Social Network applications are gaining momentum. However, equally important, privacy is being shown a crucial requirement. Nowadays, privacy preferences on Social Network applications consist only on allowing or restricting access to information based on attributes of users who are part in the very same network. This paper tries to enhance privacy and provide automatic reactions to events via a very exible speci cation of privacy policies and the reasoning associated to them. In our approach it is possible to include Social Semantic data exposed on the Web into the policy de nition and reasoning process. We introduce the notion of reactive Semantic Web policies o ering higher control of the communications and interactions among Social Network applications and/or its users. We also present SPoX (Skype Policy Extension), which is an implementation that allows policy-driven behaviour control based on the Social Network and communication software Skype, including the capacity of automatically react in certain situations based on user-de ned reactive policies such as, for instance, to automatically deny or let through Skype calls and messages based on existing online Social Web data.
about which noti cation they are interested in and which message or who is allowed to approach them in certain ways and contexts.
Such privacy preferences are typically limited in several respects. Stating for one
Social Network application that only friends are allowed to leave wall posts in my pro le
does not cover people de ned as friends on another application. Skype, as an example,
is only aware of contacts explicitly listed in Skype. Consequently, it may happen that a
call from someone who is a friend on Twitter or listed in one's FOAF5 pro le is blocked.
This only happens because one did not explicitly (and redundantly) add the caller as a
Skype contact. Generally speaking, any kind of social data that can be gathered from
the Web shall be considered for such decisions. Recent studies for mobile phone usage
actually show that disturbance of messages heavily depends on the social context of
their origin [
In this paper we propose to incorporate Social Web data into the evaluation of privacy preferences and, more generally speaking, into the de nition of behaviour control of Social Network applications. We base our approach on a reactive extension of Semantic Web policies. We describe a language expressing such policies and an algorithm to evaluate them. With this language, policy decisions can be made based on concepts de ned by di erent social aspects; that is, by using logic rules, new concepts can be built from formerly isolated Social Web concepts. We further describe an implementation of this language and our prototype SPoX (Skype Policy Extension)9. SPoX is an extension to Skype clients that allows users to easily specify policies that can, for example, express who is allowed to approach the user under which conditions. With SPoX a user can state that only friends on Twitter and Flickr or people listed in the user's FOAF pro le are allowed to call and calls from all other users are automatically blocked and turned into a chat. For evaluating policies, SPoX is able to consider context information like time and online status of the user as well as social data about other users that is exposed on the Semantic Web or accessible via APIs of proprietary Social Network applications. Based on this information, SPoX automatically reacts to events in Skype's Social Network according to user-de ned reactive policies.
In summary, the contributions of this paper are: 1. integration of social data into logic-based policies thus extending the expressiveness of privacy preferences and behaviour control in Social Network applications by crossing the borders of on-line Social Networks, 5 Friend-Of-A-Friend, http://www.foaf-project.org 6 Semantically-Interlinked Online Communities, http://sioc-project.org 7 available for example in an Sparql Endpoint such as dblp.L3S.de/d2r/ 8 Description-Of-A-Project, http://trac.usefulinc.com/doap 9 downloads and screencast at www.L3S.de/ kaerger/SPoX 2. an extension of Semantic Web policies with events and triggers to adapt to the reactive nature of interactions and communication happening on nowadays Social Web, 3. an implementation of a exible policy engine that handles such reactive policies; and SPoX, a prototypical extension for Skype clients, that allows a user to easily specify policies and evaluates and reason over them to automatically drive the behaviour of Skype accordingly.
This paper is structured as follows. We rst motivate the usage of reactive policies in Section 2 by naming a set of potential useful policies. In Section 3 we provide background information on policies and negotiations. Section 4 introduces our proposed language and how it connects to the Social Web. There, we further discuss the possibilities to identify entities across the borders of Social Networks. An implementation is described in Section 5 and some related work is mentioned in Section 6. Finally, we conclude the paper with discussions about open issues and future work in Section 7. 2
To showcase our approach throughout the paper, we list here a set of simple preferences controlling the ow of messages and the disclosure of information in the context of Social Network applications. (A) Do not accept Skype calls unless the caller is either in my contact list or listed as friend in one of my Social Network pro les. For all other people calling me, cancel the call and open a chat. (B) Show noti cations about emails arriving and contacts going on-line on Skype only if the origin is either in my family group on ickr or in my family category on Skype. Never show such noti cations if my computer is in presentation mode. (C) Do not allow wall posts on my facebook pro le that contain one of a speci ed list of bad words. (D) Automatically accept friend requests on any platform if I ever wrote a paper with the requester or if the requester's website is a blog I regularly comment on. (E) Only people that attended the conference ISWC2009 are allowed to comment on this blog and to see pictures tagged with ISWC09. (F) Forward tweets from Twitter to my mobile phone if I am o ine and the author of the tweet is listed in my FOAF pro le. (G) Do not accept calls by students unless it is in my consultation hour. (H) Show this blog entry only to friends that work in my company. 3
Semantic Web policies and negotiations: Semantic Web policies [5] are declarative
statements with a well-de ned semantics expressing the behaviour of a system. A
typical use case for policies is the de nition of access control rules protecting resources
from being unintentionally accessed. For example, the policy stating that only my
colleagues are allowed to access les tagged with work may look as follows10
allow(access(F ile; U ser))
isT agged(F ile; 'work'); isColleague(U ser):
(1)
Adding the facts \isT agged('study.doc'; 'work'):" and \isColleague('Bob'):" will
make the goal \allow(access('study.doc'; 'Bob')" succeed if posed against this policy|
that is, Bob is allowed to access the document study.doc. In this paper, we follow [
Protune: We base our approach on the Protune11 (PRovisional TrUst NEgotiation) framework. Protune [6] aims at combining distributed trust management policies with provisional-style business rules and access control-related actions. Protune features an advanced policy language for policy-driven negotiation and supports distributed credential management and exible policy protection mechanisms. The Protune policy framework o ers a high exibility for specifying any kind of policy, referring to external systems from within a policy and providing facilities for increasing user awareness, like automatic generation of natural language explanations of the result of a policy's evaluation. The Protune policy language is based on logic programming and as such a Protune policy has much in common with a Logic Program (see Policy (1)). 4
As motivated in previous sections, Social Network applications are purely reactive, that is, events occur and they typically require (semi-)automatically handling by the users (or the application doing it on behalf of the user). The approach presented in this paper extends classical access/deny policies as sketched in Section 3 by the notion of events and (re-)actions thus creating so-called reactive Semantic Web policies. This extension follows the event-driven nature of Social Networks [3] that includes the reaction to interactions. Here, the classical approach of allowing or denying access does not apply anymore since communication attempts, tagging people on pictures, or posting on forums require more advanced control that observe events and trigger reactions. In the following section we introduce a policy language which is able to express simple yet powerful reactive policies. 10 Throughout this paper we will use this simpli ed logic programming syntax of policies that is also used in Protune [6]. 11 http://www.L3S.de/protune 4.1
A reactive policy language Our policy language is a straightforward extension with reactive rules to the Protune language. Such reactive rules are expressed in the common form of Event-ConditionAction rules (ECA rules [8]) written in the form ON Event IF Condition DO Action: ECA rules are interpreted according to the following standard semantics: in case Event occurs and, at the same time, Condition is evaluated to true, the action Action is performed. In the following, we detail our language, which combines standard Protune policies with reactive policies in the form of ECA rules.
Syntax: The language we developed for our approach is a superset of Protune where policy rules of the following form are allowed: (2) (3) where Aie and A(ki;j)(k 2 fc; ag) are terms12 and conditionLi(: : :) are literals, that is, they either represent conditioni(: : :) or :conditioni(: : :) for some logical atom conditioni(: : :).
Example 1. Recalling Scenario (A): a reactive policy that changes a call into a chat based on my local contact list or based on information gathered from a Social Network may look as follows:
IF :isInMyContactList(User); :isMySocialNetworkFriend(User)
By directly extending Protune we are able to combine the de nition of reactive behaviour with the declarative de nition of policies as the following example shows. Example 2. For example, the embedding of standard Protune policies allows us to further de ne what is meant by the predicate isMySocialNetworkFriend( ) that was used in Policy (3): isMySocialNetworkFriend(Person) iAmFollowingOnTwitter(Person): isMySocialNetworkFriend(Person) isMyDBLPCoAuthor(Person): (4) isMySocialNetworkFriend(Person) isFacebookFriend(Person): 12 As it is common in logic programming, variables are denoted starting with a capital letter throughout the paper.
It is important to note that, in a similar way, one may not only de ne the concept \MySocialNetworkFriend" but also \FOAF friend of a FOAF friend of mine" or \person living in my city", etc.
Semantics: The evaluation of a policy described in this language is based on the Semantics of ECA rules and (non-reactive) Protune programs (as de ned in [6]). Due to space limitations we provide the semantics of our language here in a rather informal fashion: If an event occurs it is checked for every ECA-policy if its event predicate uni es with the detected event. Based on the set of policies that matches the event, a Protune policy is constructed by replacing each matching ECA-policy ri with a non-reactive Protune policy of the following shape allow(ri) conditionL1(Ac1;1; : : : ; Ac1;m1 ); The resulting policy is queried with goal allow(r1) (see Section 3). In order to evaluate this goal, the conditions in the body of Rule (5) are evaluated following the Stable Model semantics (as it is done for standard Protune policies [6]). In case the goal succeeds, all the actions associated to r1 are executed. After the evaluation for r1 the goal allow(r2) is evaluated, and so on. It is important to note that we de ne the policy evaluation to follow the order of the reactive policy rules as they appear in the policy. Although the ordering of non-reactive Protune policies does not matters (due to the declarative nature of Stable Models), the order of the reactive policies may matter since di erent orders of action executions triggered by di erent ECA rules may have di erent e ects. This assumption follows the standard interpretation of ECA rules and also the intuitive behaviour one expects, for instance, from standard email lters like the Thunderbird Filter13. Looking at the scenarios in Section 2, a reaction to a message or to an event in the Social Network may depend on social data about my network, be it if someone is a FOAF friend (as used in Scenario (A)), a student (Scenario (G)), attended an event (E) , or with whom I wrote a paper (D). Consequently, the condition part of a reactive policy needs to retrieve such data in order to contribute to the decision about whether to execute the action or not.
Semantic Web technologies provide standards and models to make social information easily accessible. Information about users is described in standard formats like RDF, which allows to deal with the data from di erent sources in a uniform way. In addition, due to the emergence of new Web technologies in the era of Web2.0, many Social Web applications open their platforms for external developers by providing an API in order to access the platform's data. In the following section we show how to technically retrieve such social data for policy reasoning. Subsequently, we elaborate on ways how to exploit this information. 13 http://kb.mozillazine.org/Filters (Thunderbird) Connecting Protune to the Social Web. Looking back at Example 1, Policy (4), in order to evaluate the predicate iAmF ollowingOnT witter( ) it has to be connected to the actual Twitter API. For this, Protune o ers the so-called in-predicate [9, p.13], that allows to consider external data sources as given facts in the state of the knowledge base. Following this approach, Policy (4) has to be extended with the following Protune rule.
iAmFollowingOnTwitter(Person) in([Friend]; TwitterWrapper : getPeopleIAmFollowing()); (6)
Person = Friend: For the evaluation of the in-predicate, Protune requires a wrapper to be implemented that o ers a method getPeopleIAmFollowing(). The results of that method are bound to the variable Friend and, internally, for each result ri a fact is added to the policies: 'in([ri],TwitterWrapper:getPeopleIAmFollowing()).' . For our implementation the translation and replacement of such predicates is done automatically and the creation of logic programming-inspired policies is kept away from users as well and replaced by a graphical policy editor. We extended Protune with wrappers that import knowledge from arbitrary Sparql endpoints, RDF les, Twitter, Skype and Flickr (for more details, see Section 5).
Exploiting social data for policy evaluation. Guiding and controlling the behaviour of social software requires conditions for policy decisions to be based on the information which is available on the social software applications. Moreover as most people use more than one Social Platform bearing their social data, the immense volume of data available, if combined, can lead to more ne-grained policies. This data consists of personal data and Social Network information on the one hand and, on the other hand, of user-generated content, like bookmarks, tags, reviews, photos, and blogposts (the so-called object-centered Social Network [4]). Furthermore, with the advent of the Semantic Web, and the Linked Data movement14 in particular, this social data can be linked to more general concepts revealing information like what is a blog post about, in which country was a photo taken, etc.
In the policy evaluation process all this data, extracted from proprietary Social Platforms or exposed on the Semantic Web, is not isolated anymore. Once the data is retrieved, a policy reasoner can combine the retrieved data from multiple sources of the Social and Semantic Web to create advanced, ne-grained and user-adjusted policies. This is based on the observation that relationships among people are not only extracted from explicitly mentioned links in the network but \citizens form relationships and self-organize into communities around shared interests" [4] thus following the principle of augmented Social Networks [10]. Looking back to Scenario (D), I may, for example, de ne the concepts of \interest-sharers" similar to the concept \MySocialNetworkFriend" in Policy (4) in the following way: from the Skype pro le of a caller, one can retrieve her website. Based on SIOC data exposed on this website one can nd out if it is a blog I regularly comment on [11]. The second condition in Scenario (D) can be determined by a Sparql query to DBLP that delivers all published papers of a 14 http://linkeddata.org person. Based on this, it is possible to decide if a caller ever was a co-author of the person to be called.
The challenge of identi cation. Bridging the walled garden of the Social Web for policy reasoning requires a way of identifying the requester: for example, determining if a caller on Skype is a friend in one's FOAF pro le or on Facebook needs information about the caller's identity on other platforms. Our current implementation solves this problem on the one hand by negotiation: a requester is automatically asked to disclose her identity for the required platform. On the other hand, a caller's website URL given in her Skype pro le is matched against website URLs given in the FOAF pro le. We leave further elaborations on this problem to future work and just name potential solutions here. OpenID15 may be exploited to identify persons across Social Network boundaries. FOAF+SSL [12] can be used to authenticate requesters. Matching people by using further information about the requester is another option. For example, Okkam16 may provide a unique id for the requester on the Semantic Web given known attributes, Sindice17 may reveal other attributes about a person including other account ids. A query to the Google Social Graph API18 may as well deliver information about a person's identity on other platforms. 5
Our approach of controlling the behaviour of Social Network applications by exploiting social data seemed promising to be applied to the Social Network and communication tool Skype. First, Skype's privacy policies controlling who is allowed to do what are very limited: a contact of a Skype user can belong to three classes only: the user's friend, a foreigner, or a person that was blocked by the user. For example, one cannot set up ltering rules based on attributes of contacts such as to which category does a contact belong (see Scenario (B)). Moreover, the way a user is allowed to approach another cannot be ltered. For example, either both, chats and calls, are blocked or none of both (see Scenario (A)). Second, Skype o ers an API which eases the retrieval of social data about other users on the one hand and, on the other hand, it allows to easily in uence Skype's behaviour. Third, Skype o ers a channel separated from chat messages and call streams, that allows to transfer data to other peers. This is particular helpful in order to exchange negotiation messages since no additional channel has to be set up between two peers.
SPoX19[13] is a reactive policy engine that is in uencing the behaviour of a Skype client. SPoX builds on the (non-reactive) policy engine Protune and accesses Skype via the open Skype Java API20. To develop SPoX we (a) implemented a reactive extension of classical Semantic Web policies. We further extended Protune in order 15 http://openid.net/ 16 www.okkam.org 17 sindice.com 18 code.google.com/apis/socialgraph/ 19 www.L3S.de/ kaerger/SPoX 20 developer.skype.com/wiki/Java API to (b) access and reason on Semantic Web data (via Sparql endpoints or RDF les) and social data (via the proprietary Social Platform APIs of Flickr, Skype, and Twitter) and (c) to send negotiation messages over the Skype-inherent application channel21. When launching SPoX the user is presented with a small control panel for activating or de-activating SPoX and for opening the policy overview (see Figure 1). In the overview, policies can be activated and de-activated by means of the check boxes on the left, and they can be deleted or modi ed.
Gathering Social and Semantic Web data in SPoX. In order to incorporate Semantic Web data into the policy decision process of SPoX we extended Protune with a general wrapper that queries Sparql endpoints. In particular, SPoX allows to incorporate co-authorship data from DBLP's Semantic Web endpoint22. Another wrapper is able to access arbitrary RDF les, in particular to gather information about a user's contacts on Flickr23. Further Social Web data is made available to SPoX by a wrapper accessing FOAF pro les and by accessing the API of Twitter24. De ning reactive Semantic Web policies in SPoX. SPoX comes along with an easy-to-use reactive policy editor (see Fig. 2). It is inspired by the design of classical e-mail lters. On the left-hand side, events, conditions, and actions can be selected and added to the policy that is compiled on the right side. The underlined words can be changed in a pop-up that appears by clicking on them. Conditions and actions can be applied either to the initiator of the events (named \the caller" in Fig. 2) or to an arbitrary Skype user. The conditions can be changed between conjunctive and disjunctive connection (by clicking on \one of" resp. \all" ) and conditions can be negated (by clicking on \is not" resp. \is"). Not all conditions one may impose on a person approaching via Skype can be expressed by such a user interface. Therefore, SPoX allows to de ne as conditions arbitrary Protune concepts to be ful lled . This way, new concepts can be de ned and exploited for decisions SPoX has to take (as it is done in Policy (6)). SPoX allows to add such concept de nitions to the user's Protune policy via the link \Edit my Protune policies" (see Fig. 1) that opens the Protune policy editor. In a SPoX policy's condition, one can refer to these concepts by means of a special condition that allows to freely enter Protune predicates. 6
In [
In [16], Golbeck et al. present an email lter based on semantic Social Network information (trust networks). In contrast to our approach, the authors do not allow to directly access social data (like \who is my friend") to decide about trustfulness but describe how to combine available social data into a single reputation score used to rank/ lter emails.
Reactive Semantic Web policies have been mentioned already in our previous work [17]. There, reactive policies are not de ned in a single language but in a hybrid language that requires two engines to be coupled in an interleaved fashion. In the present work, we describe a single reactive policy language that does not have the drawback of requiring an interleaved interpreter. However, other policy languages that allow for events or actions are available but either they do not allow for policy negotiations or they lack a well-de ned semantics. 7
In this paper we described an approach to remove the burden of message overload in Social Network applications. We described a reactive policy language that|based 25 First described in [14]. on social data on the Web|allows to describe what kind of messages are allowed to reach the user. Using our approach we improve the user experience in Social Network applications since (1) communication requests can be handled automatically based on advanced policies (including strong and weak evidences [18], policy negotiations, etc.), (2) messages generated from the Social Platform including news feeds, tweets, etc. can be channeled based on declarative policy statements, and (3) important changes in the Social Network are more visible since they can trigger reactions (e.g., noti cations, forward messages).
To further extend this work, we are planning to perform a user study to understand how people actually use reactive policies and how easy it is to express them. We plan to extend our implementation to cater for more Social Platforms and more sources of Social Semantic Web data. Developing a more advanced policy language is on our agenda as well. A new version may include composite events, combinations of actions, and solutions for con ict detection among rules.
We are aware that open linked data is not valid for tough privacy decisions since creating a fake FOAF pro le is easy (see Scenario (F)). Therefore, we plan to study how to improve the authentication part of our solution by FOAF+SSL [12] or OpenID26. However, our approach currently takes the assumption that messages are sent by cooperative entities. 26 http://openid.net 3. Grandison, T., Maximilien, E.M.: Towards privacy propagation in the social web. In: Workshop on Web 2.0 Security and Privacy at the 2008 IEEE Symposium on Security and Privacy. Oakland, California, USA, 18-21 May 2008 4. Breslin, J., Decker, S.: The future of social networks on the internet: The need for semantics. IEEE Internet Computing 11(6) (2007) 86{90 5. Bonatti, P.A., Duma, C., Fuchs, N., Nejdl, W., Olmedilla, D., Peer, J., Shahmehri, N.: Semantic web policies - a discussion of requirements and research issues. In: 3rd European Semantic Web Conference (ESWC), Budva, Montenegro, Springer (June 2006) 6. Bonatti, P.A., Olmedilla, D.: Driving and monitoring provisional trust negotiation with metapolicies. In: 6th IEEE Policies for Distributed Systems and Networks (POLICY 2005), Stockholm, Sweden, IEEE Computer Society (June 2005) 14{23 7. Gavriloaie, R., Nejdl, W., Olmedilla, D., Seamons, K.E., Winslett, M.: No registration needed: How to use declarative policies and negotiation to access sensitive resources on the semantic web. In: 1st European Semantic Web Symposium (ESWS 2004), Heraklion, Crete, Greece, Springer (May 2004) 342{356 8. Paton, N.W., ed.: Active Rules in Database Systems. Springer, New York (1999) 9. Bonatti, P.A., Olmedilla, D.: Policy language speci cation. Technical report, Working Group I2, EU NoE REWERSE (February 2005) http://rewerse.net/deliverables/m12/i2d2.pdf. 10. Jordan, K., Hauser, J., Foster, S.: The augmented social network: Building identity and trust into the next-generation internet. First Monday 8 (2003) 11. Bojrs, U., Breslin, J.G., Finn, A., Decker, S.: Using the semantic web for linking and reusing data across web 2.0 communities. Web Semant. 6(1) (2008) 21{28 12. Story, H., Harbulot, B., Jacobi, I., Jones, M.: FOAF+SSL: RESTful Authentication for the Social Web. In: Proceedings of the First Workshop on Trust and Privacy on the Social and Semantic Web (SPOT2009) 13. Karger, P., Kigel, E., Jaltar, V.Y.: Spox: combining reactive semantic web policies and social semantic data to control the behaviour of skype. In: ISWC, Poster and Demo Session, Washington, DC, USA. (October 2009) 14. Schmidt, A., Takaluoma, A., Mantyjarvi, J.: Context-aware telephony over wap. Personal
Ubiquitous Comput. 4(4) (2000) 225{229 15. Stan, J., Egyed-Zsigmond, E., Maret, P., Daigremont, J.: E cient Reachability Management With A Semantic User Pro le Framework. In: Personalization in Mobile and Pervasive Computing (at UMAP2009). (June 2009) 16. James, J.G., Hendler, J.: Reputation network analysis for email ltering. In: In Proc. of the Conference on Email and Anti-Spam (CEAS), Mountain View. (2004) 17. Alferes, J.J., Amador, R., Karger, P., Olmedilla, D.: Towards reactive semantic web policies: Advanced agent control for the semantic web. In: ISWC 2008 (Poster and Demo Session) Karlsruhe, Germany 18. Bonatti, P., Samarati, P.: Regulating service access and information release on the web.
In: CCS '00: Proceedings of the 7th ACM conference on Computer and communications security, New York, NY, USA, ACM (2000) 134{143