Location-Aware Mobile Social Network Systems

These days, hundreds of millions of people are connected through location-aware mobile social network (LAMSN) systems. These are a major platform for communication and interaction between users, who share a huge amount of information with each other as well as with service providers and application developers. This rapidly growing environment has given rise to new privacy and security requirements and implications that are not completely understood.

Privacy and Security Challenges in LAMSN Environments

Mobile social networking has risen to a level that has never before been seen. One of the most significant barriers to consumer adoption of location-aware services, such as LAMSN systems, is privacy concerns. While many of us dislike the idea that our location is always known by someone, and that this location information may be broadcast to many people, this becomes a small detail when the latest mobile app or feature comes up.

According to a study conducted at the University of Colorado at Boulder, entitled “Solutions to Security and Privacy Issues in Mobile Social Networking,” there are three classes of privacy and security problems associated with mobile social network systems:

  1. Direct anonymity issues
  2. Indirect or K-anonymity issues
  3. Eavesdropping, spoofing, replay and wormhole attacks

Although these are issues that exist in other environments, they also present unique challenges in the environment of mobile social network systems.

Direct Anonymity Issues

The model upon which mobile social network systems are based offers relatively little protection for users’ privacy. Such systems require users to allow access to their social network profile information, while at the same time associating that information with their identity. This means that users can be tracked if someone logs the date and time at which each device (mobile or stationary) detects the user’s social network ID. These logs can be compiled to create user histories, seriously compromising an individual’s privacy.

Issues that directly compromise a user’s anonymity (such as the one described above) are referred to as direct anonymity attacks. These are possible in both peer-to-peer (P2P) and client-server mobile social network systems.

Indirect or K-Anonymity Issues

One of the largest challenges in working in this environment is being able to support complex mobile social networking applications that utilize personal information, without compromising the anonymity of the users providing the information. Even if users don’t directly provide personal information, they do offer social network information (e.g. preferences) that might be mapped back to the individual’s identity.

Indirect anonymity issues arise when a piece of information indirectly compromises a user’s identity. For instance, if a list of a user’s favorite movies is given out, this information might be easily mapped back to the user.

The K-anonymity problem arises when n pieces of information or n sets of related information can be used together to uniquely map back to a user’s identity. From there, if a set of information can only be mapped to a set of k or fewer sets of users, the user’s anonymity is still compromised to a degree related to k. Experts argue that addressing the K-anonymity problem is important because it would offer users a way to take advantage of new mobile social network applications without compromising their privacy.

The K-anonymity issue applies to both P2P and client-server mobile social network systems, as they both involve sharing a user’s social network profile data with other users within those systems.
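
The following is an added example, not code from the study or from this article: it measures how many users remain indistinguishable (k) when a given combination of preference fields is disclosed, and finds the smallest combinations that single a user out. The profile data, field names and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample profiles (not real data): user -> shared preferences.
PROFILES = {
    "u1": {"movie": "Alien", "music": "jazz", "team": "Rockies"},
    "u2": {"movie": "Alien", "music": "jazz", "team": "Broncos"},
    "u3": {"movie": "Alien", "music": "rock", "team": "Rockies"},
    "u4": {"movie": "Heat", "music": "jazz", "team": "Rockies"},
    "u5": {"movie": "Heat", "music": "rock", "team": "Broncos"},
}

def anonymity_set(profiles, disclosed):
    """Users whose profile matches every disclosed field value."""
    return sorted(u for u, p in profiles.items()
                  if all(p.get(f) == v for f, v in disclosed.items()))

def k_for_release(profiles, user, fields):
    """k = number of users indistinguishable from `user` on these fields."""
    disclosed = {f: profiles[user][f] for f in fields}
    return len(anonymity_set(profiles, disclosed))

def smallest_identifying_sets(profiles, user):
    """Smallest field combinations that reduce the anonymity set to k == 1."""
    fields = sorted(profiles[user])
    for n in range(1, len(fields) + 1):
        hits = [c for c in combinations(fields, n)
                if k_for_release(profiles, user, c) == 1]
        if hits:
            return hits
    return []  # user is never unique, even with every field disclosed

def safe_to_release(profiles, user, fields, k_min):
    """Policy check: disclose only if at least k_min users share the values."""
    return k_for_release(profiles, user, fields) >= k_min

if __name__ == "__main__":
    for user in ("u1", "u5"):
        print(user, "unique via:", smallest_identifying_sets(PROFILES, user))
    print("u1 movie only, k>=3:", safe_to_release(PROFILES, "u1", ["movie"], 3))
    print("u1 movie+music, k>=3:",
          safe_to_release(PROFILES, "u1", ["movie", "music"], 3))
```

Each single field leaves every user in a group of at least two, yet two fields together are enough to identify u5, which is why a release check has to be run on the combination being disclosed rather than on each field separately.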

Eavesdropping, Spoofing, Replay & Wormhole Attacks

If a user’s social network ID has been intercepted in a P2P mobile social network system, it can then be used to mount various types of attacks, described below:

  • Spoofing attack – A malicious user masquerades as the user whose ID was intercepted by simply sending the intercepted ID to mobile/stationary devices that request the user’s social network ID.
  • Replay attack – The compromised user’s ID is maliciously repeated and thus used to perform the spoofing attack.
  • Wormhole attack – A type of replay attack. Wireless transmissions are captured on one end of the network and replayed on another end.
  • Eavesdropping – Malicious users can eavesdrop through the wireless network, or on information transmitted when a device requests a user’s social network profile information from a social network server. In both cases, malicious users could intercept a user’s social network ID, thus compromising the user’s privacy.

Summary

This article takes a look at location-aware mobile social networks (LAMSNs) and the privacy and security concerns inherent in these environments. The article examines three classes of privacy and security problems associated with mobile social network systems: 1) Direct anonymity issues; 2) Indirect or K-anonymity issues; and 3) Eavesdropping, spoofing, replay and wormhole attacks.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Data accountability (I.C.b.)
  • Purpose and uses of PII (I.C.c.)
  • Business use of mobile services (I.C.f.ii.)
  • Internal data processing – primary and secondary uses (I.F.a.i.)
  • Location-based services (VI.C.)