Monday, July 29, 2013

A Distinguish Paper Award for CUPS, and Other News from Ninth Annual SOUPS 2013

CyLab graduate student Cristian Bravo Lillo presents at SOUPS 2013
The ninth annual Symposium on Usable Privacy and Security (SOUPS 2013) was held July 9th through July 11th at Northumbria University (Newcastle, U.K.).

Lorrie Cranor, Director of CyLab Usable Privacy and Security (CUPS), chaired the conference, and CyLab Associate Research Professior Lujo Bauer served as technical papers co-chair.

CUPS researchers Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, and Robert W. Reeder (Carnegie Mellon University), Stuart Schechter (Microsoft Research), and Manya Sleeper (Carnegie Mellon University) won one of two Distinguished Paper Awards, for Your Attention Please: Designing Security-Decision UIs to Make Genuine Risks Harder to Ignore.

Here is a brief excerpt with a link to the full text:

We designed and tested attractors for computer security dialogs: user-interface modi cations used to draw users' attention to the most important information for making decisions. Some of these modi cations were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users' attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors. In the fi rst two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser plugin. We presented them with what appeared to be an installation dialog from their operating system. Participants who saw dialogs that employed inhibitive attractors were signifi cantly less likely than those in the control group to ignore clues that installing this software might be harmful. In the third experiment, we attempted to habituate participants to dialogs that they knew were part of the experiment. We used attractors to highlight a eld that was of no value during habituation trials and contained critical information after the habituation period. Participants exposed to inhibitive attractors were two to three times more likely to make an informed decision than those in the control condition. Your Attention Please: Designing Security-Decision UIs to Make Genuine Risks Harder to Ignore, Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, and Robert W. Reeder (Carnegie Mellon University), Stuart Schechter (Microsoft Research), and Manya Sleeper (Carnegie Mellon University)


The SOUPS proceedings will be archived in the ACM Digital Library in a few weeks. All papers are also available linked from the SOUPS 2013 program page on the SOUPS site.

CyLab graduate student Pedro Leon presents At SOUPS 2013


Wednesday, July 10, 2013

CyLab's Dr. Lorrie Cranor Keynotes 13th Annual Privacy Enhancing Technologies Symposium



CyLab's Dr. Lorrie Cranor delivered the keynote for the 13th Annual Privacy Enhancing Technologies Symposium (Bloomington, Indiana), Wednesday, July 10, 2013.

Dr. Cranor is Director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program and Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University.

She spoke on "Privacy Notice and Choice in Practice."

"Notice and choice" are key principles of modern information privacy protection. The various sets of fair information practice principles and the privacy laws based on these principles include requirements for providing notice about data practices and allowing individuals to exercise control over those practices. In the United States, privacy self-regulatory efforts focus heavily on notice and choice. However, there has been little follow-up to evaluate the effectiveness of notice and choice efforts in practice -- to determine whether individuals provided with notice are able to make informed choices that align with their expectations of privacy...

Dr. Cranor's CUPS team has conducted empirical evaluations of a variety of notice and choice mechanisms, including privacy policies, the Platform for Privacy Preferences (P3P), online behavioral advertising opt-out tools, privacy nutrition labels, the AdChoices icon, and the standard form privacy notice for financial institutions.

In her keynote, Dr. Cranor provided background on notice and choice and presented several of of her team's empirical studies, highlighting both areas where notice and choice approaches show promise, as well as areas where existing notice and choice tools appear to be largely ineffective. In addition to discussing features of the notices and tools themselves, she also discussed the problems of incentives and enforcement, which continue to plague notice and choice efforts.

The full presentation in .pdf format can be viewed here.

Studies referenced in Dr. Cranor's keynote included:

Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice

Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising

What Do Online Behavioral Advertising Disclosures Communicate to Users?

Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising

Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices