05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734 Usable Privacy and Security

Homework 2

Print your homework out and submit it in person at the start of class (3:00pm) on Monday, February 6. Homework will not be accepted after 3:00pm on that day.

Part 1 (50 points):

The Lazar et al. textbook and our class discussion on January 27th present a number of different research methods useful in usable privacy and security. For this part of your homework, pick one research area within usable security and privacy that seems interesting to you (ideas are listed below). Then, for that single research area, think of five research studies that you might conduct in that area. Describe one study from each of the following five areas:
(1) A survey (Lazar et al. Chapter 5)
(2) A diary study (Lazar et al. Chapter 6)
(3) Interviews (Lazar et al. Chapter 8)
(4) A usability test (Lazar et al. Chapter 10)
(5) Collecting observational or experimental data in the field (see, e.g., Lazar et al. Section 12.2.2 or this page or the Jagatic et al. reading from February 1)

For each of those five types of studies you imagined, write a paragraph that states in one sentence what research question you hope to answer using that particular method, gives 3-4 sentences outlining the design of the study, and ends with one sentence explaining why you chose that particular method to investigate your stated research question. Note that you do NOT need to read all of the above chapters in order to do this assignment. They will be assigned later in the semester, but if you are uncertain as to what any of these study types are, you can refer to these chapters.

Pick any usable privacy and security research area that is interesting to you. Suggested areas include the following: privacy on social networking sites; how users avoid (and remove) computer viruses; what role security concerns play in deciding whether to install a smartphone app; the usability of password manager software; what average people think private browsing mode does in their web browser; how average people protect (or do not protect) photos they consider especially private; how parents help teenagers protect their privacy online; what people think about websites tracking their online activities; how average users try to stay anonymous online; users' perceptions of the warnings that pop up when they install a program that they downloaded; users' decision making about revealing personal information online; how people choose passwords for very high-value accounts.

Part 2 (30 points): Pretend that you are an IRB reviewer and you have received the experimental protocol described below:

We will follow a two-part protocol to study the usability of fingerprint readers on ATMs. This experiment is particularly timely since many Pittsburgh-area banks have recently installed fingerprint scanners on their ATMs to make sure that only verified account owners can withdraw money. The first part will be an observational field study. We will conduct this field study at the bank branch on Craig St. because there is a coffee shop located across the street. We will sit at an outdoor table at the coffee shop and watch everyone who goes to the ATM across the street. To make sure we don't miss anyone, we will also have a video camera at our table pointed at the ATM. The camera will be recording continuously. For each person who comes up to the ATM, we will record how many attempts are necessary for them to successfully authenticate to the fingerprint reader, as well as approximately how much money they take out. From the video recording, we will also estimate their height, weight, and ethnicity to see if those impact success using the fingerprint reader. To make it easier on our research team, we will crowdsource the estimation of height/weight/ethnicity by posting screencaptures on Amazon's Mechanical Turk platform and letting crowdworkers vote.

The second part of our study will be a between-subjects, in-lab experiment comparing the usability of different brands of fingerprint readers commonly used on ATMs. Participants will come to our lab, and we will begin by giving them a detailed demographics survey (age, occupation, annual income, and past experience using biometric systems). Afterwards, they will use each fingerprint scanner on the market in randomized order. To understand the tolerance of the fingerprint reader at accepting partial matches of the fingerprints, we will retain participants' fingerprint readings from each device so that undergraduate students in a security class at our institution can analyze the tolerance as part of a class project. We will then administer a survey about participants' perceptions of the usability and comfort of each fingerprint scanner. We will try to recruit students in grades 6-12 by posting flyers for the study in front of local schools. To reflect the amount of free time participants have, we will compensate students $5.00 for the study. Any non-student participants will receive $10.00 for the study.

2-A. Create a bulleted list of potential ethics concerns raised by this protocol.

2-B. Write two paragraphs suggesting modifications to the study protocol that would better protect human subjects. The first paragraph should cover the first part of the protocol, and the second paragraph should cover the second part of the protocol.

Part 3 (9-unit students should not do this part. 12-unit students will receive between 0 and 30 points for this part): Write a 3-7 sentence summary and short "highlight" for each of the following two readings: Jagatic et al. (assigned for February 1) and Kang et al. (assigned for February 6).