Thursday, January 29, 2015

New CMU Study Highlights Challenges of Complex Trade-Off in Privacy Decision-Making; “Privacy is not a modern invention, but a historically universal need,” says CyLab's Acquisti

In "Privacy and Human Behavior in the Information Age", a review published in the Jan. 30 special issue of the journal Science, CMU CyLab's Alessandro Acquisti and a team of fellow CMU researchers have detailed the privacy hurdles people face while navigating in the information age, and offered some perspectives on what should be done about privacy at a policy level.

In their review, Acquisti, professor of information technology and public policy at CMU’s H. John Heinz III College, and his co-authors, Laura Brandimarte and George Loewenstein, challenge a number of claims that have become common in the ongoing debate over privacy, including the claim that privacy may be an historical anomaly, or that people do not really care for data protection.

“Privacy is not a modern invention, but a historically universal need,” said Acquisti, the lead author. “In certain situations, individuals will care for privacy quite a lot and act to protect it, but advances in technology and the acceleration of data collection challenge our ability to make self-interested decisions in the face of increasingly complex tradeoffs.”

In the paper, the authors identify three themes prevalent in empirical research on privacy decisions and behavior: people are often uncertain about the consequences of privacy-related behaviors and their own preferences over these consequences; people’s concern, or lack thereof, about privacy is context dependent; and privacy concerns are malleable, particularly by commercial and government influences.

Full Text of CMU Press Release  

Some Related Links

CyLab's Alessandro Acquisti on Why Privacy Matters at TEDGlobal 2013

CyLab's Alessandro Acquisti and Co-Authors Release 7 Year Study on Evolution of Facebook Privacy and Disclosure

CyLab Researchers Featured on CBS Sixty Minutes

CyLab's Alessandro Acquisti at TEDx Mid-Atlantic

CyLab's Alessandro Acquisti and Fellow CMU Researcher Christina Fong Win IAPP Privacy Law Scholars Conference Award

New Study Co-Authored by CyLab Researcher: Face Recognition Software and Social Media Result in Increased Privacy Risks

CyLab Researcher’s Study Shows Social Security Numbers Can Be Predicted from Publicly Available Information

Friday, January 9, 2015

CMU CyLab's Dr. Lorrie Cranor named ACM Fellow

Dr. Lorrie Cranor, 10th Annual CyLab Partners Conference (October 2013)
Lorrie Faith Cranor, a professor in the Institute for Software Research and director of the CyLab Usable Privacy and Security Lab, is one of 47 computer scientists named as 2014 Fellows by the Association for Computing Machinery.

Cranor is a professor of computer science and of engineering and public policy and is co-director of the Privacy Engineering masters program. She was cited by the ACM for her contributions to research and education in usable privacy and security.

Cranor has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS).

She has authored over 100 research papers on online privacy, usable security, and other topics, served on numerous boards, and has testified about privacy issues before Congress.

She joined the CMU faculty in 2003 after seven years at AT&T Labs-Research.

ACM President Alexander L. Wolf acknowledged the advances made by Cranor and the other newly named ACM Fellows. “Our world has been immeasurably improved by the impact of their innovations,” he said. “We recognize their contributions to the dynamic computing technologies that are making a difference to the study of computer science, the community of computing professionals, and the countless consumers and citizens who are benefiting from their creativity and commitment.”

ACM will formally recognize the 2014 Fellows at its annual Awards Banquet in June in San Francisco.

See Also

A Decade Into Its Vital Work, Another Savory SOUPS, A Report from the 10th Annual Symposium On Usable Privacy and Security

Thursday, November 20, 2014

CyLab Chronicles: Researchers Share Compelling Work with Silicon Valley Thought Leaders, Technical Experts, Law Enforcement Officials and Media at Fall 2014 Executive Briefing

The Fall 2014 CyLab Executive Briefing, held at Carnegie Mellon University's Silicon Valley campus (NASA Research Park), brought together an RSVP invitation-only group of C-level executives, thought leaders, technical experts, venture capitalists, government investigators and one cyber journalist (with an exclusive) for an update from one of the world's premier cyber security and privacy research programs.

The event consisted of four compelling presentations from CyLab researchers (with Q and A) followed by open-ended dialogue over a delicious buffet luncheon.

The fifteen organizations represented ranged from high tech manufacturers and financial services institutions to social media giants and federal law enforcement agencies.

The presentations delivered reflected the broad scope of CyLab research:

Osman Yagan on "Designing Secure and Reliable Wireless Sensor Networks"

Bruce De Bruhl for Patrick Tague on "That Moment When You Realize Your Network Has Become Self-Aware"

David Brumley on "Software Security"

Anupam Datta on "Privacy through Accountability"

CyLab's Executive Briefings are an outreach to leaders in business, government and the media tasked with cyber security and privacy responsibilities. For half a day, attendees get a glimpse into just a few of the benefits that come with CyLab partnership. These benefits range from online access to the CyLab Seminar Series and attendance at the annual CyLab Partners Conference to the opportunity to put their own researcher at a desk in CyLab for a month or a year, and the opportunity to help design a CyLab research project and to be integrally involved in its ongoing progress.

Here is a recording of one of the four presentations from this CyLab Executive Briefing, Anupam Datta on "Privacy Through Accountability" --

Tuesday, October 28, 2014

CyLab Chronicles: 2014 CyLab Partners Conference Explores Latest Research Into Vital Cyber Security and Privacy Issues

Student Poster Session, 11th Annual CyLab Partners Conference (October 2014)
The eleventh annual CyLab Partners Conference was held at the main campus of Carnegie Mellon University in Pittsburgh, Pennsylvania, on October 7th and 8th, 2014.

For two days, representatives of a dozen partners were briefed on CyLab's latest research across a broad spectrum of vital issues in the fields of cyber security and privacy. With nineteen presentations, five shared meals and a student poster session, attendees were provided with ample opportunities to both engage in meaningful dialogue with CyLab researchers and network with each other.

Four new CyLab Partners joined us for this year's event: PNC Financial Services Group (PNC), TD Ameritrade, UPMC (University of Pittsburgh Medical Center) and the National Police Agency of Japan.

Partners Conference attendance is an exclusive benefit of formal partnership with CyLab, as is access to the archive of video recordings, presentations and student posters for this year as well as previous years.

CyLab Director Virgil Gligor welcomes attendees, 11th Annual CyLab Partners Conference (October 2014)
Each year, to promote the CyLab program and contribute to the public good, we post a few select conference session videos for free, public access via the CyLab YouTube Channel and CyLab on iTunesU. This year's selections include four full faculty presentations and a fourteen minute sampler with brief excerpts from several other sessions:

For more on the benefits of CyLab partnership, and other aspects of the Carnegie Mellon University CyLab program, visit CyLab Online.

Anupam Datta, 11th Annual CyLab Partners Conference (October 2014)

Wednesday, August 27, 2014

CMU CyLab Researchers Win USENIX Security 2014 Best Student Paper Award; Seven Other CMU Papers Delivered

As with other leading conferences in the vital fields of cyber security and privacy, Carnegie Mellon University (CMU) CyLab researchers distinguished themselves at USENIX Security 2014, the 23rd USENIX Security Symposium, held in San Diego, California, 8/20/14-8/22/14.

Three hundred fifty papers were submitted to the USENIX program committee, and the ensuing process, which involved 1,340 reviews and 1,627 follow up comments, resulted in sixty-seven papers being accepted for publication, including several from CMU CyLab researchers.

Most notably, CMU's Kyle Soska won one of two Best Student Paper Awards for Automatically Detecting Vulnerable Websites Before They Turn Malicious, co-authored with CyLab faculty member Nicolas Christin.

Additionally, CyLab faculty member David Brumley co-authored three of the published papers:

BYTEWEIGHT: Learning to Recognize Functions in Binary Code, with Tiffany Bao, Jonathan Burket, and Maverick Woo of Carnegie Mellon University and Rafael Turner, University of Chicago.

Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components, with Manuel Egele, Maverick Woo and Peter Chapman.

Optimizing Seed Selection for Fuzzing, with Alexandre Rebert, Carnegie Mellon University and ForAllSecure; Sang Kil Cha and Thanassis Avgerinos of Carnegie Mellon University; Jonathan Foote and David Warren of Software Engineering Institute CERT; Gustavo Grieco of Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas (CIFASIS) and Consejo Nacional de Investigaciones Científicas y Técnicas (CONICET).

Brumley also delivered a paper for one of the workshops that preceded the main body of the Symposium itself, PicoCTF: A Game-Based Computer Security Competition for High School Students, co-authored with Peter Chapman and Jonathan Burket, also from CMU.

CyLab Usable Security and Privacy (CUPS) Lab director Lorrie Cranor teamed up with Cormac Herley, Principal Researcher in the Machine Learning Department at Microsoft Research, and several colleagues, Saranga Komanduri and Richard Shay of CMU and Stuart Schechter of Microsoft Research, to co-author Telepathwords: Preventing Weak Passwords by Reading Users' Minds.

Two other CMU-authored papers were presented at USENIX Security 2014:

The Long "Taile" of Typosquatting Domain Names co-authored by Janos Szurdi, Carnegie Mellon University; Balazs Kocso and Gabor Cseh, Budapest University of Technology and Economics; Jonathan Spring, Carnegie Mellon University; Mark Felegyhazi, Budapest University of Technology and Economics; and Chris Kanich, University of Illinois at Chicago. 

Password Managers: Attacks and Defenses co-authored by David Silver, Suman Jana, and Dan Boneh, Stanford University; Eric Chen and Collin Jackson, Carnegie Mellon University.

Thursday, August 21, 2014

CMU CyLab PPP and CUPS teams win “Capture the Flag” and “Crack Me If You Can” contests at DEFCON 22

Members of CMU CyLab's Plaid Parliament of Pwning (PPP)
Carnegie Mellon University demonstrated its cyber prowess at DEFCON 22 by winning the “Capture the Flag” and “Crack Me If You Can” contests ...

Carnegie Mellon’s computer hacking team, the Plaid Parliament of Pwning (PPP), took first place for the second consecutive year in the Capture the Flag (CTF) contest. Globally, hundreds of teams battle throughout the year for one of 20 slots at DEFCON’s CTF competition, which has been called the “World Series of hacking.”

“Our team competed against universities and also against large defense contractors. This win is a huge accomplishment for our team,” says team advisor David Brumley, an associate professor of Electrical and Computer Engineering and the technical director of Carnegie Mellon CyLab.

The PPP team qualified for DEFCON for the last three years, and won first place in 2013 and again in 2014. The PPP team is part of CyLab’s Undergraduate Computer Security Research group, and it consists of 35 members from the College of Engineering and the School of Computer Science.

At DEFCON 22, the team was limited to eight members: George Hotz, Ryan Goulden, Tyler Nighswander, Brian Pak, Alex Reece, Max Serrano, Andrew Wesie, Ricky Zhou ...

A second team, this one from CyLab Usable Privacy and Security (CUPS) Lab, and simply named “cmu,” won the Street Division category in the “Crack Me If You Can” contest. In this two-day event sponsored by KoreLogic Security, teams exposed or “cracked” encrypted passwords.

"The students leveraged what they had learned from our research studies to develop their winning strategy," CUPS Director Lorrie Cranor says. "It is remarkable for a first-time team to win this competition." Cranor and fellow CyLab faculty members Lujo Bauer and Nicolas Christin, along with their team of students, are responsible for a growing body of work on passwords.

"Black Badge" bestowed upon CTF winners guarantees lifetime free entry to DEFCON

See Also

CyLab's David Brumley and His Student Hacker Team Featured on PBS NEWSHOUR and CNBC

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition

CUPS Password Research Studies

Sunday, July 13, 2014

A Decade Into Its Vital Work, Another Savory SOUPS, A Report from the 10th Annual Symposium On Usable Privacy and Security

CMU CyLab's Dr. Lorrie Cranor, Founder of CUPS and SOUPS, preps for welcoming remarks at SOUPS 2014

The CyLab Usable Privacy and Security Laboratory (CUPS) 10th Annual Symposium on Usable Privacy and Security (SOUPS) was hosted by Facebook at its headquarters in Menlo Park, California (7/9/14 - 7/11/14). CUPS Director Lorrie Cranor welcomed the attendees, with record-breaking numbers in both attendance and papers submitted. For three full days of proceedings, hundreds of researchers from business, academia and government communed together amidst the proliferation of signage which has come to characterize the social media giant's corporate culture: e.g., "Ship Love," "Ruthless Prioritization," "Demand Success," Nelson Mandela, arms outstretched, with the caption, "Open the Doors," etc. (Not so subliminal messaging.)

Perhaps more poignantly than any previous SOUPS keynote, Christopher Soghoian of American Civil Liberties Union (ACLU) articulated the vital nature of research into usable privacy and security. Putting flesh and blood on these issues, Soghoian used examples from the shadow world of investigative reporters and whistle-blowers to highlight the need for privacy and security software that is not only robust but eminently usable. One great benefit of the revelations brought forth by Glenn Greenwald in the Edward Snowden affair, Soghoian opined, is that there has been increased crypto adoption by journalists.

But the heightened engagement has also brought long-standing problems into a harsh new light. For example, Soghoian told SOUPS attendees, many investigative journalists using PGP still do not realize subject lines are not encrypted. "The best our community has to offer sucks, the usability and the default values suck," Soghoian declared, "the software is not protecting journalists and human rights activists, and that's our fault as researchers."

As contributing market factors for why we still don't have usable encryption, Soghoian cited: potential data loss ("telling your customer that they've just lost every photo of their children is a non starter"), current business models, and of course, government pressure.

Facebook HQ Signage, 1 Hacker Way, Menlo Park
In other parts of his very substantive keynote, Soghoian touched on consumer issues related to the efficacy of privacy and security. He elucidated the differences in privacy and security between the iPhone and the Android: "The privacy and security differences ... are not advertised." He also shed light on a new aspect of the growing gap between rich and poor, "security by default for the rich," and "insecurity by default for the poor." "Those who are more affluent get the privacy benefits without shopping around," he explained, because the discounted, and mass-marketed versions of software often do not have the same full-featured privacy and security as the more expensive business or professional versions.

[NOTE: Full-length video of Soghoian's keynote is available via the CyLab YouTube Channel.]

Several awards were also announced during the opening sessions, including:

The 2014 IAPP SOUPS Privacy Award for the paper with the most practical application in the field of privacy went to Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences authored by Allison Woodruff, Vasyl Pihur, Sunny Consolvo, and Lauren Schmidt of Google; and Laura Brandimarte and Alessandro Acquisti of Carnegie Mellon University.

The 2014 SOUPS Impact Award for a SOUPS paper "published between 2005 and 2009 that has had a significant impact on usable privacy and security research and practice" went to Usability of CAPTCHAs or Usability Issues in CAPTCHA Design authored in 2008 by Jeff Yan and Ahmad Salah El Ahmad of Newcastle University (UK).

Two Distinguished Papers awards were presented:

Understanding and Specifying Social Access Control Lists, authored by Mainack Mondal of Max Planck Institute for Software Systems (MPI-SWS), Yabing Liu of Northeastern University, Bimal Viswanath and Krishna P. Gummadi of Max Planck Institute for Software Systems (MPI-SWS), and Alan Mislove of Northeastern University.

Crowdsourcing Attacks on Biometric Systems, authored by Saurabh Panjwani, an independent consultant, and Achintya Prakash of University of Michigan.

Carnegie Mellon University (CMU), home to the CyLab Usable Privacy and Security (CUPS) Lab and the MSIT-Privacy Engineering Masters Program, was well represented in the proceedings.

In addition to the IAPP SOUPS Privacy Award winning "Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences," co-authored with Google researchers, several other CMU papers were presented:

Parents’ and Teens’ Perspectives on Privacy In a Technology-Filled World, authored by Lorrie Faith Cranor, Adam L. Durity, Abigail Marsh, and Blase Ur, Carnegie Mellon University

Privacy Attitudes of Mechanical Turk Workers and the U.S. Public, authored by Ruogu Kang, Carnegie Mellon University, Stephanie Brown, Carnegie Mellon University and American University, Laura Dabbish and Sara Kiesler, Carnegie Mellon University

CMU researcher Ruogu Kang presenting Privacy Attitudes of Mechanical Turk Workers and the U.S. Public

Harder to Ignore? authored by Cristian Bravo-Lillo, Lorrie Cranor, and Saranga Komanduri, Carnegie Mellon University, Stuart Schechter, Microsoft Research, Manya Sleeper, Carnegie Mellon University

The Effect of Social Influence on Security Sensitivity, authored by Sauvik Das, Tiffany Hyun-Jin Kim, Laura A. Dabbish, and Jason I. Hong, Carnegie Mellon University

Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, authored by Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I. Hong, Carnegie Mellon University

The full proceedings of SOUPS 2014 are available via USENIX.

-- Richard Power

Check out CyLab CyBlog's Archive of SOUPS Coverage

A Distinguished Paper Award for CUPS, and Other News from Ninth Annual SOUPS 2013

CyLab's SOUPS 2012 Continues Its Ongoing, Deepening Dialogue on What Works and What Doesn't

SOUPS 2011 Advances Vital Exploration of Usability and Its Role in Strengthening Privacy and Security  

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS 2008)

Mike Farb of CyLab's SafeSlinger project presents during the 2014 EFF Crypto Usability Prize (EFF CUP) Workshop on Day One of SOUPS 2014