Many of us have privacy concerns when it comes to our online social networks others are not worried that their statements, photos, videos and personal data can be seen by the service provider, other users with which we might not wish to share information and malicious hackers. At first sight, it might seem that protection is not possible, after all our data has to go through the service provider’s computer systems if it is to be shared with our legitimate contacts.
However, computer scientists in Hong Kong have devised a system for encrypting updates that acts as an additional layer above a user password so that only our friends and select connections can see our updates and photos; even the social network provider cannot access the content without our choosing to give it the encryption key. The team has demonstrated proof of principle on the most popular and well known online social networks, Facebook.
Writing in the International Journal of Computational Science and Engineering, Roman Schlegel and Duncan Wong of City University of Hong Kong in Kowloon, express their concern for the unprecedented amount of personal information we inadvertently share with third parties on social networking sites. They point out that providers offer their users little protection from prying eyes and by virtue of the structure of the sites, the provider always has access to your information, whether you would prefer it to or not.
The team explains that software solutions have been developed that can protect one’s data on social networking sites but this usually involves encrypting the data and sending it through a third-party server. This increases the computational overhead required to use a site as well as risking security breach on an additional system. As such, Schlegel and Wong have devised a new broadcast encryption scheme with two very important features that make it a viable option for privacy conscious users of Facebook and its ilk. First, the scheme allows the user to grant permission to only specific users and nobody else, not even the service provider and thus none of its external associates. Secondly, the scheme does not require an independent server for its normal operation, although an encryption/decryption server must be accessed on first registration in order to use the system.
Fundamentally, the plug-in transparently encrypts information posted to a social networking site before the user hits send, so that only the user’s friends can access it. Conversely, the plug-in decrypts content posted by the user’s friends only once the encrypted content has been downloaded to the user’s computer. Rather than requiring users to share encryption keys the encryption process uses the friend’s username, email address or other identity to encrypt the message so that only they can access it once logged in.
When Alice wants to post a message on her wall, for example, she simply enters the desired message in the input box, and clicks ‘Post’ as usual. The plug-in intercepts her post before it is sent to the site, it then fetches her authorized friends list – Janet, Jack and Jill and uses broadcast encryption to encrypt the post as ciphertext using their identities, then and only then does it post it to Alice’s wall. To anyone but Alice’s friends the message on her wall is unintelligible, encrypted ciphertext. But, when Janet, Jack and Jill fire up their browser to check Alice’s updates, the plug-in grabs this ciphertext from her wall and uses the broadcast decryption system to decipher the message.
Only Alice’s friends can see the deciphered message, non-friends, the service provider, members of the public, hackers and spies will see only unintelligible ciphertext. The team has tested a prototype web browser plug-in on Facebook and found it to be feasible, scalable and practical. They suggest that the same plug-in might be employed to protect content on Twitter, Google+ and other social networking sites.
Schlegel, R. and Wong, D.S. (2015) ‘Private friends on a social networking site operated by an overly curious SNP’, Int. J. Computational Science and Engineering, Vol. 10, No. 3, pp.281–292