
Summary of On the Leakage of Personally Identifiable Information Via Online Social Networks

Balachander Krishnamurthy, Craig E. Wills
Total number of words: 680
Anupama Aggarwal {MT10002}
August 17, 2012

Motivation
Personally Identifiable Information (PII) is information about a person that is unique to that individual and can be used to trace their identity. PII can either be used alone or linked with other information about the user to identify that person. With the popularity and prevalence of Online Social Networks (OSNs), people are putting more and more information about themselves on the Internet. However, the information which users provide may be visible to more than just their friends on these OSNs. There has also been an increase in the use of third-party applications to aggregate user activity data on OSNs. These third-party servers can leak information that users provided on OSNs.

Problem Statement
The key question this study tries to answer is whether the PII of a user present on a social media site is being leaked to third-party servers via the OSN itself.

Leakage Detection Methodology


This study involves analysis of 12 OSNs, viz. Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter and Xanga. The pieces of PII whose availability to non-friends was under study in these OSNs included photo, location, name, zip code etc. The authors used the Live HTTP Headers extension for the Firefox browser to capture the HTTP header information exchanged with each of the 12 OSNs studied. After capturing the HTTP headers, the authors analyzed the Referrer header, the Request-URI and cookies to check whether the OSN identifier is leaked to third-party aggregators.

Results
Types of PII leakage: The authors identified four types of PII leakage:

transmission of the OSN identifier of a user to a third party via the OSN

transmission of the OSN identifier of a user to a third party via external applications

transmission of some pieces of PII to third-party servers

linking of PII leakage with other information about the user within and beyond the OSN

Leakage of OSN identifier: The Referrer header leaks the Facebook id to doubleclick.net. The authors observed that 11 out of 12 OSNs had their user id leaked to the third party applications via the OSN itself.

Leakage via external applications: The authors show that the Facebook identifier was leaked to socialmedia.com via the Request-URI and Cookie. Similarly, other OSNs like MySpace also had their ids leaked via external applications.

Leakage of pieces of PII: The authors observed leakage of age, gender, zip and email via the Request-URI and cookie to ad.hi5.com, which is a DNS alias for a yieldmanager.com (Yahoo) server. This third-party server is hidden and information is passed without user consent. The authors also observed direct PII leakage for 2 out of 12 OSNs.

Linking PII leakage: When users visit another website while logged into the OSN, the cookie for that external website has some information from the cookie for the OSN session. This way, third-party servers are able to link users to web accesses which they may not like to share with anybody.
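The header check from the methodology, applied to the leak channels listed in these results, as an added example that is not code from the paper or from this summary. The hostnames, the identifier, the alias table and the capture are all constructed; the alias table stands in for a DNS lookup so that a first-party-looking alias, like the ad.hi5.com case above, is classified by its canonical name.

```python
from urllib.parse import unquote

OSN_ID = "1234567890"            # constructed identifier of the test account
FIRST_PARTY = ("osn.example",)   # hypothetical OSN domain
# Constructed DNS alias data: hostname -> canonical name (CNAME target).
ALIASES = {"ad.osn.example": "srv.adnetwork.example"}

# Constructed capture, one dict per outgoing request (not data from the paper).
CAPTURE = [
    {"host": "www.osn.example", "uri": "/profile.php?id=1234567890",
     "headers": {"Cookie": "session=abc"}},
    {"host": "ads.tracker.example", "uri": "/pixel.gif?sz=1x1",
     "headers": {"Referer": "http://www.osn.example/profile.php?id=1234567890"}},
    {"host": "apps.widget.example", "uri": "/load?uid%3D1234567890",
     "headers": {"Cookie": "osnuser=1234567890; t=1"}},
    {"host": "ad.osn.example", "uri": "/st?age=29&zip=12345",
     "headers": {"Cookie": "u=1234567890"}},
    {"host": "cdn.static.example", "uri": "/logo.png",
     "headers": {"Referer": "http://www.osn.example/home"}},
]

def is_third_party(host, first_party=FIRST_PARTY, aliases=ALIASES):
    """Classify by canonical name so a first-party-looking alias is not trusted."""
    host = host.lower().rstrip(".")
    host = aliases.get(host, host)
    return not any(host == d or host.endswith("." + d) for d in first_party)

def find_leaks(capture, osn_id):
    """Return (host, channel) pairs where osn_id reaches a third-party host."""
    leaks = []
    for req in capture:
        if not is_third_party(req["host"]):
            continue
        headers = {k.lower(): v for k, v in req["headers"].items()}
        channels = {
            "Referer": headers.get("referer", ""),
            "Request-URI": req["uri"],
            "Cookie": headers.get("cookie", ""),
        }
        for name, value in channels.items():
            # Match raw and percent-decoded text; opaque encodings are out of scope.
            if osn_id in value or osn_id in unquote(value):
                leaks.append((req["host"], name))
    return leaks

if __name__ == "__main__":
    for host, channel in find_leaks(CAPTURE, OSN_ID):
        print(f"{host}: OSN identifier sent via {channel}")
```
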

Takeaways from the paper


The paper deals with the problem of information leakage beyond the privacy control settings. It shows how HTTP requests and session cookies can cause information leakage. After reading this paper one can make sense of why, for example, they see a pizza advertisement on an external website after visiting the Pizza-Hut page on Facebook. The paper does an in-depth analysis of all possible scenarios of information leakage through OSNs via external applications and the poor HTTP transfer protocols of the OSNs.

Assumptions and Limitations


The study does not take into consideration all the possible HTTP headers but only focusses on the Referrer HTTP header and cookies. The authors did not study users' login identifiers via referrer headers. A login identifier can give away the login credentials of a user. This study does not include analyzing opaque strings in HTTP headers, which are harder to decode but can still be a threat to information leakage.

Conclusion
The authors conclude that there exists an indirect leakage of PII via OSNs to third-party agents. External applications, which have become very prevalent on OSNs like Facebook, also leak information. OSNs should have a policy of hiding the OSN identifier of a person so that it cannot be exploited.