Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It (paper 15)

Alex Braunstein, Google
Laura Granka, Google
Jessica Staddon, Google

This paper presents an interesting way of measuring people’s privacy concerns indirectly. Why cannot we just ask people about privacy concerns directly? The authors present results of 3 surveys that demonstrate even subtle changes of wording of the questions (e.g., including words such as sensitive and worry) can cause large divergence in responses.

So, is there way to get at people’s privacy concerns without asking about privacy directly. The authors proposed a quite interesting approach. They focused on the question of how private people would think their information is (email, document, etc). They came up with three attributes that indirectly measure the sensitivity of these different types of personal information:

  • important to you
  • important to others
  • infrequently shared

They designed questions to measure each of these attributes and computed a privacy score for each data type by averaging the answers to these questions that measure the three attributes. They then compared the results from this indirect privacy instrument with the direct instruments.

It’s important to note that they didn’t compare the actual privacy scores but rather the relative ranking of these data types (e.g., email is more sensitive than document). Their results showed that the indirect instrument did preserve the same ranking that the direct instrument yield. This suggests that this indirect privacy survey approach may be feasible to assess people’s privacy concerns. They also commented that this indirect approach could be applied to other privacy-related contexts.

Read the paper at:



Home is safer than the cloud! Privacy concerns for consumer cloud storage (Paper 13)

Iulia Ion, ETH Zurich
Niharika Sachdeva, IIIT-Delhi
Ponnurangam Kumaraguru, IIIT-Delhi
Srdjan Capkun, ETH Zurich

Cloud storage seems to promise access to your data from anywhere, security and backups managed for you, and other wonderful features. But there are some catches:

  • Can the cloud provider view and modify my data? Can they sell it?
  • Who is liable in case data is lost?
  • Is the content in the cloud really secure from hackers, government agents, etc?

Prior studies have looked at enterprise concerns about cloud storage, but not end users; also many privacy studies focus on the U.S.

In this paper, the authors chose to examine the attitudes toward cloud storage of end users in Switzerland and in India. They conducted 36 semi-structured interviews in each country, asking about current practices, privacy perceptions, and rights and guarantees related to cloud storage. Based on the interview results, the authors formulated a 20-minute online survey containing multiple-choice and Likert questions on the same topics, with about 400 participants.

Current data storage practices and attitudes:

  • More than 80% keep local backups of data they store on the internet
  • About 80% also “try not to” store sensitive data online; Swiss are less comfortable than Indians storing sensitive information online
  • A majority feel that if their data is hacked it’s their own fault for keeping the data on the internet in the first place

Attitudes toward privacy:

  • No data is safe; anything can be hacked
  • But I’m not very interesting so no one would bother
  • Swiss are less accepting of government monitoring and surveillance than Indians are.

Consumer misperceptions:

  • Don’t realize that the webmail provider can delete/disable your account at any time
  • Don’t realize that the webmail provider can examine your attachments
  • Don’t know what their rights are if data is lost


  • Provide stronger security mechanisms in the cloud
  • Improve presentation of privacy policies
  • Consumer protection rules, agencies for cloud storage
  • Future work: investigate awareness of international laws

Read the full paper at


Privacy: Is There An App For That? (Paper 12)

Jennifer King, University of California, Berkeley
Airi Lampinen, Helsinki Institute for Information Technology HIIT
Alex Smolen, University of California, Berkeley

What do Facebook users understand about Applications on Facebook Platform?

Wrote an app on Facebook to conduct a survey. Then seeded from two Facebook accounts.

Survey results

  • 98% had heard of apps
  • 65% had claimed to have added 10 or fewer apps
  • 77% understood that apps were created by both Facebook and other 3rd parties
  • 48% were uncertain if Facebook reviews apps
  • 28% had never read the “Allow Access” notice where permissions apps use are shown.
  • 58% disagree with the statement “I only add apps from people/companies I’ve heard of”
  • Asked what parts of your facebook account this survey can access, only one person got the question correct.

Using this data the authors tried to determine what information predicted certain traits.

Adverse Events: Asked questions about adverse events on Facebook such as having someone post something negative about you.

Interpersonal Privacy Attitudes: Older people were more concerned with interpersonal.

Those most knowledgeable: appear to use the apps the same way as other users.

Read the full paper at:


ROAuth: Recommendation Based Open Authorization (Paper 11)

Mohamed Shehab, University of North Carolina at Charlotte
Said Marouf, University of North Carolina at Charlotte
Christopher Hudel, University of North Carolina at Charlotte

This paper proposes a collaborative filtering model that utilizes community decisions to help users make informed decisions about third party applications that request access to their private information at installation time.

The authors developed a browser-based extension to intercept the default OAuth 2.0 request flow and to provide users with an easy and usable interface to configure their privacy settings for applications. This extension includes a multi-criteria recommendation system that uses collaborative filtering to incorporate the decisions of the community and previous decisions made by an individual user to provide users with recommendations on permissions requested by applications.

The evaluations show that the recommender system properly predicts the user’s decision with about 90% accuracy and that the recommendation value of 45% or higher indicates that the system recommends granting the requested permission, and lower than 45% is recommends denying the permission.

A user study was conducted to show the effectiveness of the proposed browser extension; one group was provided with privacy recommendations generated by the recommendation system while the other users were not shown any recommendations. The results show that users who were not presented with the recommendation were more likely to grant permissions to applications compared to those who were provided with recommendations.

Read the full paper at:


“I regretted the minute I pressed share”: A Qualitative Study of Regrets on Facebook (Paper 10)

Yang Wang, Carnegie Mellon University
Gregory Norcie, Carnegie Mellon University
Saranga Komanduri, Carnegie Mellon University
Pedro Giovanni Leon, Carnegie Mellon University
Lorrie Faith Cranor, Carnegie Mellon University
Alessandro Acquisti, Carnegie Mellon University

This study looked at what negative experiences people are having on Facebook. In particular the authors asked people if they have ever regretted what they posted on Facebook and why.


  • What do users regret posting?
  • Why do users make these posts?
  • What are the consequences?

Surveyed 321 Facebook users on Mechanical Turk but didn’t get much data. Then did semi-structured interviews of 19 Facebook participants but only got a few regrets. Tried a diary study, but got very few regrets. Finally did a revised online survey.

What did people regret?

  • Things about other people
  • Relationships
  • Controversial topics
  • Negative content
  • Personal information and work

Why post regretable things?

  • “It’s cool”, “It’s funny”
  • “I didn’t think”
  • “Hot” states – angry, frustrated, excited, drunk, etc
  • Unintended audience – “I didn’t know he can see it”
  • Accidents – “I didn’t know I posted”


Q1: Do you think Google+ does any better than Facebook in terms of your design ideas?

A1: Not any better on awareness. They make some progress on Avoiding unintended audiences, they do popup a message before you re-share something? Make people think, I have seen some of this in Gmail. I haven’t seen prediction of regrets.

Q2: Facebook reminds you of people you talk with frequently, but not those you don’t talk with. It is against Facebook’s model to encourage small friend lists.

A2: It is in the interest of these social network operators to think about privacy. I think especially with Google Circle entering the picture.

Read the full paper at:


Heuristics for Evaluating IT Security Management Tools (Paper 7)

Pooya Jaferian, University of British Columbia
Kirstie Hawkey, Dalhousie University
Andreas Sotirakopoulos, University of British Columbia
Maria Velez-Rojas, CA Technologies
Konstantin Beznosov, University of British Columbia

This paper arose from a struggle to evaluate the usability of IT Security Management (ITSM) tools. Recruiting actual IT managers for lab or field studies proved difficult, so the authors chose to use the “discount” usability evaluation technique of asking experts armed with heuristics to evaluate the tools.

For this process to work, you need good heuristics. Building on guidelines from a prior paper as well as HCI activity theory, the authors developed seven heuristics:

  • Visibility of activity status
  • History of actions and changes on artifacts
  • Flexible representation of information
  • Rules and constraints
  • Planning and dividing work between users
  • Capturing, sharing, and discovery of knowledge
  • Verification of knowledge

To evaluate the heuristics, the authors set up a between-subjects study in which experts were asked to evaluate one tool using the new ITSM heuristics or with existing, non-domain-specific Nielsen’s heuristics. The authors then evaluated how successfully participants in each condition identified major and minor problems in the target tool.

Major results include:

  • More high-severity problems were found using the new ITSM heuristics than with the Nielsen’s heuristics.
  • The ITSM heuristics were rated as easy to learn, as easy to apply and as effective as Nielsen’s by the participants, all of whom had used Nielsen’s heuristics before.
  • In general, comprehensively evaluating complex ITSM tools may require more evaluators than for simpler interfaces, to ensure full coverage.
  • The ITSM and Nielsen’s heuristics are complementary and should be used together for maximum effectiveness.

Read the full paper at


Shoulder Surfing Defence for Recall-based Graphical Passwords (Paper 6)

Nur Haryani Zakaria, Newcastle University, UK
David Griffiths, Newcastle University, UK
Sacha Brostoff, University College London, UK
Jeff Yan, Newcastle University, UK

The presenter was Haryani Zakaria of Newcastle University. She began with an introduction to the graphical system they used, called “Draw-A-Secret.” This graphical password system consists of a user drawing a pattern on a screen. The authors were concerned about shoulder surfing attacks on this scheme. The authors considered three defense techniques against shoulder surfing in this paper. Decoy strokes were false strokes made by the system, being drawn automatically to confuse the attacker. Disappearing strokes occur when the system makes the lines drawn by the user vanish as soon as the stylus is lifted. The line snaking defense consists of the lines disappearing as well, but with the disappearance occurring as the user is drawing a line, without waiting for the stylus to be raised. The authors studied these techniques in both their effectiveness and usability.

User Study 1: effectiveness. The non-experimenter participants in the experiment were the attackers. They were introduced and given a demonstration, and an experimenter acted as the victim. The participants observed the victim entering a password, with different defense techniques depending on condition. The results indicate that the control group and the decoy stroke group both were successful in about three-quarters of their attacks, with under half for the disappearing stroke and line snaking techniques.

User Study 2: usability. The authors removed the less successful decoy technique and performed a usability study on the remaining two. There were 30 participants, assigned to these conditions. They looked at login time and login error rate. Line snaking takes longer to log in, and more attempts to log in, than disappearing stroke. And more users preferred the disappearing stroke technique. Participants felt more confident when their lines remained until completion, letting them know their line was drawn correctly. Thus, the disappearing stroke technique appears to offer comparably good protection while being more usable than the snaking technique.

Read the full paper at:


Using Data Type Based Security Alert Dialogs to Raise Online Security Awareness (Paper 2)

Max-Emanuel Maurer, University of Munich
Alexander De Luca, University of Munich
Sylvia Kempe, University of Munich

Passive indicators are not the best approach because users don’t notice them, and users are soon habituated to quickly pass through active blocking of a websites. Maurer et al. came up with a different approach, a semi-blocking dialog, with three versions as shown in the image below. The dialog is positioned near the data entry box, and appears as you type in that box. The warning shows the type of data they are entering (as image and text) and an addition information box that shows whether or not traffic is encrypted and the domain.

Three examples of warnings

A first trial evaluation allowed them to get initial feedback, and also update the design based on feedback and a design exercise. They then ran a field study with 14 participants across 7 days, which people generally liked, and found the warnings did decrease overtime. In general, they repair that semi-blocking dialogs are beneficial, though users won’t find additional information if not shown (required expansion).

From the questions, we learned that the tool does suspend most AJAX submissions by creating an additional text field, though there are of course spoofing attacks that could be attempted, and a longer study with the tool needs to be run to see if they are habituated to it, if they understand the benefits, and if they understand why and when it appears.

Read the full paper at:


A Brick Wall, a Locked Door, and a Bandit: Promoting A Physical Security Metaphor For Firewall Warnings (Paper 1)

Fahimeh Raja, University of British Columbia
Kirstie Hawkey, Dalhousie University
Steven Hsu, University of British Columbia
Kai-Le Clement Wang, University of British Columbia
Konstantin Beznosov, University of British Columbia

“A Brick Wall” aims to design firewall warnings that will accurately communicate risk to users.

The authors designed graphical warnings using a physical security mental-model of a person trying to gain access to a secured door in a brick wall surrounding the users computer room. The user is presented with a security dialog with a color-coded title bar, a short text description of the reason for the warning, the graphical security cartoon illustrating the risk, and a series of actions (allow, deny, etc.) to take depicted by padlocks being opened or remaining secure.

The security cartoon varies based on the severity of the warning:

  • The most severe warning for known-malicious access features a red title bar and depicts a robber approaching the door carrying a knife and a bag labeled “data.”
  • The modest warning for unknown access features a yellow title bar and depicts a grey human-silhouette approaching the door.
  • The safe warning for identified-safe access features a green title bar and depicts a friendly figure approaching the door.

A study was conducted to compare the effectiveness of graphical warnings with text warnings from the Comodo Personal Firewall in conveying risk associated with a given warning. Graphical warnings increased subjects understanding of the protection offered by the firewall over the text-only warnings and increased subjects assessment of risk. Two-thirds of subjects preferred the graphical warnings. The remaining third of the subjects that preferred textual warnings correlated strongly with increased technical capability and held that opinion for interesting reasons (more professional, graphical looks childish).

Read the full paper at


VizSec 2011: Cyber-security analytics

Ankit Singh, Alex Endert, Lauren Bradel, Christopher Andrews, Chris North and Robert Kincaid, “Using Large Displays for Live Visual History of Cyber-security Analytic Process”

Authors worked with eight professional cyber analysts a couple times a week for about three months. Also observed the analysists analyzing a known data set.

Watched analysts use:

  • Multiple data sources
  • Multiple tools/windows
  • Extensive Excel usage

Noticed heavy use of versioning in the analysis. The analysts had difficulty re-creating their steps based on all the versions of documents they were creating.

Authors considered four improvements based on their observations.

  • Make use of the resolution and size of the monitors – Give the users more resolution
  • De-aggregation of data
  • Case Management – They did lots of task switching which cost time and memory load.
  • Process History – the ability to visualize and go back to prior states.

Created an add-on to Excel. The add-on provides a “Fork” option where the user can split off a new version associated with a new subtask. They can also make comments.

Propagating vs. Forking

If a user makes a change to a historical version should that change propagate to latter versions or should it branch? If propagation is used how do we indicate to users what will change?