05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734 Usable Privacy and Security
Print your homework out and submit it in person at the start of class
(3:00pm) on Monday, February 1st. Homework will not be accepted after 3:00pm on that day.
- Part 1 (55 points):
The Lazar et al. textbook and our class discussion on January 27th present a number of different research methods useful in usable privacy and security. For this part of your homework, pick one research area within usable security and privacy that seems interesting to you (ideas are listed below). Then, for that single research area, think of separate research studies using each of the following five types of methods that you would be interested to conduct in that area:
(1) A survey (Lazar et al. Chapter 5)
(2) A diary study (Lazar et al. Chapter 6)
(3) Interviews (Lazar et al. Chapter 8)
(4) A usability test (Lazar et al. Chapter 10)
(5) Collecting observational or experimental data in the field (see, e.g., Lazar et al. Section 12.2.2 or this page or the Jagatic et al. reading from January 27th)
For each of those fives types of studies you imagined, write a paragraph that states in one sentence what research question you hope to answer using that particular method, gives 3-4 sentences outlining the design of the study, and ends with one sentence explaining why you chose that particular method to investigate your stated research question.
Pick any usable privacy and security research area that is interesting to you.
Suggested areas include the following: privacy on social networking sites; how
users avoid (and remove) computer viruses; what role security concerns play in
deciding whether to install a smartphone app; the usability of password manager
software; what average people think private browsing mode does in their web
browser; how average people protect (or do not protect) photos they consider
especially private; how parents help teenagers protect their privacy online;
what people think about websites tracking their online activities; how average
users try to stay anonymous online; users' perceptions of the warnings that pop
up when they install a program that they downloaded; users' decision making
about revealing personal information online; how people choose passwords for
very high-value accounts.
- Part 2 (30 points): Pretend that you are an IRB reviewer and you have received the experimental protocol described below.
Proposed protocol: We will follow a two-part protocol to study the usability of fingerprint readers on ATMs. This experiment is particularly timely since many Pittsburgh-area banks have recently installed fingerprint scanners on their ATMs to make sure that only verified account owners can withdraw money. The first part will be an observational field study. We will conduct this field study at the First Bank of Cranor branch on Forbes Avenue because there is a coffee shop located across the street. We will sit at an outdoor table at the coffee shop and watch everyone who goes to the ATM across the street. To make sure we don't miss anyone, we will also have a video camera at our table pointed at the ATM. The camera will be recording continuously. For each person who comes up to the ATM, we will record how many attempts are necessary for them to successfully authenticate to the fingerprint reader, as well as approximately how much money they take out. From the video recording, we will also estimate their height, weight, and ethnicity to see if those impact success using the fingerprint reader. To make it easier on our research team, we will crowdsource the estimation of height/weight/ethnicity by posting screencaptures on Amazon's Mechanical Turk platform and letting crowdworkers vote.
The second part of our study will be a between-subjects, in-lab experiment comparing the usability of different brands of fingerprint readers commonly used on ATMs. Participants will come to our lab, and we will begin by giving them a detailed demographics survey (age, occupation, annual income, and past experience using biometric systems). Afterwards, they will use each fingerprint scanner on the market in randomized order. To understand the tolerance of the fingerprint reader at accepting partial matches of the fingerprints, we will retain participants' fingerprint readings from each device so that undergraduate students in a security class at our institution can analyze the tolerance as part of a class project. We will then administer a survey about participants' perceptions of the usability and comfort of each fingerprint scanner. To make sure our participants have enough free time to do our study, we will try to recruit students in grades 6-12 by posting flyers for the study in front of local schools. To reflect the amount of free time participants have, we will compensate students $5.00 for the study. Any non-student participants will receive $10.00 for the study.
Task 3-A: Create a bulleted list of potential ethics concerns raised by this protocol.
Task 3-B: Write two paragraphs suggesting modifications to the study protocol that would better protect human subjects. The first paragraph should cover the first part of the protocol, and the second paragraph should cover the second part of the protocol.
- Part 3 (9-unit students should not do this part. 12-unit students will
receive between 0 and 30 points for this part): Write a 3-7 sentence
summary and short "highlight" for each of the following two readings: Jagatic
et al. (assigned for January 27th) and Kang et al. (assigned for February 1st).