6.2 Access Control

Access control grants online permissions, i.e. rights. In computing, decision support systems recommend decisions, access control systems permit them, and control systems implement them. Access control began with multi-user systems, as when people sharing the same resources came into conflict it was necessary to define who could do what to what (Karp et al., 2009). Since this is exactly what a right is, access control is the way to implement rights online.

Traditional access control systems used a subject-object access permission matrix to allocate rights (Lampson, 1969). As computing evolved, this was extended to distributed systems, to allow roles for many-person systems. The matrix approach has worked for military (Department of Defense, 1985), commercial (Clark & Wilson, 1987), organizational (Ferraiolo & Kuhn, 2004), distributed (Freudenthal et al., 2002), peer-to-peer (Cohen, 2003) and grid environment (Thompson et al., 1999) cases. In most cases, the permission matrix was centrally controlled by an administrator.

In social networks, access control is more about access than control. For friend interactions, the permission matrix increases geometrically with group size, so for hundreds of millions of people the possible combinations are astronomical. Social networks vastly increase access complexity, as millions of people want rights to billions of items. A person may add thousands of photos and comments a year, and they want to control them in a way that was previously reserved for system administrators. Giving social networkers direct local control of their resources is not feasible by allocating read, write and execute permissions from a central authority (Ahmad & Whitworth, 2011). Each person essentially wants to define their own social structure (Sanders & McCormick, 1993), e.g. to restrict a photo to family or friends. Social networks were the perfect storm for the traditional ship of access control.
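
The local control described above, sketched as an added Python example that is not from the original text: each person administers their own groups and items, in place of a central administrator filling in a subject-object matrix. The class, method, user and item names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    owner: str
    audience: set = field(default_factory=set)  # owner's group names allowed to view

class LocalAccessControl:
    """Hypothetical model: each person administers only their own groups and items."""

    def __init__(self):
        self.groups = {}  # (owner, group name) -> set of member names
        self.items = {}   # item id -> Item

    def define_group(self, actor, owner, name, members):
        if actor != owner:  # nobody else may redefine my social structure
            raise PermissionError(f"{actor} cannot edit groups of {owner}")
        self.groups[(owner, name)] = set(members)

    def add_item(self, owner, item_id):
        self.items[item_id] = Item(owner)  # new items start private to the owner

    def share(self, actor, item_id, group):
        item = self.items[item_id]
        if actor != item.owner:  # only the owner grants view rights
            raise PermissionError(f"{actor} does not own {item_id}")
        if (item.owner, group) not in self.groups:
            raise KeyError(f"{item.owner} has no group {group!r}")
        item.audience.add(group)

    def can_view(self, subject, item_id):
        item = self.items.get(item_id)
        if item is None:
            return False  # default deny for unknown items
        if subject == item.owner:
            return True
        return any(subject in self.groups.get((item.owner, g), ())
                   for g in item.audience)

def build_demo():
    # Constructed sample data: alice restricts a photo to her family group.
    acl = LocalAccessControl()
    acl.define_group("alice", "alice", "family", {"bob"})
    acl.define_group("alice", "alice", "friends", {"carol"})
    acl.add_item("alice", "photo1")
    acl.share("alice", "photo1", "family")
    return acl

if __name__ == "__main__":
    acl = build_demo()
    for who in ("alice", "bob", "carol"):
        print(who, acl.can_view(who, "photo1"))
```

The stored state grows with the groups and items each person creates, not with the product of all subjects and all objects.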

Current social networks allocate rights inconsistently. Making every network person in effect the administrator of their own local domain wasn’t easy, so different systems did it differently. With no guiding principles, the rules of online social interaction were based on designer intuitions rather than formal models. Hence they vary between systems and over time, with public outrage the only check, e.g. Facebook redefining its privacy options after the Cambridge Analytica scandal is only one of a long list of design changes driven by a social failure. Since there is still no agreed scheme for allocating rights to create, edit, delete or view online entities, let alone manage roles, there is a need for access control rules that are legitimate, efficient, consistent and understandable. We need a universal description of online rights.
