07.08.2015 Views

The Saucer


The Saucer Summer 2015

Recent Publications

Most CUPS publications are available on the CUPS website. The following are a selection of publications from the past year.

Privacy Decision Making

Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging
H. Almuhimedi, F. Schaub, I. Adjerid, A. Acquisti, J. Gluck, L. Cranor, Y. Agarwal
CHI 2015

Smartphone users are often unaware of the data collected by apps running on their devices. We report on a study that evaluates the benefits of giving users an app permission manager and sending them nudges intended to raise their awareness of the data collected by their apps. Our study provides both qualitative and quantitative evidence that these approaches are complementary and can each play a significant role in empowering users to more effectively control their privacy. For instance, even after a week with access to the permission manager, participants benefited from nudges showing them how often some of their sensitive data was being accessed by apps, with 95% of participants reassessing their permissions, and 58% of them further restricting some of their permissions. We discuss how participants interacted both with the permission manager and the privacy nudges, analyze the effectiveness of both solutions, and derive some recommendations.

A Design Space for Effective Privacy Notices
F. Schaub, R. Balebako, A. Durity, and L. Cranor
SOUPS 2015

Notifying users about a system’s data practices is supposed to enable users to make informed privacy decisions. Yet, current notice and choice mechanisms, such as privacy policies, are often ineffective because they are neither usable nor useful, and are therefore ignored by users. Constrained interfaces on mobile devices, wearables, and smart home devices connected in an Internet of Things exacerbate the issue. Much research has studied usability issues of privacy notices and many proposals for more usable privacy notices exist. Yet, there is little guidance for designers and developers on the design aspects that can impact the effectiveness of privacy notices. In this paper, we make multiple contributions to remedy this issue. We survey the existing literature on privacy notices and identify challenges, requirements, and best practices for privacy notice design. Further, we map out the design space for privacy notices by identifying relevant dimensions. This provides a taxonomy and consistent terminology of notice approaches to foster understanding and reasoning about notice options available in the context of specific systems. Our systemization of knowledge and the developed design space can help designers, developers, and researchers identify notice and choice requirements and develop a comprehensive notice concept for their system that addresses the needs of different audiences and considers the system’s limitations and opportunities for providing notice.

What do they know about me? Contents and Concerns of Online Behavioral Profiles
A. Rao, F. Schaub, N. Sadeh
UbiComp 2014

Data aggregators collect large amounts of information about individual users and create detailed online behavioral profiles of individuals. Behavioral profiles benefit users by improving products and services. However, they have also raised concerns regarding user privacy, transparency of collection practices and accuracy of data in the profiles. To improve transparency, some companies are allowing users to access their behavioral profiles. In this work, we investigated behavioral profiles of users by utilizing these access mechanisms. Using in-person interviews (n=8), we analyzed the data shown in the profiles, elicited user concerns, and estimated accuracy of profiles. We confirmed our interview findings via an online survey (n=100). To assess the claim of improving transparency, we compared data shown in profiles with the data that companies have about users. More than 70% of the participants expressed concerns about collection of sensitive data such as credit and health information, level of detail and how their data may be used. We found a large gap between the data shown in profiles and the data possessed by companies. A large number of profiles were inaccurate with as much as 80% inaccuracy. We discuss implications for public policy management.

Passwords

Measuring Real-World Accuracies and Biases in Modeling Password Guessability
B. Ur, S. Segreti, L. Bauer, N. Christin, L. Cranor, S. Komanduri, D. Kurilova, M. Mazurek, W. Melicher, R. Shay
USENIX Security 2015 (forthcoming)

Parameterized password guessability—how many guesses a particular cracking algorithm with particular training data would take to guess a password—has become a common metric of password security. Unlike statistical metrics, it aims to model real-world attackers and to provide per-password strength estimates. We investigate how cracking approaches often used by researchers compare to real-world cracking by professionals, as well as how the choice of approach biases research conclusions. We find that semi-automated cracking by professionals outperforms popular fully automated approaches, but can be approximated by combining multiple such approaches. These approaches are only effective, however, with careful configuration and tuning; in commonly used default configurations, they underestimate the real-world guessability of passwords. We find that analyses of large password sets are often robust to the algorithm used for guessing as long as it is configured effectively. However, cracking algorithms differ systematically in their effectiveness guessing passwords with certain common features (e.g., character substitutions). Our results highlight the danger of relying only on a single cracking algorithm as a measure of password strength and constitute the first scientific evidence that automated guessing can often approximate guessing by professionals.
