The Location Privacy Preserving of Social Network Based on RCCAM Access Control

ABSTRACT Location-based services in social networks provide much convenience for people but bring a considerable risk of location privacy disclosure. To address this problem, a location privacy preservation algorithm based on the RCCAM access control model is proposed. It assigns accessing users an access permission and a visibility level for location information through the combination of a conflict resolution strategy, a permission allocation strategy and a location generalization strategy. RCCAM is a relationship-based multi-user cooperative access control model, which takes into consideration that the same shared content may involve the privacy interests of multiple users. The core of the algorithm is the value of open tendency, which depends on the location sensitivity and the intimacy between the users. The conflict resolution strategy uses the value of open tendency to vote for concessions. The permission allocation strategy and the location generalization strategy derive the specific access permission and the location visibility level for accessing users from the value of open tendency. The algorithm achieves fine-grained control over location publishing for shared content that involves stakeholders' privacy interests, and preserves the promulgator's willingness to share as far as possible.


INTRODUCTION
The rapid development of the internet has promoted the widespread use of social networks. In recent years, the internet has provided users with rich and personalized services such as location-based services. These services can be used to share photos, videos and texts associated with location information, which gives users a better experience and more convenience. Sharing is, in effect, an active act of privacy disclosure. Thus, leakage of the user's privacy is unavoidable when a user with low privacy protection awareness shares location information with others. Naini et al. [1] consider that users can be identified by attackers through the exposure of location information, which will result in incalculable losses [2]. Many users are concerned about the leakage of their location privacy. Therefore, the preservation of location privacy is important. This paper proposes an access control-based method to protect location privacy.

RELATED WORK
Research on the protection of location privacy in social networks has only just started. [3] introduces the concept of location and reviews many methods, which can be categorized into heuristic privacy measurement, probability deduction and private information retrieval-based technologies. But all these methods are based on the traditional protection methods of LBS-based services and are not fully applicable to location privacy when sharing content. Access control is one of the most common methods for this situation. Many types of access control models have been proposed to adapt to different needs. Chen et al. [4] review the current access control models for social networks and show that they mainly include relationship-based and attribute-based models. Relationships are the core of a social network, so the relationship-based access control model, which uses the relationship between users to resolve the problem of authorization, is very suitable. However, most of the prior research did not pay attention to the fact that shared content may involve multiple users' privacy. Thus, Hu and Ahn [5] propose a multi-authorization framework based on a vote-based resilience mechanism. Pang and Zhang [6] propose an access control mechanism based on user-to-user relationships and shared information. But they do not focus on location privacy preservation. Chao et al. [7] propose the CS-LPPM model to address the above deficiencies together and achieve fine-grained location privacy protection based on the access control method. Inspired by it, this paper proposes a relationship-based multi-user cooperative access control model (RCCAM) and combines a conflict resolution strategy, a permission allocation strategy and a location generalization strategy to achieve the RCCAM-based location publishing strategy. It provides users with fine-grained protection of location privacy and resolves the issue of the same shared content involving multiple users' privacy, so that the location privacy of other users is also protected.

Description of Location Privacy Issue
Suppose there are four users in the social network, named Alice, Bob, Carol and David. The relationship between these four users is shown in Figure 1. Alice, Bob and Carol are friends; Bob, Carol and David are friends; Alice and David are indirect friends.
One day, Alice and Bob met, and Alice uploaded content that included location information to the social network and '@'-mentioned Bob. Carol forwarded it after commenting on it. For this content, Alice was the promulgator, Bob was a stakeholder, and Carol and David were accessing users. Assume that the location was non-sensitive for Alice but sensitive for Bob. Since Alice uploaded the location, Carol obtained Bob's sensitive information, and because Carol forwarded it, David could also obtain Bob's sensitive location. Thus, the location privacy of Bob was indirectly leaked. The process is shown in Figure 1.
However, in most current access control strategies for social networks, the owner has absolute control over the content while other stakeholders have no control over it. Due to the interactivity of social networks, content often indirectly leaks other users' privacy. To address this problem, this paper proposes a location publishing strategy based on multi-user cooperative access control.

RCCAM Model Components
In RCCAM, the subject is the user and the object is the content with location information. The strategy determines whether the subject has permission to access the object, and can be divided into system strategy and customized strategy. The elements are shown in Figure 2.

Content $m$. The content can be texts, videos or pictures. Each user has their own content set $M_{u_i}$. Unless otherwise specified, the content contains real location information.

Participant User $U$. For a specific $m$, all related users are the participant users.

Promulgator $u_{post}$. For a specific $m$, if $m \in M_{u_i}$, user $u_i$ is the $u_{post}$ of content $m$.

Stakeholder $u_{rel}$. For a specific $m$, $find(m)$ is an abstract function that identifies the content-related users through the '@' function. All these content-related users are stakeholders. $U_{rel}$ is the set of all stakeholders.

Accessing user $u_{acc}$. For a specific $m$, a user who sends an access request is an accessing user of $m$.

System Strategy $P_{sys}$. A default strategy made by the network operator that applies to all users of the social network.

Customized Strategy $P_{def}$. In a social network, each user can set a personalized privacy strategy according to their own privacy needs and privacy preferences. The customized strategy can be further divided into the promulgator's strategy $P_{post}$ and the stakeholder's strategy $P_{rel}$ according to the relationship between the user and the content.

Location Sensitivity
Location sensitivity ($Sen$) is an indicator of whether a location is private to the user. The higher the $Sen$ is, the less willing the user is to share the location with other users.

The Definition of Location Sensitivity
$Sen$ is different in different scenarios [8].
(1) $Sen$ of the same location is different for different users.
(2) $Sen$ of the same location is different for the same user at different times.
(3) $Sen$ of the same location is different for the same user when the accessing user is different.
Thus, location sensitivity depends on four elements: location $l$, user $u$, time $t$ and the type of relationship $r_u$. The function $Sen(l, u, t, r_u)$ sets the location sensitivity, with $Sen \in [0, 1]$.
E.g. $Sen(l_1, \text{Alice}, t_1, \text{family}) = 0.9$ means that for location $l_1$ in the period $t_1$, if the relationship between the accessing user and Alice is 'family', the sensitivity is 0.9.

The Acquisition of Location Sensitivity
When the accessing user sends an access request, the social network system identifies the related stakeholders, then performs sensitivity matching using the function $Sen = Matching(u, u_{acc})$, and finally returns the $Sen$ of each related user. If the result is empty, the system requests the user to set a sensitivity in the format $L_{sen} = (l_i, t_p, r_u, Sen)$. E.g. $L_{sen} = (l_1, \text{morning}, \text{family}, 0.5)$ means that when the relationship of the accessing user is 'family', location $l_1$ has sensitivity 0.5 during the morning.

LOCATION PUBLISHING STRATEGY BASED ON RCCAM
This section proposes a location publishing strategy based on the RCCAM model which combines a conflict resolution strategy, a permission allocation strategy and a location generalization strategy. Figure 3 shows the framework of the location publishing strategy.

Location Publishing Strategy Construction
• $U_{pr}$: The set of $u_{post}$ and $u_{rel}$ of the same content $m$. There can be one or multiple $u_{rel}$.
• $t_p$: Valid time of the sensitivity for location information. It can be a specific time or can be represented by a fuzzy set, e.g. $t_p \in (\text{morning}, \text{afternoon}, \text{evening})$.
• $L$: The location information set of the user.
• $P_u$: A set of customized strategies set by the users themselves. Each user can have more than one customized strategy. E.g. a sensitivity strategy can state that, in the morning, location information belonging to $L$ has sensitivity 0 for users whose relationship is 'friend'.
• $R_u$: A set of the relationships between users. $R_u \subseteq U \times U = \{r_1, r_2, \ldots, r_n\}$ represents different types of user-to-user relationship, such as 'close friend', 'family', etc. [9].
• $R_r$: A set of the relationships between the user and the content. $R_r \subseteq U \times R = \{y_1, y_2, \ldots, y_n\}$ represents the different types of user-to-resource relationship. This paper divides the user-to-resource relationship into owner, sharer, creator and disseminator [8].
• $P$: $P = \{P_{read-only}, P_{read-forward}\}$ is the permission of $u_{acc}$ to access the content. $P_{read-only}$ represents read-only permission and $P_{read-forward}$ represents that the user can read and forward the content. Specific permissions are classified in Table 1.
• $Decision$: The final access control decision for a specific $u_{acc}$. $Decision \leftarrow (l, u_{acc}, d, P)$ means that the specific $u_{acc}$ has permission $P$ to access the content and the location $l$ will be shown at visibility level $d$.

Conflict Resolution Strategy
Because stakeholders exist, each $u_{rel}$ has an independent customized access strategy, which can result in conflicting strategies. E.g. Alice is $u_{post}$ and Bob is $u_{rel}$. For the same location, Alice sets sensitivity 0 and Bob sets sensitivity 1, which means a location that is non-sensitive to Alice is extremely sensitive to Bob. Obviously, the strategies of Alice and Bob conflict.
• $U_{conflict}$: Set of $u_{rel}$ who have a conflict with $u_{post}$.
• $Identify(u_{acc}, P_i)$: The function that identifies a conflict between $u_{post}$ and $u_{rel}$. $Identify = 1$ means there is a conflict.
According to the sensitivity of the location, the possible situations are shown in Table 2. There, 0 indicates that the location is insensitive and 1 indicates that the location is sensitive.
Table 2 rows ($u_{post}$, $U_{rel}$):
0 0: $L$ is not sensitive to $u_{post}$ and not sensitive to $U_{rel}$
1 0: $L$ is sensitive to $u_{post}$ but not sensitive to $U_{rel}$
0 1: $L$ is not sensitive to $u_{post}$ but $\exists u_{r_i} \in U_{rel}$ for which $L$ is sensitive
1 1: $L$ is sensitive to $u_{post}$, and $\exists u_{r_i} \in U_{rel}$ for which $L$ is sensitive

For the first two cases in Table 2, there is no conflict. The final decision follows the principle of owner priority and is executed according to the strategy of $u_{post}$. The latter two cases in the table need to be solved by voting based on Open Tendency (OT).

OT represents how willing the user is to share the location with a certain $u_{acc}$, depending on the sensitivity of the location and the intimacy between the users. The calculation of intimacy refers to [10]. Intimacy is not necessarily the same even if the users are in the same group. For each $u_{acc}$, each $u_{post}$ or $u_{rel}$ has its own OT. Here, the intimacy is the intimacy between $u_{acc}$ and $u_{post}$, or the intimacy between $u_{acc}$ and $u_{rel}$. OT is defined as follows: $u_i \in \{u_{post}, u_{rel}\}$, $w_1 + w_2 = 1$, $Sen(u_i, u_{acc})$ represents the location sensitivity set by $u_i$ for $u_{acc}$, and $close(u_i, u_{acc})$ represents the intimacy between $u_i$ and $u_{acc}$. Then the voting function is defined as follows.

$V_{OT} \in [0, 1]$ is the voting result for $u_{acc}$ according to the OT, and $n$ is the total number of people who participate in the vote. Because each participant has a different relationship with the content, different weights $w_{u_i}$ are assigned for different $R_r$. The assignment of weights is based on the principle of the priority of $u_{post}$ and the principle of the importance of the relationship. The intimacy of $u_{post}$ with itself is 1. $w_{u_i}$ is assigned as follows: $a \in (0, 1)$ is the weight $w_{u_i}$ when $u_i$ is $u_{post}$, and $close(u_i, u_{post})$ represents the intimacy between $u_i$ and $u_{post}$. When $u_i$ is a stakeholder, $w_{u_i}$ represents the weight of $u_{rel}$. The degree of concession differs with the importance of each $u_{rel}$ to $u_{post}$. The larger $close(u_{rel}, u_{post})$ is, the higher the intimacy between $u_{rel}$ and $u_{post}$ and the more important $u_{rel}$ is to $u_{post}$, so the more the damage that disclosing the location would do to the privacy interests of $u_{rel}$ is taken into account. Therefore, $u_{post}$ is more willing to make concessions in terms of OT.

Permission Allocation Strategy
The permission allocation strategy is one of the system strategies. It further allocates the user's read and forward permissions, and is implemented through the permission allocation table. In a social network, communication runs in multiple directions. In order to implement finer access control and minimize privacy leakage in the process of dissemination, the social network system should develop a permission allocation table, shown as Table 3, that divides permissions according to the calculated $V_{OT}$.
Here, $P = [0, 0]$ means that $u_{acc}$ cannot see the content. $P = [1, 0]$ means that $u_{acc}$ can see the content but cannot forward it. $P = [1, 1]$ means that $u_{acc}$ can see the content and forward it.

Location Generalization Strategy
The location generalization strategy also belongs to the system strategy. It classifies the visibility level of the location so as to strengthen the user's location privacy while retaining the promulgator's willingness to share. It is implemented through the location generalization table shown as Table 4, which divides the scope of visibility of the location into levels based on $V_{OT}$ and is uniformly formulated by the social network operator. E.g. if $V_{OT} \in [0, X_1]$, the location will be generalized to level L1. The location is not necessarily divided into only three levels; more levels can be defined according to the granularity requirements of different social networks.

RCCAM-Based Location Publishing Strategy
When $u_{acc}$ sends an access request to the server for the content $m$ containing the real location information $l$, the permission of $u_{acc}$ is controlled through the location publishing strategy, and the system finally returns the permission of $u_{acc}$ and the visibility level of $l$ for $u_{acc}$. The RCCAM-based location publishing strategy is shown as Table 5.
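The decision flow described in this section (identify a conflict, vote on OT, then look up permission and visibility level), as an added Python example that is not code from the paper. The OT formula, the weight scheme, the sensitivity cut-off and the thresholds of Tables 3 and 4 are not reproduced on this page, so the forms and values used here are assumptions, and `Voter`, `decide` and the other names are hypothetical.

```python
from dataclasses import dataclass

# Constructed stand-ins for Tables 3 and 4 (their thresholds are not on the page).
# Rows are (upper bound on V_OT, value). Level names follow the two-user analysis:
# L3 is the coarsest ("Shanghai"), L_real is the exact place.
PERMISSION_TABLE = [(0.3, (0, 0)), (0.6, (1, 0)), (1.0, (1, 1))]
GENERALIZATION_TABLE = [(0.6, "L3"), (0.85, "L2"), (0.9, "L1"), (1.0, "L_real")]

@dataclass
class Voter:
    name: str
    sen: float               # Sen(u_i, u_acc) in [0, 1]
    close_acc: float         # close(u_i, u_acc) in [0, 1]
    close_post: float = 1.0  # close(u_i, u_post); 1 for u_post itself

def open_tendency(v, w1=0.5, w2=0.5):
    # Assumed form with w1 + w2 = 1: falls with sensitivity, rises with intimacy.
    return w1 * (1.0 - v.sen) + w2 * v.close_acc

def identify(stakeholders, sensitive_at=0.5):
    # Table 2: conflict (1) iff the location is sensitive to some stakeholder.
    # Treating Sen >= sensitive_at as "sensitive" is an assumption.
    return int(any(s.sen >= sensitive_at for s in stakeholders))

def vote(post, stakeholders, a=0.5):
    # Assumed weights: a for u_post, (1 - a) * close(u_rel, u_post) for each
    # stakeholder, normalised so that V_OT stays in [0, 1].
    weighted = [(post, a)] + [(s, (1 - a) * s.close_post) for s in stakeholders]
    total = sum(w for _, w in weighted)
    return sum(w * open_tendency(v) for v, w in weighted) / total

def lookup(table, v_ot):
    if not 0.0 <= v_ot <= 1.0:
        raise ValueError("V_OT must lie in [0, 1]")
    return next(value for upper, value in table if v_ot <= upper)

def decide(location, u_acc, post, stakeholders):
    # No conflict: owner priority, u_post's own OT decides. Conflict: vote.
    v_ot = vote(post, stakeholders) if identify(stakeholders) else open_tendency(post)
    level = lookup(GENERALIZATION_TABLE, v_ot)
    permission = lookup(PERMISSION_TABLE, v_ot)
    return (location, u_acc, level, permission)  # Decision <- (l, u_acc, d, P)

if __name__ == "__main__":
    # Constructed scenario: the location is insensitive to Alice, sensitive to Bob.
    alice = Voter("Alice", sen=0.0, close_acc=0.9)
    for close in (1.0, 0.2):  # Bob very close to Alice, then only loosely connected
        bob = Voter("Bob", sen=1.0, close_acc=0.4, close_post=close)
        print(close, decide("l1", "Carol", alice, [bob]))
```

With these constructed values, a stakeholder who is close to the promulgator pulls the result down to read-only at the coarsest level, while a loosely connected one leaves read-forward at a finer level.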

Forward Strategy
In social networks, users can forward the content of their friends. However, the forwarder often adopts a weaker control strategy for the forwarded content, while the forwarded content is sensitive to the content creator and the related stakeholders. Therefore, a simple strategy for secondary forwarding is needed. If Carol forwards the content $m$ uploaded by Alice, the role of Alice changes from $u_{post}$ to $u_{rel}$, and her relation with $m$ changes from owner to creator. The role of Carol changes from $u_{acc}$ to $u_{post}$, and her relation with $m$ changes from disseminator to sub-owner. Thus, the permission assigned to the accessing user must satisfy Alice's privacy control strategy and Carol's strategy at the same time.

Two-User Application Analysis
This is a common scene. Alice and Bob meet at Starbucks and take a photo together. Alice uploads the photo and '@'-mentions her friend Bob, as shown in Figure 4(a). The location information of this content is 'Starbucks, Shanghai South Railway Station'. Therefore, Alice is $u_{post}$, Bob is $u_{rel}$ and their friend Carol is $u_{acc}$. table shown as Table 6. The result of voting by the conflict resolution strategy is shown as Table 7. It is obvious that there is a conflict.
If the intimacy between Alice and Bob is high, the final decision is: Carol is authorized only the read-only access permission for the content and the location is visible at level L3, which means Carol can see the location as 'Shanghai'. If the intimacy between Alice and Bob is low, the final decision is: $Decision \leftarrow (L, \text{Carol}, L2, [1,1]: \text{read-forward})$. Carol is authorized the read-forward access permission for the content and the location is visible at level L2, which means Carol can see the location as 'Xuhui District'. If we consider Alice's strategy only, the location has sensitivity 0 for Carol and the OT of Alice is 0.75. That is, Carol has read-forward permission for the content and the location is visible at level L_real, which means Carol can see the location as 'Shanghai South Railway Station'. Obviously, Alice takes the privacy needs of Bob into account and makes some concessions. The closer the intimacy between Alice and Bob is, the more concessions Alice is willing to make to protect the privacy of Bob.

Multi-Users Application Analysis
This section discusses multi-user scenarios based on Section 5.1 and as shown in Figure 4(b  Table 3.
(f). The importance of $u_{rel}$ and $u_{post}$ may be different, depending on the intimacy between $u_{rel}$ and $u_{post}$. Two kinds of intimacy condition, shown in Table 8, are used to verify the concession of Alice in the case of different stakeholder importance.
(g). The permission allocation table is the same as Table 6.
The results of voting are shown in Table 9. When the importance of the stakeholders is the same, the final decision is as follows: $Decision \leftarrow (L, \text{Carol}, L1, [1,1]: \text{read-forward})$. Carol is authorized the read-forward access permission for the content and the location is visible at level L1, which means Carol can see the location as 'Lingyun Street'. When the importance of the $u_{rel}$ differs (the importance of Bob is higher than that of the others), the final decision is: $Decision \leftarrow (L, \text{Carol}, L2, [1,1]: \text{read-forward})$. Carol is authorized the read-forward access permission for the content and the location is visible at level L2, which means Carol can see the location as 'Xuhui District'. From Table 9, taking the privacy needs of stakeholders into consideration, Alice makes some concessions in the visibility of the location. Comparing the two cases, in which the stakeholders' importance is the same and different, Alice makes more concessions for Bob because his importance is higher.

CONCLUSIONS
This paper proposes a multi-user cooperative access control model in order to provide fine-grained privacy protection for social network users while they share content with location information. Location sensitivity and intimacy are the core elements used to obtain the value of OT, and the value of OT is the core of the overall location publishing strategy, which includes the conflict resolution strategy, the permission allocation strategy and the location generalization strategy. The case analysis shows that, when content involves multiple users' privacy, the location privacy of stakeholders can be greatly protected while the sharing behavior of the promulgator is maintained.