July 9-11, 2014
Menlo Park, CA


Call for papers





Impact Award

Symposium On Usable Privacy and Security

In-cooperation with USENIX


Open access to the full proceedings is provided through USENIX:

Wednesday, July 9

8-9 am: breakfast


9-10:30 am: morning workshop sessions part 1

10:30-11 am: break

11 am-12:30 pm: morning workshop sessions part 2

12:30-1:30 pm: lunch

1:30-3 pm: afternoon workshop sessions part 1

3-3:30 pm: break

3:30-5 pm: afternoon workshop sessions part 2

walk to poster* session

5:15-7 pm: poster session with dinner reception*

*Both the poster session and dinner reception will be outside in the evening. It can be chilly this time of year at night, so consider bringing a sweater or light jacket.

Thursday, July 10

8-9 am: breakfast

9-9:30 am: welcome and awards presentation

  • Distinguished Poster Awards
  • Distinguished Paper Award
  • IAPP SOUPS Privacy Award
  • 2014 SOUPS Impact Award

9:30-10:30 am: keynote speaker: Chris Soghoian,
Sharing the blame for the NSA's dragnet surveillance program

10:30-11 am: break

11 am-12:30 pm: Perspectives on Privacy
Session chair: Heather Lipford, UNC Charlotte

Would a privacy fundamentalist sell their DNA for $1000... if nothing bad happened thereafter? A study of the Westin categories, behavioral intentions, and consequences (IAPP Privacy Paper Award)
Allison Woodruff, Vasyl Pihur (Google); Alessandro Acquisti (Carnegie Mellon University); Sunny Consolvo, Lauren Schmidt (Google); Laura Brandimarte (Carnegie Mellon University)

Parents' and Teens' Perspectives on Privacy In a Technology-Filled World
Lorrie Faith Cranor, Adam Durity, Abigail Marsh, Blase Ur (Carnegie Mellon University)

Privacy attitudes of Mechanical Turk workers and the U.S. public
Ruogu Kang (Carnegie Mellon University); Stephanie Brown (American University); Laura Dabbish, Sara Kiesler (Carnegie Mellon University)

Awareness of Behavioral Tracking and Information Privacy Concern in Facebook and Google
Emilee Rader (Michigan State University)

12:30-1:30 pm: lunch

1:30-3 pm: Warnings and Decisions
Session chair: Mary Ellen Zurko, Cisco Systems

Too Much Choice: End-User Privacy Decisions in the Context of Choice Proliferation
Stefan Korff and Rainer Böhme (University of Münster)

Out of the Loop: How Automated Software Updates Cause Unintended Security Consequences
Rick Wash, Emilee Rader, Kami Vaniea, Michelle Rizor (Michigan State University)

Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It
Cristian Bravo-Lillo, Lorrie Cranor, Saranga Komanduri (Carnegie Mellon University); Stuart Schechter (Microsoft Research); Manya Sleeper (Carnegie Mellon University)

Your Reputation Precedes You: Reputation and the Chrome Malware Warning
Hazim Almuhimedi (Carnegie Mellon University); Adrienne Porter Felt, Rob Reeder, Sunny Consolvo (Google)

3-3:30 pm: break

3:30-5 pm: Users and Security
Session chair: Sunny Consolvo, Google

Exploring Internet Security Attitudes and Practices in Urban Ghana
Kelly McCabe, Jay Chen, Michael Paik (New York University - Abu Dhabi)

The Effect of Social Influence on Security Sensitivity (slides)
Sauvik Das, Hyun Jin Kim, Laura Dabbish, Jason Hong (Carnegie Mellon University)

Privacy Concerns in Online Recommender Systems: Influences of Control and User Data Input
Bo Zhang, Na Wang (Pennsylvania State University); Hongxia Jin (Samsung Research America)

Behavioral Experiments Exploring the Impact of Attack and Attacker on Victims’ Response to Cyber-based Financial Fraud and Identity Theft Scenario Simulations
Heather Rosoff, Jinshu Cui, Richard S. John (University of Southern California)

5:15 pm: shuttles to Palo Alto for attendees taking the SOUPS shuttle from the conference hotel, shuttles will return to the hotel after dinner

5:30-8 pm: SOUPS dinner at Caffe Riace, 200 Sheridan Avenue, Palo Alto

Friday, July 11

8-9 am: breakfast

9-10:30 am: Mobile
Session chair: Joseph Bonneau, Princeton University

Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones
Hui Xu (Shenzhen Research Institute, The Chinese University of Hong Kong); Yangfan Zhou, Michael R. Lyu (The Chinese University of Hong Kong)

Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings
Jialiu Lin, Bin Liu, Jason I. Hong, Norman Sadeh (Carnegie Mellon University)

It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception
Marian Harbach (Leibniz University Hannover); Emanuel von Zezschwitz, Andreas Fichtner, Alexander De Luca (University of Munich (LMU)); Matthew Smith (University of Bonn)

Demo: Obidroid: Monitoring the Android App Store for Unfair or Deceptive Practices
Luis Aguilar, Shreyas, Kristine Yoshihara, Marti A. Hearst (University of California Berkeley)

Lightning talk: Can I Trust You? The Future of Ephemeral Text Messages and Photo Sharing
Khalia Braswell (University of North Carolina at Charlotte)

10:30-11 am: break

11 am-12:30 pm: Authentication
Session chair: Sonia Chiasson, Carleton University

Applying Psychometrics to Measure User Comfort when Constructing a Strong Password
S M Taiabul Haque, Shannon Scielzo, Matthew Wright (University of Texas at Arlington)

The Password Life Cycle: User Behaviour in Managing Passwords
Elizabeth Stobert and Robert Biddle (Carleton University)

Crowdsourcing Attacks on Biometric Systems (Distinguished Paper Award)
Saurabh Panjwani (Independent Consultant) and Achintya Prakash (University of Michigan)

Lightning talk: Memorizing 56-bit random passwords through spaced repetition
Joe Bonneau (Princeton); Stuart Schechter (Microsoft Research)

Lightning talk: 534 simple steps to stay safe online: Security advice for non-tech-savvy users
Iulia Ion, Rob Reeder, Sunny Consolvo (Google)

12:30-1:30 pm: lunch

1:30-3 pm: Social Networks and Access Control
Session chair: Yang Wang, Syracuse University

Understanding and Specifying Social Access Control Lists (Distinguished Paper Award)
Mainack Mondal (MPI-SWS); Yabing Liu (Northeastern University); Bimal Viswanath, Krishna Gummadi (MPI-SWS); Alan Mislove (Northeastern University)

To Befriend Or Not? Friend Request Acceptance Model on Facebook
Hootan Rashtian, Yazan Boshmaf, Pooya Jaferian, Konstantin Beznosov (University of British Columbia)

To authorize or not authorize: helping users review access policies in organizations
Pooya Jaferian, Hootan Rashtian, Konstantin Beznosov (University of British Columbia)

Lightning talk: Context-Adaptive Privacy Mechanisms
Florian Schaub (Carnegie Mellon University)

Lightning talk: Network Text Analysis for Understanding Privacy and Security Updates
Michael W. Bigrigg (General Dynamics C4 Systems)

Lightning talk: How Neuroscience Can Improve Security Warnings: Insights from fMRI
Bonnie Brinton Anderson, Anthony Vance, Brock Kirwan (Brigham Young University); David Eargle (University of Pittsburgh); Seth Howard (Google)

3-3:30 pm: break

3:30-4:45 pm: panel, "Division of labor between people and technology: just right or dumping the burden on users?"

4:45 pm: SOUPS social

KEYNOTE: Christopher Soghoian

Christopher Soghoian, American Civil Liberties Union (ACLU)

Sharing the blame for the NSA's dragnet surveillance programs [YouTube]

Fifteen years after the publication of "Why Johnny Can't Encrypt", most users still can't, and thus don't encrypt. Even in the wake of the Snowden disclosures, the best that the tech industry has delivered (after years of begging, pleading and harassment by activists) is default HTTPS between the user and server. Emails are still stored in plain text at the service provider, and in many cases, sent between different email services without any encryption. Files are often not encrypted on our computers or devices, and then when they are backed up to the cloud, the companies providing those services generally have access to all of our data. We know how to do this in a more secure way, but the mainstream products provided by big tech companies to consumers rarely do so.

Because so much of our sensitive data is transmitted or stored in unencrypted form, the biggest problem for the NSA is not code breaking, but analysis: How to parse all of those emails, instant messages, web browsing records, and location data. For all of the fantastic cryptographic algorithms and security protocols that the security community has created, they aren't much of a problem for governments that seek to collect as much private information as they can. The blame for this is ours - our academic community that evaluates success by published papers, not on whether or not the security innovations ever reach users. We have failed to protect the public, and, in many ways, have made things even worse.

That needs to change. There are of course real barriers - including serious usability issues and advertising supported business models - that make default use of crypto difficult. We must identify these, and then find innovative ways around them. Post Snowden, this community has a big job, but, if we want to avoid living in a surveillance state, we must do it.

Bio: Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union. Soghoian completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers.


Division of labor between people and technology: just right or dumping the burden on users?

Cormac Herley (Microsoft), Moderator
Christian Rohrer (McAfee)
Adrienne Porter Felt (Google)
Paul van Oorschot (Carleton University)
Scott Renfro (Faceook)


Input Password Only with Four Keys, Three Times
Akane Ito; Yui Ohtaka; Yoshie Yamada; Manabu Okamoto (Kanagawa Institute of technology)

Mobile Security for Dummies: Designing Mobile Security Interfaces for the Non-Expert
Ann-Marie Horcher; Gurvirender Tejay; Maxine Cohen (Nova Southeastern University)

Clarity of Facebook Connect login permissions
Nicky Robinson; Joseph Bonneau (Princeton University)

Towards Continuous Authentication Based on Mobile Messaging App Usage
Eric Klieme (NovaTec Consulting GmbH); Klaus-Peter Engelbrecht, Sebastian Möller (Quality and Usability Lab, Telekom Innovation Laboratories, TU Berlin)

Who Has My Data? Illuminating Renters' Smart Meter Privacy Concerns
Germaine Irwin, Nilanjan Banerjee, Amy Hurst (University of Maryland Baltimore County); Sami Rollins (University of San Francisco)

Adaptive Disclosure Control System Using Detection of Sensitive Information in SNSs
Shimon Machida (The Graduate University for Advanced Studies); Tomoko Kajiyama (Aoyama Gakuin University); Shigeru Shimada (Tokyo Metropolitan University AIIT); Isao Echizen (National Institute of Informatics)

Towards an Instrument to Measure Everyday Privacy and Security Knowledge
Lydia Kraus; Tobias Hirsch; Ina Wechsung; Maija Poikela; Sebastian Möller (TU Berlin, Telekom Innovation Labs)

Designing a Persuasive Application to Improve Organizational Information Security Policy Awareness, Attitudes and Behavior
Marc Busch; Peter Wolkerstorfer; Christina Hochleitner; Georg Regal; Manfred Tscheligi (AIT - Austrian Institute of Technology GmbH)

Transitive Privacy Concern in Social Networks
Yumi Jung; Emilee Rader (Michigan State University)

Towards Usable Privacy Policies: Semi-automatically Extracting Data Practices From Websites' Privacy Policies
Norman Sadeh, Alessandro Acquisti, Travis D. Breaux, Lorrie Faith Cranor (Carnegie Mellon University); Aleecia M. McDonald (Stanford University); Joel Reidenberg (Fordham University); Noah A. Smith, Fei Liu (Carnegie Mellon University); N. Cameron Russell (Fordham University); Florian Schaub, Shomir Wilson, James T. Graves, Pedro Giovanni Leon, Rohan Ramanath, Ashwini Rao (Carnegie Mellon University)

A Preliminary Study of Users' Experiences and Beliefs about Software Update Messages
Michael Fagan; Mohammad Maifi Hasan Khan; Ross Buck (University of Connecticut)

Computer security information in stories, news articles, and education documents
Katie Hoban; Emilee Rader; Rick Wash; Kami Vaniea (Michigan State University)---Distinguished Poster Award

Exploring the Usability of Pronounceable Passwords
Shing-hon Lau; Stephen Siena; Ashutosh Pandey; Sroaj Sosothikul; Lorrie Faith Cranor; Blase Ur; Richard Shay (Carnegie Mellon University)

Preliminary Investigation of Cognitive Effort in Privacy Decision-Making: Sharing Personal Information vs. 3 X 4
Kovila P.L. Coopamootoo; Thomas Gross (Newcastle University)

Will this Onion Make You Cry? A Usability Study of Tor-enabled Mobile Apps
Hala Assal; Sonia Chiasson (Carleton University)---Distinguished Poster Award

Assessing Privacy Awareness from Browser Plugins
Aditya Marella; Chao Pan; Ziwei Hu; Florian Schaub; Blase Ur; Lorrie Faith Cranor (Carnegie Mellon University)

Factors Associated with Online Privacy Knowledge
Masooda Bashir; Kevin Hoff; Gahyun Jeon (University of Illinois at Urbana Champaign)

Users' Perceptions of and Willingness to Use Single-Sign-On Functionality
Lujo Bauer; Christian Bravo-Lillo; Elli Fragkaki; William Melicher; Michael Stroucken (Carnegie Mellon University)

Obidroid: Monitoring the Android App Store for Unfair or Deceptive Practices
Luis Aguilar; Shreyas; Kristine Yoshihara; Marti A. Hearst (University of California, Berkeley)

Privacy in Emotion Sharing on Social Media
Yun Huang; Yang Wang; Ying Tang (Syracuse University)

Privacy Concerns in Repairing
Syed Ishtiaque Ahmed, Shion Guha (Cornell University); Md. Rashidujjaman Rifat (Bangladesh University of Engineering and Technology)

Study on User's Attitude and Behavior towards Android Application Update Notification
Yuan Tian; Bin Liu; Weisi Dai; Lorrie Faith Cranor; Blase Ur; Weisi Dai (Carnegie Mellon University)

A Game Storyboard Design for Avoiding Phishing Attacks
Nalin A.G. Arachchilage (University of British Columbia); Ivan Flechais (University of Oxford); Konstantin Beznosov (University of British Columbia)

Usability Analysis of Biometric Authentication Systems on Mobile Phones
Chandrasekhar Bhagavatula, Kevin Iacovino (Carnegie Mellon University); Su Mon Kywe (Singapore Management University); Lorrie Faith Cranor, Blase Ur (Carnegie Mellon University)

Enforcing Least Privilege with Android Permissions in Mobile App Development
Emmanuel Bello-Ogunu; Mohamed Shehab (University of North Carolina, Charlotte)

Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences

The Privacy and Security Behaviors of Smartphone App Developers
Rebecca Balebako; Abigail Marsh; Jialiu Lin; Jason Hong; Lorrie Faith Cranor (Carnegie Mellon University)
(Previously published at USEC 2014)

Counteracting the negative effect of form auto-completion on the privacy calculus
Bart P. Knijnenburg, Alfred Kobsa (University of California, Irvine); Hongxia Jin (Samsung Research America - Silicon Valley)
(Previously published at ICIS 2013)

A Field Trial of Privacy Nudges for Facebook
Yang Wang (Syracuse University); Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, Norman Sadeh (Carnegie Mellon University)---Distinguished Poster Award
(Previously published at CHI 2014)

An implicit author verification system for text messages based on gesture typing biometrics
Ulrich Burgbacher; Klaus Hinrichs (University of Münster)
(Previously published at CHI 2014)


SOUPS 2014 is sponsored by Carnegie Mellon CyLab