How do companies like Facebook and Google implement privacy controls at scale? For example, Facebook has a select-audience type which includes public, friends, "friends except...", only me, specific friends, and even custom. From an implementation and design standpoint, how do these companies handle this? Are they defining rule-based access controls, are they manually coding in these features, do they have a privacy model they use, or is it a hybrid approach? If anyone has links to publicly available design docs, conference talks, white papers, or even research papers, please feel free to share. Every time I try to search for how company "X" does privacy controls, I get the "business" talk on privacy, or access controls as they relate to data centers, which is not what I'm looking for.
1 Answer
In this Google patent they describe a "User privacy framework" which does all the things you mentioned.
It uses a database which stores rules and privacy levels for each user. An authorization server manages this database and evaluates requests for user data.
If user A wants to access data of user B, the authorization server checks whether the request is allowed or whether it violates any rules or privacy levels. The request is then answered or rejected.
See this flow chart from the patent: Flow chart (Sorry, I am not allowed to post images yet)
So what are privacy levels and privacy rules?
Rules are conditions which need to be met when a user requests information about another user. I couldn't find an example in the patent, but I suspect a rule could be something like "Is user A blocked by user B?".
Privacy levels seem to be more general than rules. For example, the level "semi-public" allows another user to access the requested information if no rule forbids it. The level "private" allows storage of the information on the authorization server but forbids access to it by other users. The level "no access" forbids even the storage of the information on the authorization server.
Obviously I have no idea if they really use this at large scale. But it is certainly a possible implementation, and to me it seems plausible to do it with databases and rule sets. Hope this helps. Maybe you will even find more patents which describe similar frameworks.
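The answer above describes the patent's model in prose: a per-field privacy level (no access / private / semi-public) plus a list of rules that an authorization server evaluates whenever user A asks for user B's data. The following is an added toy implementation of that model, written for this page; it is not code from the patent, from Google, or from the answer's author. The `SocialGraph`, the field names, the users and the three rules (`not_blocked`, `friends_only`, `friends_except`) are all constructed for the example. It goes slightly beyond the answer by showing how the Facebook-style audiences from the question ("friends", "friends except...", "only me") fall out of the same level-plus-rules scheme, and by failing closed: a field with no configured level is treated as private.

```python
"""Toy model of an authorization server with per-field privacy levels and rules.
Example code written for this page; the data and relationships are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class PrivacyLevel(Enum):
    NO_ACCESS = "no_access"      # server refuses to store the value at all
    PRIVATE = "private"          # stored, owner-only; never released to others
    SEMI_PUBLIC = "semi_public"  # released to others unless some rule objects


@dataclass(frozen=True)
class Request:
    requester: str   # user A, who wants the data
    subject: str     # user B, whose data it is
    field_name: str  # e.g. "email"


@dataclass
class SocialGraph:
    """Hypothetical relationship store that the rules consult."""
    friends: Dict[str, Set[str]] = field(default_factory=dict)
    blocked: Dict[str, Set[str]] = field(default_factory=dict)  # blocked[b] = users b has blocked

    def is_friend(self, a: str, b: str) -> bool:
        return b in self.friends.get(a, set())

    def has_blocked(self, blocker: str, target: str) -> bool:
        return target in self.blocked.get(blocker, set())


# A rule returns a denial reason, or None if it has no objection.
Rule = Callable[[Request, SocialGraph], Optional[str]]


def rule_not_blocked(req: Request, g: SocialGraph) -> Optional[str]:
    return "requester is blocked by subject" if g.has_blocked(req.subject, req.requester) else None


def rule_friends_only(req: Request, g: SocialGraph) -> Optional[str]:
    return None if g.is_friend(req.subject, req.requester) else "requester is not a friend"


def rule_friends_except(excluded: Set[str]) -> Rule:
    """'Friends except ...' audience: friends_only plus an explicit exclusion list."""
    def rule(req: Request, g: SocialGraph) -> Optional[str]:
        if req.requester in excluded:
            return "requester is explicitly excluded"
        return rule_friends_only(req, g)
    return rule


class AuthorizationServer:
    def __init__(self, graph: SocialGraph) -> None:
        self.graph = graph
        self.levels: Dict[Tuple[str, str], PrivacyLevel] = {}
        self.rules: Dict[Tuple[str, str], List[Rule]] = {}
        self.store: Dict[Tuple[str, str], str] = {}

    def set_policy(self, user: str, field_name: str, level: PrivacyLevel, rules=()) -> None:
        self.levels[(user, field_name)] = level
        self.rules[(user, field_name)] = list(rules)

    def store_data(self, user: str, field_name: str, value: str) -> bool:
        """NO_ACCESS means the server must not even hold the value; returns whether it was kept."""
        if self.levels.get((user, field_name), PrivacyLevel.PRIVATE) is PrivacyLevel.NO_ACCESS:
            return False
        self.store[(user, field_name)] = value
        return True

    def evaluate(self, req: Request) -> Tuple[Optional[str], str]:
        """Return (value or None, reason). A missing policy defaults to PRIVATE (fail closed)."""
        key = (req.subject, req.field_name)
        if key not in self.store:
            return None, "no such data"
        if req.requester == req.subject:
            return self.store[key], "owner"          # "only me" always passes for the owner
        level = self.levels.get(key, PrivacyLevel.PRIVATE)
        if level is not PrivacyLevel.SEMI_PUBLIC:
            return None, f"level {level.value} forbids release"
        for rule in self.rules.get(key, []):        # first objecting rule wins
            reason = rule(req, self.graph)
            if reason is not None:
                return None, reason
        return self.store[key], "semi-public and no rule objected"


def demo() -> Dict[str, object]:
    """Constructed users, friendships and policies; returns every decision for inspection."""
    g = SocialGraph(friends={"alice": {"bob", "carol"}, "bob": {"alice"}, "carol": {"alice"}},
                    blocked={"alice": {"dave"}})
    srv = AuthorizationServer(g)
    srv.set_policy("alice", "email", PrivacyLevel.SEMI_PUBLIC, [rule_not_blocked, rule_friends_only])
    srv.set_policy("alice", "birthday", PrivacyLevel.SEMI_PUBLIC,
                   [rule_not_blocked, rule_friends_except({"carol"})])
    srv.set_policy("alice", "phone", PrivacyLevel.PRIVATE)       # "only me"
    srv.set_policy("alice", "ssn", PrivacyLevel.NO_ACCESS)
    stored = {f: srv.store_data("alice", f, v) for f, v in
              [("email", "a@example.com"), ("birthday", "1990-01-01"),
               ("phone", "555-0100"), ("ssn", "000-00-0000")]}
    asks = [("bob", "email"), ("dave", "email"), ("erin", "email"), ("carol", "birthday"),
            ("bob", "birthday"), ("bob", "phone"), ("bob", "ssn"), ("alice", "phone")]
    out: Dict[str, object] = {"stored": stored}
    for who, f in asks:
        out[f"{who}->alice.{f}"] = srv.evaluate(Request(who, "alice", f))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points worth noting: the server refuses to store a "no access" field at all, so there is nothing to leak later, and a field with no configured level is denied to everyone but the owner rather than silently released. Rules are evaluated in order and the first objection is returned, so putting cheap, broad rules (blocked?) before narrower ones (friend?) keeps the decision both fast and explainable.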