HCI Bibliography Home | HCI Conferences | SOUPS Archive | Detailed Records | RefWorks | EndNote | Hide Abstracts
SOUPS Tables of Contents: 0506070809101112131415

Proceedings of the 2007 Symposium on Usable Privacy and Security

Fullname:Symposium on Usable Privacy and Security
Editors:Lorrie Faith Cranor; Jason Hong; Diana Smetters
Location:Pittsburgh, Pennsylvania
Dates:2007-Jul-18 to 2007-Jul-20
Standard No:ISBN 1-59593-801-X, 978-1-59593-801-5; ACM DL: Table of Contents hcibib: SOUPS07
Links:Conference Home Page
  1. Passwords
  2. Privacy and access control
  3. Training and such
  4. SOUPS du jour
  5. Posters


A second look at the usability of click-based graphical passwords BIBAFull-TextPDF 1-12
  Sonia Chiasson; Robert Biddle; P. C. van Oorschot
Click-based graphical passwords, which involve clicking a set of user-selected points, have been proposed as a usable alternative to text passwords. We conducted two user studies: an initial lab study to revisit these usability claims, explore for the first time the impact on usability of a wide-range of images, and gather information about the points selected by users; and a large-scale field study to examine how click-based graphical passwords work in practice. No such prior field studies have been reported in the literature. We found significant differences in the usability results of the two studies, providing empirical evidence that relying solely on lab studies for security interfaces can be problematic. We also present a first look at whether interference from having multiple graphical passwords affects usability and whether more memorable passwords are necessarily weaker in terms of security.
Reducing shoulder-surfing by using gaze-based password entry BIBAFull-TextPDF 13-19
  Manu Kumar; Tal Garfinkel; Dan Boneh; Terry Winograd
Shoulder-surfing -- using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information -- is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input.
   With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.
Modeling user choice in the PassPoints graphical password scheme BIBAFull-TextPDF 20-28
  Ahmet Emir Dirik; Nasir Memon; Jean-Camille Birget
We develop a model to identify the most likely regions for users to click in order to create graphical passwords in the PassPoints system. A PassPoints password is a sequence of points, chosen by a user in an image that is displayed on the screen. Our model predicts probabilities of likely click points; this enables us to predict the entropy of a click point in a graphical password for a given image. The model allows us to evaluate automatically whether a given image is well suited for the PassPoints system, and to analyze possible dictionary attacks against the system. We compare the predictions provided by our model to results of experiments involving human users. At this stage, our model and the experiments are small and limited; but they show that user choice can be modeled and that expansions of the model and the experiments are a promising direction of research.

Privacy and access control

Tracking website data-collection and privacy practices with the iWatch web crawler BIBAFull-TextPDFSlides 29-40
  Carlos Jensen; Chandan Sarkar; Christian Jensen; Colin Potts
In this paper we introduce the iWatch web crawler, a tool designed to catalogue and analyze online data practices and the use of privacy related indicators and technologies. Our goal in developing iWatch was to make possible a new type of analysis of trends, the impact of legislation on practices, and geographic and social differences online. In this paper we present preliminary findings from two sets of data collected 15 months apart and analyzed with this tool. Our combined samples included more than 240,000 pages from over 24,000 domains and 47 different countries. In addition to providing useful and needed data on the state of online data practices, we show that iWatch is a promising approach to the study of the web ecosystem.
Usability of anonymous web browsing: an examination of Tor interfaces and deployability BIBAFull-TextPDF 41-51
  Jeremy Clark; P. C. van Oorschot; Carlisle Adams
Tor is a popular privacy tool designed to help achieve online anonymity by anonymising web traffic. Employing cognitive walkthrough as the primary method, this paper evaluates four competing methods of deploying Tor clients, and a number of software tools designed to be used in conjunction with Tor: Vidalia, Privoxy, Torbutton, and FoxyProxy. It also considers the standalone anonymous browser TorPark. Our results show that none of the deployment options are fully satisfactory from a usability perspective, but we offer suggestions on how to incorporate the best aspects of each tool. As a framework for our usability evaluation, we also provide a set of guidelines for Tor usability compiled and adapted from existing work on usable security and human-computer interaction.
Measuring privacy loss and the impact of privacy protection in web browsing BIBAFull-TextPDF 52-63
  Balachander Krishnamurthy; Delfina Malandrino; Craig E. Wills
Various bits of information about users accessing Web sites. some of which are private, have been gathered since the inception of the Web. Increasingly the gathering, aggregation, and processing has been outsourced to third parties. The goal of this work is to examine the effectiveness of specific techniques to limit this diffusion of private information to third parties. We also examine the impact of these privacy protection techniques on the usability and quality of the Web pages returned. Using objective measures for privacy protection and page quality we examine their tradeoffs for different privacy protection techniques applied to a collection of popular Web sites as well as a focused set of sites with significant privacy concerns. We study privacy protection both at a browser and at a proxy.
Lessons learned from the deployment of a smartphone-based access-control system BIBAFull-TextPDF 64-75
  Lujo Bauer; Lorrie Faith Cranor; Michael K. Reiter; Kami Vaniea
Grey is a smartphone-based system by which a user can exercise her authority to gain access to rooms in our university building, and by which she can delegate that authority to other users. We present findings from a trial of Grey, with emphasis on how common usability principles manifest themselves in a smartphone-based security application. In particular, we demonstrate aspects of the system that gave rise to failures, misunderstandings, misperceptions, and unintended uses; network effects and new flexibility enabled by Grey; and the implications of these for user behavior. We argue that the manner in which usability principles emerged in the context of Grey can inform the design of other such applications.

Training and such

Improving security decisions with polymorphic and audited dialogs BIBAFull-TextPDFSlides 76-87
  José Carlos Brustoloni; Ricardo Villamarín-Salomón
Context-sensitive guidance (CSG) can help users make better security decisions. Applications with CSG ask the user to provide relevant context information. Based on such information, these applications then decide or suggest an appropriate course of action. However, users often deem security dialogs irrelevant to the tasks they are performing and try to evade them. This paper contributes two new techniques for hardening CSG against automatic and false user answers. Polymorphic dialogs continuously change the form of required user inputs and intentionally delay the latter, forcing users to pay attention to security decisions. Audited dialogs thwart false user answers by (1) warning users that their answers will be forwarded to auditors, and (2) allowing auditors to quarantine users who provide unjustified answers. We implemented CSG against email-borne viruses on the Thunderbird email agent. One version, CSG-PD, includes CSG and polymorphic dialogs. Another version, CSG-PAD, includes CSG and both polymorphic and audited dialogs. In user studies, we found that untrained users accept significantly less unjustified risks with CSG-PD than with conventional dialogs. Moreover, they accept significantly less unjustified risks with CSG-PAD than with CSG-PD. CSG-PD and CSG-PAD have insignificant effect on acceptance of justified risks.
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish BIBAFull-TextPDF 88-99
  Steve Sheng; Bryant Magnien; Ponnurangam Kumaraguru; Alessandro Acquisti; Lorrie Faith Cranor; Jason Hong; Elizabeth Nunge
In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.
Towards understanding IT security professionals and their tools BIBAFull-TextPDFFull-Text 100-111
  David Botta; Rodrigo Werlinger; André Gagné; Konstantin Beznosov; Lee Iverson; Sidney Fels; Brian Fisher
We report preliminary results of our ongoing field study of IT professionals who are involved in security management. We interviewed a dozen practitioners from five organizations to understand their workplace and tools. We analyzed the interviews using a variation of Grounded Theory and predesigned themes. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a unit and responsible for different aspects of it. The workplace of our participants can be characterized by their responsibilities, goals, tasks, and skills. Three skills stand out as significant in the IT security management workplace: inferential analysis, pattern recognition, and bricolage.

SOUPS du jour

An honest man has nothing to fear: user perceptions on web-based information disclosure BIBAFull-TextPDF 112-121
  Gregory Conti; Edward Sobiesk
In today's era of the global ubiquitous use of free online tools and business models that depend on data retention and customized advertising, we face a growing tension between the privacy concerns of individuals and the financial motivations of organizations. As a critical foundation step to address this problem, we must first understand the attitudes, beliefs, behaviors, and expectations of web users in order to create an environment where user privacy needs are met while still allowing online companies to innovate and provide functionality that users desire. As security and usability professionals we must identify areas where misperceptions exist and seek solutions, either by raising awareness, changing policy, or through technical means. In this paper, we explore these issues and report the results from a survey of 352 college undergraduates and a comparison group of 25 middle aged adults The results were at times surprising and even contradictory to the views held by security professionals. To summarize our findings, the students we surveyed believe that "an honest man has nothing to fear."
Facemail: showing faces of recipients to prevent misdirected email BIBAFull-TextPDFPPT 122-131
  Eric Lieberman; Robert C. Miller
Users occasionally send email to the wrong recipients -- clicking Reply To All instead of Reply, mistyping an email address, or guessing an email address and getting it wrong - and suffer violations of security or privacy as a result. Facemail is an extension to a webmail system that aims to alleviate this problem by automatically displaying pictures of the selected recipients in a peripheral display, while the user is composing an email message. We describe techniques for obtaining faces from email addresses, and discovering mailing list memberships from existing web data sources, and a user interface design that keeps important faces recognizable while scaling up to hundreds or thousands of recipients. Preliminary experiments suggest that faces significantly improve users' ability to detect misdirected emails with only a brief glance.
Bitfrost: the one laptop per child security model BIBAFull-TextPDF 132-142
  Ivan Krstiæ; Simson L. Garfinkel
We present an integrated security model for a low-cost laptop that will be widely deployed throughout the developing world. Implemented on top of Linux operating system, the model is designed to restrict the laptop's software without restricting the laptop's user.


A usability evaluation of a home monitoring system BIBAFull-TextPDF 143-144
  Rajah James; Woo Tae Kim; Aleecia M. McDonald; Robert McGuire
In this paper, we describe results from a laboratory-based study of user interactions with the Home Heartbeat system, which allows customers to monitor sensor data about their residence. Our study focused on usability, privacy, and security.
Establishing darknet connections: an evaluation of usability and security BIBAFull-TextPDF 145-146
  John Bethencourt; Wai Yong Low; Isaac Simmons; Matthew Williamson
In many applications, hosts in a peer to peer network may wish to maintain their anonymity or the privacy of their queries. In some applications, an even stronger guarantee is desirable: hosts would like to prevent others from determining whether they participate in the network at all. Darknets, or friend-to-friend networks, are one approach to preventing the discovery of hosts within a peer to peer network [1]. In such a network, hosts only form Internet connections with and directly communicate with a small set of hosts whose operators are known and trusted a priori. That is, each user only connects to her friends, trusting that her friends will not reveal her identity or existence in the network.
Defeat spyware with anti-screen capture technology using visual persistence BIBAFull-TextPDF 147-148
  Johnny Lim
In this paper, we describe a novel web-based method to generate an on-screen keypad with anti-screen capture technology for secure data entry. Our method protects against spying via keyboard, mouse and screen on a compromised computer.
Detecting, analyzing and responding to security incidents: a qualitative analysis BIBAFull-TextPDF 149-150
  Rodrigo Werlinger; David Botta; Konstantin Beznosov
Persistence and cost are the two factors that have motivated several studies about better practices for dealing with security incidents [5]. However, there is not much literature about IT professionals who have to deal with security incidents, in terms of which tasks they actually perform and which resources they need to handle the complex scenarios given by real incidents [6]. This lack of research makes it difficult to evaluate and improve the support that IT security professionals need to respond efficiently to security incidents.
Helping users create better passwords: is this the right approach? BIBAFull-TextPDF 151-152
  Alain Forget; Sonia Chiasson; Robert Biddle
Users tend to form their own mental models of good passwords regardless of any instructions provided. They also tend to favour memorability over security. In our study comparing two mnemonic phrase-based password schemes, we found a surprising number of participants misused both schemes. Intentional or not, they misused the system such that their task of password creation and memorization became easier. Thus, we believe that instead of better instructions or password schemes, a new approach is required to convince users to create more secure passwords. One possibility may lie in employing Persuasive Technology.
Perception and acceptance of fingerprint biometric technology BIBAFull-TextPDF 153-154
  Rosa R. Heckle; Andrew S. Patrick; Ant Ozok
The acceptance of biometric security services appears to be affected by several factors, one of which may be the context in which it is used. In this study, 24 participants were asked to roleplay the use of a fingerprint biometric identification system when making purchases at an online bookstore. The results show differences in opinions about the biometric system when the perceived benefits for the users were manipulated. Participants were more comfortable using biometrics, and considered them more beneficial, when they were used to secure personal information for personal purchases, in contrast to securing personal information for corporate purchases. The results suggest that application contexts with obvious, apparent benefits to the user tend to lead to greater perceptions of usability and higher acceptance rates than contexts where there are only system or corporate benefits...
Secure software installation in a mobile environment BIBAFull-TextPDF 155-156
  Andreas P. Heiner; N. Asokan
Software security in mobile devices today is done by granting privileges to software, usually based on code signing. The cost of obtaining signatures and meeting strict quality requirements deters hobbyist developers from participating and contributing to application development. If a certain piece of software does not come with an acceptable signature, the mobile device may give the user the option of deciding whether that software should be granted the requested privileges. Naturally, designing the user interaction for this step without hampering usability and security is tricky. When users are simply prompted whether they want to grant certain privileges to some software, they often do not have enough information to understand the implications of this action.
   We propose that using community feedback can be an effective way of helping the user to decide whether to grant privileges to software. Community feedback includes opinions and ratings on both security and functionality attributes of software. We argue that users will use community feedback to decide whether they want to use a piece of software and that the decisions to download, install, and grant necessary privileges are implied by the decision to use.
Examining privacy and disclosure in a social networking community BIBAFull-TextPDF 157-158
  Katherine Strater; Heather Richter
The popularity of social networking websites such as Facebook and the subsequent levels and depth of online disclosures have raised several concerns for user privacy. Previous research into these sites has indicated the importance of disclosures between users as well as an under-utilization of extensive privacy options. This study qualitatively examines college students' disclosure and privacy behaviors and attitudes on Facebook.com. Results support current research into social networking and privacy and provide user-generated explanations for observed disclosure and privacy trends. Implications for future research into privacy software are discussed.
A survey of privacy concerns with dynamic collaborator discovery capabilities BIBAFull-TextPDF 159-160
  Robert L. Marchant
Dynamic Collaborator Discovery is concept that proposes using a person's patterns of information access to create models that can then be used to find others with similar interest. This concept may raise privacy concerns to end users. The poster will present the results of a survey conducted in May 2007 to determine if privacy concerns will exist for a dynamic collaborator discovery capability.
Graphical passwords & qualitative spatial relations BIBAFull-TextPDF 161-162
  Di Lin; Paul Dunphy; Patrick Olivier; Jeff Yan
A potential drawback of graphical password schemes is that they are more vulnerable to shoulder surfing than conventional alphanumeric text passwords. We present a variation of the Draw-a-Secret scheme originally proposed by Jermyn et al [1] that is more resistant to shoulder surfing through the use of a qualitative mapping between user strokes and the password, and the use of dynamic grids to both obfuscate attributes of the user secret and encourage them to use different surface realizations of the secret. The use of qualitative spatial relations relaxes the tight constraints on the reconstruction of a secret; allowing a range of deviations from the original. We describe QDAS (Qualitative Draw-A-Secret), an initial implementation of this graphical password scheme, and the results of an empirical study in which we examined the memorability of secrets, and their susceptibility to shoulder-surfing attacks, for both Draw-A-Secret and QDAS.
Vidalia: towards a usable Tor GUI BIBAFull-TextPDF 163-164
  Matthew Edman; Justin Hipple
Tor is a popular tool for online anonymity that currently does not have a standard graphical user interface. We present Vidalia, an open source, cross-platform GUI for Tor. We discuss some of the design decisions we have made in Vidalia, as well as what we have found users expect in a Tor GUI.
Is FacePIN secure and usable? BIBAFull-TextPDF 165-166
  Paul Dunphy; Jeff Yan
Personal identification numbers (PINs) and hardware tokens are often used together for authentication purposes, e.g., in financial transactions with ATM machines. However, many people cannot remember their PINs. This has caused insecure practice, extra management cost, or both. In this paper, we evaluate FacePIN, a solution proposed to improve the security and memorability of the PIN scheme.
End user concern about security and privacy threats BIBAFull-TextPDF 167-168
  Joshua B. Gross; Mary Beth Rosson
End users are typically seen as the weakest link in ensuring security and privacy in computing environments. Our own prior work suggested that end users may have difficulty differentiating between privacy/security problems and other hardware/software concerns. However, a survey of a broad group of internet users showed that, in fact, these users believe that they can not only differentiate between these two sets of concerns, but that in fact users are more concerned with security/privacy concerns than they are with other types of computer problems.
TwoKind authentication: usable authenticators for untrustworthy environments BIBAFull-TextPDF 169-170
  Katelin Bailey; Linden Vongsathorn; Apu Kapadia; Chris Masone; Sean W. Smith
The ease with which a malicious third party can obtain a user's password when he or she logs into Internet sites (such as bank or email accounts) from an insecure computer creates a substantial security risk to private information and transactions. For example, a malicious administrator at a cybercafe, or a malicious user with sufficient access to install key loggers at a kiosk, can obtain users' passwords easily. Even when users do not trust the machines they are using, many of them are faced with the prospect of accessing their accounts with a single level of privilege. To address this problem, we propose a system based on two modes of authentication -- default and restricted. Users can signal to the server whether they are in an untrusted environment so that the server can log them in under restricted privileges that allow them to perform basic actions that cause no serious damage if the session or their password is compromised.
Seven privacy worries in ubiquitous social computing BIBAFull-TextPDF 171-172
  Sara Motahari; Constantine Manikopoulos; Roxanne Hiltz; Quentin Jones
Review of the literature suggests seven fundamental privacy challenges in the domain of ubiquitous social computing. To date, most research in this area has focused on the features associated with the revelation of personal location data. However, a more holistic view of privacy concerns that acknowledges these seven risks is required if we are to deploy privacy respecting next generation social computing applications. We highlight the threat associated with user inferences made possible by knowledge of the context and use of social ties. We also describe work in progress to both understand user perceptions and build a privacy sensitive urban enclave social computing system.
Privacy implications for single sign-on authentication in a hospital environment BIBAFull-TextPDF 173-174
  Rosa R. Heckle; Wayne G. Lutters
Healthcare providers and their IT staff, working in an effort to balance appropriate accessibility with stricter security mandates, are considering the use of a single network sign-on approach for authentication and password management. There is an inherent tension between an authentication mechanism's security strength and the privacy implications of using that authentication technology. This is particularly true with single sign-on authentication. While single sign-on does facilitate authentication, our on-going field work in a regional hospital reveals several unanticipated privacy implications.