People are increasingly sharing their lives online in photos, videos, blogs, GPS location logs, activity status and logs, exercise logs, office documents, notes, recommendations, reviews, bookmarks, software, purchase histories, and other personal artifacts. But it is often important that a boss, family member, or stranger not see specific personal information. Consequently, sharers must specify a set of rules that allows access to the information by some people, and denies access to others.
Although contemporary access control, based on explicit blacklists and whitelists (also called “access control lists”), is mathematically precise, it can also be too tedious, inflexible, complicated, or rude in many scenarios. For example, how can a mother share photos of her children with 80 extended family members and family friends, but not with potential Internet predators, without enumerating all 80 viewers, finding their email addresses, getting them accounts and passwords, and whitelisting them? How can an artist give the local art community access to a personal blog, without requiring a login and password, which could severely limit readership? How can a man prevent an ex-girlfriend from seeing his new girlfriend's Facebook photos, visible to all “friends,” without alienating his ex-girlfriend? How can a college student conceal Facebook party photos from employers without blocking them by including their names on a potentially offensive blacklist?
Many personal authentication systems require answers to tests of personal knowledge, but these authenticate individuals rather than controlling access by groups. One such system is discussed by M. Zviran et al., who studied personal authentication questions like “mother's maiden name,” now commonly used by banks for password verification, in “User Authentication by Cognitive Passwords: An Empirical Assessment,” Jerusalem Conference on Information Technology, 137–144 (1990). These systems typically require a person to answer a generic question, store the response, and subsequently determine whether someone attempting to gain access knows the response that was previously stored.
Shared passwords and keys are an alternative that allows access without the account creation required by access control lists. However, these passwords or keys must still be distributed to a whitelist of users, which can be a rather onerous burden for the person sharing access to implement and maintain. Furthermore, users must remember, or store and manage, these foreign passwords (one for each whitelist of which they are a member). Instead, it would be preferable to determine access to data based upon knowledge shared by the person enabling access and the different person accessing the data. Finally, it would also be desirable to be able to grant different people access to a site or to data at any time, without any need for redistributing passwords.
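The two approaches contrasted above, an explicit access control list and a gate based on knowledge the sharer and the requester already share, side by side as an added example. This code is not from the original text or from any product it describes; the class names, the question, the answers, the requester names, and the design choices of storing only a salted, stretched hash of the normalized answer and locking out a requester after repeated wrong answers are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed illustration: an access control list versus a shared-knowledge
# gate of the kind the text describes. Every name and value below is made up.


def normalize(answer: str) -> str:
    """Canonicalize free-text answers (Unicode form, case, spacing) so that
    'Biscuit' and '  biscuit ' count as the same piece of shared knowledge."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def make_gate(question: str, answer: str, iterations: int = 100_000) -> dict:
    """Store a salted, stretched hash of the normalized answer rather than the
    answer itself, so a leaked store does not reveal the shared secret.
    (Hashing is an assumption of this example, not something the text specifies.)"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)
    return {"question": question, "salt": salt, "digest": digest, "iterations": iterations}


def check_answer(gate: dict, attempt: str) -> bool:
    """Compare the requester's answer against the stored digest in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), gate["salt"], gate["iterations"]
    )
    return hmac.compare_digest(candidate, gate["digest"])


class AclResource:
    """Contemporary approach: the sharer enumerates every permitted viewer."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def request_access(self, requester: str) -> bool:
        return requester in self.allowed


class SharedKnowledgeResource:
    """Alternative approach: the sharer poses a question only the intended
    group can answer; nobody is enumerated and no password is distributed."""

    def __init__(self, gate: dict, max_failures: int = 5):
        self.gate = gate
        self.max_failures = max_failures
        self.failures = {}  # requester -> number of wrong answers so far

    def request_access(self, requester: str, answer: str) -> bool:
        # A knowledge gate is only as strong as the answer is hard to guess,
        # so repeated wrong answers lock the requester out (constructed policy).
        if self.failures.get(requester, 0) >= self.max_failures:
            return False
        if check_answer(self.gate, answer):
            return True
        self.failures[requester] = self.failures.get(requester, 0) + 1
        return False


def demo() -> dict:
    """Run both resources against the same requesters and return the outcomes."""
    acl = AclResource(allowed=["aunt_jane", "cousin_pat"])  # only 2 of the 80 relatives listed
    photos = SharedKnowledgeResource(make_gate("What is the family dog's name?", "Biscuit"))
    results = {
        "acl_listed": acl.request_access("aunt_jane"),
        "acl_unlisted_relative": acl.request_access("uncle_bob"),  # forgotten, so denied
        "gate_relative": photos.request_access("uncle_bob", "  biscuit "),
        "gate_stranger": photos.request_access("stranger", "Rex"),
    }
    # A stranger who keeps guessing is locked out before a later guess could succeed.
    for guess in ["Max", "Buddy", "Charlie", "Rocky"]:
        photos.request_access("stranger", guess)
    results["gate_stranger_locked_out"] = photos.request_access("stranger", "Biscuit")
    return results


if __name__ == "__main__":
    print(demo())
```

The ACL denies the relative the sharer forgot to list, while the knowledge gate admits anyone who knows the answer and throttles anyone who does not; the throttling matters because the gate replaces per-person enumeration with a secret whose guessability the sharer must judge.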
Based on the preceding discussion, it will be apparent that a more expedient and simple approach is desirable for controlling access by selected people or groups of people to resources that are being shared. The approach that is used should dynamically enable desired individuals or groups of individuals to access a sharer's resources, based on criteria that the sharer specifies, but without the need for the sharer to explicitly specify each person intended to view the resource and without requiring distribution of explicit passwords to the persons intended to have access.