Issue No. 06 - November/December (2006 vol. 4)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2006.165
Janice Y. Tsai , Carnegie Mellon University
Serge Egelman , Carnegie Mellon University
The second annual Symposium on Usable Privacy and Security (SOUPS 2006) was held at Carnegie Mellon University (CMU) 12–14 July 2006. Lorrie Cranor, an associate research professor with CMU's Institute for Software Research International, chaired the conference, which was organized by the CMU Usable Privacy and Security (CUPS) Lab with sponsorship from Carnegie Mellon CyLab. Clare-Marie Karat from IBM T.J. Watson Research and Diana Smetters of the Palo Alto Research Center (PARC) served as chairs for the technical paper sessions.
The conference's first day opened with a security-related user studies workshop and poster session. The user-study construction kits discussed in the workshop provided useful examples for researchers developing security-related user studies.
Cranor and Richard Pethia, codirector of Cylab, welcomed the conference participants. Cranor started her remarks with an anecdote about Nigerian scammers who had tried to register for the conference with stolen credit-card information, illustrating the prevalence of phishing scams, which are now even trying to target security and privacy researchers.
Austin Hill, one of the cofounders of RadialPoint (formerly Zero-Knowledge), delivered a keynote address that shared his experiences in trying to make security and privacy usable for everyday users. Unfortunately, Hill discovered that users hadn't yet reached a "crisis point" to push them to protect their security and privacy. He explained that it's increasingly difficult to secure a computer and recommended building security and privacy services into the main access channel, as ISPs are starting to do.
Technical paper sessions
Attendees presented 14 papers in four sessions covering access control, password management, phishing, and risk transparency.
Alex DeWitt from Brunel University, London, started the first paper session with his talk on a usability study of Polaris, software for limiting the privileges available to computer viruses. The study's results showed that Polaris wasn't easily usable and didn't provide system protection. The study's authors concluded that to encourage users to adopt and use security software such as Polaris, it should provide high integration, low time investment, few decision points, obvious perceived benefits, strong visual indicators, and no error messages.
John Karat of IBM T.J. Watson Research Center spoke about a policy management workbench called Server Privacy Architecture and Capability Enablement (Sparcle), which is designed to let nontechnical policymakers write rules in a familiar natural language format. Specifically, the IBM team examined the accuracy rates Sparcle's natural language parser achieved in detecting structural elements from rules written in natural language. Sparcle yielded accuracy rates between 82–100 percent, with an average parsing precision of 94 percent.
Lee Iverson from the University of British Columbia spoke about his work on intentional access management. He argued that most access-control interfaces are written at too low a level for most users involved in collaborative information-sharing tasks. Thus, Iverson and his team built and tested a framework and system for specifying users' resource-sharing intentions for any underlying access-control mechanism that implements users' high-level intentions in the lower-level access-control mechanism.
Ka-Ping Yee from the University of California, Berkeley, kicked off the password session by introducing Passpet, his password-management tool that provides users with an animal image in the Firefox toolbar and a mechanism for creating personal labels for each Web site that they visit. Clicking on the animal prompts the user for a master password, which generates a site-specific password based on the user's label for that page. To log in to a Web site, users must always click on their animal image. Thus users rely on something they've made (the label) for online security, as opposed to something that the attacker might control (Web site layout, for example).
Shirley Gaw from Princeton University presented her results from a user study that examined the strength, use, and user perceptions regarding passwords. She found that most users had an average of three passwords that they continuously reused. Most users perceived their friends to be the most able attackers to compromise their accounts. Gaw's study found that users aren't worried about dictionary attacks; rather, they're primarily concerned about other people closer to them, such as friends or family, guessing their passwords.
Furkan Tari of the University of Maryland, Baltimore County, presented a study of shoulder-surfing's effect on Passfaces, a system that uses faces as passwords. The study confirmed that Passfaces is vulnerable to shoulder-surfing—looking over users' shoulders as they enter their passwords—because the images are easy to observe when the user selects them with a mouse. Additionally, Tari's study found that non-dictionary passwords are easier to observe than dictionary ones, perhaps because users enter non-dictionary passwords more slowly than dictionary ones.
CMU's Cynthia Kuo wrapped up the session with the results from a password study that involved building a dictionary of common phrases to run an attack against mnemonic passwords. In her study, a dictionary attack cracked 11 percent of control passwords and 4 percent of mnemonic passwords. Kuo posited that mnemonic passwords might become more vulnerable in the future as better phrase dictionaries are developed and suggested that instructions on generating mnemonic passwords should warn users not to use well-known phrases.
CMU's Julie Downs examined users' perceptions of phishing and whether they could distinguish between phishing messages and legitimate email. Overall, Downs found that participants based their trust decisions on familiarity with the company and how personal the email appeared to be. At the same time, participants had little grasp of how to prevent being phished.
Anthony Y. Fu from the City University of Hong Kong illustrated some interesting unicode attacks. More than 200 different characters look identical to the ASCII "c," letting phishers create domain names that look exactly like the brands that they're phishing. Fu presented two schemes to help combat this problem: the first examines visual similarities between various characters, and the second examines characters for semantic similarities.
MIT's Min Wu presented Web Wallet, a taskbar program that resides within a Web browser and stores users' personal information. When users' information is sent to the Web site, the toolbar determines whether the Web site is legitimate. Wu found that Web Wallet was very effective in blocking phishing attacks but wasn't as successful when an attacker created a similar looking toolbar within a Web page.
Paul A. Karger presented IBM's Caernarvon protocol, a privacy-preserving way to identify federal employees. Current identification protocols leak information pertaining to the ID holder's agency code. Krager recommended that a new version of the ID standard mandate a formally proven, privacy-preserving protocol for cards issued by all agencies.
Richard Newman from the University of Florida focused on protecting domestic powerline communications with the HomePlug AV standard, which would protect against leaked communications and support multiple virtual networks and devices.
CMU's Serge Egelman presented a study on Privacy Finder, a search engine in which results are enhanced with privacy information from Web sites' Platform for Privacy Preferences (P3P) policies. This study investigated whether additional privacy information affected users' purchasing behaviors. Participants in the study were asked to shop online for a nonprivacy-sensitive item (surge protectors) and a privacy-sensitive one (condoms). With privacy-enhanced searches, users were more likely to select sites with better privacy policies, especially for the condom purchases.
Jennifer Rode and Paul DiGioia of the University of California, Irvine, presented a paper on Impromptu, a file-sharing system in which users move colored dots representing their files in a shared workspace shown as a pie-shaped area. Their user tests confirmed that integration of configuration and action was successful. Emergence of group norms about sharing suggested the concreteness and mutual visibility principles were also successful.
This year's conference featured a panel entitled "Phishing: How Will the Scourge Really Be Killed?" Moderated by IBM's Mary Ellen Zurko, the panel included Rob Franco of Microsoft, Jeff Nelson of Google, Ka-Ping Yee of UC Berkeley, and Diana Smetters. The panelists examined user control via a browser, which represents a central authority deciding trustworthy sites, thus taking the burden off the user and placing it with sites and applications to protect personal information, and trusting users to become more security technology savvy as Web sites themselves use better authentication methods.
SOUPS 2006 included three informal discussion sessions. Bill Cheswick of Lumeta moderated a session entitled, "Johnny Can Obfuscate: Beyond Mother's Maiden Name" to brainstorm ways in which a human calculates challenge-response authentication rather than a hardware token. The "Teaching Usable Privacy and Security" session, moderated by CMU's Jason Hong and Lorrie Cranor, let faculty share their experiences. John Karat moderated the "Policy Management: A Central Theme for Usable Privacy and Security Systems" discussion, which centered on compliance and the difficulties that arise in mapping from high-level policies to implementable rules.
SOUPS 2006's major themes included the invisibility of privacy and security, policy management, and trust. As more user-friendly privacy and security tools are developed, the human-computer interface security (HCISec) community must also develop approaches to encourage users to protect themselves. Trust plays a key role in users' decision-making, but, at the same time, policy management tools are required so that developers understand the security and privacy requirements required for their products.
The second annual SOUPS conference was successful and drew a larger and more diverse audience than SOUPS 2005. It exposed HCISec researchers to a wider range of issues that face the community as well as defined the approaches that seem best for dealing with these issues.
Conference proceedings and selected user-study construction kits are available at http://cups.cs.cmu.edu/soups/. SOUPS 2007 is scheduled for 18–20 July 2007 ( http://cups.cs.cmu.edu/soups/).
Janice Y. Tsai is a PhD student in engineering and public policy at Carnegie Mellon University. Her research interests include privacy, intellectual property, digital rights management, electronic voting, and technology policy in these areas. Tsai has an MLIS from Rutgers University. Contact her at email@example.com.
Serge Egelman is a PhD student in computation, organizations, and society at Carnegie Mellon University. His research interests include privacy, online trust, and usability. Egelman has a BS in computer engineering from the University of Virginia. Contact him at firstname.lastname@example.org.