CUPS is affiliated with Carnegie Mellon CyLab. Our research is funded by grants from the National Science Foundation, the Army Research Office, Fundação para a Ciência e Tecnologia (FCT) Portugal under a grant from the Information and Communications Technology Institute (ICTI) at CMU, Microsoft, and IBM. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or any of our other funders. We are participants in the IBM Open Collaborative Research Initiative on Privacy and Security Policy Management. Wombat Security Technologies, Inc. is commercializing some of the technologies we developed.

CUPS PhD students come from several CMU PhD programs including the programs in Computation, Organizations and Society, Engineering and Public Policy, Human Computer Interaction, Computer Science, and Public Policy and Management. Prospective students should apply directly to these programs and also express their interest in the CUPS doctoral training program.

News and Events
We issued two new technical reports and submitted them as public comments to the FTC's exploring privacy roundtable series: Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach and An Empirical Study of How People Perceive Online Behavioral Advertising
Janice Tsai presented a paper on location-sharing technologies at TPRC.
We have received an NSF IGERT grant to support the Carnegie Mellon Usable Privacy and Security Doctoral Training Program. See CMU Press Release.
Josh Sunshine presented the paper Crying Wolf: An Empirical Study of SSL Warning Effectiveness at USENIX Security 2009. There have been articles on this paper in ABC News, The Tech Herald, Computerworld, and SC Magazine.
SOUPS 2009 was held July 15-17 in Mountain View, CA - proceedings are available online.
Lots of CUPS projects featured at the CFP 2009 Research showcase -- Locaccino, Privacy Finder, privacy nutrition labels and more!
SOUPS PhD students Serge Egelman, Kami Vaniea, Janice Tsai, and Patrick Kelley presented papers and posters at CHI 2009. Patrick won the student poster competition!
Lorrie Cranor's article on phishing was published in the December issue of Scientific American
CUPS faculty Lorrie Cranor, Norman Sadeh, and Jason Hong have co-founded Wombat Security Technologies to commercialize CUPS-developed anti-phishing technology.

Demos
People
Current members: Alessandro Acquisti, Idris Adjerid, Lujo Bauer, Joanna Bresee, Luc Cesca, Justin Cranshaw, Cristian Bravo-Lillo, Nicolas Christin, Julie Downs, Naoko Hayashida, Mandy Holbrook, Jason Hong, Patrick Kelley, Saranga Komanduri, Michelle Mazurek, Marty McGuire, Aleecia McDonald, Bryan Pendleton, Adrian Perrig, Sasha Romanosky, Norman Sadeh, Rich Shay, Kami Vaniea

Alumni and former lab members: Fahd Arshad, Ian Fette, Cynthia Kuo, Eduardo A. Cuervo Laffaye, Matthew Geiger, Braden Kowitz, Chris Long, Ryan Mahon, Elaine Newton, Sven Dietrich, Robert Reeder, Ponnurangam Kumaraguru, Serge Egelman, Steve Sheng, Janice Tsai, Paul Hankes Drielsma
Current Projects and Selected Publications
Privacy decision making | User controllable security and privacy | Usable access control with smart phones | Usable cyber trust indicators | Usable security for digital home storage | Usable anonymity tools | The economics of privacy
Privacy decision making
While most people claim to be very concerned about their privacy, they do not consistently take actions to protect it. Web retailers detail their information practices in their privacy policies, but most of the time this information remains invisible to consumers. Our research focuses on understanding how individuals make privacy-related decisions and on finding ways to make privacy information more usable to consumers.

CUPS researchers are developing a "nutrition label" for privacy and working on several P3P-related projects. We are developing enhancements to the Privacy Bird P3P user agent that will make it easier to use and allow it to be ported to new platforms. We also extended a prototype Privacy Bird search engine, and now make it available as the Privacy Finder search service. We are conducting user studies to see how the use of this search service impacts user behavior. Finally, we are using an automated system to gather data from P3P enabled web sites to gain a better understanding of the state of web site privacy practices.

A.M. McDonald and L.F. Cranor. An Empirical Study of How People Perceive Online Behavioral Advertising. Carnegie Mellon CyLab Technical Report CMU-CyLab-09-015, November 10, 2009.
P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. Carnegie Mellon CyLab Technical Report CMU-CyLab-09-014, November 10, 2009.
J.Y. Tsai. The Impact of Salient Privacy Information on Decision-Making, PhD Thesis, Engineering & Public Policy Department, Carnegie Mellon University, Pittsburgh, PA, August 2009.
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009.
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.
A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. [Paper originally presented at TPRC 2008, Sept 26-28, 2008, Arlington, VA.]
L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, 2008.
J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Paper presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA.
S. Egelman, L. Cranor, and A. Chowdhury. An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. Proceedings of the Eighth International Conference on Electronic Commerce August 14-16, 2006, Fredericton, New Brunswick, Canada.
J. Gideon, S. Egelman, L. Cranor, and A. Acquisti. Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
L. Cranor, P. Guduru, and M. Arjula. User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction, June 2006, pp 135-178.
L. Cranor. Web Privacy with P3P (2002). Sebastopol, CA: O'Reilly & Associates, Inc.
User controllable security and privacy
Managing security and privacy policies is known to be a difficult problem. It is important that new user interfaces be developed to effectively and efficiently support lay users in understanding and managing security and privacy policies - their own as well as those implemented by systems and individuals with whom they interact. Solutions in this area have traditionally taken a relatively narrow view of the problem by limiting the expressiveness of policy languages or the number of options available in templates, restricting some decisions to specific roles within the enterprise, etc. As systems grow more pervasive and more complex, and as demands for increasing flexibility and delegation continue to grow, it is imperative to take a more fundamental view that weaves together issues of security, privacy and usability to systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance; and develop novel mechanisms and technologies that help mitigate these tradeoffs, maximizing accuracy and trustworthiness while minimizing the time and effort required by end users.

The objective of this project is to develop new interfaces that combine user-centered design principles with dialog, explanation and learning technologies to assist users in specifying and refining policies. One new policy authoring interface we have developed is a visualization technique for displaying policies in a two-dimensional "expandable grid". (See also the User controllable security and privacy project page, the Expandable grids project page, and Locaccino.)

J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC 2009.
J. Tsai, P. Kelley, P. Drielsma, L. Cranor, J. Hong, and N. Sadeh. Who’s Viewed You? The Impact of Feedback in a Mobile-location System. CHI 2009
L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899–908, April 2009.
R.W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, and K. Vaniea. Effects of Access-Control Policy Conflict-Resolution Methods on Policy-Authoring Usability. CyLab Technical Report CMU-CyLab-09-006, March 2009.
R.W. Reeder, P.G. Kelley, A.M. McDonald, and L.F. Cranor. A User Study of the Expandable Grid Applied to P3P Policy Visualization. Workshop on Privacy in the Electronic Society (WPES 2008). Oct. 2008.
R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.
M. Prabaker, J. Rao, I. Fette, P. Kelley, L. Cranor, J. Hong, and N. Sadeh, Understanding and Capturing People's Privacy Policies in a People Finder Application, 2007 Ubicomp Workshop on Privacy, Austria, Sept. 2007.
J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, L. Cranor, J. Hong, B. McLaren, M. Reiter, N. Sadeh, "User-Controllable Security and Privacy For Pervasive Computing", Proceedings of the 8th IEEE Workshop on Mobile Computing Systems and Applications (HotMobile 2007).
Usable access control with smart phones
The Grey project is an experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones." Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented. Moreover, it leverages "capture resilience" to ensure that the device cannot be misused even if captured and reverse-engineered by a skilled attacker. Grey is currently deployed to provide access control for door locks throughout our building. We are working with the Grey team to improve the usability of the system and to study how people use the system.

L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A User Study of Policy Creation in a Flexible Access-Control System. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007. [Originally published as Technical Report CMU-CyLab-06-016.]
L. Bauer, L. F. Cranor, R. W. Reeder, M. K. Reiter, and K. Vaniea. Comparing Access-Control Technologies: A Study of Keys and Smartphones. Technical Report CMU-CyLab-07-005, CyLab, Carnegie Mellon University, February 2007.
Usable Cyber Trust Indicators
When systems rely on a "human in the loop" to carry out a security-critical function, cyber trust indicators are often employed to communicate when and how to perform that function. Cyber trust indicators typically serve as warnings or status indicators that communicate information, remind users of information previously communicated, and influence user behavior. They include a variety of security- and privacy-related symbols in the operating system status bar or browser chrome, pop-up alerts, security control panels, or symbols embedded in web content. However, a growing body of literature has found the effectiveness of many of these indicators to be rather disappointing.

It is becoming increasingly apparent that humans are a major cause of computer security failures and that security warnings and other cyber trust indicators are doing little to prevent humans from making security errors. In some cases, it may be possible to redesign systems to minimize the need for humans to perform security-critical functions, thus reducing or eliminating the need for security warnings. However, in many cases it may be too expensive or difficult to automate security-critical tasks, and systems may need to rely on human judgment. In these cases, it is important to situate security indicators both spatially and temporally to maximize their effectiveness, and to design them to communicate clearly to users.

The goal of this research is to systematically study the effectiveness of cyber trust indicators and develop approaches to making these indicators most effective and usable. As part of this effort we have developed a framework for reasoning about the human in the loop that provides a systematic approach to identifying potential causes for human failure. This framework can be used by system designers to identify problem areas before a system is built and proactively address deficiencies. System operators can also use this framework to analyze the root cause of security failures that have been attributed to "human error." We are using this framework to study and improve a variety of computer security warnings and indicators, and developing approaches to operationalizing this framework in secure system design.

J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009.
L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008. [Originally published as Carnegie Mellon CyLab Technical Report CMU-CyLab-08-001, January 2008.]
Serge Egelman. Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators. PhD Thesis, Computation, Organizations and Society, Carnegie Mellon University, Pittsburgh, PA, CMU-ISR-O9-110, April, 2009.
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
Usable security for digital home storage
We are exploring architecture, mechanisms, and interfaces for making access control usable by laypeople faced with increasing reliance on data created, stored, and accessed via home and personal consumer electronics. Digital content is becoming common in the home, as new content is created in digital form and people digitize existing content (e.g., photographs and personal records). Interesting and fun new devices make creating digital content easier and interacting with it much more flexible than ever before. The transition to digital homes is exciting, but brings many challenges.

Perhaps the biggest challenge is dealing with access control. Users want to be able to access their content easily from any of their devices, including shared devices (e.g., the family DVR), and yet they also want to be able to restrict access to certain data among household members and visitors. They also want to be able to share data (e.g., photographs) selectively with friends and family outside their home. Unfortunately, studies repeatedly show that computer users have trouble specifying access-control policies. Worse, we are now injecting the need to do so into an environment with users who are much less technically experienced and notoriously impatient with complex interfaces. Without a holistic, usable approach to access control management, adoption of new technology in the home will be slowed and there will be no effective data security once the transition inevitably occurs.

This project builds on the Perspective data management system developed by CMU's Parallel Data Lab.

Access Control for Home Data Sharing: Attitudes, Needs and Practices. Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, Michael K. Reiter. Carnegie Mellon University CyLab Technical Report cmu-cylab-09-013, October 2009.
Perspective: Semantic Data Management for the Home. Brandon Salmon, Steven W. Schlosser, Lorrie Faith Cranor, Gregory R. Ganger. 7th USENIX Conference on File and Storage Technologies (FAST '09). February 23-27, 2009, San Francisco, CA.
Usable anonymity tools
A variety of tools have been developed to provide anonymity for various types of online interactions. Most of the work in this area has focused on improving the anonymity properties of these tools, and little has been done to improve their usability. We have been working on developing more usable interfaces for Tor.

FoxTor design document, our entry for the Tor GUI competition (selected as the phase 1 winner)
FoxTor download and FAQ
The economics of privacy
Alessandro Acquisti researches the economic impact of privacy protection and privacy intrusions, the relations between privacy and economic rationality, and the dichotomy between expressed privacy attitudes and actual revealed behavior.

A. Acquisti. Privacy in Electronic Commerce and the Economics of Immediate Gratification. ACM Electronic Commerce Conference (EC '04), 2004.
Earlier Projects
Looking for some of our work that you can't find under "current projects"? Check here for our past projects.
Supporting trust decisions
When Internet users are asked to make "trust" decisions they often make the wrong decision. Implicit trust decisions include decisions about whether or not to open an email attachment or provide information in response to an email that claims to have been sent by a trusted entity. Explicit trust decisions are decisions made in response to specific trust- or security-related prompts such as pop-up boxes that ask the user whether to trust an expired certificate, execute downloaded software, or allow macros to execute. Attackers are able to take advantage of most users' poor trust decision-making skills through a class of attacks known as "semantic attacks."

It is not always possible for systems to make accurate trust decisions on a user's behalf, especially when those decisions require knowledge of contextual information. The goal of this research is not to make trust decisions for users, but rather to develop approaches to support users when they make trust decisions. Our research began with a mental models study aimed at understanding and modeling how people make trust decisions in the online context and ultimately resulted in the development of anti-phishing training tools and filtering software. The tools developed by this project are being commercialized by Wombat Security. For our publications, see the Supporting trust decisions project page.
Other Selected Publications
Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February, 2009, pp. 67-82.
Ahren Studer, Christina Johns, Jaanus Kase, Kyle O'Meara, Lorrie Cranor. A Survey to Guide Group Key Protocol Development. Annual Computer Security Applications Conference (ACSAC) 2008, December 8-12, 2008, Anaheim, CA.
S. Egelman, A.J. Brush, and K. Inkpen. Family Accounts: A new paradigm for user accounts within the home environment. CSCW '08: Proceedings of the 2008 conference on Computer Supported Cooperative Work. 2008.
L. Cranor. What do they "indicate?": evaluating security and privacy indicators. interactions, May/June 2006, p. 45-57.
A. McDonald and L. Cranor. How Technology Drives Vehicular Privacy. I/S: A Journal of Law and Policy for the Information Society Volume 2, Issue 3 (2006).
X. Sheng and L. Cranor. An Evaluation of the Effectiveness of US Financial Privacy Legislation Through the Analysis of Privacy Policies. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 3, Fall 2006, pp. 943-979.
L. Cranor. 'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.
L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.
S. Egelman and L. Cranor. The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 1, Winter 2006, pp. 149-183.
M. Geiger and L. Cranor, Counter-Forensic Privacy Tools: A Forensic Evaluation. ISRI Technical Report. CMU-ISRI-05-119, 2005.
B. Kowitz and L. Cranor. Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA.
P. Kumaraguru and L. Cranor. Privacy Indexes: A Survey of Westin's Studies. ISRI Technical Report. CMU-ISRI-05-138, 2005.
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
S. Romanosky. Private Sector: When it comes to data security, sweat the little things. Pittsburgh Post-Gazette, August 22, 2006.
Romanosky, S., Acquisti, A., Hong, J., Cranor, L. F., and Friedman, B. 2006. Privacy patterns for online interactions. In Proceedings of the 2006 Conference on Pattern Languages of Programs (Portland, Oregon, October 21 - 23, 2006). PLoP '06. ACM, New York, NY, 1-9.
P. Kumaraguru and L. Cranor. Privacy in India: Attitudes and Awareness. In Proceedings of the 2005 Workshop on Privacy Enhancing Technologies (PET2005), 30 May - 1 June 2005, Dubrovnik, Croatia.
Resources
Join our cups-friends mailing list for announcements about our papers and events and discussions about usable privacy and security
Security and Usability: Designing Secure Systems that People Can Use, edited by Lorrie Cranor and Simson Garfinkel, is now available
L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.
The HCISec Bibliography contains a good list of CUPS-related publications.
Usable Security Blog from UC Berkeley
Slides are available from the July 2004 Workshop on Usable Privacy and Security Software
Usability, Psychology, and Security workshop
Vizsec - a research and development community interested in applying information visualization techniques to the problems of computer security