notation described. Ideally, the control permissions should let a user control every relationship about that user: both properties that relate directly to the user and properties that relate to digital objects owned by the user. Facebook clearly does not satisfy this requirement.
Using the model, the authors are able to identify missing permissions in Facebook, including: “Who can see that I have tagged someone?”, “Who can see that I have liked something?”, “Who can see my comment on someone else’s post?”, and “Who can see if I am friends with someone?” These gaps show the importance of formal reasoning about complex privacy situations.
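
The completeness notion described above can be sketched as a coverage check: every property must be protectable by the owner of each of its endpoints. The following is an added example, not code or notation from the paper; it replaces OWL with plain Python data classes, and the property names, owner roles and settings are constructed for illustration and do not reproduce Facebook's actual schema or settings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Property:
    name: str        # relationship between two individuals, or individual and value
    owners: tuple    # roles owning each endpoint; each may define a policy

@dataclass(frozen=True)
class Permission:
    setting: str           # privacy question shown to the user
    controller: str        # owner role that answers it
    resources: frozenset   # names of the protected properties
    actions: frozenset     # actions the setting governs, e.g. {"read"}

def missing_controls(properties, permissions, action="read"):
    """(property, owner) pairs that no permission lets that owner protect."""
    covered = {(res, p.controller) for p in permissions
               if action in p.actions for res in p.resources}
    return sorted((prop.name, owner) for prop in properties
                  for owner in set(prop.owners)
                  if (prop.name, owner) not in covered)

def is_complete(properties, permissions, action="read"):
    """A policy set is complete when no (property, owner) pair is uncovered."""
    return not missing_controls(properties, permissions, action)

# Constructed toy model (assumption): not Facebook's real schema or settings.
PROPERTIES = [
    Property("posts", ("author", "author")),
    Property("likes", ("liker", "post_owner")),
    Property("tags", ("tagger", "tagged_user")),
    Property("commentsOn", ("commenter", "post_owner")),
    Property("isFriendOf", ("user", "friend")),
]
PERMISSIONS = [
    Permission("Who can see my posts?", "author",
               frozenset({"posts"}), frozenset({"read"})),
    Permission("Who can see comments on my posts?", "post_owner",
               frozenset({"commentsOn"}), frozenset({"read"})),
]

if __name__ == "__main__":
    for name, owner in missing_controls(PROPERTIES, PERMISSIONS):
        print(f"no setting lets the {owner} control who can read '{name}'")
```

In this toy model the uncovered pairs correspond to the kinds of gaps the review lists: the commenter, liker, tagger and either friend have no setting of their own, even where the other endpoint's owner does.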