Access Control Policy Misconfiguration Detection in Online Social Networks

Cited by: 8
Authors
Javed, Yousra [1]
Shehab, Mohamed [1]
Affiliations
[1] Univ N Carolina, Coll Comp & Informat, Charlotte, NC 28223 USA
Source
2013 ASE/IEEE INTERNATIONAL CONFERENCE ON SOCIAL COMPUTING (SOCIALCOM) | 2013
Keywords
Policy; Access Control; Privacy; Social Network;
DOI
10.1109/SocialCom.2013.82
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
The ability to stay connected with friends online and share information has accounted for the popularity of online social networking websites. However, the overwhelming task of access control policy management for information shared on these websites has resulted in various mental models of sharing with a false sense of privacy. The misalignment between a user's intended and actual privacy settings causes access control misconfigurations, raising the risk of unintentional privacy leaks. In this paper, we propose a scheme to extract the user's mental model of sharing, enhance this model using information learned from their existing policies, and enable them to compose misconfiguration-free policies. We present the possible misconfiguration patterns based on which we scan the Facebook user's access control policies. We implemented a prototype Facebook application of our scheme and conducted a pilot study using Amazon Mechanical Turk. Our preliminary results show that the users' intended policies were significantly different than their actual policies. Our scheme was able to detect the misconfiguration patterns in album policies. However, the reduction in the number of misconfigurations after using our approach was not significant. Participants' perceptions of our proposed policy misconfiguration patterns and the usability of our scheme were positive.
Pages: 544-549
Number of pages: 6