Sanitizable signed privacy preferences for social networks

Abstract

Privacy preferences are the handling rules and constraints under which a data subject allows a third party to process, store, and use his personal data. We have analysed Facebook and show how the Social Network System fails to collect, manage, and hand-over to third-parties user's consent. Todays technical solutions of collecting the consent on the Internet can be argued to fullfil the regulatory requirements of an informed consent to the service's Privacy Policy and Terms of Service. We found no change in Facebook's processes for collecting and managing user consent from 2009 to 2011. The technical solutions used today neither allow to manage, thus change this consent over time, nor allow to hand-over the consent to a third party. We sketch one technical solution, which lends a lot from public key infrastructures. A social network is already trusted by users to keep or federate their data. Hence, we describe the next step of Social Networks becoming an authority and sign the consent collected from its users to making the available data verifiable for third-parties. Better yet, if you do not trust the Social Network a user himself can run his own certificate authority or a group of users can provide one as a community service.