Evaluating privacy threats in deployed OSNs: A case study on PTMOL
DOI: https://doi.org/10.5753/jis.2025.5610
Keywords: Online Social Networks, Privacy Threats, Threat Modeling, Case Study
Abstract
Background: The growth of Online Social Networks (OSNs) has significantly expanded opportunities for interaction and information sharing, while also introducing increasing challenges to user privacy protection. The exposure of sensitive data and the misuse of shared information on these platforms highlight the need for effective methodologies to identify and mitigate privacy threats. Purpose and Methods: In this context, this study investigates the application of the PTMOL methodology to identify and describe privacy threats in already deployed OSNs, aiming to demonstrate its versatility in threat modeling. Results: The results indicate that PTMOL is well-suited for structuring the identification of privacy threats, providing a detailed view of the vulnerabilities present in the analyzed platform. The comparison between modeled threats and documented incidents further reinforces PTMOL’s ability to anticipate real-world risks. Conclusion: As a contribution, this study validates PTMOL’s applicability as a valuable approach for assessing threats in deployed OSNs, extending its use beyond the design phase. The impact of this research extends to strengthening privacy protection strategies and assisting researchers, developers, and policymakers in adopting more effective measures to ensure safer and more transparent digital environments.
License
Copyright (c) 2025 Andrey Rodrigues, Maria Lúcia Villela, Eduardo Feitosa

This work is licensed under a Creative Commons Attribution 4.0 International License.
JIS is free of charge for authors and readers, and all papers published by JIS follow the Creative Commons Attribution 4.0 International (CC BY 4.0) license.


