Workshop on Home Usable Privacy and Security (HUPS)
Wedneday, July 24, 2013 - Place: Northumbria Building 324
Welcome and opening remarks
"Accelerating innovation in technologies for the home"
Ratul Mahajan (Microsoft Research)
Abstract: A range of compelling applications in the home, from security to health care to energy reduction, can be enabled by connected devices (e.g. sensors). But experimental work on these applications is hampered by two challenges: 1) considerable custom engineering is required to ensure that hardware and software prototypes work robustly; and 2) recruiting and managing more than a handful of homes is difficult and cost-prohibitive. To lower these barriers, Microsoft Research is developing Lab-of-Things@Home (LoT@Home), a communal, research platform. LoT@Home will consist of a large number of geographically distributed homes, each running a common framework for implementing experimental applications. Participating research groups recruit and contribute a small number of homes, and in return, they can run experiments on homes recruited by others. I will describe the design of LoT@Home, what it takes to conduct experiments, and the security and privacy issues that it raises.
Bio: Ratul Mahajan is a Senior Researcher at Microsoft Research and an Affiliate Professor at the University of Washington. His research interests include all aspects of networked systems. His current work focuses on smart home technologies, software-defined networks, and network verification, and his past work spans Internet routing and measurements, incentive-compatible protocol design, practical models for wireless networks, and vehicular networks. He has published over 30 papers in top-tier venues such as SIGCOMM, SOSP, MobiCom, and CHI. He is a winner of the ACM SIGCOMM Rising Star award, the William R. Bennett prize, the SIGCOMM best paper award, and Microsoft Research Graduate Fellowship. He obtained his Ph.D. from the University of Washington (2005) and B.Tech. from Indian Institute of Technology, Delhi (1999).
Session A: People
Chair: Lujo Bauer (CMU)
A-1 (10 min): The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!
Stuart Schechter (Microsoft Research)
Children represent a unique challenge to the security and privacy considerations of the home and technology deployed within it. While these challenges posed by children have long been researched, there is a gaping chasm between the traditional approaches technologists apply to problems of security and privacy and the approaches used by those who deal with this adversary on a regular basis. Indeed, addressing adversarial threats from children via traditional approaches to computer and information security would be a recipe for disaster: it is rarely appropriate to remove a child.s access to the home or its essential systems; children require flexibility; children are often threats to themselves; and children may use the home as a theater of conflict with each other. Further, the goals of security and privacy must be adjusted to account for the needs of childhood development. A home with perfect security . one that prevented all inappropriate behavior or at least ensured that it was recorded so that the adversary could be held accountable . could severely stunt children.s moral and personal growth. We discuss the challenges posed by children and childhood on technologies for the home, the philosophical gap between parenting and security technologists, and design approaches that technology designers could borrow when building systems to be deployed within homes containing this special class of user/adversary.
Can you think of any additional threats from children, or unique aspects of children in threat modeling, that should be accounted for?
Can you think of design principles, parenting-inspired or otherwise, that should be included in a discussion of children as a threat model?
Can you think of ways to improve existing systems by re-thinking security design with more focus on the threat of children?
A-2 (10 min):Empowering Consumer Security and Privacy Choices
Tamara Denning and Tadayoshi Kohno (University of Washington)
Currently, the casual consumer has few available resources on product security and privacy with which to inform purchasing decisions. This absence of coherent information becomes increasingly important as we incorporate an increasing level of sensors, actuators, and connectivity into the technologies in our homes. We wish to initiate a discussion on the potential utility of an organized entity which provides understandable, coherent security reviews and ratings of a large range of consumer technologies. In this paper, we first provide a background of our stance on security and privacy for consumer technologies in the modern home. We then sketch out a proposed resource for security and privacy information on consumer technologies. We discuss some of the potential benefits, obstacles to implementation, and propose potential areas of research that would improve the design of such a resource.
We wish to discuss a Consumer Reports-style resource providing reviews and ratings of security and privacy properties of consumer electronic technologies, particularly in the context of the modern home:
In your mind, what are the primary benefits offered by such a resource?
What are the primary obstacles to such a resource being successful?
What research avenues could move such a resource closer to being realized?
Elizabeth Stobert and Robert Biddle (Carleton University)
Smart homes are distinguished not by the technology used in them, but by the relationships between the people using those technologies. These relationships may be social, cultural, or legal, and can affect how people choose to share their homes. One implication of this sharing is the need for authentication. This may involve sharing passwords or accounts. In this paper, we consider the issues of authentication and shared passwords in the home. We conducted a card-sorting study to examine how users think about their accounts and passwords. We found that users consider many aspects when categorizing their accounts, including social, financial, and pragmatic factors.
What existing authentication is transferable to the home? The factors that distinguish authentication in a smart home are related less to the specific types of technology found in the home, and related more to the relationships between the people who use them. These relationships may be complex, context-specific and changeable. What kind of lessons can we draw from enterprise access control and authentication systems, and what can't be directly applied?
How can we draw design lessons from real world examples? There are many examples of shared accounts in the "real world", including shared physical resources, such as post office boxes, and shared assets like cars. What kind of inspiration can we draw from authentication to these resources to apply to the design of shared smart home systems?
Session B: Access Control
Chair: Tadayoshi Kohno (University of Washington)
B-1 (10 min): The Current State of Access Control for Smart Devices in Homes
Blase Ur (Carnegie Mellon University), Jaeyeon Jung and Stuart Schechter (Microsoft Research)
Although connected devices and smart homes are now marketed to average consumers, little is known about how access-control systems for these devices fare in the real world. In this paper, we conduct three case studies that evaluate the extent to which commercial smart devices provide affordances related to access control. In particular, we examine an Internet-connected lighting system, bathroom scale, and door lock. We find that each device has its own siloed access-control system and that each approach fails to provide seemingly essential affordances. Furthermore, no system fully supports user understanding of access control for the home. We discuss future directions for usable access control in the home.
Is there any hope of having a single access-control system that supports all devices in a home and is usable? As a straw man, consider the following proposition: Devices inside the home differ greatly in the privacy and security concerns they raise, as well as their functions and availability requirements. Therefore, the current array of siloed access-control systems that each provide their own mechanisms and affordances, in concert with overrides of the access-control system based on physical proximity, might actually be the best way forward.
What types of roles do we need to support to capture the access-control policies of different people in the home (e.g., overnight guests, children, temporary visitors)?
Devices have the opportunity to log tons of information about past accesses, as well as to notify users about current access attempts. How can this information help users better understand the security (or the lack thereof) of these devices? What audit information should be most salient to users? What are interesting ways to present this information without causing information overload?
B-2 (10 min): Policies in Context: Factors Influencing the Elicitation and Categorisation of Context-Sensitive Security Policies
Shamal Faily, John Lyle, and Ivan Flechais (University of Oxford), Andrea Atzeni and Cesare Cameroni (Politecnico di Torino), Hans Myrhaug and Ayse Goker (AmbieSense Ltd), and Robert Kleinfeld (Fraunhofer FOKUS)
With sensitive information about ourselves now distributed across personal devices, people face need to make access control decisions for different contexts of use. However, despite advances in improving the usability of access control policy authoring tools for both developers and users in recent years, we still lack insights about how the intentions behind policy decisions in different contexts are shaped. Based on a study of how specific types of user make policy designs in meaningful scenarios, we describe how framing, biases, and expectations influence the elicitation and categorisation of contextsensitive security and privacy policies. From these factors, we make three proposals to help guide the design of context-sensitive policy management tools.
The role of context - is it a help or a hindrance? For example, we can use it to make access control decisions, but we then have to manage access _to_ context, so is it worth it?
(as a follow up) To what extent do access control decisions depend on context? Is the added complexity actually worth it?
Is context more useful for privacy-sensitive decisions as opposed to security?
If there is time, then we'd also be interested in kicking around the below discussion point as well: Are there any factors that are 'special' - e.g., is location data a special case in access control?
Paper: This paper is not available per the authors' request.
B-3 (10 min): Under control: Requirements for access control for personal data
Michelle L. Mazurek, Lujo Bauer, and Gregory R. Ganger (Carnegie Mellon University) and Michael K. Reiter (University of North Carolina)
Personal digital content is proliferating, and much of this content can be easily shared with others, both within homes and more widely across the internet. Controlling access to this content can be difficult, time-consuming, and seemingly unimportant, but errors can lead to regrets and problems ranging from relationship difficulties to job loss. In this paper, we draw on prior research, including our own, to identify eight requirements for building new access-control systems for personal data that are both secure and usable. We also discuss challenges associated with evaluating new access-control mechanisms.
How can we effectively evaluate new systems in the personal-access-control space?
How can we reconcile people's complex ideal policies with their inability to correctly specify them and/or disinterest in spending the time to do so?
Paper: This paper is not available per the authors' request.
B-4 (30 min): Discussion
Session C: Privacy
Chair: Rainer Böhme (University of Münster)
C-1 (10 min): DigiSwitch: Who is viewing my daily activity?
Robyn Evans (Indiana University - Bloomington), Kay Connelly (Indiana University- Bloomington), Kelly Caine (Clemson University), and Kalpana Shankar (University Colleague Dublin)
DigiSwitch is designed to enhance the privacy of a suite of aging in place technologies by allowing older adults to view information as it is collected about them and maintain control over who else has access to this information. In previous work, we designed the DigiSwitch to be used with older adults who had informal caregivers because, previous aging in place research has focused on a one-to-one relationship amongst older adults and a caregiver. In this model, the caregiver primarily receives monitoring data. However, our research uncovered that for a low-SES population, older adults relied more on each other for support than family caregivers. In this paper we explore the design constraints and opportunities for designing a version of the DigiSwitch where older adults are aware of information that is collected about them and choose who among a group of peer older adults receives that information. Specifically, we focus on the major usability differences in redesigning the DigiSwitch from a one-to-one function to a one-to-many function.
What are the usability challenges in designing for low-SES rural and urban older adults?
What are the major usability differences in designing a DigiSwitch from a one-to-one function to a one-to-many function?
"Me time" was controversial in the older adult to caregiver model. Is it more or less controversial in the older adult to many older adult model?
Paper: This paper is not available per the authors' request.
C-2 (10 min): PETs in Your Home --- How Smart is That?
Stefan Korff (University of Münster , Department of Information Systems)
Information technology has reached a level of sophistication so that its users leave detailed traces of the parts of their lives when they knowingly interact with information systems (e.g., Internet use) or participate in the social sphere (e.g., video surveillance). The recent advent of the smart home technology, that is residential properties being equipped with sensors and interconnected smart devices, expands the realm of unavoidable data collection further. This exacerbates people.s fear of privacy breaches. The purpose of this paper is to evaluate how reasonably the known privacy-enhancing technologies can be applied in the case of a fictional smart home scenario. It briefly discusses potential areas of privacy problems specific to this new technology, then recalls the fundamental ideas behind known privacy-enhancing technologies, and critically evaluates their applicability in an intelligent home with special emphasis on usability. The paper concludes with a discussion of ways forward to effectively adapt privacy protection concepts in this particular environment.
Searching for usable PETs in the smart home environment . a wild goose chase?
Is it realistic to find applicable PETs based on existing concepts?
Should we invest more time on finding new concepts?
Usability for privacy as a secondary goal.
Can we maintain a reasonable privacy level invisible from the user?
Can we piggyback PETs on existing access control models and mechanisms?
Privacy in smart homes . are traditional usability/business models still feasible?
Can there be a secondary market for smart home devices?
Is a seamless combining (marriage) and splitting (divorce) of smart homes devices realistic?
C-3 (10 min): The Valuation of Smart Metering Privacy
Dipayan Ghosh, Jubo Yan, William Schulze, Dawn Schrader, and Stephen Wicker (Cornell University)
Smart metering initiatives have caused division among electricity consumers and utility companies since their inception. Advocates of smart metering expound the technological functionalities of smart meters that can help lower electricity production costs and reduce dependency on fossil fuels. However, smart meters can also collect sensitive information about the power consumption habits of consumers, causing critics to argue that consumer privacy is left exposed. How much do consumers value their privacy in this context? Do the benefits of smart metering outweigh the loss of privacy? In this paper, consumer willingness to adopt smart metering is investigated. A set of research questions around consumer decision-making related to smart metering and privacy is first developed. To address these questions, a national survey was implemented to examine consumer willingness to adopt standard smart metering and privacy-aware smart metering. Results indicate that the average consumer is willing to pay $11 each month to ensure privacy protection in smart metering. Several other key insights are constructed from the survey results, which are used to suggest policy recommendations for smart metering.
We found that the value of location privacy is $12. What does this mean for consumers, service providers, and policymakers?
What is the best way to promote a market for privacy in cellular and location technology?
Considerable number of respondents were not fully aware of cellular privacy risks. What's the best strategy to educate them?
Paper: This paper is not available per the authors' request.
C-4 (10 min): . Read My Lips: Towards Use of the Microsoft Kinect as a Visual-Only Automatic Speech Recognizer
Peter McKay, Bryan Clement, Sean Haverty, Elijah Newton, and Kevin Butler (University of Oregon)
Consumer devices used in the home are capable of collecting ever more information from users, including audio and video. The Microsoft Kinect is particularly well-designed for tracking user speech and motion. In this paper, we explore the ability of current models of the Kinect to support use as an automatic speech recognizer (ASR). Lip reading is known to be difficult due to the many possible lip motions. Our goals were to quantify lip movement while observing the correlation with recognized words. Our preliminary results show that word recognition through the audio interface and with use of the Microsoft Speech API can provide upwards of 90% accuracy over a corpus of words, and that the visual acuity of the Kinect is such that we can capture a total of 22 data points representing the lip model through the Face Tracking API at a high resolution. Based on these results and that of recent work, we forecast that the Kinect has the ability to act as an ASR and that words can potentially be reconstructed through the observation of lip movement without the presence of sound. Such an ability for household devices to observe and parse communication presents a new set of privacy challenges within the home.
If the upcoming Kinect is supposed to be capable of carrying out lip-reading directly out of the box, what is the relevance of examining lip-reading with the current model?
What sort of network environment does the Microsoft Xbox currently reside in? What previously existing threat models can be studied to give us a better idea of how this relatively closed system of Microsoft's Xbox Live operates?
The HUPS workshop is an opportunity for researchers and
practitioners to discuss research challenges and experiences
around the usable privacy and security of smart homes
(e.g., home automation systems; smart appliances in the home;
smart meters; domestic healthcare devices).
The workshop seeks two types of original submissions: (1) short papers describing research outcomes
and (2) position papers describing new research challenges and worthy topics to discuss in all
areas of usable privacy and security of smart homes. Submissions should relate to both human
factors and either privacy or security in smart homes.
Topics may include (but are not limited to):
potential security attacks against in-home technologies and their impact on residents
access control for home data sharing (e.g., photos, documents)
access control for shared data among neighbors (e.g., smart meter data, security camera data)
user authentication on devices in the home
understanding user privacy concerns/expectations regarding sensing and inference systems in the home
designing privacy notifications for recording devices in the home
user testing of home security or privacy features
Short papers may cover research results, work in progress, or experience reports focused on any workshop topic. Papers should describe the purpose and goals of the work, cite related work, and clearly state the contributions to the field (innovation, lessons learned).
Position papers present an arguable opinion about an issue. A position paper may include new ideas or discussions of topics at various stages of completeness. Position papers that present speculative or creative out-of-the-box ideas are welcome. While completed work is not required, position papers should still provide reasonable evidence to support their claims.
Workshop papers will be available on the SOUPS website (if chosen by the authors), but will not be included in the ACM Digital library. This means that the works will not be considered peer-reviewed publications from the perspective of SOUPS/HUPS and hence should not preclude subsequent publication at another venue. Authors of accepted papers will be invited to present their work at the workshop.
We invite authors to submit the following types of papers using the
SOUPS 2-column formatting template (available here for MS
Word or LaTeX):
Submissions should be 1 to 6 pages in length, excluding references and appendices. The paper should be self-contained without requiring that readers also read the appendices.
User experiments should follow the basic principles of ethical research, e.g., beneficence (maximizing the benefits to an individual or to society while minimizing harm to the individual), minimal risk (appropriateness of the risk versus benefit ratio), voluntary consent, respect for privacy, and limited deception. Authors may be asked to include explanation of how ethical principles were followed in their final papers should questions arise during the review process.
Email inquiries to: email@example.com or firstname.lastname@example.org
STUDENT TRAVEL GRANTS
The HUPS workshop committee is pleased to announce that we will provide travel support to graduate students or post-doctoral scholars who otherwise have financial hardship to attend the workshop. The travel support is sponsored by Microsoft Connections. The amount of support depends on the type of attendee and available funding but we expect to support at least 3 to 5 students. Qualified attendees are encouraged to apply and a priority will be given to students who submitted a paper to the workshop.
How to apply: Email email@example.com by June 9, 2013 5pm PDT with the subject [HUPS student travel grant application] and provide a few paragraphs on how the workshop would benefit you and your research, as well as how the community would benefit from your involvement in the workshop. Please indicate whether you have submitted a paper to HUPS and if so include the title of the paper.
Notification: Submissions will be reviewed by a committee. We will respond by June 15, 2013 5pm PDT. Note that travel grant awards *partially* cover the cost of attending HUPS. The only reimbursable expenses are air travel, hotel and SOUPS/HUPS registration. The amount of support provided may vary.