Security needs to be rigorous in its technical implementation, but the education of users is also of great importance.

The basic requirements are:

  • Registration – needs to ensure that anyone can register, but in a way that prevents or minimises the chances of masquerading.
  • Establishment of Identity – The service should utilize an Identity Provider (IdP) to enable users to be authenticated and thence make use of the service as an identified registered user.
  • Secured authentication – access to accounts needs to ensure a certain degree of security. The basic mechanism will use passwords. Multi-factor authentication using means such as tokens and biometrics will be considered. Support should be provided for OAuth 2.0 (http://tools.ietf.org/html/rfc6749) and/or OpenID Connect (http://openid.net/connect/faq/).
  • User education: password guidance will be issued; the enforcement of strong passwords will be considered.
  • Data security – passwords need to be stored as securely as possible using an architecture that has several levels of defence. Personal data relating to profiles also needs to be stored as securely as possible.
  • Authorisation – the system as a Service Provider (SP) should ensure that users only access what they are entitled to. Safeguards are needed to ensure that information shared with selected parties, e.g. content syndicated to people of a particular relationship type, does not leak out to others. It is proposed to use the OAuth 2.0 Authorization Framework.1
  • Some basic education in security and the safeguarding of privacy – users should always be careful about divulging personal details. The new relationship model should help to make this easier, but guidance should still be provided2.
  • The system itself should help protect against phishing and limit the potential damage of worms and other contagious malware.
  • In support of the previous item, Sigala may observe a policy of not allowing logins through third-party sites; Sigala should not provide ‘friend finder’ services that invite the user to enter credentials belonging to a third-party service.
  • This is critical regarding passwords; due to its very open network, Facebook has already been the target of tens of thousands of password thefts through viral malware.3 The focus in Sigala will be a bit different: whilst distribution may not be so widespread due to separation of concerns, there is a need to pay even more attention to user security (caution) due to the network’s greater emphasis on trust. The system should anonymously monitor such file references.
  • Similarly, protection against social engineering may include tests against social bots to guard against impersonation of real people.
  • Several factors in Sigala SNS’ design would counter this:
    i) its focus on more meaningful friendship, with more awareness and scrutiny of why one connects, the nature of the relationship and attention to behaviour;
    ii) its requirements on mutuality for validation;
    iii) its degrees of access according to the strength of a tie (established over time), which would firstly reduce the risk of succumbing to an invitation in the first place and, if a connection is accepted, would limit the potential damage done.
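
The Authorisation requirement and factors ii) and iii) above can be read as a single deny-by-default check, sketched here as an added example (not Sigala's own code). The names `Tie`, `Relationship`, `Item`, `can_view` and `visible_titles`, the three tie levels and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tie(IntEnum):            # hypothetical tie-strength levels, weakest first
    NEW = 1
    ESTABLISHED = 2
    CLOSE = 3

@dataclass(frozen=True)
class Relationship:
    kind: str                  # relationship type, e.g. "family"
    tie: Tie                   # strength established over time
    owner_confirmed: bool      # both flags must be set: mutuality
    viewer_confirmed: bool

@dataclass(frozen=True)
class Item:
    owner: str
    title: str
    audience: frozenset        # relationship types the owner syndicated to
    min_tie: Tie               # weakest tie allowed to see the item

def can_view(viewer, item, rels):
    """Deny by default. rels maps (owner, viewer) -> Relationship."""
    if viewer == item.owner:
        return True
    rel = rels.get((item.owner, viewer))
    if rel is None:
        return False           # no relationship at all
    if not (rel.owner_confirmed and rel.viewer_confirmed):
        return False           # one-sided claim is not a validated tie
    if rel.kind not in item.audience:
        return False           # wrong relationship type: no leak across types
    return rel.tie >= item.min_tie

def visible_titles(viewer, items, rels):
    return [i.title for i in items if can_view(viewer, i, rels)]

# Constructed sample data, for illustration only.
RELS = {
    ("alice", "bob"): Relationship("family", Tie.CLOSE, True, True),
    ("alice", "carol"): Relationship("colleague", Tie.NEW, True, True),
    ("alice", "mallory"): Relationship("family", Tie.CLOSE, False, True),
}
ITEMS = [
    Item("alice", "holiday photos", frozenset({"family"}), Tie.ESTABLISHED),
    Item("alice", "team notice", frozenset({"colleague"}), Tie.NEW),
    Item("alice", "project draft", frozenset({"colleague"}), Tie.ESTABLISHED),
]
```

In the sample data, "mallory" claims a close family tie that the owner never confirmed, so nothing is released to that account, and a newly formed colleague tie sees only the item whose minimum tie is the lowest level.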

Among other significant factors that impinge on security and privacy is commercial access, particularly to personal profiles. Concerns long expressed by security experts4 have only lately been acted on with appropriate authority. These concerns can be mitigated by first identifying commercial users, making them explicit to users, anonymising profiles delivered to commercial parties, and by ensuring greater use of aggregate data.

In order to really address potential human violations, we extend our treatment to personal safety.

Notes

1 An alternative for federated authorisation that seems less well supported, but may also be worth considering, is OpenID Attribute Exchange: OpenID Attribute Exchange 1.0 – Final, OpenID.net
http://openid.net/specs/openid-attribute-exchange-1_0.html

2 See e.g. SOPHOS Facebook Security best practices – Profile Information
http://www.sophos.com/security/best-practice/facebook/profile-information.html

3 BBC News 5 January 2012. Worm steals 45,000 Facebook passwords, researchers say http://www.bbc.co.uk/news/technology-16426824

4 See e.g. Mark Ward. Bruce Schneier warns ‘profits killing personal privacy’, BBC News, 12 October 2010. http://www.bbc.co.uk/news/technology-11524041