Saturday, February 6, 2010

CyLab Seminar Series Notes: Lujo Bauer Shares Glimpse into CyLab Research on Usable Privacy & Security in the Digital Home

[NOTE: CyLab's weekly seminar series provides a powerful platform for highlighting vital research. The physical audience in the auditorium is composed of Carnegie Mellon University faculty and graduate students, but CyLab's corporate partners also have access to both the live stream and the archived content via the World Wide Web. From time to time, CyBlog whets your appetite by offering brief glimpses into these talks. Here are some of my notes on a talk delivered by CyLab researcher Lujo Bauer on 2-1-10. At the end of this post you will find links to other issues of CyLab Seminar Series Notes as well as two editions of CyLab Chronicles that highlight Bauer's work. -- Richard Power]


According to Lujo Bauer, “Usability” is often seen as the last phase in system design.
“One of the problems in the way we build systems is that first we build the system, and then perhaps we start thinking about how to best design the interfaces that we dress the system up in ...”
The thesis for Bauer’s seminar: “Creating usable systems often requires not just the help of usability experts, but that the system architects are usability experts.”
“Usability is something that we should pay attention to, and start building into our systems from the design phase onward; and not something that can just be always tacked on at the end.”
Bauer supported his thesis with three examples from his personal experience in research. Two of the examples were based on user studies, from which the team learned something important about the very initial phases of system design. The third example came from an instance where the research team tried to make a system more usable after it was deployed, and learned which features were needed.
One of these examples involved the Expandable Grid, a robust interface that shows effective policy instead of policy rules, as well as both user and file hierarchies (groups), and also displays the entire policy on the screen; another involved Grey, a smartphone-based, end-user-driven access control system for physical and virtual resources deployed in Carnegie Mellon’s Collaborative Innovation Center (CIC); and the third example, the one we will focus on here, involved the “Future Digital Home,” and highlights not only the CyLab research thrust into “Usable Privacy and Security” but also the CyLab research thrust into “Securing the Digital Home.”
“Most of us already have a bunch of gadgets at home: digital cameras, maybe a network drive, a TV that can stream Netflix, things like that. In the near future, this will become much more extreme. We will have dozens of devices in our home, which will either gather information or store information that we put on them, or will be used for viewing information. Think of this information as being media, whether it's music, or video, or home surveillance; you can also think of it as being files, e.g., tax records, or homework, or papers; you can think of it as your current shopping list, or the content of your refrigerator. Your refrigerator is going to have a little computer built into it and it is going to keep track of how much milk is left, and you are going to want to use your phone every once in a while to ask your refrigerator how much milk there is because you are going to be walking by a grocery store, and wondering if you should pick up milk.”

“So there are exciting new capabilities from the user perspective, but on the other hand, there are also big questions, and one of the big questions is who handles security and reliability? In this environment, with many devices in my home that all somehow talk to each other and share data, I want to make it the case that I can always access all the information, confidential or otherwise, and I can also let any of my friends, or specific friends, gain access to some of this information, but at the same time I might have really confidential data in the system, and it could be terrible if the wrong person got access.”
“We’re also dealing with people who are not professional system administrators. The only people in the home are the people that live there. They don’t take classes in system administration; so the interfaces that they use to configure the system correctly, or tell the system what they want it to do, have to be somehow specifically tailored to them. These interfaces can’t require much expertise.”
The goal of the research the CyLab team is doing in this area is to provide usable security for digital home storage: enabling users to effectively specify and understand policies, and to use and trust the mechanisms that enforce them.
“Having learned something from previous projects that we had done, we decided to start out with some user studies. Technical researchers are notoriously bad judges of what end users do … “
The first study was based on in-situ, semi-structured interviews of subjects recruited via Craigslist and the distribution of fliers. The study subjects were limited to non-programmer households. There were thirty-three users (from eight to fifty-nine years of age) in fifteen households, ranging from families to couples to roommates.
“We also covered a wide range of expertise: even though there were no programmer households, we had people whose households had as many as twenty-something digital devices for two people, or as few as four or five digital devices for a family of three or four.”
House maps were used as reference points in the interviews.
“We had the participants draw maps of their households, and on these maps indicate where various digital devices might live. And we used these maps later to make sure that when we talked about the various digital devices and types of data, we could actually cover all the devices that they had."

The study yielded some insightful findings:
Current methods are not working: Although almost all of the participants worried about sensitive data, their access control mechanisms varied and were often ad hoc.
Policy needs are complex: Fine-grained divisions of people and files are needed (e.g., distinguishing between “public” and “private” isn’t enough), dimensions beyond “person” are needed (e.g., “presence” proved important to most and “location” proved important to many), and of course, there was wide variation across participants (e.g., in definitions of what is most private and who is most trusted).
A-priori policy isn’t enough: People want to be asked permission (even when their policy already grants access), they want to know not only who is accessing files but why, and they want the capability to review access and revise policy.
Mental models do not equal system realities: Mismatches between current systems and users’ mental models may lead those users astray.
From these findings, Bauer and his fellow researchers distilled a set of useful guidelines for anybody building such a system:
Allow fine-grained control
Plan for lending devices
Include reactive policy creation and usable logs
Reduce or eliminate up-front complexity
Acknowledge social conventions
Support iterative policy specification
Account for users’ mental models
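To make the guidelines above concrete, here is a small Python access-control engine written for this post (my own added example, not CyLab's or Bauer's code). It models the points the study raised: people and files in nested groups rather than a flat public/private split, rule dimensions beyond "person" (owner presence and requester location), a reactive ASK outcome that prompts the owner instead of silently denying unknown requests, an owner's answer that can be remembered as a new rule so policy grows iteratively, a log that records who, what and why, and an effective-policy view per person in the spirit of the Expandable Grid's "effective policy instead of rules". The household, groups, file names and requests are constructed for illustration.

```python
"""Toy access-control engine for a digital home, shaped by the guidelines above.

Added example, not CyLab's code. People, groups, files and requests are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"  # reactive policy: prompt the owner when the request happens


# On a tie in specificity the safer answer wins.
_PRIORITY = {Decision.DENY: 2, Decision.ASK: 1, Decision.ALLOW: 0}


@dataclass(frozen=True)
class Rule:
    subject: str                            # a person or a group name
    resource: str                           # a file, or a folder prefix ending in "/"
    decision: Decision
    owner_present: Optional[bool] = None    # dimension beyond "person": presence
    from_location: Optional[str] = None     # dimension beyond "person": location


@dataclass(frozen=True)
class Context:
    owner_present: bool
    location: str                           # where the requester is: "home" or "away"


@dataclass
class HomePolicy:
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)
    log: List[dict] = field(default_factory=list)
    default: Decision = Decision.ASK        # no rule yet -> ask, not silently deny

    def members(self, group: str) -> Set[str]:
        """People in a group, following nested groups (cycle-safe)."""
        people, seen, todo = set(), set(), [group]
        while todo:
            g = todo.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self.groups.get(g, set()):
                (todo.append if m in self.groups else people.add)(m)
        return people

    def _applies(self, rule: Rule, who: str, what: str, ctx: Context) -> bool:
        subject_ok = rule.subject == who or who in self.members(rule.subject)
        resource_ok = rule.resource == what or (
            rule.resource.endswith("/") and what.startswith(rule.resource))
        context_ok = (rule.owner_present in (None, ctx.owner_present)
                      and rule.from_location in (None, ctx.location))
        return subject_ok and resource_ok and context_ok

    def _lookup(self, who, what, ctx):
        """Most specific applicable rule wins: longest path, then a rule naming
        the person over a group rule, then the safer decision."""
        matches = [r for r in self.rules if self._applies(r, who, what, ctx)]
        if not matches:
            return self.default, None
        best = max(matches, key=lambda r: (len(r.resource), r.subject == who,
                                           _PRIORITY[r.decision]))
        return best.decision, best

    def decide(self, who, what, ctx, why=""):
        """Answer a request and record who, what, why and which rule decided."""
        decision, rule = self._lookup(who, what, ctx)
        self.log.append({"who": who, "what": what, "why": why,
                         "decision": decision.value, "rule": rule,
                         "owner_present": ctx.owner_present, "from": ctx.location})
        return decision

    def answer(self, who, what, decision, remember=False):
        """Owner's reply to an ASK; remember=True turns it into a rule, so policy
        grows from real requests instead of being written up front."""
        if remember:
            self.rules.append(Rule(who, what, decision))
        self.log.append({"who": who, "what": what, "why": "owner answered prompt",
                         "decision": decision.value, "rule": None,
                         "owner_present": None, "from": None})
        return decision

    def effective(self, who, resources, ctx):
        """Effective policy for one person (what a grid view shows instead of rules)."""
        return {r: self._lookup(who, r, ctx)[0].value for r in resources}


def build_example() -> HomePolicy:
    """Constructed household: two adults, one child, one guest."""
    p = HomePolicy(groups={"family": {"alice", "bob"}, "kids": {"carol"},
                           "household": {"family", "kids"}, "guests": {"dave"}})
    p.rules += [
        Rule("household", "photos/", Decision.ALLOW),
        Rule("guests", "photos/", Decision.ALLOW, owner_present=True, from_location="home"),
        Rule("household", "taxes/", Decision.DENY),
        Rule("alice", "taxes/", Decision.ALLOW),           # finer than the group rule
        Rule("kids", "photos/party-2009/", Decision.ASK),  # ask before a child sees these
    ]
    return p


if __name__ == "__main__":
    policy = build_example()
    at_home = Context(owner_present=True, location="home")
    print(policy.decide("dave", "photos/vacation.jpg", at_home, why="wants the beach pictures"))
    print(policy.effective("carol", ["photos/x.jpg", "photos/party-2009/1.jpg"], at_home))
    for entry in policy.log:
        print(entry)
```

The interesting behaviour is in the edge cases: the guest rule simply stops applying when the owner is away or the request comes from outside the house, so the request falls through to ASK rather than to a silent deny; a rule naming Alice on the taxes folder overrides the household-wide deny on the same folder; and once the owner answers a prompt with remember=True, the same request is allowed next time by a rule the owner never had to write up front, while the log still shows the stated reason for every access.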

Related CyLab Chronicles

CyLab Chronicles: Q&A with Lujo Bauer (2009)

CyLab Chronicles: Q&A with Lujo Bauer (2008)

Other CyLab Seminar Notes

CyLab Seminar Series Notes: The Evolution of A Hacking Tool, Moxie Marlinspike on SSLstrip

CyLab Seminar Series Notes: User-Controllable Security and Privacy -- Norman Sadeh asks, "Are Expectations Realistic?"

CyLab Seminar Series: Of Frogs, Herds, Behavioral Economics, Malleable Privacy Valuations, and Context-Dependent Willingness to Divulge Personal Info

CyLab Seminar Series Notes: Why do people and corporations not invest more in security?

CyLab Research Update: Basic Instincts in the Virtual World?

For information on the benefits of partnering with CyLab, contact Gene Hambrick, CyLab Director of Corporate Relations: hambrick at