The eighth Symposium on Usable Privacy and Security is currently taking place in Washington, D.C. The conference on human-computer interaction, security and privacy features discussions, workshops and demonstrations, and papers are published for these as well.
A (as always subjective) selection from the program:
Measuring User Confidence in Smartphone Security and Privacy
In order to direct and build an effective, secure mobile ecosystem, we must first understand user attitudes toward security and privacy for smartphones and how they may differ from attitudes toward more traditional computing systems. What are users’ comfort levels in performing different tasks? How do users select applications? What are their overall perceptions of the platform? This understanding will help inform the design of more secure smartphones that will enable users to safely and confidently benefit from the potential and convenience offered by mobile platforms.
To gain insight into user perceptions of smartphone security and installation habits, we conduct a user study involving 60 smartphone users. First, we interview users about their willingness to perform certain tasks on their smartphones to test the hypothesis that people currently avoid using their phones due to privacy and security concerns. Second, we analyze why and how they select applications, which provides information about how users decide to trust applications. Based on our findings, we present recommendations and opportunities for services that will help users safely and confidently use mobile applications and platforms.
Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising
We report results of 48 semi-structured interviews about online behavioral advertising (OBA). We investigated non-technical users’ attitudes about and understanding of OBA, using participants’ expectations and beliefs to explain their attitudes. Participants found OBA to be simultaneously useful and privacy invasive. They were surprised to learn that browsing history is currently used to tailor advertisements, yet they were aware of contextual targeting.
Our results identify mismatches between participants’ mental models and current approaches for providing users with notice and choice about OBA. Participants misinterpreted icons intended to notify them about behavioral targeting and expected that they could turn to their browser or antivirus software to control OBA. Participants had strong concerns about data collection, and the majority of participants believed that advertisers collect personally identifiable information. They also misunderstood the role of advertising networks, basing their opinions of an advertising network on that company’s non-advertising activities. Participants’ attitudes towards OBA were complex and context-dependent. While many participants felt tailored advertising could benefit them, existing notice and choice mechanisms are not effectively reaching users.
Reasons, Rewards, Regrets: Privacy Considerations in Location Sharing as an Interactive Practice
Rapid growth in the usage of location-aware mobile phones has enabled mainstream adoption of location-sharing services (LSS). Integration with social-networking services (SNS) has further accelerated this trend. To uncover how these developments have shaped the evolution of LSS usage, we conducted an online study (N = 362) aimed at understanding the preferences and practices of LSS users in the US. We found that the main motivations for location sharing were to connect and coordinate with one’s social and professional circles, to project an interesting image of oneself, and to receive rewards offered for ‘checking in.’ Respondents overwhelmingly preferred sharing location only upon explicit action. More than a quarter of the respondents recalled at least one instance of regret over revealing their location. Our findings suggest that privacy considerations in LSS are affected due to integration within SNS platforms and by transformation of location sharing into an interactive practice that is no longer limited only to finding people based on their whereabouts. We offer design suggestions, such as delayed disclosure and conflict detection, to enhance privacy-management capabilities of LSS.
Correct horse battery staple: Exploring the usability of system-assigned passphrases
Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrunk the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.
A Chrome Extension to Prevent the SSLstripping Attack
SSLstripping is a type of man-in-the-middle attack which has the potential to affect tens of millions of internet users. This attack targets the secure socket layer (SSL) by redirecting users to the HTTP protocol rather than HTTPS. The user, who may not be aware that he/she is using an insecure protocol, submits sensitive data which can then be read by an attacker. Shin and Lopes presented a method for preventing the SSLstripping attack in earlier work. This method involves evaluating the form action and page URL in order to determine if a form submission is secure. SSLight is the realization of this method. Implemented as a Google Chrome extension, this tool provides users with a visual security cue which allows users to make better informed decisions when submitting sensitive data. In this demo, we present the latest implementation of SSLight that provides users with an intuitive visual security cue indicating the security status of website forms and a variety of customization options for greater usability.
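The check described above, evaluating a form's action against the page URL, can be demonstrated in a few lines. The following is an added example, not the SSLight extension's own code; the cue names and the constructed sample forms are assumptions, and the content-script hook at the end is only a sketch of where such logic would be wired in.

```javascript
// Security cue for one form, derived from the page URL and the form's action.
const CUES = {
  SECURE: "secure",      // page and form target both use HTTPS
  INSECURE: "insecure",  // form target is plain HTTP: submitted data leaves in clear text
  TAMPERABLE: "warning", // target is HTTPS but the page came over HTTP, so an on-path
                         // attacker could already have rewritten the form (the SSLstrip case)
};

function classifyForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  // An empty or relative action submits to a URL resolved against the page, as browsers do.
  const target = new URL(formAction || "", page);
  const pageSecure = page.protocol === "https:";
  const targetSecure = target.protocol === "https:";

  if (!targetSecure) return { cue: CUES.INSECURE, target: target.href };
  if (!pageSecure) return { cue: CUES.TAMPERABLE, target: target.href };
  return { cue: CUES.SECURE, target: target.href };
}

// Classify every form on a page. `forms` is an array of { action } descriptors,
// a stand-in for document.forms so the function can run outside a browser.
function scanForms(pageUrl, forms) {
  const results = forms.map((f, i) => ({ index: i, action: f.action, ...classifyForm(pageUrl, f.action) }));
  return { results, anyInsecure: results.some(r => r.cue !== CUES.SECURE) };
}

// Constructed sample: a login page that was stripped down to HTTP. Both its forms
// get a non-secure cue even though one action still names an HTTPS endpoint.
const sample = scanForms("http://bank.example/login", [
  { action: "/session" },
  { action: "https://bank.example/session" },
]);
console.log(JSON.stringify(sample, null, 2));

// In a content script the same logic would read the live forms (sketch only):
if (typeof document !== "undefined") {
  const live = Array.from(document.forms, f => ({ action: f.getAttribute("action") }));
  console.log(scanForms(location.href, live));
}
```

Reading the attribute rather than the `form.action` property matters in practice: the property is already resolved by the browser, whereas the attribute shows whether the author wrote a relative, protocol-relative or absolute action.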
Prototype System for Visualizing Security Risks on Mobile Device
To maintain information security in the cyber society, it is necessary to improve the awareness level of information security for ordinary IT users. This awareness issue is especially important for mobile communication since devices can be used in insecure environments without users' realizing that. For instance, a wireless connection outside could be less reliable than the office network. Visualization of the user's end-to-end security risk will improve the security awareness level, and a risk visualization architecture and its prototype were proposed in earlier work. This paper demonstrates the prototype's usability.
Facebook and Privacy: It’s Complicated
We measure users’ attitudes toward interpersonal privacy concerns on Facebook and measure users’ strategies for reconciling their concerns with their desire to share content online. To do this, we recruited 260 Facebook users to install a Facebook application that surveyed their privacy concerns, their friend network compositions, the sensitivity of posted content, and their privacy-preserving strategies. By asking participants targeted questions about people randomly selected from their friend network and posts shared on their profiles, we were able to quantify the extent to which users trust their “friends” and the likelihood that their content was being viewed by unintended audiences. We found that while strangers are the most concerning audience, almost 95% of our participants had taken steps to mitigate those concerns. At the same time, we observed that 16.5% of participants had at least one post that they were uncomfortable sharing with a specific friend—someone who likely already had the ability to view it—and that 37% raised more general concerns with sharing their content with friends. We conclude that the current privacy controls allow users to effectively manage the outsider threat, but that they are unsuitable for mitigating concerns over the insider threat—members of the friend network who dynamically become inappropriate audiences based on the context of a post.
Helping Johnny 2.0 to Encrypt His Facebook Conversations
Several billion Facebook messages are sent every day. While there are many solutions to email security whose usability has been extensively studied, little work has been done in the area of message security for Facebook and even less on the usability aspects in this area. To evaluate the need for such a mechanism, we conducted a screening study with 514 participants, which showed a clear desire to protect private messages on Facebook. We therefore proceeded to analyse the usability of existing approaches and extracted key design decisions for further evaluation. Based on this analysis, we conducted a laboratory study with 96 participants to analyse different usability aspects and requirements of a Facebook message encryption mechanism. Two key findings of our study are that automatic key management and key recovery capabilities are important features for such a mechanism. Following on from these studies, we designed and implemented a usable service-based encryption mechanism for Facebook conversations. In a final study with 15 participants, we analysed the usability of our solution. All participants were capable of successfully encrypting their Facebook conversations without error when using our service, and the mechanism was perceived as usable and useful. The results of our work suggest that in the context of the social web, new security/usability trade-offs can be explored to protect users more effectively.