05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734 Usable Privacy and Security

Class Project Ideas

This page describes possible class projects. These will be research projects that you will work on in small groups.

Please indicate your preferences for which project you will work on by Wednesday, February 10th.

Usability of cryptocurrencies

An obscure area of research for many years, cryptocurrencies have hit the mainstream in the past couple of years, spearheaded by Bitcoin’s success. Using cryptocurrencies, however, presents significant usability challenges, especially when it comes to advanced features such as multi-signature contracts. The goal of this project is to conduct a thorough evaluation of cryptocurrency usability and security. Can people exchange money without making dire mistakes (e.g., revealing wallet private keys), while preserving their pseudonymity (which is one of the main reasons for adoption of cryptocurrencies)? The evaluation will have to cover the usability and security aspects of Bitcoin and related cryptocurrencies, including using Bitcoin exchanges to procure the money in the first place.

Related items:

Usability of client side anonymity tools

Many users are interested in anonymous communications, for a number of reasons. In particular, journalists and activists may want to protect their sources, receive anonymous tips, and so forth. The Tor Browser Bundle is probably one of the best known anonymous software tools, and allows clients to browse the web anonymously. There has, however, not been any principled usability study of Tor and its alternatives (e.g., I2P, Freenet) showing whether or not users might be making very dangerous mistakes. The first study here would be to look at the usability of such tools, including anonymity bundles like Whonix and Tails, from a client perspective. Since those are supposed to provide complete anonymity out of the box, do people configure them properly? Do they engage in activities that could actually reveal information about them (e.g., activating JavaScript)? This project could be merged with the next project.

Related items:

Usability of server side anonymity tools

Likewise, on the server side, setting up anonymous communication servers ("hidden services" in Tor parlance) is a priori very easy. There are, however, a number of risks linked to misconfiguration that may considerably complicate the picture. The goal of this second study is to test potential disconnects between users' security knowledge and their expectations in terms of security guarantees. Perhaps think about targeting, in your study, a specific user population that could be interested in deploying such tools (journalists, activists). This project could be merged with the previous project.

Related items:

Risk homeostasis in the field

Behavioral economists have long known about "risk homeostasis" or the "Peltzman effect," in which people who believe they are being protected from a risk tend to engage in even riskier behavior (e.g., driving more recklessly because a car is equipped with airbags). The question is, does this occur with desktop security software? For instance, do users who believe they are being protected by A/V software engage in riskier security practices? Does the software effectively protect them (i.e., do users of security software experience lower infection rates than non-users)? Data collected through the Security Behavior Observatory (SBO) may be able to help answer this question. The SBO is a panel of ~100 home computer users who have agreed to let us instrument their systems. Using the data that has been collected, we could attempt to answer these questions by examining which users have evidence of malware or other infections, and then which of them also have security software installed.

Related items:

Usability of private browsing

Most web browsers provide an "incognito" or "private browsing" mode. While such modes do provide some privacy protection, the level of protection they provide is usually substantially different from what users expect. Such a gap between perception and reality can lead users to feel protected when they actually aren't, and can lead them to behave in ways that they think are safe when they in fact aren't.

This project will examine the differences between the perceived and actual protections provided by "incognito" modes (and / or other tools meant to provide additional privacy during web browsing).

Related items:

Testing the usability of two-factor authentication

Two-factor authentication is a way to help users protect their online accounts. Instead of logging on using only a password, users enter a password and are sent a code on their mobile devices. They need to enter that code to authenticate. This protects their accounts because an attacker would need both their password and their mobile device. However, this also introduces usability problems, such as needing to enter another item and needing to have the mobile device. This project will examine the usability implications of two-factor authentication. Does it make users feel more secure? Does it make users feel annoyed? Why are users using or not using this technology?

Related items:

Assessing the actual threat posed by typosquatting

Typosquatting is a speculative behavior that leverages Internet naming and governance practices to extract profit from users' misspellings and typing errors. Simple and inexpensive domain registration motivates speculators to register domain names in bulk to profit from display advertisements, to redirect traffic to third party pages, to deploy phishing sites, or to serve malware. Numerous papers have analyzed the extent to which such domains are registered, but very few have actually tried to quantify, through user studies, the extent to which users might fall victim to it. This study would attempt to answer this question.

Related items:

Usability of Parental Control Software

Parental control software is used by parents in order to prevent their children from accessing age-inappropriate or otherwise disallowed content on the internet, with the goal of keeping children safe online. Many parents, though, find these software tools difficult to use, easily circumvented by their children, and overly invasive of their children's online privacy. Compounding this, we do not know what types of features parents want in a software tool in order to feel like their children are safe online. This study would conduct a usability test of current parental control software and interview participants about their software needs in order to propose new ideas that would be both more usable and less privacy invasive.

Related items:

Exploring Users' Attitudes and Fears Towards Sensing in the Internet of Things

The Internet of Things (IoT) promises great advances in convenience and efficiency. This comes at a potentially significant cost to privacy, however, as both our devices (e.g., mobile phones, health and fitness devices) and sensors in our environment (e.g., cameras, presence sensors, microphones) track where we are and what we do, anytime and anywhere. A prerequisite for building mechanisms to help users maintain control of their privacy is understanding users' concerns: which types of sensing are users most or least comfortable with and why. This project will examine (potentially via an experience-sampling study) users' concerns about sensing based on type of data collected (e.g., audio, video, heart rate, location), where the sensing happens (e.g., home, work, restaurant, street, shopping mall), how the collected data is used (e.g., to provide users with specific features that benefit them, to provide better ads, to make city infrastructure more efficient), how long the collected data is kept, and other dimensions.

Related items: