July 24-26, 2013
Newcastle, UK







Symposium On Usable Privacy and Security


The SOUPS proceedings are archived in the ACM Digital Library. All papers are also available on this website, linked from the program (below on this page). You may also view the proceedings front matter and the SOUPS 2013 photo collection.

Wednesday, July 24

Registration, breakfast, lunch, breaks, and the poster session will be held in the Student Union, Domain.

8-9 am: breakfast

9 am - noon: morning workshop sessions

Noon - 1 pm: lunch

1-4:30 pm: afternoon workshop sessions

5-7 pm: poster session with dinner reception

Thursday, July 25

All talks will be held in the Student Union, Stage 2. Breakfast, lunch and breaks will be held in the Student Union, Domain.

8-9 am: breakfast

9-9:20 am: welcome and awards presentation

9:20-10:45 am: Authentication and Authorization
Chair, Robert Reeder (Google)

When It's Better to Ask Forgiveness than Get Permission: Attribution Mechanisms for Smartphone Resources
Christopher Thompson, Maritza Johnson, Serge Egelman, David Wagner, and Jennifer King (UC Berkeley)

[Distinguished paper award] Formal Definitions for Usable Access Control Rule Sets - From Goals to Metrics
Matthias Beckerle (Technische Universität Darmstadt) and Leonardo Augusto Martucci (Karlstad University)

CASA: Context-Aware Scalable Authentication
Eiji Hayashi, Sauvik Das, Shahriyar Amini, and Jason Hong (Carnegie Mellon University) and Ian Oakley (University of Madeira)

10:45-11:10 am: break

11:10 am - 12:35 pm: SOUPS du jour
Chair, Serge Egelman (UC Berkeley)

Retrospective Privacy: Managing Longitudinal Privacy in Online Social Networks
Oshrat Ayalon and Eran Toch (Department of Industrial Engineering, Tel Aviv University)

Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes
Scott Ruoti, Nathan Kim, Ben Burgon, Timothy W. van der Horst, and Kent E. Seamons (Brigham Young University)

[Distinguished paper award] Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore
Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, and Robert W. Reeder (Carnegie Mellon University), Stuart Schechter (Microsoft Research), and Manya Sleeper (Carnegie Mellon University)

12:35-1:30 pm: lunch

1:30-2:30 pm: Keynote talk
Harold Thimbleby: Security & safety overlaps

2:30-3:45 pm: Lightning Talks, Session chair: Alain Forget (Carnegie Mellon University)

  • Too Smart for Your Own Good: Regulatory Beginnings for Ubiquitous Computing - Janice Tsai (Microsoft Research)
  • Why mobile privacy policies suck, and the need to design for trust in an age of complexity - Patrick Walshe (GSMA)
  • Understanding location-based privacy decision making - Aristea Maria Zafeiropoulou (University of Southampton)
  • Applying contextual integrity to incentivised location sharing - Luke Hutton (University of St Andrews)
  • Designing defenses against socio-technical attacks - Ana Ferreira (University of Luxembourg)
  • Interactive User Requirements Extraction for Security and Privacy - Akira Kanaoka (National Institute of Information and Communications Technology, Japan)
  • Data leakage from contactless payment cards - Martin Emms (Newcastle University)
  • Ethics as a Service - Stuart Schechter (Microsoft Research)
  • Mimicry as a Security Interaction Design Lens - Arne Renkema-Padmos (TU Darmstadt)
  • Enhancing Location Disclosure by Distinguishing between Public and Private Spaces - Jeremy Wood (LocationAnonymization)
  • Device Dash: An Educational Computer Security Game - Era Vuksani (MIT Lincoln Laboratory)

3:45-4:15 pm: break

4:15-5:40 pm: Privacy
Chair, Sebastian Möller (Technische Universität Berlin and Telekom Innovation Laboratories)

What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers
Pedro G. Leon and Blase Ur (Carnegie Mellon University), Yang Wang (Syracuse University), Manya Sleeper, Rebecca Balebako, Richard Shay, and Lujo Bauer (Carnegie Mellon University), Mihai Christodorescu (Qualcomm Research Silicon Valley), and Lorrie Faith Cranor (Carnegie Mellon University)

Do Not Embarrass: Re-Examining User Concerns for Online Tracking and Advertising
Lalit Agarwal, Nisheeth Shrivastava, Sharad Jaiswal, and Saurabh Panjwani (Bell Labs India)

Sleights of Privacy: Framing, Disclosures, and the Limits of Transparency
Idris Adjerid, Alessandro Acquisti, Laura Brandimarte, and George Loewenstein (Carnegie Mellon University)

6-11:30 pm: SOUPS dinner at Alnwick Garden. Transportation will be provided.

The Alnwick Garden is one of the most exciting contemporary gardens on earth. A garden for gardeners with a design that looks to the future. It's a stunning attraction and a floral wonderland. You can see acres of fascinating plants, water sculptures and the infamous Poison Garden. The landscape is eclectic, from the gentle waves of colour and scent in the Rose Garden to the riotous, spellbinding water displays of the centrepiece, the Grand Cascade. The pergola-covered paths of the rose garden combine shrub and climbing roses with clematis and honeysuckle, and the Ornamental Garden features the best of European garden design and planting. In the Serpent Garden, eight water sculptures nestle in the coils of a topiary serpent, while the Poison Garden holds dangerous plants and their stories. A short walk from the Garden is Alnwick Castle, one of the largest inhabited castles in England, and proudly known as 'The Windsor of the North'. Built as a medieval fortress, today it is home to the Duke and Duchess of Northumberland and their family. Alnwick Castle was featured as Hogwarts in the first two Harry Potter films. Scenes filmed at the castle include the first Quidditch lesson in Harry Potter and The Philosopher's Stone and the crash landing of the flying Ford Anglia in Harry Potter and The Chamber of Secrets.

Friday, July 26

All talks will be held in the Student Union, Stage 2. Breakfast, lunch and breaks will be held in the Student Union, Domain.

8-9 am: breakfast

9-9:20 am: Lightning Talks, Session chair: Alain Forget (Carnegie Mellon University)

  • Telepathwords - Stuart Schechter (Microsoft Research)
  • Online privacy: a matter of market and publisher’s will - Ivan Chardin (AVG Innovation)
  • Security Behavior Observatory - Alain Forget (Carnegie Mellon University)

9:20-10:45 am: Mobile Devices
Chair, Robert Biddle (Carleton University)

Modifying Smartphone User Locking Behavior
Dirk Van Bruggen, Shu Liu, Mitch Kajzer, Aaron Striegel, and Charles R. Crowell (University of Notre Dame) and John D'Arcy (University of Delaware)

Exploring the Design Space of Graphical Passwords on Smartphones
Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber (Ulm University)

"Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones
Rebecca Balebako (Carnegie Mellon University), Jaeyeon Jung (Microsoft Research), Wei Lu (Microsoft), Lorrie Cranor (Carnegie Mellon University), and Carolyn Nguyen (Microsoft)

10:45-11:10 am: break

11:10 am - 12:35 pm: Passwords
Chair, Sameer Patil (Helsinki Institute for Information Technology)

On The Ecological Validity of a Password Study
Sascha Fahl, Matthew Smith, and Marian Harbach (DCSEC, Leibniz University Hannover)

Usability and Security Evaluation of GeoPass: a Geographic Location-Password Scheme
Julie Thorpe and Brent MacRae (University of Ontario Institute of Technology) and Amirali Salehi-Abari (University of Toronto)

Memory Retrieval and Graphical Passwords
Elizabeth Stobert and Robert Biddle (Carleton University)

12:35-1:30 pm: lunch

1:30-3 pm: panel session - Who Sets the Privacy Bar?

3 pm: SOUPS social

Keynote talk

Keynote speaker: Harold Thimbleby, Swansea University

Security & safety overlaps

Safety is a dual of security: while security is about stopping bad people doing bad things, safety is about stopping good people doing bad things. However, by definition, there are no good people who want to do bad things, and this changes everything.

This talk, based in experience of medical safety particularly with embedded computers, explores the cultural misdirection that presents system error as human error, and the ubiquitous consequences of that. The dual process model of human cognition (popularized by Nobel Prize winner Daniel Kahneman) is shown to lead to a pro-active role for engineering approaches to improve safety. We thus show some automated techniques that can be used to criticize defective designs in hindsight, can be used proactively in procurement, or can be used to improve future systems.

If we could miraculously improve medical engineering, hospitals would kill fewer people. The practical problem facing us is therefore to find out how to align the interests of victims with the interests of the providers, another overlap between security and safety.

Bio: Prof Harold Thimbleby is well known for his work in human-computer interaction, but he recently turned his attention more specifically to human-computer interaction in the medical context after one of his students spent time in intensive care. He has been elected an honorary fellow of the Royal College of Physicians, “the highest honour the RCP can bestow on a non-medically qualified person.” See

Panel: Who Sets the Privacy Bar?

Privacy is very personal, but for users to control their online privacy they often have to rely on companies and other organizations to provide privacy tools, or governments to set privacy regulations. Who decides where the privacy bar should be set and how users can adjust it? Panelists will discuss the forces at play in the privacy space - governments, businesses, and the users - and the convergent and divergent interests these communities have in user-managed privacy. Panelists will try to identify ways these groups can work together to improve the capabilities of users to manage their privacy while having effective online interactions.

Moderator: Ken Klingenstein, Internet2
Lorrie Cranor, Carnegie Mellon University
Konstantin (Kosta) Beznosov, University of British Columbia
Robin Wilton, Technical Outreach for Identity and Privacy, the Internet Society (ISOC)
James Varga, CEO,


UserCSP- User Specified Content Security Policies
Kailas Patil (National University of Singapore), Tanvi Vyas, Frederik Braun, and Mark Goodwin (Mozilla Corporation), and Zhenkai Liang (National University of Singapore)

Anti-phishing System Link-back to Login Page from Footprint
Saki Naguchi, Nami Hidaka, and Manabu Okamoto (Kanagawa Institute of Technology)

Input Password Only with Arrow Keys
Nami Hidaka, Saki Naguchi, and Manabu Okamoto (Kanagawa Institute of Technology)

Identity Management Futures: Assessing Privacy and Security Concerns of the Young and Old
Lisa Thomas and Pam Briggs (Northumbria University)

Information Disclosure between Different Groups on Social Networking Sites
Lili Nemec Zlatolas and Tatjana Welzer Druzovec (University of Maribor, Faculty of Electrical Engineering and Computer Science)

Hide and seek: On the disparity of browser security settings
Alexios Mylonas, Nikolaos Tsalis, and Dimitris Gritzalis (Athens University of Economics & Business)

Towards an app-driven Mobile Authentication Model
Nicholas Micallef, Mike Just, Lynne Baillie, and Gunes Kayacik (Glasgow Caledonian University)

Handsfree ZRTP - A Novel Key Agreement for RTP, Protected by Voice Commitments
Dominik Schürmann and Stephan Sigg (TU Braunschweig)

Balancing usability and security in the business cloud authentication
Joona Kurikka and Marko Nieminen (Aalto University)

Influence of the knowledge level about information security on Anshin factors
Dai Nishioka, Yoshia Saito, and Yuko Murayama (Software and Information Science, Iwate Prefectural University, Japan)

SHRT – New method of URL shortening including relative word of target URL
Soojin Yoon, Jeongeun Park, Changkuk Choi, and Seungjoo Kim (CIST (Center for Information Security Technologies), Korea University)

Similarity Assessment Metrics of Hybrid Images for Graphical Password
Madoka Hasegawa, Keita Takahashi, and Shigeo Kato (Utsunomiya University)

Highlighting Disclosure of Sensitive Data on Android Application with Static Analysis
Takuya Sakashita, Shinpei Ogata, Haruhiko Kaiya, and Kenji Kaijiri (Shinshu University)

Memorability of Computer Security Posters as Affected by Message Type
Mitchell Kajzer, Charles R. Crowell, and Angela Ferreira (University of Notre Dame), John D’Arcy (University of Delaware), and Dirk VanBruggen and Aaron Striegel (University of Notre Dame)

Android + Open Wi-Fis = Broken SSL?
Marten Oltrogge, Sascha Fahl, Marian Harbach, and Matthew Smith (DCSEC, Leibniz University Hannover)

Visual Password Checker
Kyriakos Kafas (University of Cambridge, UK) and Nouf Aljaffan and Shujun Li (University of Surrey, UK)

Towards a Model for Analysing Anti-Phishing Authentication Ceremonies
Edina Hatunic-Webster, Fred Mtenzi, and Brendan O'Shea (Dublin Institute of Technology)

Ephermality in Social Media
Erik Northrop and Heather Lipford (UNC Charlotte)

Content and Context for Browser Warnings
Melanie Volkamer and Steffen Bartsch (CASED, TU Darmstadt) and Erik Northrop (UNC Charlotte)

Understanding and Using Anonymous Credentials
Zinaida Benenson (University of Erlangen-Nuremberg), Ioannis Krontiris (Goethe University Frankfurt), Dominik Schröder and Alexander Schopf (University of Erlangen-Nuremberg), Kai Rannenberg (Goethe University Frankfurt), and Yannis Stamatiou and Vasia Liagkou (Computer Technology Institute Patras)

Waiting Makes the Heart Grow Fonder and the Password Grow Stronger: Experiments in Nudging Users to Create Stronger Passwords
Nathan Malkin, Shriram Krishnamurthi, and David H. Laidlaw (Brown University)

Exploring user perceptions of authentication scheme security
Ann Nosseir (British University in Egypt) and Sotirios Terzis (University of Strathclyde)

Preliminary Investigation of an NFC-Unlock Mechanism for Android
Sandra Flügge, Hannes Scharf, Sascha Fahl, and Matthew Smith (University of Hannover)

On the Usability of Secure GUIs
Atanas Filyanov and Aysegul Nas (Ruhr-University Bochum), Melanie Volkamer (TU Darmstadt), and Marcel Winandy (Ruhr-University Bochum)

Helping users review and make sense of access policies in organizations
Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov (University of British Columbia)

Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences

The post that wasn’t: exploring self-censorship on Facebook
Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor (Carnegie Mellon University)
(Previously published at CSCW 2013)

Secure communication based on ambient audio
Dominik Schürmann and Stephan Sigg (TU Braunschweig)
(Previously published in IEEE Transactions on Mobile Computing 2013)

Someone To Watch Over Me
Heather Richter Lipford (University of North Carolina at Charlotte) and Mary Ellen Zurko (Cisco Systems)
(Previously published at NSPW 2012)

To Deceive or Not to Deceive! Ethical Questions in Phishing Research
Rasha Salah El-Din (University of York)
(Previously published in the British HCI 2012 Workshop Proceedings)

Usable Security in the Developing World: The Case of Mobile-Based Branchless Banking
Saurabh Panjwani (Bell Labs India)
(Previously published at ACM DEV 2013 as Practical Receipt Authentication for Branchless Banking)


SOUPS 2013 is sponsored by Carnegie Mellon CyLab