Many people in our society rightly consider themselves as \internet natives": when they need information, they naturally open a browser and search for it; when they want to share information, they naturally post it on a social network. A few gures about Facebook, the leader among social networking sites, exemplify our point: Facebook has more than 800 million users, of which, about 50% log on to their accounts every day; more to the point, Facebook users upload, on average, 250 million photos per day [ 5 ].

Not surprisingly, privacy-related issues are a growing concern among users of social networking sites [ 7, 1, 14, 15 ] and, consequently, among their developers. Last November, Facebook's founder and CEO, Mark Zuckerberg, wrote in his blog [ 16 ] \I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service. Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected." Then, recognizing an increasing criticism over Facebook privacy policy, Zuckerberg announced: \we're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keeping doing |giving you tools to control who can see your information and then making sure only those people you intend can see it."

To Facebook's credit, over the past 2 years, its users have been equipped with new tools and resources which are designed to give them more control over ? This work has been partially supported by the EU-NoE project NESSoS, 256980. their Facebook experience, including: an easier way to select your audience when making a new post; inline privacy control on all your existing posts; the ability to review tags made by others before they appear on your pro le; a tool to view your pro le as someone else would see it; many more privacy education resources.

Despite all these e orts, many users are still concerned about how to maintain their privacy or |in Zuckerberg's words| \rightfully questions how their information was protected". There are at least three reasons for this: { The Facebook privacy policy is hardly trivial to understand: for example, when tagging policies and privacy settings con ict to each other. { The Facebook privacy policy has been in a constant state of ux over the past few years [ 12 ], and it is prompted to change again in the near future. { The Facebook privacy policy is only informally and partially described in a collection of \privacy education resources", which cannot provide a coherent and complete account of the policy.

As a consequence, even advanced Facebook users may nd di cult to understand, for example, the actual visibility of a post. To illustrate our point, recall the tagging policy explained in [ 6 ]: \When I tag someone in a photo or post, who can see it? When you tag someone, it may be visible to: 1. The audience you selected for your post. 2. Friends of the person you tagged (if the audience is set to \Friends" or more). (...) When someone adds a tag to a photo or post I shared, who can see it? When someone adds a tag to something you shared, it's visible to: 1. The audience you chose for the post or photo. 2. The person tagged in the post, and their friends (if the audience is set to \Friends" or more)." Now, suppose that Bob, Alice, Ted, and Peter have Facebook pro les: Bob is friend of Alice and Ted; Ted is friend of Peter; Ted is not a friend of Alice; and Peter is not friend of Alice or Bob. Assume also that Alice has set to \Friends" the default audience for posts of friends in her wall. Consider the following scenarios: Scenario #1 Alice posts a photo of herself, Bob and Ted in her wall, and set its audience to \Friends". Then, Bob tags Ted in this photo. Question: Can Peter see this photo in Alice's wall? (The answer is Yes.).

Scenario #2 Bob posts a photo of himself, Ted and Alice in Alice's wall. Then, Bob tags Ted in this photo Question: Can Peter see this photo in Alice's wall? (The answer is No. Why?). 2

Objectives. We set ourselves two goals: rst, to provide a formal account of the Facebook privacy policy (as complete as possible); and second, to design methods (based on this formal account) for reasoning about sharing and privacy in Facebook.

Potential impact. We envision at least three new Facebook privacy tools that can use our results as a solid, rigorous foundation: rst, a tool for checking whether a person can see a post (currently, this tool is only available for the owner of the wall where the post is posted, but not for the creator of the post); second, a tool for assessing the risk of a post becoming visible for a person; and third, a tool for assessing the impact, on the visibility of a post, of a default privacy policy change. We also expect our methodology to be applicable to other social networking site, like Google+, opening the path for a formal comparison between privacy policies of di erent social networking sites.

Context. This project is being conducted at IMDEA Software (http://software. imdea.org) Modeling Lab, under the co-supervision of Manuel Clavel and Marina Egea. Manuel Clavel is Associate Researcher at IMDEA Software and Professor at Universidad Complutense de Madrid. Dr. Marina Egea is Consultant & Research Project Manager at Atos S.A., Spain. We are developing this research within the European Network of Excellence for Engineering Secure Software and Systems.

Methodology. As discussed in [ 13 ], when modeling social networking privacy it is crucial to use a language able to formalize ne-grained access control policies: in other words, a role-based access control language, as proposed in [ 9 ], will only do part of the job. There are di erents options for this, but not so many when having a formal semantics becomes a hard requirement. For example, XACML [ 10 ], which can be considered the standard choice for describing privacy policies, lacks of a formal semantics.

To provide a formal account of the Facebook privacy policy, we use SecureUML [ 3 ]. SecureUML is a formal language for modeling role-based access control. It provides a rich language for expressing both static and dynamic access control policies, the latter being policies that depend on the run-time satisfaction of authorization constraints. Based on our preliminary results, we believe that SecureUML is up for the task we have set to ourselves for the following reasons: 1. Facebook ultimately decides about the visibility of a post based on the settings chosen by the owner of the wall and on the relationships (if any) that link the visitor of the wall, the owner of the wall, the creator of the post, and the creators and targets of the tags (if any) added to the post. Interestingly, when only real users are considered (i.e., no Facebook-enhanced games, applications, websites, or advertisers) the purpose of the visitor (and, similarly, for the creator of the post or of the tags) play no role in Facebook decisions; neither assigns the Facebook privacy policy any obligation to the visitor. 2. Facebook's pro les, walls, posts, photos, tags, and so on, can be naturally modeled in SecureUML as entities, with the expected relationships between them: the owner of a wall, the creator of a post, the wall where a post is posted, the post where a tag is added, and so on. In particular, privacy settings can be modeled as attributes of the entities `pro le' and `post' while the relationship of friendship can be modeled as a self-association of the entity `pro le'. 3. Facebook's policy constraints (like `a user can read a post if he or she is a friend of the owner of the wall where the post is posted') are naturally modeled in SecureUML using OCL [ 11 ]. OCL is a strongly typed, declarative language, speci cally designed for querying scenarios consisting of entities (with attributes) and associations between them. In particular, using OCL, we can (the list is by no means exhaustive): { refer to the value, in a data element, of any of the attributes speci ed in the data model. { refer to all the data elements which are linked to a data element through any of the associations speci ed in the data model. { perform standard operations on booleans (negation, conjunction, disjunction, implication, etc.). { perform equalities/inequalites between (collection of) data elements of the same type. { perform standard operations on collections (union, intersection, emptiness, inclusion, exclusion, insertion, deletion, etc.).

To illustrate our methodology, we show in Figure 1 a basic data model that (partially) represents Facebook posts and tags. Using the entities, attributes, and associations contained in this data model, we show in Figure 2 how the following clauses |about when a visitor (@caller) can read a post (@post)| are formalized in OCL: { anybody can read any post that is posted in his or her wall, independently of its creator. { anybody can read any post that is posted in a wall when he or she is a friend of the owner of the wall and the audience selected is `Friends'. )) or ... { anybody can ready any post that is posted in a wall when the audience selected is `Public', unless he or she is blocked by the owner of the wall. { anybody can read any post that is posted in a wall when he or she is tagged in this post, independently of the audience selected, unless he or she is blocked by the owner of the wall. { anybody can read any post that is posted in a wall, when the audience selected is `Friends', he or she is a friend of somebody tagged on the post, he or she is not blocked by the owner of the wall, and the owner of the post happens to be the creator of the post.

On the other hand, with respect to our second goal (namely, reasoning), SecureUML has a well-de ned semantics that supports the formal analysis of its models. In particular, for a certain type of analysis, we can automatically analyze SecureUML models using the metamodel-based approach described in [ 2 ]. For more general analysis, we can use theorem-proving tools (including SMT solvers), thanks to the mapping from OCL to rst-order logic introduced in [ 4 ]. 3

Our rst task is to gather as much information as possible about the Facebook privacy policy. We would like to assume that the information available at [ 6 ] is correct and complete. Unfortunately, our initial results show that this is not always the case. Our second task is then to design \experiments" on precooked Facebook scenarios for testing that our understanding of the Facebook privacy policy corresponds to reality. Eventually, these \experiments" should also help us to monitor and report changes in the Facebook privacy policy. We will also look very closely at the results of the thorough and detailed audit [ 8 ] of Facebook's practices and policies by the O ce of the Irish Data Protection Commissioner.

According to the gathered information, we will decide how to proceed. We envision separated tasks for modeling each of the basic actions on Facebook: select audience, switch reviews on/o , read a post, write a post, remove a post, add a tag, remove a tag, approve a tag, add a friend, remove a friend, block a user, and so on. For each of these actions, we plan to model also their pre- and post-conditions using OCL. We are aware that we may have to exclude from our project the privacy policies that apply to advertisers and/or so-called Facebookenhanced games, applications, and websites, unless we obtain this information directly from the company. Finally, we plan to design methods (based on the di erent types of analysis for SecureUML models that we mentioned before) for reasoning about sharing and privacy in Facebook (e.g., audience evaluation, risk and change impact assessment), although the actual implementation of these methods may have to be carried out in other research projects.