Tuesday, July 28, 2015

SOUPS 2015: Usable Privacy and Security and the Human Factor

The CyLab Usable Privacy and Security Laboratory (CUPS) 11th Annual Symposium on Usable Privacy and Security (SOUPS) was hosted by Carleton University in Ottawa, Canada on July 22-24, 2015. CUPS Director Lorrie Cranor welcomed the attendees for three days of workshops and proceedings with participation from researchers in business, academia and government. The underlying theme of SOUPS every year is the human aspect of usable privacy and security. The theme is readily apparent in the keynote address and the proceedings, all of which address the human factor with varying methodologies.
Dr. Valerie Steeves

Opening the conference was keynote speaker Dr. Valerie Steeves, Department of Criminology at the University of Ottawa, with her presentation titled “Online Privacy for Kids: What Works, What Doesn’t.” Dr. Steeves opened her presentation by reminding the audience of the diversity of people impacted by digital privacy and security. She warned that the current digital privacy landscape leaves many children open to exploitation from commercial interests. While many view today's children as "digital natives" who are fluent with modern technology, she cautioned that 65% of older teen students had no understanding of even advanced web search features. As children increasingly flock to social media sites, which make up the majority of the top 10 websites most visited by kids, they expose themselves to data collection by large digital corporations. Despite laws like the Children's Online Privacy Protection Act, meant to curtail digital surveillance of children, these companies sidestep responsibility in their privacy policies by forbidding children's use of the site or deferring to parents to monitor kids' activity. Kids, in turn, don't understand the privacy risks they face—Dr. Steeves notes that many think the presence of a privacy policy on a website indicates their privacy is protected—and so are unprotected from surveillance.

Dr. Steeves went on to discuss that children conceptualize digital privacy very differently from adults. For the most part, she states, children rely on social norms to preserve their privacy online—in other words, if content wasn't meant for a certain audience, kids believe it is the responsibility of the audience to not look. Further, children use the digital world to explore their identities, to navigate trust and friendship, and to grow up. She explained that while kids might like talking to their family members online, parents and older relatives tend to "freak out" about online safety and end up invading kids' private online spaces, including private messages and texts. Children in her studies were very aware of surveillance from not only their parents and schools but also corporations and felt helpless and distrustful in response.

Finally, Dr. Steeves closed with a discussion of the social impact of this digital surveillance. She explained that algorithmic sorting—which is used to show ads based on the demographics and predicted interests of the viewer—exposes girls to female-focused products and media representations of women that establish norms for social presentation. The girls she has studied were very aware of the sexist double standard for how women present themselves online, and exposed the constant balancing act necessary to be "pretty, and a little sexy." Successful self-presentation is mediated, Dr. Steeves argued, by a girl's ability to live up to the popular media images that commercial interests present.

In sum, Dr. Steeves felt that the data protection model we currently have does not reflect kids' online world, and children need anonymity, space to explore identity and self-expression, and freedom from the commercialization that pushes impossible standards upon them.

Aside from the keynote address, the symposium included 22 papers and 30 posters. Carnegie Mellon University (CMU), home to the CyLab Usable Privacy and Security (CUPS) Lab and the MSIT-Privacy Engineering Masters Program, was well-represented at the symposium.
SOUPS 2015 poster session

In addition to the IAPP SOUPS Privacy Award winning paper, “My Data Just Goes Everywhere: User Mental Models of the Internet and Implications for Privacy and Security” by Ruogu Kang (HCII, CMU), Laura Dabbish (HCII & Heinz, CMU), Nathaniel Fruchter (Heinz, CMU), and Sara Kiesler (HCII, CMU), two other CMU papers were presented:
Florian Schaub presenting poster.
CMU also presented 2 posters, both of which were SOUPS Distinguished Poster Award winners:
SOUPS 2015 proceedings are available for download from USENIX.

SOUPS 2016 will be held June 22-24 in Denver, Colorado.

Thursday, January 29, 2015

New CMU Study Highlights Challenges of Complex Trade-Off in Privacy Decision-Making; “Privacy is not a modern invention, but a historically universal need,” says CyLab's Acquisti

In "Privacy and Human Behavior in the Information Age", a review published in the Jan. 30 special issue of the journal Science, CMU CyLab's Alessandro Acquisti and a team of fellow CMU researchers have detailed the privacy hurdles people face while navigating in the information age, and offered some perspectives on what should be done about privacy at a policy level.

In their review, Acquisti, professor of information technology and public policy at CMU’s H. John Heinz III College, and his co-authors, Laura Brandimarte and George Loewenstein, challenge a number of claims that have become common in the ongoing debate over privacy, including the claim that privacy may be an historical anomaly, or that people do not really care for data protection.

“Privacy is not a modern invention, but a historically universal need,” said Acquisti, the lead author. “In certain situations, individuals will care for privacy quite a lot and act to protect it, but advances in technology and the acceleration of data collection challenge our ability to make self-interested decisions in the face of increasingly complex tradeoffs.”

In the paper, the authors identify three themes prevalent in empirical research on privacy decisions and behavior: people are often uncertain about the consequences of privacy-related behaviors and their own preferences over these consequences; people’s concern, or lack thereof, about privacy is context dependent; and privacy concerns are malleable, particularly by commercial and government influences.

Full Text of CMU Press Release  

Some Related Links

CyLab's Alessandro Acquisti on Why Privacy Matters at TEDGlobal 2013

CyLab's Alessandro Acquisti and Co-Authors Release 7 Year Study on Evolution of Facebook Privacy and Disclosure

CyLab Researchers Featured on CBS Sixty Minutes

CyLab's Alessandro Acquisti at TEDx Mid-Atlantic

CyLab's Alessandro Acquisti and Fellow CMU Researcher Christina Fong Win IAPP Privacy Law Scholars Conference Award

New Study Co-Authored by CyLab Researcher: Face Recognition Software and Social Media Result in Increased Privacy Risks

CyLab Researcher’s Study Shows Social Security Numbers Can Be Predicted from Publicly Available Information

Friday, January 9, 2015

CMU CyLab's Dr. Lorrie Cranor named ACM Fellow

Dr. Lorrie Cranor, 10th Annual CyLab Partners Conference (October 2013)
Lorrie Faith Cranor, a professor in the Institute for Software Research and director of the CyLab Usable Privacy and Security Lab, is one of 47 computer scientists named as 2014 Fellows by the Association for Computing Machinery.

Cranor is a professor of computer science and of engineering and public policy and is co-director of the Privacy Engineering masters program. She was cited by the ACM for her contributions to research and education in usable privacy and security.

Cranor has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS).

She has authored over 100 research papers on online privacy, usable security, and other topics, served on numerous boards, and has testified about privacy issues before Congress.

She joined the CMU faculty in 2003 after seven years at AT&T Labs-Research.

ACM President Alexander L. Wolf acknowledged the advances made by Cranor and the other newly named ACM Fellows. “Our world has been immeasurably improved by the impact of their innovations,” he said. “We recognize their contributions to the dynamic computing technologies that are making a difference to the study of computer science, the community of computing professionals, and the countless consumers and citizens who are benefiting from their creativity and commitment.”

ACM will formally recognize the 2014 Fellows at its annual Awards Banquet in June in San Francisco.

See Also

A Decade Into Its Vital Work, Another Savory SOUPS, A Report from the 10th Annual Symposium On Usable Privacy and Security

Thursday, November 20, 2014

CyLab Chronicles: Researchers Share Compelling Work with Silicon Valley Thought Leaders, Technical Experts, Law Enforcement Officials and Media at Fall 2014 Executive Briefing

The Fall 2014 CyLab Executive Briefing, held at Carnegie Mellon University's Silicon Valley campus (NASA Research Park), brought together an RSVP invitation-only group of C-level executives, thought leaders, technical experts, venture capitalists, government investigators and one cyber journalist (with an exclusive) for an update from one of the world's premier cyber security and privacy research programs.

The event consisted of four compelling presentations from CyLab researchers (with Q and A) followed by open-ended dialogue over a delicious buffet luncheon.

The fifteen organizations represented ranged from high tech manufacturers and financial services institutions to social media giants and federal law enforcement agencies.

The presentations delivered reflected the broad scope of CyLab research:

Osman Yagan on "Designing Secure and Reliable Wireless Sensor Networks"

Bruce De Bruhl for Patrick Tague on "That Moment When You Realize Your Network Has Become Self-Aware"

David Brumley on "Software Security"

Anupam Datta on "Privacy through Accountability"

CyLab's Executive Briefings are an outreach to leaders in business, government and the media tasked with cyber security and privacy responsibilities. For half a day, attendees get a glimpse into just a few of the benefits that come with CyLab partnership. These benefits range from online access to the CyLab Seminar Series and attendance at the annual CyLab Partners Conference to the opportunity to put their own researcher at a desk in CyLab for a month or a year, and the opportunity to help design a CyLab research project and to be integrally involved in its ongoing progress.

Here is a recording of one of the four presentations from this CyLab Executive Briefing, Anupam Datta on "Privacy Through Accountability" --

Tuesday, October 28, 2014

CyLab Chronicles: 2014 CyLab Partners Conference Explores Latest Research Into Vital Cyber Security and Privacy Issues

Student Poster Session, 11th Annual CyLab Partners Conference (October 2014)
The eleventh annual CyLab Partners Conference was held at the main campus of Carnegie Mellon University in Pittsburgh, Pennsylvania, on October 7th and 8th, 2014.

For two days, representatives of a dozen partners were briefed on CyLab's latest research across a broad spectrum of vital issues in the fields of cyber security and privacy. With nineteen presentations, five shared meals and a student poster session, attendees were provided with ample opportunities to both engage in meaningful dialogue with CyLab researchers and network with each other.

Four new CyLab Partners joined us for this year's event: PNC Financial Services Group (PNC), TD Ameritrade, UPMC (University of Pittsburgh Medical Center) and the National Police Agency of Japan.

Partners Conference attendance is an exclusive benefit of formal partnership with CyLab, as is access to the archive of video recordings, presentations and student posters for this year as well as previous years.

CyLab Director Virgil Gligor welcomes attendees, 11th Annual CyLab Partners Conference (October 2014)
Each year, to promote the CyLab program and contribute to the public good, we post a few select conference session videos for free, public access via the CyLab YouTube Channel and CyLab on iTunesU. This year's selections include four full faculty presentations and a fourteen minute sampler with brief excerpts from several other sessions:
For more on the benefits of CyLab partnership, and other aspects of the Carnegie Mellon University CyLab program, visit CyLab Online.

Some Related Posts
Anupam Datta, 11th Annual CyLab Partners Conference (October 2014)

Wednesday, August 27, 2014

CMU CyLab Researchers Win USENIX Security 2014 Best Student Paper Award; Seven Other CMU Papers Delivered

As with other leading conferences in the vital fields of cyber security and privacy, Carnegie Mellon University (CMU) CyLab researchers distinguished themselves at USENIX Security 2014, the 23rd USENIX Security Symposium, held in San Diego, California, 8/20/14-8/22/14.

Three hundred fifty papers were submitted to the USENIX program committee, and the ensuing process, which involved 1,340 reviews and 1,627 follow up comments, resulted in sixty-seven papers being accepted for publication, including several from CMU CyLab researchers.

Most notably, CMU's Kyle Soska won one of two Best Student Paper Awards for Automatically Detecting Vulnerable Websites Before They Turn Malicious, co-authored with CyLab faculty member Nicolas Christin.

Additionally, CyLab faculty member David Brumley co-authored three of the published papers:

BYTEWEIGHT: Learning to Recognize Functions in Binary Code, with Tiffany Bao, Jonathan Burket, and Maverick Woo of Carnegie Mellon University and Rafael Turner, University of Chicago.

Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components, with Manuel Egele, Maverick Woo and Peter Chapman.

Optimizing Seed Selection for Fuzzing, with Alexandre Rebert, Carnegie Mellon University and ForAllSecure; Sang Kil Cha and Thanassis Avgerinos of Carnegie Mellon University; Jonathan Foote and David Warren of Software Engineering Institute CERT; Gustavo Grieco of Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas (CIFASIS) and Consejo Nacional de Investigaciones Científicas y Técnicas (CONICET).

Brumley also delivered a paper for one of the workshops that preceded the main body of the Symposium itself, PicoCTF: A Game-Based Computer Security Competition for High School Students, co-authored with Peter Chapman and Jonathan Burket, also from CMU.

CyLab Usable Security and Privacy (CUPS) Lab director Lorrie Cranor teamed up with Cormac Herley, Principal Researcher in the Machine Learning Department at Microsoft Research, and several colleagues, Saranga Komanduri and Richard Shay of CMU and Stuart Schechter of Microsoft Research, to co-author Telepathwords: Preventing Weak Passwords by Reading Users' Minds.

Two other CMU-authored papers were presented at USENIX Security 2014:

The Long "Taile" of Typosquatting Domain Names, co-authored by Janos Szurdi, Carnegie Mellon University; Balazs Kocso and Gabor Cseh, Budapest University of Technology and Economics; Jonathan Spring, Carnegie Mellon University; Mark Felegyhazi, Budapest University of Technology and Economics; and Chris Kanich, University of Illinois at Chicago.

Password Managers: Attacks and Defenses, co-authored by David Silver, Suman Jana, and Dan Boneh, Stanford University; Eric Chen and Collin Jackson, Carnegie Mellon University.

Thursday, August 21, 2014

CMU CyLab PPP and CUPS teams win “Capture the Flag” and “Crack Me If You Can” contests at DEFCON 22

Members of CMU CyLab's Plaid Parliament of Pwning (PPP)
Carnegie Mellon University demonstrated its cyber prowess at DEFCON 22 by winning the “Capture the Flag” and “Crack Me If You Can” contests ...

Carnegie Mellon’s computer hacking team, the Plaid Parliament of Pwning (PPP), took first place for the second consecutive year in the Capture the Flag (CTF) contest. Globally, hundreds of teams battle throughout the year for one of 20 slots at DEFCON’s CTF competition, which has been called the “World Series of hacking.”

“Our team competed against universities and also against large defense contractors. This win is a huge accomplishment for our team,” says team advisor David Brumley, an associate professor of Electrical and Computer Engineering and the technical director of Carnegie Mellon CyLab.

The PPP team qualified for DEFCON for the last three years, and won first place in 2013 and again in 2014. The PPP team is part of CyLab’s Undergraduate Computer Security Research group, and it consists of 35 members from the College of Engineering and the School of Computer Science.

At DEFCON 22, the team was limited to eight members: George Hotz, Ryan Goulden, Tyler Nighswander, Brian Pak, Alex Reece, Max Serrano, Andrew Wesie, Ricky Zhou ...

A second team, this one from CyLab Usable Privacy and Security (CUPS) Lab, and simply named “cmu,” won the Street Division category in the “Crack Me If You Can” contest. In this two-day event sponsored by KoreLogic Security, teams exposed or “cracked” encrypted passwords.

"The students leveraged what they had learned from our research studies to develop their winning strategy," CUPS Director Lorrie Cranor says, "It is remarkable for a first-time team to win this competition." Cranor and fellow CyLab faculty members Lujo Bauer and Nicolas Christin, along with their team of students, are responsible for a growing body of work on passwords.

"Black Badge" bestowed upon CTF winners guarantees lifetime free entry to DEFCON
See Also

CyLab's David Brumley and His Student Hacker Team Featured on PBS NEWSHOUR and CNBC

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition

CUPS Password Research Studies