Track: Social networks
Session Chair: Rachel Greenstadt
- An Analysis of the Current State of the Consumer Credit Reporting System in China
- CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks
- A Privacy-Focused Systematic Analysis of Online Status Indicators
- Identifying Influential Spreaders in a Social Network (While Preserving Privacy)
An Analysis of the Current State of the Consumer Credit Reporting System in China
Mo Chen (Technical University of Munich) and Jens Grossklags (Technical University of Munich)
Summary: The Chinese Social Credit System (SCS), known as the first national digitally-implemented credit rating system, consists of two parallel arms: a government-run and a commercial one. The government-run arm of the SCS, especially efforts to blacklist and redlist individuals and organizations, has attracted significant attention worldwide. In contrast, the commercial part has been less often in the public spotlight except for discussions about Zhima Credit. The commercial arm of the SCS, also referred to as the Consumer Credit Reporting System (CCRS), has been under development for about two decades and took a major step forward in 2015 when 8 companies were granted permission to implement pilot consumer credit reporting programs. This development fundamentally increased the reach and impact of the SCS due to these companies’ sizable customer base and access to vast troves of consumer-related information. In this paper, we first map the Chinese CCRS to understand the actors in the credit reporting ecosystem. Then, we study 13 consumer credit reporting companies to examine how they collect and use personal information. Based on the findings, we discuss the relationship between the CCRS and the SCS including the changes in the power relationships between the government, consumer credit reporting companies and Chinese citizens.
CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks
Shehroze Farooqi (The University of Iowa), Maaz Musa (The University of Iowa), Zubair Shafiq (The University of Iowa), and Fareed Zaffar (Lahore University of Management and Sciences)
Summary: Online social networks support a vibrant ecosystem of third-party apps that get access to personal information of a large number of users. Despite several recent high-profile incidents, methods to systematically detect data misuse by third-party apps on online social networks are lacking. We propose CanaryTrap to detect misuse of data shared with third-party apps. CanaryTrap associates a honeytoken to a user account and then monitors its unrecognized use via different channels after sharing it with the third-party app. We design and implement CanaryTrap to investigate misuse of data shared with third-party apps on Facebook. Specifically, we share the email address associated with a Facebook account as a honeytoken by installing a third-party app. We then monitor the received emails and use Facebook's ad transparency tool to detect any unrecognized use of the shared honeytoken. Our deployment of CanaryTrap to monitor 1,024 Facebook apps has uncovered multiple cases of misuse of data shared with third-party apps on Facebook including ransomware, spam, and targeted advertising.
A Privacy-Focused Systematic Analysis of Online Status Indicators
Camille Cobb (Carnegie Mellon University), Lucy Simko (University of Washington), Tadayoshi Kohno (University of Washington), and Alexis Hiniker (University of Washington)
Summary: Online status indicators (or OSIs, i.e., interface elements that communicate whether a user is online) can leak potentially sensitive information about users. In this work, we analyze 184 mobile applications to systematically characterize the existing design space of OSIs. We identified 40 apps with OSIs across a variety of genres and conducted a design review of the OSIs in each, examining both Android and iOS versions of these apps. We found that OSI design decisions clustered into four major categories, namely: appearance, audience, settings, and fidelity to actual user behavior. Less than half of these apps allow users to change the default settings for OSIs. Informed by our findings, we discuss: 1) how these design choices support adversarial behavior, 2) design guidelines for creating consistent, privacy-conscious OSIs, and 3) a set of novel design concepts for building future tools to augment users’ ability to control and understand the presence information they broadcast. By connecting the common design patterns we document to prior work on privacy in social technologies, we contribute an empirical understanding of the systematic ways in which OSIs can make users more or less vulnerable to unwanted information disclosure.
Identifying Influential Spreaders in a Social Network (While Preserving Privacy)
Varsha Bhat Kukkala (Indian Institute of Technology Ropar) and S.R.S. Iyengar (Indian Institute of Technology Ropar)
Summary: In order to disseminate information in a social network, it is important to first identify the influential spreaders in the network. Using them as the seed spreaders, the aim is to ensure that the information is cascaded throughout the network. The traditional approach to identifying influential nodes is to determine the top-r ranked nodes in accordance with various ranking methods such as PageRank, k-Shell decomposition, ClusterRank and VoteRank. In the current work, we study the problem of ranking the nodes when the underlying graph is distributedly held by a set of individuals, who consider their share of the data as private information. In particular, we design efficient secure multiparty computation (MPC) protocols for k-Shell decomposition, PageRank and VoteRank. For improved efficiency, we employ the oblivious RAM construct in conjunction with efficient data-oblivious graph data structures. We are the first to propose a secure variant of the VoteRank algorithm. We prove that the proposed protocols are asymptotically more efficient and have lower runtime in practice than the previous best known MPC protocols for computing k-Shell decomposition and PageRank centrality scores.