CUPS - CyLab Usable Privacy and Security Laboratory - Carnegie Mellon University, 5000 Forbes Ave., Pittsburgh, PA 15213

User controllable security and privacy

Managing security and privacy policies is known to be a difficult problem. New user interfaces are needed to effectively and efficiently support lay users in understanding and managing security and privacy policies: their own as well as those implemented by the systems and individuals with whom they interact. Solutions in this area have traditionally taken a relatively narrow view of the problem by limiting the expressiveness of policy languages or the number of options available in templates, restricting some decisions to specific roles within the enterprise, etc.

As systems grow more pervasive and more complex, and as demands for flexibility and delegation continue to grow, it is imperative to take a more fundamental view that weaves together issues of security, privacy and usability. Such a view should systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance, and should develop novel mechanisms and technologies that help mitigate these tradeoffs, maximizing accuracy and trustworthiness while minimizing the time and effort required of end users.

The objective of this project is to develop new interfaces that combine user-centered design principles with dialog, explanation and learning technologies to assist users in specifying and refining policies. One new policy authoring interface we have developed is a visualization technique for displaying policies in a two-dimensional "expandable grid". (See also the User controllable security and privacy project page, the Expandable grids project, Grey project, and Locaccino.)

K. Vaniea, L. Bauer, L.F. Cranor, and M.K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In LASER 2012: Learning from Authoritative Security Experiment Results, July 2012.

K. Vaniea, L. Bauer, L.F. Cranor, and M.K. Reiter. Out of sight, out of mind: Effects of displaying access-control information near the item it controls. In Proceedings of the Tenth Annual Conference on Privacy, Security and Trust, July 2012.

P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.

J. Cranshaw, J. Mugan, and N. Sadeh. 2011. User-Controllable Learning of Location Privacy Policies with Gaussian Mixture Models. Proceedings of the Twenty-Fifth Conference on Artificial Intelligence (AAAI-11) San Francisco, California.

P. G. Kelley, R. Brewer, P. Mayer, L. F. Cranor, and N. Sadeh. An investigation into Facebook friend grouping. In Proceedings of 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT'2011), 2011.

Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

Kelley, P.G., Benisch, M., Cranor, L.F., and Sadeh, N. When Are Users Comfortable Sharing Locations with Advertisers? CHI 2011.

Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor. Exploring reactive access control. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

Janne Lindqvist and Jason Hong. Undistracted Driving: A Mobile Phone that Doesn't Distract. In HotMobile 2011: 12th Workshop on Mobile Computing Systems and Applications, Phoenix, Arizona, USA, March 1-2, 2011.

M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010.

M. Benisch, P.G. Kelley, N. Sadeh, and L.F. Cranor. Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs. Personal and Ubiquitous Computing. Published online 07 December 2010.

E. Toch, J. Cranshaw, P.H. Drielsma, J.Y. Tsai, P.G. Kelley, J. Springfield, L. Cranor, J. Hong, N. Sadeh. Empirical Models of Privacy in Location Sharing. Ubicomp 2010.

K. Tang, J. Lin, J. Hong, and N. Sadeh. Rethinking Location Sharing: Exploring the Implications of Social-Driven vs. Purpose-Driven Location Sharing. Ubicomp 2010.

J. Lin, G. Xiang, J. Hong, and N. Sadeh. Modeling People's Place Naming Preferences in Location Sharing. Ubicomp 2010.

J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC 2009.

J. Tsai, P. Kelley, P. Drielsma, L. Cranor, J. Hong, and N. Sadeh. Who's Viewed You? The Impact of Feedback in a Mobile-location System. CHI 2009.

L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.

R.W. Reeder, P.G. Kelley, A.M. McDonald, and L.F. Cranor. A User Study of the Expandable Grid Applied to P3P Policy Visualization. Workshop on Privacy in the Electronic Society (WPES 2008). Oct. 2008.

R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.

L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A User Study of Policy Creation in a Flexible Access-Control System. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

M. Prabaker, J. Rao, I. Fette, P. Kelley, L. Cranor, J. Hong, and N. Sadeh, Understanding and Capturing People's Privacy Policies in a People Finder Application, 2007 Ubicomp Workshop on Privacy, Austria, Sept. 2007.

J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, L. Cranor, J. Hong, B. McLaren, M. Reiter, N. Sadeh, "User-Controllable Security and Privacy For Pervasive Computing", Proceedings of the 8th IEEE Workshop on Mobile Computing Systems and Applications (HotMobile 2007).

L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
