July 14-16, 2010
Redmond, WA


Call for participation





Symposium On Usable Privacy and Security


The following is a preliminary program, subject to change.

Wednesday, July 14

8 - 9 am: Breakfast and registration

9 am - 12:45 pm: Workshops

12:45-2 pm: Lunch

2-3:30 pm: Workshops

3:45 - 5:45 pm: Poster session

6:00 - 8:00 pm: Dinner BBQ, outside Microsoft Commons

Thursday, July 15

7:30 - 8:30 am: Breakfast and registration

8:30 am - 9:30 am: Opening session

  • Welcome and best paper award presentation
    • Lorrie Cranor, SOUPS General Chair
    • Andrew Patrick and Stuart Schechter, SOUPS Technical Papers Co-Chairs
    • Jeffrey Friedberg, Microsoft Chief Trust Privacy Architect
  • 8:45 am Invited talk: Adam Shostack - Engineers are People Too [slides]

9:30-11 am: Technical paper session: Passwords and Accounts, Chair: Rob Reeder, Microsoft

11 - 11:30 am: break

11:30 am - 1 pm: Technical paper session: Authentication for Mobile Devices, Chair: Robert Biddle, Carleton University

1 - 2:15 pm: Lunch

2:15 - 3:45 pm: Technical paper session: Privacy, Serge Egelman, Brown University

3:45 - 5 pm: Discussion sessions

Grab a snack and join a discussion session

  • Privacy, Security, and Public Policy
    Discussion leader: Janice Tsai, California Council on Science and Technology, CA Senate
  • IRB and HCI-Sec Research
    Discussion leader: Simson Garfinkel, Naval Postgraduate School
  • Usable Security and Privacy for Mobile Devices
    Discussion leader: Marc Langheinrich, Universita della Svizzera italiana (USI)
  • Integrating Usable Security and Privacy into Security Education
    Discussion leader: Heather Lipford, UNC Charlotte
  • Health Security and Privacy
    Discussion leader: Tadayoshi Kohno, University of Washington

5 - 5:15 pm - Board buses for dinner cruise

Buses will depart at 5:15 pm for our dinner cruise, which leaves from the Kirkland City Dock at 6 pm. Tickets (included in registration) are required for the cruise. The cruise will return to the dock by 9 pm and buses will return to the conference hotel and the Microsoft Commons. We will be cruising the waterways of Lake Washington and Lake Union. Guests will enjoy the beautiful scenery, views of Mt. Rainier, the University of Washington Husky Stadium, and homes of Seattle's rich and famous. You will also see the historic houseboat community including the "Sleepless in Seattle" houseboat, and the view of downtown Seattle.

Friday, July 16

7:45 - 8:45 am: Breakfast and registration

8:45 - 10:45 am: Technical paper session: Security Models and Decision Making, Chair: Angela Sasse, University College London

10:45 - 11:15 am: Break

11:15 am - 12:45 pm: Technical paper session: SOUPS du Jour, Chair: Andrew Patrick, Office of the Privacy Commissioner of Canada

12:45 - 2 pm: Lunch

2 - 3:15 pm: Panel: New Research Tools: Crowdsourcing and Cloud Computing

  • Moderator: Cynthia Kuo, Nokia
  • Sharon Chiarella, VP of Amazon Mechanical Turk
  • Lukas Biewald, Founder and CEO of Crowdflower
  • Dave Dittrich, University of Washington
  • Lee Tien, Senior Staff Attorney, Electronic Frontier Foundation
  • Patrick Gage Kelley, Carnegie Mellon University

3:15 pm: Ice cream social, Microsoft Research

The SOUPS ice cream social will be held at Microsoft Research (building 99). From 3:30 to 4:45 laboratory tours will leave every 15 minutes from the building 99 atrium. Tours will last about 15 minutes.

The Microsoft laboratory tour will be conducted by Stuart Schechter and Jess Holbrook. Stuart is a Researcher at MSR and SOUPS program co-chair. Jess is a UX Research Lead on the Windows team who serves on the Trust User eXperience (TUX) advisory board. We will tour a laboratory in building 99, the heart of Microsoft Research Redmond. Topics to be discussed will include:

  • Types of research (from both product-side research and MSR research)
  • Types of researchers (dedicated UX engineers, MSR researchers)
  • Product group engagement in research studies (or why we keep tissues in the observation room)
  • Typical lab layout and equipment (cameras, microphones, eye trackers, etc.)
  • Recruiting and demographic screening
  • Gratuity offerings, and how they can be customized for study goals


Usable Security Experiment Reports (USER) Workshop

Security & Privacy Usability Technology Transfer: Emerging Research (SPUTTER) Workshop


Adam Shostack, Microsoft - Engineers are People Too


In "Engineers Are People, Too" Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the engineer. All too often, engineers are assumed to have infinite time and skills for usability testing and iteration. They have time to read papers, adapt research ideas to the specifics of their product, and still ship cool new features. This talk will bring together lessons from enabling Microsoft's thousands of engineers to threat modeling effectively, share some new approaches to engineering security usability, and propose new directions for research.

Adam Shostack is a program manager in Microsoft's Trustworthy Computing Initiative, where he's focused on security and usability. He's a veteran of several successful startups, a co-founder of the CVE (Common Vulnerabilities and Exposures project), and co-author of the acclaimed New School of Information Security.


New Research Tools: Crowdsourcing and Cloud Computing

Researchers can now "outsource" work or service infrastructure to Internet-based services, such as Amazon Mechanical Turk, Amazon EC2, or CrowdFlower. What benefits can these services offer to researchers? When are these services appropriate or inappropriate? This panel will discuss best practices for deriving useful results from these services. Also, it will debate the implications of allowing research data - particularly human subjects' data - to reside in the cloud.


Sharon Chiarella
Vice President, Mechanical Turk

Sharon Chiarella joined Amazon in December 2007 as Vice President of Amazon Mechanical Turk, an online marketplace for outsourcing work. Sharon has over 20 years of experience developing and managing innovative high-technology products and businesses with over 15 years focused on Internet technologies and connected devices. Prior to joining Amazon, Sharon was Vice President of Product Management and Business Development at Presto Services, a Kleiner Perkins funded startup. Sharon has held leadership positions at Yahoo!, Microsoft and Kodak. She developed the business plan, prototypes and early partnerships for Yahoo!’s connected device business; ran Microsoft's WebTV and MSN dial-up businesses; led Product Management for Microsoft's first DVR product (UltimateTV) and created the business plan, developed and launched Kodak's online photo business. Sharon earned her bachelor's degree in computer science from Manhattan College and her MBA from Harvard Business School.

Lukas Biewald
Founder and CEO of CrowdFlower

Founded in 2007, CrowdFlower provides Labor-on-Demand to help companies outsource high-volume, repetitive tasks to a massively-distributed global workforce. Before founding CrowdFlower, Lukas was a senior scientist and manager within the Ranking and Management Team at Powerset, Inc., acquired by Microsoft in 2008. He led the Search Relevance Team for Yahoo! Japan after graduating from Stanford University with a B.S. in Mathematics and an M.S. in Computer Science. Recently, Lukas won the Netexplorateur Award for GiveWork - a collaboration with Samasource that brings digital work to refugees worldwide. Lukas is also an expert level Go player.

Dave Dittrich
Senior Security Engineer and Researcher, University of Washington

Dave Dittrich is a security researcher at the Applied Physics Laboratory at the University of Washington. Dave has a long history of dealing with computer intrusions and security operations and has expertise in computer forensics, botnets and the ethical/legal/technical issues associated with responding to computer attacks. Dave also sits on the UW's Institutional Review Board Committee K (combined behavioral and biomedical research) and has written several documents that deal with ethics in computer security research. (See

Lee Tien
Senior Staff Attorney, Electronic Frontier Foundation.

Lee Tien is a senior staff attorney with the Electronic Frontier Foundation specializing in free speech, privacy and security issues. As part of his practice, he represents security researchers and works on legal/ethical policy relating to cybersecurity research.

Patrick Gage Kelley
Ph.D. Student, Carnegie Mellon University

Patrick Kelley is a Computation, Organizations and Society Ph.D. student in the CyLab Usable Privacy and Security (CUPS) Lab at Carnegie Mellon University. His work centers around designing interfaces to help users control and understand privacy policies and settings. His research towards "Designing a Privacy Label" has been selected as one of the top three pieces in the ACM Grand Finals for 2010.


Poster: Assessing the Usability of the new Radio Clip-based Human Interaction Proofs
Jonathan Lazar, Heidi Feng, Olusegun Adelegan, Anna Giller, Andrew Hardsock, Ron Horney, Ryan Jacob, Edward Kosiba, Gergory Martin, Monica Misterka, Ashley O'Connor, Andrew Prack, Roland Roberts, Gabe Piunti and Robert Schober

Poster: Social Sharing of Security Expertise
Puneet Kaur, Olli Immonen, Alexey Kirichenko and Kristiina Karvonen

Poster: OpenID-email Enabled Browser
San-Tsai Sun, Kirstie Hawkey and Konstantin Beznosov

Poster: Expectations, Perceptions, and Misconceptions of Personal Firewalls
Fahimeh Raja, Kirstie Hawkey, Pooya Jaferian, Konstantin Beznosov and Kellogg Booth

Poster: User preferences for biometric authentication methods and graded security on mobile phones
Hanul Sieger, Niklas Kirschnick and Sebastian Moller

Poster: Community-Based Security and Privacy Protection During Web Browsing
Max-Emanuel Maurer

Poster: An Improved Approach to Gesture-Based Authentication for Mobile Devices
Niklas Kirschnick, Sven Kratz and Sebastian Moller

Poster: Privacy Attitudes of Facebook Users
Gregory Norcie

Poster: MVP: A web-based framework for user studies in authentication
Sonia Chiasson, Chris Deschamps, Max Hlywa, Gerry Chan and Robert Biddle

Poster: Online Privacy Perception in Central Asia
Colin Birge, Cynthia Putnam and Beth Kolko

Poster: Trustworthiness and the Perception of Security
Max Shoka, Tim McKay and Valerie M. Sue

Poster: Security Through Entertainment: Using a Memory Game for Secure Device Pairing
Alexander Gallego, Nitesh Saxena and Jonathan Voris

Poster: Validating and Extending a Study on the Effectiveness of SSL Warnings
Andreas Sotirakopoulos, Kirstie Hawkey and Konstantin Beznosov

Poster: What is still wrong with security warnings: a mental models approach
Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs and Saranga Komanduri

Poster: Universally Usable Privacy in Write-In Voting
Shanee Dawkins, Lauren Hamilton, Tony Sullivan and Juan Gilbert

Poster: Exploring Reactive Access Control
Michelle Mazurek, Peter Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer and Lorrie Cranor

Poster: Draw a line on your PDA to authenticate
Xiyang Liu, Zhongjie Ren, Xiuling Chang, Haichang Gao and Uwe Aickelin

Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences

Poster: Access Control for Home Data Sharing: Attitudes, Needs and Practices
Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger and Michael K. Reiter

Poster: Shoulder-Surfing Resistance with Eye-Gaze Entry in Click-Based Graphical Passwords
Alain Forget, Sonia Chiasson and Robert Biddle

Poster: A Practical Attack to De-Anonymize Social Network Users
Gilbert Wondracek, Thorsten Holz, Engin Kirda and Christopher Kruegel

Poster: Visual vs. compact: a comparison of privacy policy interfaces
Heather Lipford, Jason Watson, Michael Whitney, Katherine Froiland and Robert Reeder

Poster: ColorPIN - Securing PIN entry through indirect input
Alexander De Luca, Katja Hertzschuch and Heinrich Hussmann

Poster: The True Cost of Unusable Password Policies: Password Use in the Wild
Philip George Inglesant and Martina Angela Sasse

Poster: Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions
Steve Sheng, Mandy Holbrook, Ponnurangam Kumaraguru, Lorrie Cranor and Julie Downs

Poster: Improving Phishing Countermeasures: An Analysis of Expert Interviews
Steve Sheng, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor and Jason Hong

Poster: Soramame: what you see is what you control access control user interface
Nachi Ueno, Ryota Hashimoto, Michio Shimomura and Kenji Takahashi

Poster: Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach
Patrick Gage Kelley, Lucian Cesca, Joanna Bresee and Lorrie Faith Cranor

Poster: Modeling PLA Variation of Privacy-Enhancing Personalized Systems
Scott Hendrickson, Yang Wang, Andre van der Hoek, Richard Taylor and Alfred Kobsa


Privacy, Security, and Public Policy
Discussion leader: Janice Tsai, California Council on Science and Technology, CA Senate

The last year has been a time of significant focus on privacy. Congress has had several hearings regarding online privacy, and the FTC has become involved in issues related to online privacy, behavioral advertising, and privacy and security in cloud computing. How effective has this attention been? What kinds of issues are being discussed and what issues are actually being acted upon? This breakout session will discuss privacy and security as public policy issues and how and what should be passed into law.

IRB and HCI-Sec Research
Discussion leader: Simson Garfinkel, Naval Postgraduate School

Increasingly security researcher at universities in the US and abroad is focusing on the importance of the user---and usability research, especially field research, invariably requires the involvement of human beings. In the US such research is governed by the Common Rule (45 CFR 46) and enforced by Institutional Review Boards. (Outside the US research is typically governed by Ethics Boards that satisfy much the same function.)

For example, a significant amount of important research in computer science is performed using electronic mail archives as a data source. Many researchers have traditionally used email messages that they have personally received from friends and correspondents as the basis of their work. A significant number of publications are based on personally received messages. It is relatively rare for computer scientists and linguists to receive IRB approval for the use of such archives. Is such approval required?

The Common Rule does not apply to data sets that are anonymous. But what about data sets that can be re-identified? Are embedded names in email headers and/or bodies considered sufficient for identifying research subjects? That is, does an email message that contains a name fail to meet the requirement of 45 CFR 46.101 b(4)) of being "recorded in such a manner that subjects cannot be identified, directly or through identifiers linked to the subject?" Is English text authored by the research subject considered an identifier that can be linked to the subject? There has been considerable work in the past 20 years of using authorship patterns such as word choice and grammar to determine the identity of an author.

This breakout session will discuss the difficulty of applying the current IRB regulations to computer security research and possible ways of approaching these issues. Particular attention will be paid to email archives, network packet captures, and the re-identification of apparently anonymous data sets.

Usable Security and Privacy for Mobile Devices
Discussion leader: Marc Langheinrich, Universita della Svizzera italiana (USI)

Mobile devices in general, and mobile phones in particular, present unique challenges not only in terms of user interface, battery life, and form factor, but also in terms of ensuring their users' privacy and security. Privacy and security are often in conflict with another and have been the topic of many research projects. In this discussion session, we will try to discuss open research issues in bringing usable privacy and security to mobile phones. Possible questions include: Can we combine today's popular location sharing applications with effective privacy controls? How can we mitigate the privacy and security risks of loosing one's mobile phone? What novel challenges do mobile browsers pose in terms of security controls? And what kind of approaches are most effective for conveying security advice on mobile devices?

Integrating Usable Security and Privacy into Security Education
Discussion leader: Heather Lipford, UNC Charlotte

The importance of usability in security and privacy has been gaining acceptance in the security research community, but what about security educators? A number of faculty in our community have offered usable security and privacy courses at various universities. Yet these course are still rare. So what should the “average” security professional know about usable security? There are countless educational programs in security offered at universities and in industry training. How should usable security lessons and principles be integrated into those programs? How can we as a community impact general security and privacy education? In this discussion session we will focus on these issues, and discuss our experiences and ideas on usable security education and training.

Health Security and Privacy
Discussion leader: Tadayoshi Kohno, University of Washington

Healthcare is going digital. An increasing amount of health information is being gathered, stored, and shared digitally. There are a variety of institutions advocating the wide-scale deployment of electronic health records. Google and Microsoft and others have introduced online personal health systems for individuals to manage their own information. Advanced medical devices will be gathering health information in the home and hospital. These devices will also be affecting patients' physiology. All of these systems have important security, privacy, and safety implications, and need useful and usable mechanisms and solutions. In this breakout session we will focus on the usable security and privacy issues in health care technologies. What are the current and future usability challenges and research questions for the variety of health systems that are being developed?


SOUPS 2010 is sponsored by Carnegie Mellon CyLab and Microsoft.