Access-control tool for personal stuff knows 'private' can mean 'it's complicated'

Researchers have developed tag-based software to control who can see your files

Think about it: Who should be allowed to see photos of you drunk?

Now: Who should be able to see your "very drunk" pictures?

Enterprises have had sophisticated access-control tools for a long time. Researchers at Carnegie Mellon University and the University of North Carolina have now developed a way to apply fine-grained controls to the most sensitive data of all: your personal stuff.

The system, called Penumbra, is based on software that runs in the file system. Penumbra lets consumers apply tags to their content and set policies about who can access files based on those tags. The policies can also use automatically generated tags, such as those based on face recognition. The researchers' prototype system ran on a set of Linux desktops on a LAN, but it could also be implemented across tablets, smartphones and other devices. And the sweet spot for Penumbra could be cloud-based storage services.

In the past, controlling who saw a private photo or letter was relatively simple. Digital media and the Internet changed all that, said Carnegie Mellon graduate student Michelle Mazurek, who gave a presentation on Penumbra to the Usenix FAST conference this week in Santa Clara, California.

"The traditional physical and social boundaries for access control are really failing," Mazurek said. Consumers have content spread across multiple devices and online repositories, such as Web mail, photo sites and social-networking platforms. Instead of simply keeping an embarrassing photo in a drawer, users now have to understand multiple technologies and know how to use them.

"All of us .... are basically all our own access control administrators," Mazurek said. That job is hard even for IT administrators, let alone for consumers. When they try it and fail, things can get ugly. Along with the danger of employers and college admissions offices finding files that reflect poorly on applicants, Mazurek cited reports about a girl in the Netherlands who sent her Facebook friends a birthday party invitation without controlling who could receive it. About 30,000 people ultimately got the invitation, leading to a mob of 3,000 and a riot in which six people were injured.

The Carnegie Mellon researchers wanted to develop access controls that were easy to use and understand. They designed Penumbra to let consumers set up controls that match the way they organize and describe their own content. Rather than presenting users with predefined categories and rules, Penumbra gives them the flexibility to define whatever policies they like based on everyday terms, she said.

"The idea here is that we want to minimize the mismatch between the intended policy -- what the user thought of -- and the actual specified policy," Mazurek said.

By talking to users, Mazurek's team found out that access preferences can be very specific. For example, a preschool teacher wanted to be able to share photos of the children she taught, but only if the parents of those kids allowed it.

Another requested feature was more personal.

"One user ... told us that some friends were allowed to see 'drunk' photos, but not 'very drunk' photos. It's a subtle but apparently very important difference," Mazurek said.

Tags used in Penumbra are cryptographically signed credentials, so they can't be forged or spoofed, she said. Each user can assign different tags to the same file based on how they think about the content. The tags themselves can be secret in addition to the files they describe.

Penumbra controls access to files using software that issues challenges among devices to establish a user's identity and authorization to see a requested file. Those claims are validated through logical proofs. Permissions can be cached for a limited time so the proof doesn't always have to be repeated.

In most cases, users wouldn't notice a lag from using Penumbra, Mazurek said. A rule of thumb is that operations that take less than 100 milliseconds are invisible to users, and most of the system calls generated by Penumbra are well under that limit, she said. In the fastest case, for a user accessing his or her own files, the system works in about 1 millisecond, she said. If anyone turned the system into a product, they could put more effort into performance, Mazurek said.

The researchers don't expect all users to conscientiously tag all their content. Automatic tagging based on locations, keywords or facial recognition could make the process easier, and users could also be given reminders about the tags they use most often, Mazurek said. However, given the idiosyncrasies that came up when the team looked into people's personal data worries, offering default settings probably wouldn't help, she said.

"It's really hard to come up with defaults that make sense to a broad set of people," Mazurek said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags University of North CarolinaCarnegie Mellon Universitysecurityinternetprivacy

More about Carnegie Mellon University AustraliaFacebookIDGLANLawsonLinuxMellon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stephen Lawson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place