The U-PriSM workshop is an opportunity for researchers and
practitioners to discuss research challenges and experiences around
the usable privacy and security of mobile devices (smartphones and tablets).
SCOPE AND FOCUS
The workshop seeks two types of original submissions: (1) short
papers describing new research outcomes and (2) position papers
describing new research challenges and worthy topics to discuss in
all areas of usable privacy and security of mobile devices.
Submissions should relate to both usability and either
privacy or security in mobile devices (smartphones or tablets).
Topics may include (but are not limited to):
user authentication on mobile devices
permission management of applications
secure mobile payment
do-not-track on mobile devices
protecting location privacy of mobile users
physical security of mobile devices (against loss or theft)
new security or privacy functionality and design for mobile devices
user testing of mobile security or privacy features
lessons learned from deployment of mobile security or privacy features
comparisons of usable privacy or security features between mobile platforms
Short papers are 2-6 pages in length and may cover: research
results, work in progress, and practitioner/industry or experience
reports focused on any workshop topic. Papers should describe the
purpose and goals of the work, cite related work, and clearly state
the contributions to the field (innovation, lessons learned).
Position papers are 1 page in length and present an arguable
opinion about an issue. A position paper may include new ideas or
discussions of topics at various stages of completeness. Position
papers that present speculative or creative out-of-the-box ideas are
welcome. While completed work is not required, position papers
should still provide reasonable evidence to support their claims.
Workshop papers will be available on the SOUPS website, but will
not be included in the ACM Digital library. Authors of accepted
papers will be invited to present their work at the workshop.
"Honey, I Shrunk the Auth!" - Authentication and Authorization on Mobile Devices
Dirk Balfanz (Google)
Abstract: Mobile devices present both challenges and opportunities in the field of online authentication and authorization. On the challenge side we have the problem that typing passwords is much more of a burden than on larger devices, as well as the fact that mobile devices tend to be always-connected, always-syncing, thus essentially eliminating the ability or at least making it very inconvenient for the user to log out, or disconnect. On the opportunities side there is the fact that an always-on, always-connected personal device can actually help users authenticate when they are on the go, promising to eliminate such long-standing threats as phishing or keylogging malware. In my talk, I will give real-world examples for the two sides of the mobile auth coin, having worked both on authentication and authorization for Android, as well as on projects that aim to utilize mobile devices for authentication to desktop computers.
Bio: Dirk is a software engineer in Google's Security Team, focusing on user authentication. He is currently working on strengthening authentication on the Web through the use of public-key cryptography. Dirk worked on Google's OpenID and OAuth implementations, as well as different pieces of Google's (and Android's) authentication and authorization infrastructure. He holds a PhD in Computer Science from Princeton University.
10:15am
Break
10:40am
Session A: Users and mobile devices
Chair: Mary Ellen Zurko (Cisco)
A-1 (10 min): I've Got 99 Problems, But Vibration Ain't One: A Survey of Smartphone Users' Concerns
Adrienne Porter Felt, Serge Egelman, David Wagner (UC Berkeley)
Abstract: Smartphone operating systems expose a wide range of functions and user data to third-party applications. However, past research on mobile privacy has focused exclusively on the risks pertaining to sharing location. To expand the scope of smartphone security and privacy research, we surveyed 3,115 smartphone users about 99 risks associated with 54 smartphone privileges. We asked participants to rate how upset they would be if a given risk occurred. Based on this data, we ranked risks by the number of users who stated that they would be “very upset” if the risks occurred. We then performed an open-ended survey of 41 smartphone users, which let respondents discuss the risks in their own words. The follow-up study confirmed that people find the lowest-ranked risks merely annoying but might seek legal or financial retribution for the highest-ranked risks. Our ranking could be used to guide the severity or selection of warnings on smartphone platforms. Notably, our results show that location is not a high-ranked user concern.
Discussion points:
The importance of location, and how/why so much research has been focused on location despite it potentially not being the most concerning resource.
How to observe users' true levels of concern. This has two challenges: first, how to do it realistically; and second, how to do it ethically.
What kinds of data analysis would the audience be interested in seeing in completed work? We have not done many statistical tests, for fear of performing too many and encountering a false positive. If there were specific hypotheses that the audience were interested in, we could test those.
Does the audience believe that our confirmation study (the second study with short essay answers) is sufficient?
Paper: This paper is not available per the authors' request.
A-2 (10 min): Privacy as Part of the App Selection Process
Patrick Kelly (CMU)
Abstract: The current Android Market relegates permission information to an afterthought, a mandatory click-through after a user has looked at screenshots, videos, feature lists, ratings, text reviews, and similar apps. At this point, their decision is made. Through a series of online studies and an ongoing laboratory test we show that we can bring data privacy information earlier in the decision process and that privacy information can nudge users towards different application selections.
Discussion points:
There has been a significant amount of discussion that (Android) permissions are not suitable in assisting user choice and that certain much-hyped permissions (location) are not *that* important. What are the important "permissions" to show users?
If we had a list of important permissions/metrics, could we come up with a privacy score for applications, or would the functionality/context be too tied to metric for it to be meaningful?
The loudest question from users is "why does the app need X?" -- How can we encourage explanation of privacy that doesn't lead to terribly long/legalistic/vague/weasely privacy policies being displayed on a mobile screen?
Paper: This paper is not available per the authors' request.
A-3 (20 min): Discussion
Session B: User privacy vs. mobile apps
Chair: Kristie Hawkey (Dalhousie University)
B-1 (10 min): "How Come I'm Allowing Strangers to Go Through My Phone?": Smart Phones and Privacy Expectations
Jen King (UC Berkeley)
Abstract: This study examines the privacy expectations of smart phone users by exploring two specific dimensions to smart phone privacy: participants’ concerns with other people accessing the personal data stored on their smart phones, and applications accessing this data via platform APIs. We interviewed 24 Apple iPhone and Google Android users about their smart phone usage, using Altman’s theory of boundary regulation and Nissenbaum’s theory of contextual integrity to shape our inquiry. We found these theories provided a strong rationale for explaining participants’ privacy expectations, but there were discrepancies between users’ privacy expectations, smart phone usage, and the current information access practices by application developers. We conclude by exploring this “privacy gap” and recommending design improvements to both the platforms and applications to address it.
Discussion points:
Privacy choices in technology are often presented with a rational actor in mind---one that can logically evaluate the privacy risks and make informed, thoughtful decisions. User research in privacy points towards the opposite---that the choices we offer don't map to how users think about privacy, and that instead a "notice" model like that practiced by Android is generally ineffective in informing users about potential risks and helping them make well-informed decisions. How might we change the rational actor paradigm into one that takes into account human cognitive limitations and biases and doesn't presume a well-articulated understanding of both privacy and the technology at hand?
How do we inform users of access to sensitive information on their smartphones without over-inundating them with run time notices or forcing them to make complex choices? Discuss.
How significant is the divide between app and browser? Should we be concerned that many people don't understand what apps are and assume they act like browsers? Do we need to educate users (explicitly or through better design) to understand this? Does the potential convergence of apps and browsers (w/r/t proposed W3C specs giving browsers more app-like capabilities) muddy this future enough that we should be thinking of a different strategy?
Paper: This paper is not available per the authors' request.
B-2 (10 min): Privacy in Mobile Personalized Systems: The Effect of Disclosure Justifications
Bart P. Knijnenburg (UC Irvine, Samsung R&D), Alfred Kobsa (UC Irvine), Gokay Saldamli (Samsung R&D)
Discussion points:
None of our justification messages seemed to work very well. Is there a "golden justification" out there? What would that be?
Our justification messages did not work for everyone, but we have some evidence that different messages may work for different types of users. Has the audience encountered any other privacy issues that required a tailored approach?
Providing justifications decreased disclosure as well as subjective valuations. Should we give users objective information about their privacy decision even if this reduces their satisfaction?
C-1 (10 min): To Share or Not To Share? An Activity-centered Approach for Designing Usable Location Sharing Tools
Marcello Paolo Scipioni, Marc Langheinrich (University of Lugano)
Abstract: Location sharing has recently become one of the most discussed topics in Ubiquitous Computing. Although it looks very attractive to users, there are still many privacy issues that keep users from using location sharing tools. Many researchers have proposed theoretical solutions for the problem of location privacy, but users still lack usability and control over their location data in the location sharing tools currently available on the market. In this paper, we present the results of a qualitative user study conducted with 14 people. We devised a set of activities around location sharing, and we designed a prototype interface for a new location sharing app in which the sharing behaviour is based on activities rather than on people. Participants in the study, guided through a semi-structured interview, express the privacy concerns and issues that they find most compelling while using location sharing tools, and comment on the usefulness of such tools in different cases and situations. Our concept of activity-based sharing is then evaluated by users. Our findings suggest that ad-hoc tools provide more versatility and are preferred by users, while long-standing location sharing functionalities look more invasive and are considered only for a limited group of trusted contacts.
C-2 (10 min): Position Paper: Privacy-Preserving Location Tracking with Client-based Modeling
Janne Lindqvist, Mor Naaman, Marco Gruteser (Rutgers University), Winter Mason (Stevens Institute of Technology)
Abstract: Several research projects gather and use location data for various purposes. In this short note, we argue for preserving participant privacy with client-based modeling of location.
Paper: This paper is not available per the authors' request.
C-3 (20 min): Discussion
Session D: Potpourri
Chair: Janne Lindqvist (Rutgers)
D-1 (10 min): Understanding the user experience of secure mobile online transactions in realistic contexts of use
Julio Angulo, Erik Wästlund, Peter Gullberg, Daniel Kling, Daniel Tavemark, Simone Fischer-Hübner (Karlstad University)
Abstract: Possible attacks on mobile smart devices demand higher security for applications handling payments or sensitive information. The introduction of a tamper-proof area on future generations of mobile devices, called Trusted Execution Environment (TEE), is being implemented. Before devices with embedded TEEs can be deployed to the public, investigations on usability aspects of Trusted User Interfaces (TUI) are needed. This article describes the process we have followed at gathering requirements, prototyping and testing suitable designs for TUIs in combination with a touch-screen biometric system. At the end, we present relevant findings of a pilot study that we have conducted using an Experience Sampling Method (ESM) as part of our ongoing work.
D-2 (10 min): Position Paper: Motivating the need for evaluation criteria for CAPTCHAS
Gerardo Reynaga (Carleton University)
Abstract: We argue that a set of usability heuristics is needed for easy and quick evaluation of Captcha implementations. With this set of heuristics we contribute to sustaining the Captcha mantra: "Easy for humans, hard for machines". In particular, the usability of Captcha schemes changes radically when they are utilized in mobile environments. We are developing a set of heuristics for use by practitioners wishing to evaluate which Captcha scheme is most appropriate for their website.
Eiji Hayashi, Sauvik Das, Shahriyar Amini, Emmanuel Owusu, Jun Han, Jason Hong, Ian Oakley, Adrian Perrig, Joy Zhang (Carnegie Mellon University)
Abstract: We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to combine a number of passive factors for authentication (e.g., a user's current location) with appropriate active factors. In this paper, we provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a security requirement given passive factors about a user. We also present the results of two user studies evaluating the feasibility and users' receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce the number of user authentications by up to 68% when using a user authentication system designed with CASA compared to one that consistently requires a fixed active authentication. Furthermore, more than half of the participants who tested our prototype preferred to use our user authentication system on their phones.
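The abstract above describes selecting an active factor from passive evidence but gives no mechanics. The following is an added illustration written for this page, not the CASA authors' code or framework: it treats each passive factor as a likelihood ratio for "owner vs. impostor", updates a prior, and picks the least burdensome active scheme whose false-accept rate keeps the residual impostor risk under a target. Every number (the prior, the likelihood ratios, the false-accept rates, the target) is a constructed assumption, as is the session log at the bottom.

```python
"""Hypothetical context-aware selection of an active authentication factor.

Added illustration, not the CASA authors' code. All parameters below are
assumed values chosen for the example, not measured rates.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed prior: probability that the person holding the phone is not the owner.
PRIOR_IMPOSTOR = 0.01

# Passive factors expressed as likelihood ratios
#   P(observation | owner) / P(observation | impostor).
# Values above 1 favour the owner; below 1 favour an impostor. Constructed values.
PASSIVE_LR: Dict[str, float] = {
    "at_home": 10.0,
    "at_work": 6.0,
    "unfamiliar_location": 0.3,
    "paired_bluetooth_present": 10.0,
    "usual_hours": 2.0,
}


@dataclass(frozen=True)
class ActiveScheme:
    name: str
    false_accept: float  # assumed P(impostor passes the challenge)
    burden: int          # relative user effort; lower is preferred


# Candidate active schemes. "none" means no prompt at all.
SCHEMES: List[ActiveScheme] = [
    ActiveScheme("none", 1.0, 0),
    ActiveScheme("pin4", 1e-2, 1),      # assumed: short PIN, some guessability
    ActiveScheme("password", 1e-5, 2),  # assumed: stronger secret, more effort
]


def impostor_probability(observations: Iterable[str], prior: float = PRIOR_IMPOSTOR) -> float:
    """Posterior P(impostor | passive observations) via Bayes in odds form."""
    odds = prior / (1.0 - prior)  # impostor : owner
    for obs in observations:
        odds /= PASSIVE_LR[obs]   # each owner-favouring LR lowers impostor odds
    return odds / (1.0 + odds)


def select_scheme(observations: Iterable[str], target: float = 1e-4) -> ActiveScheme:
    """Least burdensome scheme such that P(impostor) * FAR(scheme) <= target."""
    p_imp = impostor_probability(observations)
    for scheme in sorted(SCHEMES, key=lambda s: s.burden):
        if p_imp * scheme.false_accept <= target:
            return scheme
    # Even the strongest scheme cannot meet the target: fall back to it anyway.
    return max(SCHEMES, key=lambda s: s.burden)


def prompt_fraction(sessions: List[List[str]]) -> float:
    """Fraction of sessions that still require an active prompt."""
    prompted = sum(1 for obs in sessions if select_scheme(obs).name != "none")
    return prompted / len(sessions)


# Constructed session log: each entry is the passive evidence seen at unlock time.
SAMPLE_SESSIONS: List[List[str]] = [
    ["at_home", "paired_bluetooth_present", "usual_hours"],
    ["at_home", "paired_bluetooth_present", "usual_hours"],
    ["at_work", "usual_hours"],
    ["at_home"],
    ["unfamiliar_location"],
]

if __name__ == "__main__":
    for obs in SAMPLE_SESSIONS:
        print(obs, "->", select_scheme(obs).name)
    print("prompt fraction:", prompt_fraction(SAMPLE_SESSIONS))
```

With these assumed parameters, strong home evidence suppresses the prompt entirely, a single familiar location drops the requirement to a PIN, and an unfamiliar location escalates to a password; the same comparison against a fixed "always prompt" policy is what the abstract's reduction figure measures.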
Hyoungshick Kim, Konstantin Beznosov (University of British Columbia)
Abstract: Providing a secure and usable user authentication scheme for mobile phones is a major challenge. Though there are many proposals for user authentication, only PINs or passwords are popularly used on mobile phones, and these are inherently weak since users tend to choose PINs or passwords that are easy to remember and to reuse them, making them also easy for attackers to guess and compromise. We introduce a framework using the personal information stored inside a user's mobile phone. If this information is private and memorable for the phone owner alone, we may use it for user authentication. To verify this idea, we performed a pilot study to observe the knowledge gap between the phone owner and other people. Findings from this study confirmed the feasibility of this idea. The proposed idea may give some new angles on old authentication problems.
E-3 (10 min): Anomaly detection--a possible way to address physical threats to smartphones
Ildar Muslukhov, Yazan Boshmaf, Hyoungshick Kim, Konstantin Beznosov (University of British Columbia), Cynthia Kuo, Jonathan Lester (Nokia Research Center)
Abstract: In this paper we discuss the problem of data protection against the physical threats of loss and theft. We highlight the current challenges and propose a heuristic approach based on users' smartphone use patterns to address them. Anomaly detection might be effectively used as at least an additional measure alongside the existing authentication methods to enhance usability and security against physical threats.
Please contact Serge, [email: serge at guanotronics.com] if you would like to have 5-10 minutes to talk about your research, this workshop, or something interesting and relevant to the audience.
4:20pm
Closing remarks (10 min)
ORGANIZERS
Jaeyeon Jung
Microsoft Research jjung@microsoft.com