CUPS - CMU Usable Privacy and Security Laboratory - Carnegie Mellon University, 5000 Forbes Ave., Pittsburgh, PA 15213


The CMU Usable Privacy and Security Laboratory (CUPS) brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems. The privacy and security research community has become increasingly aware that usability problems severely impact the effectiveness of mechanisms designed to provide security and privacy in software systems. Indeed, one of the four grand research challenges in information security and assurance identified by the Computing Research Association in 2003 is: "Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future." This is the challenge that CUPS strives to address. Our research employs a combination of three high-level strategies to make secure systems more usable: building systems that "just work" without involving humans in security-critical functions; making secure systems intuitive and easy to use; and teaching humans how to perform security-critical tasks.

CUPS is affiliated with Carnegie Mellon CyLab. Our research is funded by grants from the National Science Foundation, the Army Research Office, Microsoft, and IBM. We are participants in the IBM Open Collaborative Research Initiative on Privacy and Security Policy Management.

News and Events

Rob Reeder, Kami Vaniea, and Serge Egelman will present papers at CHI 2008.

Lorrie Cranor will present A Framework for Reasoning About the Human in the Loop at UPSEC '08.

Carnegie Mellon CyLab will host the 4th Symposium On Usable Privacy and Security July 23-25, 2008. Lorrie Cranor is the general chair and Jason Hong is technical papers co-chair.

Demos

Anti-phishing Phil
An online game to teach people how to avoid phishing attacks

Privacy Finder
A search engine that will help you find web sites that will respect your privacy

Win prizes and help our research by using Privacy Finder!

People

Director: Lorrie Cranor

Alessandro Acquisti
Lujo Bauer
Sven Dietrich
Julie Downs
Serge Egelman
Mandy Holbrook
Jason Hong
Patrick Kelley
Ponnurangam Kumaraguru
Cynthia Kuo
Aleecia McDonald
Bryan Pendleton
Adrian Perrig
Robert Reeder
Sasha Romanosky
Norman Sadeh
Steve Sheng
Janice Tsai
Kami Vaniea

Alumni and former lab members: Fahd Arshad, Ian Fette, Eduardo A. Cuervo Laffaye, Matthew Geiger, Braden Kowitz, Chris Long, Ryan Mahon, Elaine Newton

Current Projects and Selected Publications

Privacy decision making | Supporting trust decisions | User controllable security and privacy | Usable access control with smart phones | Usable anonymity tools | Understanding privacy in India | The economics of privacy

Privacy decision making

While most people claim to be very concerned about their privacy, they do not consistently take actions to protect it. Web retailers detail their information practices in their privacy policies, but most of the time this information remains invisible to consumers. Our research focuses on understanding how individuals make privacy-related decisions and on finding ways to make privacy information more usable to consumers. CUPS researchers are working on several P3P-related projects. We helped develop a human-readable translation of P3P elements for P3P 1.1. We are developing enhancements to the Privacy Bird P3P user agent that will make it easier to use and allow it to be ported to new platforms. We also extended a prototype Privacy Bird search engine, and now make it available as the Privacy Finder search service. We are conducting user studies to see how the use of this search service impacts user behavior. Finally, we are using an automated system to gather data from P3P-enabled web sites to gain a better understanding of the state of web site privacy practices. [L. Cranor, S. Egelman, S. Sheng, E. Laffaye, J. Tsai, A. Acquisti]

L. Cranor, P. Guduru, and M. Arjula. User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction, June 2006, pp 135-178.

L. Cranor. Web Privacy with P3P (2002). Sebastopol, CA: O'Reilly & Associates, Inc.

J. Gideon, S. Egelman, L. Cranor, and A. Acquisti. Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

S. Egelman, L. Cranor, and A. Chowdhury. An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. Proceedings of the Eighth International Conference on Electronic Commerce, August 14-16, 2006, Fredericton, New Brunswick, Canada.

J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Paper presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA.

L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. To be published in Electronic Commerce Research and Applications, 2008.

Supporting trust decisions

When Internet users are asked to make "trust" decisions they often make the wrong decision. Implicit trust decisions include decisions about whether or not to open an email attachment or provide information in response to an email that claims to have been sent by a trusted entity. Explicit trust decisions are decisions made in response to specific trust- or security-related prompts such as pop-up boxes that ask the user whether to trust an expired certificate, execute downloaded software, or allow macros to execute. Attackers are able to take advantage of most users' poor trust decision-making skills through a class of attacks known as "semantic attacks." It is not always possible for systems to make accurate trust decisions on a user's behalf, especially when those decisions require knowledge of contextual information. The goal of this research is not to make trust decisions for users, but rather to develop approaches to support users when they make trust decisions. Our research will begin with a mental models study aimed at understanding and modeling how people make trust decisions in the online context and ultimately result in the development and evaluation of new software. (See also the CyLab announcement about this project and the Supporting trust decisions project page.) [L. Cranor, A. Acquisti, S. Dietrich, J. Downs, J. Hong, N. Sadeh, M. Holbrook, S. Egelman, I. Fette, S. Sheng, P. Kumaraguru]

S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.

J. Downs, M. Holbrook, and L. Cranor. Behavioral Response to Phishing Risk. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 37-44.

P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor and J. Hong. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81.

S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report. CMU-CyLab-07-003, 2007.

P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April - May 3, 2007, 905-914. [Originally published as CyLab Technical Report CMU-CyLab-06-017, 2006]

J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails. In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007. [Earlier version available as ISRI Technical Report. CMU-ISRI-06-112, 2006.]

Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.

Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28th February - 2nd March, 2007.

User controllable security and privacy

Managing security and privacy policies is known to be a difficult problem. We believe it is important that new user interfaces be developed to effectively and efficiently support lay users in understanding and managing security and privacy policies - their own as well as those implemented by systems and individuals with whom they interact. Solutions in this area have traditionally taken a relatively narrow view of the problem by limiting the expressiveness of policy languages or the number of options available in templates, restricting some decisions to specific roles within the enterprise, etc. As systems grow more pervasive and more complex, and as demands for increasing flexibility and delegation continue to grow, it is imperative to take a more fundamental view that weaves together issues of security, privacy and usability to systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance; and develop novel mechanisms and technologies that help mitigate these tradeoffs, maximizing accuracy and trustworthiness while minimizing the time and effort required by end users. The objective of this project is to develop new interfaces that combine user-centered design principles with dialog, explanation and learning technologies to assist users in specifying and refining policies. One new policy authoring interface we have developed is a visualization technique for displaying policies in a two-dimensional "expandable grid". (See also the User controllable security and privacy project page and the Expandable grids project page.) [N. Sadeh, L. Cranor, M. Reiter, L. Bauer, B. McLaren, K. Vaniea, P. Kelley, R. Reeder]

R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

M. Prabaker, J. Rao, I. Fette, P. Kelley, L. Cranor, J. Hong, and N. Sadeh, Understanding and Capturing People's Privacy Policies in a People Finder Application, 2007 Ubicomp Workshop on Privacy, Austria, Sept. 2007.

J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, L. Cranor, J. Hong, B. McLaren, M. Reiter, N. Sadeh, "User-Controllable Security and Privacy For Pervasive Computing", Proceedings of the 8th IEEE Workshop on Mobile Computing Systems and Applications (HotMobile 2007).

Usable access control with smart phones

The Grey project is an experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones." Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented. Moreover, it leverages "capture resilience" to ensure that the device cannot be misused even if captured and reverse-engineered by a skilled attacker. Grey is currently deployed to provide access control for door locks throughout our building. We are working with the Grey team to improve the usability of the system and to study how people use the system. [L. Cranor, K. Vaniea, M. Reiter, L. Bauer, R. Reeder]

L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A User Study of Policy Creation in a Flexible Access-Control System. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007. [Originally published as Technical Report CMU-CyLab-06-016.]

L. Bauer, L. F. Cranor, R. W. Reeder, M. K. Reiter, and K. Vaniea. Comparing Access-Control Technologies: A Study of Keys and Smartphones. Technical Report CMU-CyLab-07-005, CyLab, Carnegie Mellon University, February 2007.

Usable anonymity tools

A variety of tools have been developed to provide anonymity for various types of online interactions. Most of the work in this area has focused on improving the anonymity properties of these tools, and little has been done to improve their usability. We have been working on developing more usable interfaces for Tor. [S. Romanosky, L. Cranor, J. Hong, J. Tsai, K. Vaniea, P. Kumaraguru, S. Egelman, C. Kuo]

FoxTor design document, our entry for the Tor GUI competition (selected as the phase 1 winner)

FoxTor download and FAQ

Understanding privacy in India

The development of privacy-related software has been informed by studies of attitudes about privacy. However, most of these studies have been performed in North America, Europe, or Australia. We are doing an in-depth study of privacy in India, including a written survey, interviews, and a survey of Indian web site privacy policies. [L. Cranor, P. Kumaraguru]

P. Kumaraguru and L. Cranor. Privacy in India: Attitudes and Awareness. In Proceedings of the 2005 Workshop on Privacy Enhancing Technologies (PET2005), 30 May - 1 June 2005, Dubrovnik, Croatia.

The economics of privacy

Alessandro Acquisti researches the economic impact of privacy protection and privacy intrusions, the relations between privacy and economic rationality, and the dichotomy between expressed privacy attitudes and actual revealed behavior.

A. Acquisti. Privacy in Electronic Commerce and the Economics of Immediate Gratification. ACM Electronic Commerce Conference (EC '04), 2004.

Other Selected Publications

L. Cranor. A Framework for Reasoning About the Human in the Loop. Carnegie Mellon CyLab Technical Report CMU-CyLab-08-001, January 2008.

L. Cranor. What do they "indicate?": evaluating security and privacy indicators. interactions, May/June 2006, p. 45-57.

X. Sheng and L. Cranor. An Evaluation of the Effectiveness of US Financial Privacy Legislation Through the Analysis of Privacy Policies. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 3, Fall 2006, pp. 943-979.

L. Cranor. 'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.

L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.

S. Egelman and L. Cranor. The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 1, Winter 2006, pp. 149-183.

M. Geiger and L. Cranor, Counter-Forensic Privacy Tools: A Forensic Evaluation. ISRI Technical Report. CMU-ISRI-05-119, 2005.

B. Kowitz and L. Cranor. Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA.

P. Kumaraguru and L. Cranor. Privacy Indexes: A Survey of Westin's Studies. ISRI Technical Report. CMU-ISRI-05-138, 2005.

C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

S. Romanosky. Private Sector: When it comes to data security, sweat the little things. Pittsburgh Post-Gazette, August 22, 2006.


Resources

Security and Usability: Designing Secure Systems that People Can Use, edited by Lorrie Cranor and Simson Garfinkel, is now available

L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.

The HCISec Bibliography contains a good list of CUPS-related publications.

HCISEC mailing list

Usable Security Blog from UC Berkeley

strawberryJAMM's Security and User Experience WebLog from a Microsoft User Experience Program Manager

Slides are available from the July 2004 Workshop on Usable Privacy and Security Software

Usability, Psychology, and Security workshop

Vizsec - a research and development community interested in applying information visualization techniques to the problems of computer security
