Workshop on Usable Security and Privacy (USEC) 2021
Friday, 7 May
Harry Halpin (Nym Technologies)
In this study, we overview the problems associated with the usability of cryptocurrency wallets, such as those used by ZCash, for end-users. The concept of “holistic privacy,” where information leaks in one part of a system can violate the privacy expectations of different parts of the system, is introduced as a requirement. To test this requirement with real-world software, we did a 60 person task-based evaluation of the usability of a ZCash cryptocurrency wallet by having users install and try to both send and receive anonymized ZCash transactions, as well as install a VPN and Tor. While the initial wallet installation was difficult, we found even a larger amount of difficulty integrating the ZCash wallet into network-level protection like VPNs or Tor, so only a quarter of users could complete a real-world purchase using the wallet.
Phishing is a ubiquitous global problem that is both the simple crime of theft of authenticating information and the first step in advanced persistent attack chains. Despite receiving worldwide attention and investments in targeted anti-phishing campaigns, a large proportion of people are still vulnerable to phishing. This is not only due to the evolution of phishing attacks, but also due to the diversity of those exposed to phishing attacks in terms of demographics, jurisdiction, and technical expertise. To explore phishing resilience, we conducted a cross-national study to identify demographic and other factors that might have an impact on phishing resilience across nations. Specifically, we recruited 250 participants from the United States, Australia, New Zealand, Canada, and the United Kingdom to observe their responses to phishing websites in a simulated environment. We identified how factors including demographics, knowledge, skills, website familiarity, and self-reported risk assessment behaviors relate to efficacy in phishing detection. While participants’ phishing knowledge, familiarity with the target website, and their reported use of the lock icon as a phishing indicator increases participants’ probability of correctly identifying a legitimate website, we found that these factors did not specifically make them more resilient to phishing attacks. Our results further show that computer expertise has a significant positive impact on phishing resilience and that increased age correlates with the probability of misconstruing a phishing site as legitimate. These findings were applicable across all five countries in our study.
Simon Parkin (TU Delft), Kristen Kuhn, Siraj Ahmed Shaikh (Coventry University)
The motivation for corporate leadership to engage with cyber risks is increasingly clear. Stories can be seen of cyber incidents which have crippled large-scale businesses, potentially for extended periods of time and at significant cost. Our contribution here explores a much under-researched area — perceptions of cybersecurity and cyber risk at the highest levels of an organisation — with the aim of developing a structured, scenario-driven and repeatable exercise for executive decision makers. We attempt to understand why cyber risk perception is an important concept but equally a challenging one to grasp. We address this by demonstrating an approach to risk articulation, in terms of systematically constructed scenarios, and assess whether this resonates with decision-makers. As part of this, we also attempt to assess cyber-risk decision-makers for their perception of wider business risks and stakeholders.
Shujaat Mirza, Christina Pöpper (New York University)
Online social networks accumulate unprecedented amounts of data that continue to exist on user profiles long after the time of posting. Given that these platforms primarily provide a venue for people to connect and foster online friendships, the influence and the risks associated with longitudinal data may impact users and their reasons for using these platforms. To better understand these issues, we conducted two user studies of Facebook users analyzing the history of past postings w. r. t. to their perceived relevance, longitudinal exposure, and impact on the users’ befriending behavior. The studies give us a cross-cultural undergraduate student sample (n=89, campus study) and a Mechanical Turk sample of two cultural backgrounds from the US and India (n=209, MTurk study). Our findings reveal that a sizable group of participants consider their past postings irrelevant and, at times, embarrassing. However, participants’ awareness and usage of longitudinal privacy control features (e. g., Limit Past Posts) are limited, resulting in overexposure of their past postings and personal information. Importantly, we find support that these overexposed, yet irrelevant, past postings (of both participants and friend requesters) have the potential to influence users’ fundamental behavior on the platform: friend network expansion. Participants greatly valued friend requester’s past postings, particularly in the absence of prior personal interactions, but are influenced by their backgrounds (American users rely significantly more than their Indian counterparts on the requesters’ past postings for their befriending behavior). We close by discussing the implications of our findings on the future of longitudinal privacy controls.
Alain Giboin (UCA, INRIA, CNRS, I3S), Karima Boudaoud (UCA, CNRS, I3S), Patrice Pena (Userthink), Yoann Bertrand (UCA, CNRS, I3S), Fabien Gandon (UCA, INRIA, CNRS, I3S)
Allowing the users of mobile applications to control their personal data has become a key requirement. In the PadDOC project we studied the design of a mobile application intended to guarantee users the “exclusive control” of their personal data. We decided to use a heuristic evaluation method but we rapidly found that the criteria used were either too general or incomplete. As a result, we undertook to design a new set of heuristics which take this control activity into account, and which can be used by both usability specialists (HCI ergonomists) and computer scientists or engineers. This paper details the heuristics we designed together with the design method. It also reports the first test of the use of the criteria by a group of computer scientists, engineers and HCI ergonomists to evaluate a mock-up version of the PadDOC application. This test shows the benefits and limitations of the criteria.
Abdulmajeed Alqhatani, Heather R. Lipford (University of North Carolina at Charlotte)
Users of wearable fitness devices share different pieces of information with a variety of recipients to support their health and fitness goals. Device platforms could ease this sharing and empower users to protect their information by providing controls and features centered around these common sharing goals. However, there is little research that examines existing mechanisms for sharing and privacy management, and what needs users have beyond their current controls. In this paper, we analyze five popular wearable device platforms to develop taxonomies of mechanisms based on common sharing patterns and boundaries, as well as data collection awareness. With this analysis, we identify design opportunities for supporting users’ sharing and privacy needs.
“Lose Your Phone, Lose Your Identity”: Exploring Users’ Perceptions and Expectations of a Digital Identity Service
Michael Lutaaya, Hala Assal, Khadija Baig, Sana Maqsood, Sonia Chiasson (Carleton University)
Digital identities are gaining traction and spurring the interest of governments around the world. In this paper, we explore the concept of digital identity from the user’s perspective, using a digital identity prototype as a prop. To this effect, we conducted a user study with 22 participants to understand their perceptions and expectations of digital identity services.We conducted the study in Canada, where digital identities are not yet widely adopted. Our participants identified some benefits of using digital identity, particularly those relating to the convenience of using a digital format rather than a printed one.However, participants did not recognize the privacy-preserving benefits of using a digital service. They also expressed concerns about the associated privacy risks, particularly around how their data would be handled and the risk of privacy and security breaches. Based on our findings, we provide recommendations for designing digital identity services that are both usable and privacy-protective.
Ritajit Majumdar (Indian Statistical Institute), Sanchari Das (University of Denver)
Quantum computers are considered a blessing to the dynamic technological world that promises to solve complex problems much faster than their known classical counterparts. Such computational power imposes critical threats on modern cryptography where it has been proven that asymmetric key cryptosystem will be rendered useless in a quantum world. However, we can utilize such a powerful mechanism for improving computer security by implementing such technology to solve complex data security problems such as authentication, secrets management, and others. Mainly, Quantum Authentication (QA) is an emerging concept in computer security that creates robust authentication for organizations, systems, and individuals. To delve deeper into the concept, for this research, we have further investigated QA through a detailed systematic literature review done on a corpus of N = 859 papers. We briefly discuss the major protocols used by various papers to achieve QA, and also note the distribution of papers using those protocols. We analyzed the technological limitations mentioned by previous researchers and highlighted the lack of human-centered solutions for such modern inventions. We emphasize the importance of research in the user aspect of QA to make the users aware of its potential advantages and disadvantages as we move to the quantum age.
Location Data and COVID-19 Contact Tracing: How Data Privacy Regulations and Cell Service Providers Work In Tandem
Callie Monroe, Faiza Tazi, Sanchari Das (university of Denver)
Governments, Healthcare, and Private Organizations in the global scale have been using digital tracking to keep COVID-19 outbreaks under control. Although this method could limit pandemic contagion, it raises significant concerns about user privacy. Known as “Contact Tracing Apps” , these mobile applications are facilitated by Cellphone Service Providers (CSPs), who enable the spatial and temporal realtime user tracking. Accordingly, it might be speculated that CSPs collect information violating the privacy policies such as GDPR, CCPA, and others. To further clarify, we conducted an in-depth analysis comparing privacy legislations with the real world practices adapted by CSPs. We found that three of the regulations (GDPR, COPPA, and CCPA) analyzed defined mobile location data as private information, and two (T-Mobile US, Boost Mobile) of the five CSPs that were analyzed did not comply with the COPPA regulation. Our results are crucial in view of the threat these violations represent, especially when it comes to children’s data. As such proper security and privacy auditing is necessary to curtail such violations. We conclude by providing actionable recommendations to address concerns and provide privacy-preserving monitoring of the COVID-19 spread through the contact tracing applications.
Lavanya Sajwan, James Noble, Craig Anslow (Victoria University of Wellington), Robert Biddle (Carleton University)
Technologies are continually adapting to match ever-changing trends. As this occurs, new vulnerabilities are exploited by malicious attackers and can cause significant economic damage to companies. Programmers must continually expand their knowledge and skills to protect software. Programmers make mistakes, and this is why we must interpret how they implement and adopt security practices. This paper reports on a study to understand programmer adoption of security practices. We identified a theory of inter-related influences involving programmer culture, organizational factors, and industry trends. Understanding these decisions can help inform organizational culture and education to improve software security.
With more devices connected to the internet, collecting and sharing data using the Internet of Things (IoT) is an exciting prospect for many food supply chain stakeholders and consumers. However, new technologies introduce significant real and perceived security and privacy concerns that are hindering broader adoption of these technologies. While many of these risks can be mitigated through advanced privacy preservation technologies and security practices, we hypothesized that participants in primary industry supply chains have limited knowledge of these tools. By investigating perceptions and attitudes towards data sharing and privacy preserving tools, we hoped to reveal how communication strategies could be targeted to address this barrier to usable security in data sharing and digital food supply chains. To this end, we carried out pilot interviews and conducted a survey of Australian food supply chain stakeholders to explore: (1) current data sharing practices and the attitudes of food supply chains participants towards such practices, and (2) the perception towards privacy preserving techniques. We found that the extent of data sharing differs among different food supply chains. In general, participants in these supply chains were cautiously positive about the potential for data sharing. They also report that they were developing more trust in privacy preserving technologies as a tool for managing data sharing risk. An issue that emerged was the perception that the effort required to engage with data sharing platforms outweighs the benefits derived from them. Furthermore, the benefits of data sharing were not seen to be evenly distributed across the supply chain. These findings provide useful direction for progressing the adoption of digital supply chains.