Date post: 24-Dec-2015
Quick Discussion – based on: http://cups.cs.cmu.edu/courses/ups-sp08/

Page 2:

Unpatched Windows machines compromised in minutes

Phishing web sites increasing by 28% each month

Most PCs infected with spyware (avg. = 25)

Users have more passwords than they can remember and practice poor password security

Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

Page 3:

“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”

- Computing Research Association 2003


Page 7:

Security experts are concerned about the bad guys getting in

Users may be more concerned about locking themselves out

“Users do not want to be responsible for, nor concern themselves with, their own security.”

- Blake Ross

Page 9:

Pick a hard-to-guess password
Don’t use it anywhere else
Change it often
Don’t write it down

Page 11:

Bank = b3aYZ
Amazon = aa66x!
Phonebill = p$2$ta1

Page 12:

Make it “just work”
  ◦ Invisible security

Make security/privacy understandable
  ◦ Make it visible
  ◦ Make it intuitive
  ◦ Use metaphors that users can relate to

Train the user

Page 13:

Developers should not expect users to make decisions they themselves can’t make

Page 14:

- Chris Nodder (in charge of user experience for Windows XP SP2)

Page 15:

Privacy is a secondary task
  ◦ Users of privacy tools often seek out these tools due to their awareness of or concern about privacy
  ◦ Even so, users still want to focus on their primary tasks

Users have differing privacy concerns and needs
  ◦ One-size-fits-all interface may not work

Most users are not privacy experts
  ◦ Difficult to explain current privacy state or future privacy implications
  ◦ Difficult to explain privacy options to them
  ◦ Difficult to capture privacy needs/preferences

Many privacy tools reduce application performance, functionality, or convenience

Page 16:

Internet anonymity system

Allows users to send messages that cannot be traced back to them (web browsing, chat, p2p, etc.)

UI was mostly command line interface until recently

2005 Tor GUI competition
  ◦ CUPS team won phase 1 with design for Foxtor!

Page 17:

Tor is configurable and different users will want to configure it in different ways
  ◦ But most users won’t understand configuration options
  ◦ Give users choices, not dilemmas

We began by trying to understand our users
  ◦ No budget, little time, limited access to users
  ◦ So we brainstormed about their needs, tried to imagine them, and develop personas for them

Page 18:

Jim is a current UG at CSM. Goals:

1. Be sure he’s on track to graduate in 4 years
2. Find some courses that are interesting
3. Get together with friends to study and have fun

Other: Jim is taking a full course load and also working part time, so he’s always very busy. He also tends to be disorganized, so he keeps losing information and having to look it up again. He is a little shy and doesn’t know too many people in the department yet.

Page 19:

Susie is a parent researching schools for her son Bob, who will be graduating from HS soon.

Goals:
1. She wants to find an environment that will be welcoming and stimulating for Bob
2. She thinks Bob may ultimately want to pursue graduate work, so she wants to be sure the school has faculty doing interesting research
3. She wants to find out how expensive the school is and what type of financial aid is available.

Other: Susie works full time but considers her family to be a top priority. It’s very important to her for her son to be happy, so she’s willing to devote a fair amount of time to the task of selecting a university. The family has a computer at home, so she’s spending her evenings visiting websites to collect data. She’s comfortable surfing the web, but prefers websites that are logical and not too cluttered.

Page 20:

The process led to realization that our users had 3 categories of privacy needs
  ◦ Basic, selective, critical

Instead of asking users to figure out complicated settings, most of our configuration involves figuring out which types of privacy needs they have

Page 23:

Privacy laws and regulations vary widely throughout the world

US has mostly sector-specific laws, with relatively minimal protections - often referred to as “patchwork quilt”
  ◦ Federal Trade Commission has jurisdiction over fraud and deceptive practices
  ◦ Federal Communications Commission regulates telecommunications

European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as fundamental human right
  ◦ Privacy commissions in each country (some countries have national and state commissions)
  ◦ Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)

Page 24:

Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1971
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996

Page 25:

HIPAA (Health Insurance Portability and Accountability Act, 1996)
  ◦ When implemented, will protect medical records and other individually identifiable health information

COPPA (Children’s Online Privacy Protection Act, 1998)
  ◦ Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13

GLB (Gramm-Leach-Bliley Act, 1999)
  ◦ Requires privacy policy disclosure and opt-out mechanisms from financial service institutions

Page 26:

Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml

Network Advertising Initiative Principles http://www.networkadvertising.org/

CTIA Location-based privacy guidelines http://www.wow-com.com/news/press/body.cfm?record_id=907

Page 28:

Policies let consumers know about site’s privacy practices

Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with

The presence of privacy policies increases consumer trust

What are some problems with privacy policies?

Page 29:

BUT policies are often
  ◦ difficult to understand
  ◦ hard to find
  ◦ take a long time to read
  ◦ change without notice

Page 30:

Identification of site, scope, contact info
Types of information collected
  ◦ Including information about cookies
How information is used
Conditions under which information might be shared
Information about opt-in/opt-out
Information about access
Information about data retention policies
Information about seal programs
Security assurances
Children’s privacy

There is lots of information to convey -- but policy should be brief and easy-to-read too!

What is opt-in? What is opt-out?

Page 31:

Project organized by Hunton & Williams law firm
  ◦ Create short version (short notice) of a human-readable privacy notice for both web sites and paper handouts
  ◦ Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail
  ◦ Now being called “highlights notice”
  ◦ Focus on reducing privacy policy to at most 7 boxes
  ◦ Standardized format but only limited standardization of language
  ◦ Proponents believe highlights format may eventually be mandated by law

Alternative proposals from privacy advocates focus on check boxes

Interest internationally
  ◦ http://www.privacyconference2003.org/resolution.asp

Interest in the US for financial privacy notices
  ◦ http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf

Page 35:

WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.

Collection:                                               YES   NO
  We collect personal information directly from you
  We collect information about you from other sources
  We use cookies on our website
  We use web bugs or other invisible collection methods
  We install monitoring programs on your computer

Uses: We use information about you to:               With Your   Without Your
                                                       Consent     Consent
  Send you advertising mail
  Send you electronic mail
  Call you on the telephone

Sharing: We allow others to use your information to: With Your   Without Your
                                                       Consent     Consent
  Maintain shared databases about you
  Send you advertising mail
  Send you electronic mail
  Call you on the telephone                              N/A         N/A

Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.

Choices: You can opt-out of receiving from:           Us   Affiliates   Third Parties
  Advertising mail
  Electronic mail
  Telemarketing                                                           N/A

Retention: We keep your personal data for: {Six Months Three Years Forever}

Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}

Page 36:

Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/
  ◦ Final P3P1.0 Recommendation issued 16 April 2002

Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
  ◦ Can be deployed using existing web servers

Enables the development of tools (built into browsers or separate applications) that
  ◦ Summarize privacy policies
  ◦ Compare policies with user preferences
  ◦ Alert and advise users
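As an added example (not code from the slides or the CUPS course), a small Python checker that does what the slide says a P3P tool should do: it reads a site's P3P compact policy (the CP= header form defined in P3P 1.0, which the slide does not name), compares it with the user's preferences and alerts the user. The token meanings are those of the P3P 1.0 spec; the sample policies and the preference set are constructed.

```python
"""Added example, not from the slides or the CUPS course: a checker for P3P 1.0
compact policies (the CP= header form). It reads the policy, compares it with user
preferences and alerts, as the slide describes. Tokens follow the P3P 1.0 spec."""
import re

# Subset of P3P 1.0 compact-policy tokens. Purpose and recipient tokens may carry
# a suffix: "a" = always, "i" = only with opt-in, "o" = unless the user opts out.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR": 0, "STP": 1, "LEG": 2, "BUS": 3, "IND": 4}  # longest last
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")

def parse_cp(header_value):
    """Split a CP header value ('CP=' and quotes optional) into {token: suffix}."""
    value = header_value.strip().split("=", 1)[-1].strip('"')
    tokens = {}
    for raw in value.split():
        m = TOKEN_RE.match(raw)
        if not m:
            raise ValueError("malformed P3P compact-policy token: %r" % raw)
        tokens[m.group(1)] = m.group(2) or "a"   # no suffix means "always"
    return tokens

def check_policy(header_value, prefs):
    """Return (verdict, alerts), verdict in {"ok", "warn", "block"}. prefs holds
    "forbid" (rejected purpose/recipient tokens) and "max_retention" (a RETENTION token)."""
    policy = parse_cp(header_value)
    alerts, verdict = [], "ok"
    for tok, how in policy.items():
        if tok not in prefs["forbid"] or tok not in PURPOSES | RECIPIENTS:
            continue
        if how == "a":      # done unconditionally: the user gets no choice
            alerts.append("%s: always, no choice offered" % tok)
            verdict = "block"
        elif how == "o":    # done unless the user opts out: advise, don't block
            alerts.append("%s: happens unless you opt out" % tok)
            verdict = "warn" if verdict == "ok" else verdict
        # "i": only with the user's opt-in, so the user stays in control
    kept = [t for t in policy if t in RETENTION]
    if kept and RETENTION[kept[0]] > RETENTION[prefs["max_retention"]]:
        alerts.append("retention %s exceeds preferred %s" % (kept[0], prefs["max_retention"]))
        verdict = "block"
    return verdict, alerts

# Constructed sample: a user who rejects telemarketing and unrelated third parties.
PREFS = {"forbid": {"TEL", "UNR", "OTR"}, "max_retention": "BUS"}
SITE_A = 'CP="NOI DSP COR NID CURa ADMa DEVa PSAa OUR STP"'   # first-party use only
SITE_B = 'CP="ALL DSP COR CURa TELo IVAi OUR UNRa IND"'        # shares, keeps forever
```

Site A passes, while site B is blocked for always-on sharing with unrelated parties and indefinite retention, with an additional warning for opt-out telemarketing.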

Page 38:

Laboratory study of 28 non-expert computer users

Asked to evaluate 10 web sites, take 15 minute break, evaluate 10 more web sites

Experimental group read web-based training materials during break, control group played solitaire

Experimental group performed significantly better identifying phish after training

People can learn from web-based training materials, if only we could get them to read them!

Page 39:

Most people don’t proactively look for training materials on the web

Many companies send “security notice” emails to their employees and/or customers

But these tend to be ignored
  ◦ Too much to read
  ◦ People don’t consider them relevant

Page 40:

Can we “train” people during their normal use of email to avoid phishing attacks?
  ◦ Periodically, people get sent a training email
  ◦ Training email looks like a phishing attack
  ◦ If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format

P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CyLab Technical Report. CMU-CyLab-06-017, 2006. http://www.cylab.cmu.edu/default.aspx?id=2253

Page 42:

Lab study compared two prototype interventions to standard security notice emails from Ebay and PayPal
  ◦ Existing practice of security notices is ineffective
  ◦ Diagram intervention somewhat better
  ◦ Comic strip intervention worked best
  ◦ Interventions most effective when based on real brands

Page 45:

Ecommerce personalization systems
  ◦ Concerns about use of user profiles

Software that “phones home” to fetch software updates or refresh content, report bugs, relay usage data, verify authorization keys, etc.
  ◦ Concerns that software will track and profile users

Communications software (email, IM, chat)
  ◦ Concerns about traffic monitoring, eavesdroppers

Presence systems (buddy lists, shared spaces, friend finders)
  ◦ Concerns about limiting when info is shared and with whom

Page 46:

Similar to issues to consider for privacy tools PLUS

Users may not be aware of privacy issues up front
  ◦ When they find out about privacy issues they may be angry or confused, especially if they view notice as inadequate or defaults as unreasonable

Users may have to give up functionality or convenience, or spend more time configuring system for better privacy

Failure to address privacy issues adequately may lead to bad press and legal action

Page 49:

Every time a user makes a new purchase that they want to rate or exclude they have to edit profile info
  ◦ There should be a way to set up default rules

Exclude all purchases
Exclude all purchases shipped to my work address
Exclude all movie purchases
Exclude all purchases I had gift wrapped

Page 50:

Users should be able to remove items from profile

If purchase records are needed for legal reasons, users should be able to request that they not be accessible online

Page 52:

Currently privacy-related options are found with relevant features

Users have to be aware of features to find the options

Put them all in one place
But also leave them with relevant features

Page 53:

How about an “I didn’t buy it for myself” check-off box (perhaps automatically checked if gift wrapping is requested)

I didn’t buy it for myself
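As an added example (not code from the slides or the CUPS course), one way to implement in Python the default exclusion rules of page 49, the removal of items from the profile on page 50 and the “I didn’t buy it for myself” check-off box of page 53, pre-checked when gift wrapping is requested. The field names, rule names and the sample order history are constructed.

```python
"""Added example, not from the slides: default exclusion rules for a purchase-based
recommender profile (page 49), removal of items from the profile (page 50) and the
per-item "I didn't buy it for myself" box (page 53). Fields and sample data are constructed."""
from dataclasses import dataclass

@dataclass
class Purchase:
    item: str
    category: str
    ship_to: str                  # "home" or "work"
    gift_wrap: bool = False
    not_for_me: bool = False      # the "I didn't buy it for myself" check-off box

    def __post_init__(self):
        # Page 53: requesting gift wrapping automatically checks the box.
        if self.gift_wrap:
            self.not_for_me = True

# Page 49's default rules: a rule returning True keeps the purchase out of the profile.
RULES = {
    "exclude_all": lambda p: True,
    "exclude_work_address": lambda p: p.ship_to == "work",
    "exclude_movies": lambda p: p.category == "movie",
    "exclude_gift_wrapped": lambda p: p.gift_wrap,
}

def build_profile(purchases, enabled_rules):
    """Return the purchases allowed to feed recommendations: those neither flagged
    not_for_me nor matched by any enabled default rule. Unknown rule names raise KeyError."""
    active = [RULES[name] for name in enabled_rules]
    return [p for p in purchases
            if not p.not_for_me and not any(rule(p) for rule in active)]

def remove_from_profile(profile, item):
    """Page 50: the user removes an item from the profile; the purchase record itself
    is untouched, so it remains available where it must be kept for legal reasons."""
    return [p for p in profile if p.item != item]

# Constructed sample order history.
HISTORY = [
    Purchase("Sourdough cookbook", "book", "home"),
    Purchase("Allergy medication", "health", "work"),
    Purchase("Action movie box set", "movie", "home"),
    Purchase("Toy robot", "toy", "home", gift_wrap=True),
    Purchase("Running shoes", "sports", "home", not_for_me=True),
]
```

With the work-address and movie rules enabled, only the cookbook reaches the recommender; the gift-wrapped robot is kept out by the auto-checked box even when no rule is enabled.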

Page 55:

Desire to avoid unwanted marketing causes some people to avoid giving out personal information

Page 56:

The little people inside my computer might know it’s me…

… and they might tell their friends

Page 57:

“My TiVo thinks I’m a psychopath!”

Page 58:

Everyone wants to be understood. No one wants to be known.

Page 59:

…but then you started getting personalized ads for your favorite brand of dog food

Page 60:

Concerns about being charged higher prices
Concerns about being treated differently

Page 61:

Revealing info to family members or co-workers
  ◦ Gift recipient learns about gifts in advance
  ◦ Co-workers learn about a medical condition

Revealing secrets that can unlock many accounts
  ◦ Passwords, answers to secret questions, etc.

Page 62:

The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)!

Page 63:

Stalkers, identity thieves, etc.

People who break into account may be able to access profile info

People may be able to probe recommender systems to learn profile information associated with other users

Page 64:

Records are often subpoenaed in patent disputes, child custody cases, civil litigation, criminal cases

Page 65:

Governments increasingly looking for personal records to mine in the name of fighting terrorism

People may be subject to investigation even if they have done nothing wrong

Page 68:

Wireless location tracking
Semantic web applications
Ubiquitous computing

