5-899 / 17-500 / 17-800 Usable Privacy and Security
Spring 2007: Porter Hall A22, Tuesdays and Thursdays 3-4:20 pm
Class web site: http://cups.cs.cmu.edu/courses/ups-sp07/
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/ups
Professor: Lorrie Cranor
- Email: lorrie AT cs DOT cmu DOT edu
- Web: http://lorrie.cranor.org/
- Phone: 412-268-7534
- Office: CIC 2207
- Office hours: Tuesdays 1:45-2:45 pm or by appointment
Professor: Jason Hong
Course Description
There is growing recognition that technology alone will not provide
all of the solutions to security and privacy problems. Human factors
play an important role in these areas, and it is important for
security and privacy experts to have an understanding of how
people will interact with the systems they develop. This course is
designed to introduce students to a variety of usability and user
interface problems related to privacy and security and to give them
experience in designing studies aimed at helping to evaluate usability
issues in security and privacy systems. The course is suitable both
for students interested in privacy and security who would like to
learn more about usability, as well as for students interested in
usability who would like to learn more about security and
privacy. Much of the course will be taught in a graduate seminar
style in which all students will be expected to do a weekly reading
assignment and each week different students will prepare a
presentation for the class. Students will also work on a group project
throughout the semester.
Required Texts
Readings will be assigned from the following text (available in the
CMU bookstore and from all the usual online stores). Additional
readings will be assigned from papers available online or handed
out in class.
Course Schedule
Note, this is subject to change. The class web site will have
the most up-to-date version of this calendar.
Week 1 (January 16, 18): Course overview / Introduction to HCI methods
- January 16: Introductions, review syllabus and course policies,
course overview, introduce project [Cranor/Hong] [slides]
- January 18: Introduction to HCI Methods [Hong] [slides]
Week 2 (January 23, 25): Introduction to privacy and security
- January 23: Introduction to Privacy [Cranor] [slides]
- January 25: Introduction to Security [Reiter] [slides]
- Reading assignment:
- Chapter 1 Psychological Acceptability Revisited
- Chapter 2 The Case for Usable Security
- Chapter 3 Design for Usability
- Chapter 32 Users are not the Enemy
- 'I Didn't Buy it for Myself'
- All students who have not completed human subjects training
should do so this week and submit a copy of their certificate
(counts as one homework).
Week 3 (January 30, February 1): User studies
- January 30: User studies motivation [Cranor] [slides]
- February 1: User studies methods [Hong] [slides]
- Reading assignment:
- Chapter 4 Usability Design and Evaluation for Privacy and Security Solutions
- Chapter 17 Simple Desktop Security with Chameleon
- Chapter 33 Usability and Privacy: A Study of Kazaa P3P File Sharing
- Chapter 34 Why Johnny Can't Encrypt
- Optional readings:
- A. DeWitt and J. Kuljis. Aligning Usability and Security: A usability
study of Polaris. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Designing for Usability: Key Principles and What Designers Think, by
John D. Gould and Clayton Lewis, in Communications of the ACM 28, 3
(Mar. 1985), pp. 300-311.
- J. Nielsen. Guerrilla HCI: Using Discount Usability Engineering to
Penetrate the Intimidation Barrier, 1994.
- J. Nielsen. How to Conduct a Heuristic Evaluation, 1994.
- Lo fidelity Prototyping: Prototyping for Tiny Fingers, by Marc
Rettig, in Communications of the ACM, Vol. 37, No. 4, pp. 21-27,
April 1994.
- Task Analysis and the Design of Functionality, by David Kieras, in The Computer Science and Engineering Handbook, CRC Press, pp. 1401-1423, 1997.
Week 4 (February 6, 8): Secure interaction design
- February 6: Guest lecture - Cynthia Kuo [slides] / student
presentation on paper prototyping [Low] [slides]
- February 8: Guest lecture - Rob Reeder [slides] / student
presentation on wizard of oz studies [Solano Leonce] [slides]
- Reading assignment:
- Chapter 13 Goals and Strategies for Secure Interaction Design
- Chapter 15 Sanitization and Usability
- Chapter 27 Creating Usable Security Products for Consumers
- Optional readings:
Week 5 (February 13, 15): User studies exercises / Project group formation
- February 13: Observations discussion and User study exercise [Hong]
- February 15: Project group formation
- Observations of people using technology due February 13
(counts as one homework)
- Project groups will be formed in class on February 15. If you
have an idea for a project, come to class prepared to pitch it to
your classmates.
Week 6 (February 20, 22): Design for privacy
- February 20: Design for Privacy [Cranor] [slides]
- February 22: Design for Privacy [Wyrick] [slides]
- Reading assignment:
- Chapter 19 Privacy Issues and Human-Computer Interaction
- Chapter 20 A User-Centric Privacy Space Framework
- Chapter 21 Five Pitfalls in the Design for Privacy
- Optional readings:
- G. Iachello, I. Smith, S. Consolvo, M. Chen, and G. Abowd. Developing Privacy Guidelines for Social Location Disclosure
Applications and Services. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- Tor GUI design competition overview, entries, and judges' comments
- C. Jensen, C. Potts, and C. Jensen. Privacy practices of Internet users: Self-reports versus
observed behavior. International Journal of Human-Computer Studies
Volume 63, Issues 1-2, July 2005, p. 203-227.
Week 7 (February 27, March 1): Visualizing privacy
- February 27: Guest speaker - Janice Tsai [slides] / student presentation [You] [slides]
- March 1: Visualizing privacy [McDonald] [slides]
- Reading assignment:
- Chapter 22 Privacy Policies and Privacy Preferences
- Chapter 23 Privacy Analysis for the Casual User Through
Bugnosis
- Chapter 26 Anonymity Loves Company: Usability and the Network
Effect
- Optional readings:
- N. Good, R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz,
D. Mulligan, and J. Konstan. Stopping
Spyware at the Gate: A User Study of Privacy, Notice and
Spyware. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- B. Kowitz and L. Cranor. Peripheral Privacy Notifications for Wireless Networks.
In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, pp. 90-96.
- C. Brodie, C. Karat, and J. Karat. An Empirical Study
of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE
Policy Workbench. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- J. Gideon, S. Egelman, L. Cranor, and A. Acquisti. Power Strips, Prophylactics,
and Privacy, Oh My!. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- L. Cranor, P. Guduru, and M. Arjula. User
Interfaces for Privacy Agents. ACM Transactions on
Computer-Human Interaction, June 2006.
- Evolution of a Prototype Financial Privacy Notice - Report by Kleimann
Communication Group for the FTC, 28 February, 2006.
Week 8 (March 6, 8): Web browser privacy and security
- March 6: Web browser privacy and security [Hong] [slides]
- March 8: Web browser privacy and security [Simmons] [slides]
- Reading assignment:
- Chapter 24 Informed Consent by Design
- Chapter 25 Social Approaches to End-User Security and Privacy
Management
- Chapter 28 Firefox and the Worry-free Web
- Optional readings:
Spring Break
Week 9 (March 20, 22): Authentication and access control overview / text passwords
- March 20: Authentication and access control overview [Cranor] [slides] / student
presentation [James] [slides]
- March 22: Text passwords [Andreou]
- Reading assignment:
- Chapter 6 Evaluating Authentication Mechanisms
- Chapter 7 The Memorability and Security of Passwords
- Chapter 8 Designing Authentication Systems with Challenge
Questions
- Chapter 12 The Usability of Security Devices
- Optional readings:
- K. Yee and K. Sitaker. Passpet: Convenient password management and
phishing protection. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- S. Gaw and E. Felten. Password Management Strategies for Online
Accounts. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic
Phrase-Based Passwords. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Niklas Frykholm and Ari Juels, Error-Tolerant
Password Recovery. In P. Samarati, ed., Eighth ACM Conference
on Computer and Communications Security, pp. 1-8. ACM
Press. 2001.
- Luis von Ahn, Manuel Blum, Nicholas Hopper and John
Langford. CAPTCHA: Using
Hard AI Problems for Security. In Advances in Cryptology,
Eurocrypt 2003.
- Passwords, Chapter 3 of Security Engineering by Ross Anderson
- Bruce Schneier. Real-World Passwords. Crypto-Gram Newsletter,
December 15, 2006.
- D. Ferraiolo, D. Gilbert and N. Lynch. Assessing Federal and
Commercial Information Security Needs. NIST Technical Report,
November 1992.
Week 10 (March 27, 29): Biometrics / Graphical passwords
- March 27: Biometrics [Kirubanandan] [slides]
- March 29: Graphical passwords [McGuire] [slides]
- Reading assignment:
- Chapter 9 Graphical Password Schemes
- Chapter 10 Biometric Authentication
- Chapter 11 Identifying Users from Their Typing Patterns
- Optional readings:
- S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and
N. Memon. Authentication
Using Graphical Passwords: Effects of Tolerance and Image
Choice. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- A. De Angeli, L. Coventry, G. Johnson, and K. Renaud. Is
a picture really worth a thousand words? Exploring the feasibility
of graphical authentication systems. International Journal of Human-Computer Studies
Volume 63, Issues 1-2, July 2005, Pages 128-152.
- X. Suo and Y. Zhu. Graphical Passwords: A Survey. In Proceedings of
the 21st Annual Computer Security Applications Conference,
December 5-9, 2005, Tucson, Arizona.
- F. Tari, A. Ozok, and S. Holden. A Comparison of Perceived and
Real Shoulder-surfing Risks Between Alphanumeric and Graphical
Passwords. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Biometrics, Chapter 13 of Security Engineering by Ross Anderson
- Rachna Dhamija and Adrian Perrig, Deja Vu: A User Study Using Images for Authentication. In Proceedings of the 9th
USENIX Security Symposium, August 2000, Denver, Colorado.
Week 11 (April 3, 5): Project progress report presentations
- April 3: Project progress report presentations [groups TBA]
- April 5: Project progress report presentations [groups TBA]
- Written project progress reports due April 3
Week 12 (April 10, 12): Trust and semantic attacks
- April 10: Guest lecture - Ponnurangam Kumaraguru /
student presentation [Williamson]
- April 12: Trust and semantic attacks [Bethencourt]
- Reading assignment:
- Chapter 5 Designing Secure Systems that People will Trust
- Chapter 14 Fighting Phishing at the User Interface
- Chapter 29 Usability and Security at Microsoft
- Optional readings:
- R. Dhamija and J.D. Tygar. The
Battle Against Phishing: Dynamic Security Skins. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- M. Wu, R. Miller, and S. Garfinkel. Do Security Toolbars Actually
Prevent Phishing Attacks? In Proceedings of CHI 2006, Montreal,
Quebec, Canada, April 22-28, 2006.
- User Study for the Web Wallet Prototype from the SOUPS 2006 Security
User Studies Workshop User Studies Construction Kits collection
- R. Dhamija, J.D. Tygar, and M. Hearst. Why Phishing Works.
In Proceedings of CHI 2006, Montreal, Quebec, Canada, April 22-28, 2006.
- J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and
Susceptibility to Phishing. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- A. Fu, X. Deng, W. Liu, and G. Little. The Methodology and an
Application to Fight Against Unicode Attacks. In Proceedings of the
Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing
Attacks by Revealing User Intentions. In Proceedings of the Symposium
On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John
C. Mitchell. Stronger Password Authentication Using Browser Extensions.
Proceedings of the 14th Usenix Security Symposium, 2005.
- Jagatic, T., Johnson, N., Jakobsson, M., Menczer,
F. Social Phishing. Commun. ACM. To appear.
- M. Wu. 2006. Fighting Phishing at the User Interface. Thesis submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science and Engineering at the Massachusetts Institute of Technology.
Week 13 (April 17): Trust and semantic attacks
- April 17: In class exercise and discussion [Hong]
- April 19: Spring Carnival, no class
- Phishing assignment due April 17 (counts as one homework)
Week 14 (April 24, 26): PKIs and secure communications / Tools for security administration
- April 24: PKIs and secure communications [Kim] [slides]
- April 26: Tools for security administration [Salmon]
- Reading assignment:
- Chapter 16 Making the Impossible Easy: Usable PKI
- Chapter 18 Security Administration Tools and Practices
- Chapter 30 Embedding Security in Collaborative Applications: A
Lotus/Domino Perspective
- Chapter 31 Achieving Usable Security in Groove Virtual Office
- Optional readings:
- Yurcik, W., Thompson, R. S., Twidale, M. B., and Rantanen,
E. M. 2007. If you can't beat 'em, join 'em: combining text and
visual interfaces for security-system administration. interactions
14, 1 (Jan. 2007), 12-14.
- G. Conti, M. Ahamad, and J. Stasko. Attacking
Information Visualization System Usability Overloading and
Deceiving the Human. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- Johnny 2: A User Test of Key Continuity Management with S/MIME and
Outlook Express
- The Johnny 2 Construction Kit for Testing Email Security from the
SOUPS 2006 Security User Studies Workshop User Studies Construction
Kits collection
- Compliance Defects in Public-Key Cryptography
Week 15 (May 2, 4):
This class will have no final exam; however, the final exam period
on May 8, 5:30-8:30 pm (Porter Hall A18A) will be used for final
project presentations. Final project papers will be due May 11 at 4 pm.
Course Requirements and Grading
Cheating and plagiarism will not be tolerated. Students caught
cheating or plagiarizing will receive no credit for the assignment
on which the cheating occurred. Additional actions -- including
assigning the student a failing grade in the class or referring the
case for disciplinary action -- may be taken at the discretion of
the instructors.
Your final grade in this course will be based on:
- 25% Homework
- 25% Lecture
- 50% Project
Homework
Homework assignments for this class will include reading summaries
as well as written assignments. All homework is due in class at 3:15
pm each Tuesday. Homework will not be accepted late. If you do not
attend class, you will not be permitted to submit your
homework. Homework will be graded as check-plus (100%), check (80%),
check-minus (60%) or 0. Your two lowest homework grades will be
dropped from your homework average.
Students are expected to do reading assignments prior to class so
that they can participate fully in class discussions. Students must
submit a short summary (3-8 sentences) and a "highlight" for each
chapter or article in the reading assignment. The highlight may be
something you found particularly interesting or noteworthy, a
question you would like to discuss in class, a point you disagree
with, etc.
Students in 17-800 and 5-899 are expected to include a summary and highlight
for one optional reading of their choice each week (only for weeks
when optional readings are provided). All other students are encouraged to
review some of the optional readings that they find interesting, but
they need not submit summaries or highlights of the optional
readings.
Lecture
Each student will be assigned a class lecture to
prepare and present. The lecture should be based on the topics
covered in that week's reading assignment, but it should go beyond
the materials in the required reading. For example, you might read and
present some of the related work mentioned in the reading or that
you find on your own (the HCISec Bibliography is a
good starting point for finding relevant papers), you might
present some of the optional reading materials, you might
demonstrate software mentioned in the reading, you might critique
a design discussed in the reading, or you might design a class
exercise for your classmates. As part of your lecture you
should prepare several discussion questions and lead a class
discussion. You should also introduce your fellow students to
terminology and concepts they might not be familiar with that are
necessary to understand the material you are presenting. You should
email to the instructors a set of PowerPoint slides including
lecture notes and discussion questions. These slides will be posted
on the class web site. In addition, the instructors may include all
or part of your presentation slides and notes in an instructor's
guide they are writing for future usable privacy and security
courses.
Students in 17-800 and 5-899 will be assigned all or most of a class period for their
lecture. Other students will be assigned a time slot of no more than
30 minutes.
Project
Students will work on semester projects in small
groups that include students with a variety of areas of
expertise. Each project group will propose a project. It is expected
that most projects will involve the design of a user study to
evaluate the design of an existing or proposed privacy- or
security-related system or gain insight into users' attitudes or
mental models related to some aspect of security or privacy. Groups
with ideas for other types of projects should discuss them with the
professors before submitting their project proposals. As part of the
project students will:
- Submit a one-page project proposal by March 8.
- Complete an IRB application with all necessary attachments.
- Design all questionnaires, scripts, scenarios, interview
protocols, etc. necessary to carry out the user study.
- Develop any prototypes necessary to carry out the user study.
- Test the user study protocol on at least two members of the
class and refine it based on these tests.
- Give a 10-15 minute progress report presentation on April 3 or April
5.
- Submit a written progress report by April 3.
- Conduct a pilot study using the revised protocol with at least
5 subjects.
- Give a 15-minute final project presentation during final exam period.
- Write a paper giving an overview of the proposed study, what
you hope to learn from it, what you learned from the pilot study,
etc. and submit it by May 11 at 4 pm. Your IRB forms, survey forms,
etc. should be included as appendices.
- Submit a poster abstract to SOUPS (and turn in a copy with your
paper on May 11).
Students signed up for 17-800 and 5-899 are expected to play a leadership
role in a project group and write a project paper suitable for publication.