Monday, July 16, 2012

CyLab's SOUPS Continues Its Ongoing, Deepening Dialogue on What Works and What Doesn't

Last week in Washington, D.C., the important work of the Symposium on Usable Privacy and Security (SOUPS), now in its eighth year, continued to deepen and expand. The annual event, shaped and led by Dr. Lorrie Cranor, Director of CyLab Usable Privacy and Security (CUPS) Lab, generates rich content with which to better inform the development of programs, policies and applications.

SOUPS' technical paper sessions were organized into five categories:

Mobile Privacy and Security

User Perceptions

Authentication

Online Social Networks

Access Control

Here are excerpts from select papers in each of these categories, along with links to the full texts:

Mobile Privacy and Security

Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, David Wagner, Android Permissions: User Attention, Comprehension, and Behavior, UC Berkeley:

We performed two usability studies to address the attention, comprehension, and behavior questions ... Our primary findings are: Attention. In both the Internet survey and laboratory study, 17% of participants paid attention to permissions during a given installation. At the same time, 42% of laboratory participants were unaware of the existence of permissions. Comprehension. Overall, participants demonstrated very low rates of comprehension. Only 3% of Internet survey respondents could correctly answer three comprehension questions. However, 24% of laboratory study participants demonstrated competent—albeit imperfect—comprehension. Behavior. A majority of Internet survey respondents claimed to have decided not to install an application because of its permissions at least once. Twenty percent of our laboratory study participants were able to provide concrete details about times that permissions caused them to cancel installation. Our findings indicate that the Android permission system is neither a total success nor a complete failure.

User Perceptions

Blase Ur, Pedro Giovanni Leon, Lorrie Faith Cranor, Richard Shay, Yang Wang, Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising, Carnegie Mellon University:

Participants found behavioral advertising both useful and privacy-invasive. The majority of participants were either fully or partially opposed to OBA, finding the idea smart but creepy. However, this attitude seemed to be influenced in part by beliefs that more data is collected than actually is. Participants understood neither the roles of different companies involved in OBA, nor the technologies used to profile users, contributing to their misunderstandings. Given effective notice about the practice of tailoring ads based on users' browsing activities, participants wouldn't need to understand the underlying technologies and business models. However, current notice and choice mechanisms are ineffective. Furthermore, current mechanisms focus on opting out of targeting by particular companies, yet participants displayed faulty reasoning in evaluating companies. In contrast, participants displayed complex preferences about the situations in which their browsing data could be collected, yet they currently cannot exercise these preferences.

Authentication

Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Correct horse battery staple: Exploring the usability of system-assigned passphrases, Carnegie Mellon University:

Our findings suggest that system-assigned passphrases are far from a panacea for user authentication. Rather than committing them to memory, users tend to write down or otherwise store both passwords and passphrases when they are system assigned. When compared to our password conditions, no passphrase condition significantly outperformed passwords in any of our usability metrics, indicating that the system-assigned passphrase types we tested fail to offer substantial usability benefits over system-assigned passwords of equivalent strength. We even find that system-assigned passphrases might actually be less usable than system-assigned passwords. For instance, users were able to enter their passwords more quickly and with fewer errors than passphrases of similar strength. While our results in general do not strongly favor system-assigned passwords over system-assigned passphrases or vice versa, we identify several areas for further investigation. For example, larger dictionary sizes do not appear to have a substantial impact on usability for passphrases. This could be leveraged to make stronger passphrases without much usability cost. We also find that lowercase, pronounceable passwords are an unexpectedly promising strategy for generating system-assigned passwords.

Online Social Networks

Thomas Muders, Matthew Smith and Uwe Sander, Helping Johnny 2.0 to Encrypt His Facebook Conversations, Leibniz Universitaet and University of Applied Sciences and Arts, Hannover, Germany:

While there are some solutions available to cryptographically protect Facebook conversations, to the best of the authors' knowledge, there is no widespread use of them. Thus, the aim of our work was to find out why this might be the case and what could be done to help OSN users to encrypt their Facebook conversations. While mechanisms to protect email messaging could in principle be adapted to Facebook conversations in a straightforward manner, previous usability studies show significant problems with the existing email encryption mechanisms. One of our goals was therefore to see if the changes brought about by the OSN paradigm might open up new possibilities for a usable security mechanism protecting private OSN messages. To answer these questions, we conducted multiple studies to evaluate needs surrounding the protection of users' conversations on Facebook and then compared different existing solutions for conversation encryption. Based on these intermediate results, we developed an approach to encrypt Facebook conversations which we tested in two user studies to ascertain whether the solution provided good usability characteristics while at the same time protecting user privacy. The results of the final study show that the OSN paradigm does indeed offer new ways of simplifying security and finding security/usability trade-offs which are acceptable to users.

Access Control

Jason Watson, Andrew Besmer, Heather Richter Lipford, +Your Circles - Sharing Behavior on Google+, University of North Carolina (Charlotte):

This study offers insight into the behavior of Google+ users and how they use group-based sharing. We found participants had strong positive attitudes towards using circles and generally understood the intended purpose of them. However, much of the use of circles was not to protect disclosures from certain people, but to increase the relevance of posting to people. Thus, users are still treating information they post as relatively public. While this may decrease the likelihood of accidentally oversharing, this also means that users will continue to experience the issues from self-censoring, such as the inability to more deeply connect to close friends. Also, despite user understanding, we still saw a disconnect in users' stated desires and behavior. While Google+ lowered the level of effort required to interact in contextually appropriate ways, many continued using strategies for privacy management they had formed by using Facebook and simply posted to all circles. In addition, some participants found that circle use increased the mental demand required for social network interaction. Similar to previous studies, the increased effort led some of our participants to bypass the privacy mechanisms. In the case of this study, this meant collapsing friends into a single circle. Thus, Google+ users are not yet taking full advantage of the capabilities provided by circles for greater control over information flow. However, these results are also heavily influenced by the overall lack of people and activity on the site, which may have reduced the need for the use of circles. Yet, if site usage grows and users add more connections, the burden of managing circles is also likely to grow.

For the full agenda and links to all the papers presented, visit SOUPS 2012.

For more information on CyLab's ongoing research into Usable Privacy and Security, visit CUPS.

See Also

SOUPS 2011 Advances Vital Exploration of Usability and Its Role in Strengthening Privacy and Security

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS 2008)

For information on other aspects of CyLab's vital work, visit
http://www.cylab.cmu.edu/