05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734 Usable Privacy and Security

Project Choices

This semester students will choose from among the following projects. Please complete the online project preference form emailed to the class.

Cyber Security toolikt for activists

Develop and evaluate a "Cyber Security Toolkit for Activists" in the form of a website, pamphlet, software package, video, or other format. Start by surveying existing materials for activists. You may want to conduct an expert evaluation of these materials. You might develop a completely new toolkit or identify one or more existing toolkits to study. Conduct a study with activists in which you assess their needs and evaluate the suitability of existing tools and/or a new tool.

Suggested reading:

Password managers

As users struggle to remember dozens of passwords, increasingly they turn to password managers for help. There are several well-known password managers available for free or a low cost that are gaining popularity. While initial versions had a reputation of being difficult for non-experts to use, recent versions are reportedly more usable. How do the leading password managers compare in terms of features and usability? What aspects of password managers do non-expert users still struggle with? What reasons do expert and non-expert users give for choosing to adopt or not adopt a password manager? This study will likely include a lab experiment and likely also interviews or surveys.

Suggested reading:

Self-deleting social media apps

Social media applications that feature self-deleting media are hugely popular, especially among younger users. Snapchat (US), Snow (China), and Instagram Stories, which was released just last year, are commonly used to share selfies, life updates, and short videos to friends and followers. But although users might tout the privacy benefits of disappearing content, do they understand who can view their content, and how they can control it? You should survey the privacy controls of self-deleting social media apps, perform a usability study of leading apps' privacy settings, and investigate what users understand about the privacy controls and default settings.

Suggested reading:

Two-factor authentication

CMU has recently joined many other institutions in rolling out two-factor authentication (sometimes known as multi-factor authentication). This project should evaluate the usability of 2FA as compared to password authentication without 2FA. This might be done as a lab study or an online study or some combination and may include collecting data on how long it takes to authenticate and user sentiment towards the authentication process. It should evaluate CMU authentication, but could also evaluate 2FA techniques used by other services.

Suggested reading:

Privacy of personal health data

An NIH-funded project is exploring the impacts of privacy environments for personal health data on patients. The project team is conducting surveys and focus groups to understand individual privacy concerns related to health-related big data technologies and willingness to share personal health data for research. To date, the surveys and focus groups have been conducted on a small scale with select populations. In this project, students will perform a mechanical turk survey with the objectives of 1) comparing the survey responses from these select populations with a larger Mturk sample; 2) assessing Mturk participants' reactions to scenarios discussed in the focus group; 3) looking for correlations between reactions to scenarios and other survey questions. Students who work on this project will be given copies of the existing survey and focus group scripts, as well as preliminary survey results and focus group transcripts.

Suggested reading:

Most usable privacy policies

Can we identify examples of the most usable privacy policies currently posted publicly? Students should develop a set of criteria for usable privacy policies and should review privacy policies on a range of web sites to find those that best meet this criteria. Then they should perform a user study to evaluate the top policies (perhaps compared to some that don't score so well). The final report should highlight what makes a privacy policy usable and useful, and what detracts from usability, and provide actionable advice to policy creators.

Suggested reading:

Opting out

How easy or difficult is it for consumers to find and exercise privacy-related opt-out options on websites? For this project you should identify a set of websites that offer opt-out options and conduct a user study to assess how difficult it is to find the opt-out instructions, understand and follow opt-out instructions, and understand what they are actually opting out of. You might look at website opt-outs or third-party targeted ad opt-outs or both.

Suggested reading: