Sunday, July 13, 2014

A Decade Into Its Vital Work, Another Savory SOUPS, A Report from the 10th Annual Symposium On Usable Privacy and Security



CMU CyLab's Dr. Lorrie Cranor, Founder of CUPS and SOUPS preps
for welcoming remarks at SOUPS 2014


The CyLab Usable Privacy and Security Laboratory (CUPS) 10th Annual Symposium on Usable Privacy and Security (SOUPS) was hosted by Facebook at its headquarters in Menlo Park, California (7/9/14 - 7/11/14). CUPS Director Lorrie Cranor welcomed the attendees, with the record-breaking numbers in both attendance and papers submitted. For three full days of proceedings, hundreds of researchers from business, academia and government communed together amidst the proliferation of signage which has come to characterize the social media giant's corporate culture: e.g., "Ship Love," "Ruthless Prioritization," "Demand Success," Nelson Mandela, arms outstretched, with the caption, "Open the Doors," etc. (Not so subliminal messaging.)
 
Perhaps more poignantly than any previous SOUPS keynote, Christopher Soghoian of American Civil Liberties Union (ACLU) articulated the vital nature of research into usable privacy and security. Putting flesh and blood on these issues, Soghoian used examples from the shadow world of investigative reporters and whistle-blowers to highlight the need for privacy and security software that is not only robust but eminently usable. One great benefit of the revelations brought forth by Glenn Greenwald in the Edward Snowden affair, Soghoian opined, is that there has been increased crypto adoption by journalists.
But the heightened engagement has also brought long-standing problems into a harsh new light. For example, Soghoian told SOUPS attendees, many investigative journalists using PGP still do not realize subject lines are not encrypted. "The best our community has to offer sucks, the usability and the default values suck," Soghoian declared, "the software is not protecting journalists and human rights activists, and that's our fault as researchers"

As contributing markets factors for why we still don't have usable encryption, Soghoian cited: potential data loss ("telling your customer that they've just lost every photo of their children is a non starter"), current business models, and of course, government pressure.

Facebook HQ Signage, 1 Hacker Way, Menlo Park
In other parts of his very substantive keynote, Soghoian touched on consumer issues related to the efficacy of privacy and security. He elucidated the differences in privacy and security between the iPhone and the Android: "The privacy and security differences ... are not advertised." He also shed light on a new aspect of the growing gap between rich and poor, "security by default for the rich," and "insecurity by default for the poor." "Those who are more affluent get the privacy benefits without shopping around," he explained, because the discounted, and mass-marketed versions of software often do not have the same full-featured privacy and security as the more expensive business or professional versions.

[NOTE: Full-length video of Soghoian's keynote is available via the CyLab YouTube Channel.]

Several awards were also announced during the opening sessions, including:

The 2014 IAPP SOUPS Privacy Award for the paper with the most practical application in the field of privacy went to Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences authored by Allison Woodruff, Vasyl Pihur, Sunny Consolvo, and Lauren Schmidt of Google; and Laura Brandimarte and Alessandro Acquisti of Carnegie Mellon University.

The 2014 SOUPS Impact Award for a SOUPS paper "published between 2005 and 2009 that has had a significant impact on usable privacy and security research and practice" went to Usability of CAPTCHAs or Usability Issues in CAPTCHA Design authored in 2008 by Jeff Yan and Ahmad Salah El Ahmad of Newcastle University (UK).

Two Distinguished Papers awards were presented:

Understanding and Specifying Social Access Control Lists, authored by Mainack Monda of Max Planck Institute for Software Systems (MPI-SWS), Yabing Liu of Northeastern University, Bimal Viswanath and Krishna P. Gummadi of Max Planck Institute for Software Systems (MPI-SWS), and Alan Mislove of Northeastern University.

Crowdsourcing Attacks on Biometric Systems, authored by Saurabh Panjwani, an independent consultant and Achintya Prakash of University of Michigan.
Carnegie Mellon University (CMU), home to the CyLab Usable Privacy and Security (CUPS) Lab and the MSIT-Privacy Engineering Masters Program was well-represented in the proceeding.

In addition to the IAPP SOUPS Privacy Award winning "Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences," co-authored with Google researchers, several other CMU papers were presented:

Parents’ and Teens’ Perspectives on Privacy In a Technology-Filled World, authored by Lorrie Faith Cranor, Adam L. Durity, Abigail Marsh, and Blase Ur, Carnegie Mellon University

Privacy Attitudes of Mechanical Turk Workers and the U.S. Public, authored by Ruogu Kang, Carnegie Mellon University, Stephanie Brown, Carnegie Mellon University and American University, Laura Dabbish and Sara Kiesler, Carnegie Mellon University

CMU researcher Ruogu Kang presenting
Privacy Attitudes of Mechanical Turk Workers and the U.S. Public
Harder to Ignore? authored by Cristian Bravo-Lillo, Lorrie Cranor, and Saranga Komanduri, Carnegie Mellon University, Stuart Schechter, Microsoft Research, Manya Sleeper, Carnegie Mellon University

The Effect of Social Influence on Security Sensitivity, authored by Sauvik Das, Tiffany Hyun-Jin Kim, Laura A. Dabbish, and Jason I. Hong, Carnegie Mellon University

Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, authored by Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I. Hong, Carnegie Mellon University

The full proceedings of SOUPS 2014 are available via USENIX.

-- Richard Power

Check out CyLab CyBlog's Archive of SOUPS Coverage

A Distinguish Paper Award for CUPS, and Other News from Ninth Annual SOUPS 2013

CyLab's SOUPS 2012 Continues Its Ongoing, Deepening Dialogue on What Works and What Doesn't

SOUPS 2011 Advances Vital Exploration of Usability and Its Role in Strengthening Privacy and Security  

 SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS 2008)

Mike Farb of CyLab's SafeSlinger project presents during the 2014 EFF Crypto Usability Prize (EFF CUP)
Workshop on Day One of SOUPS 2014

Facebook HQ Signage, 1 Hacker Way, Menlo Park