Month: October 2014

SOUPS Roundup – Privacy Preferences, Authentication Aspects, and Social Security

I had originally intended to post blog updates on my 3 days spent at SOUPS 2014, but with research/teaching/my own classes/startup(!?) work getting in the way I figured I’ll just fold all of that into this post. Since I don’t remember all the twists and turns of my SOUPS experience, I’ll leave this as my selection of papers I found interesting (based on my notes).

Here’s a list of the SOUPS papers I still want to read more in-depth:
It’s a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception
Password Activity Lifecycle
Privacy Attitudes of Mechanical Turk Workers and the U.S. Public (I was left feeling wanting during the presentation of this paper … lots of odd, unanswered questions were in my mind. Reading this may answer them???)
Behavioral Experiments Exploring Victims’ Response to Cyber-based Financial Fraud and Identity Theft Scenario Simulations

Moving on to the ones I did listen to AND read (:D):
Would a privacy fundamentalist sell their DNA for $1000… if nothing bad happened as a result? The Westin categories, behavioral intentions, and consequences (Best Paper)
Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Lauren Schmidt, Laura Brandimarte, Alessandro Acquisti

This paper was an in-depth exploration of Westin’s Privacy Segmentation Index as it applies to behavioral intent and user consequences. The authors explored whether there was a correlation between users’ segmentation into Westin’s privacy groups (fundamentalists, pragmatists, unconcerned) and their actions & behaviors. Of course, while the lack of correlation of contextual responses between privacy groups is not in and of itself a novel result (by 2014’s standards), the consequences analysis is novel. The authors performed a large-scale MTurk study involving first segmenting the users into Westin’s groups and then providing the Turkers with situations in which the privacy implications and outcomes vary and checking how the users respond (would a fundamentalist object more strongly if their image is disseminated on the net?). Of course, this is known as the privacy paradox, wherein users’ attitudes about privacy clash with their actions regarding it. There are assumed reasons for why this is the case: Westin’s PI is about general attitudes, not context-specific cases; users might compromise their privacy concerns under contexts for the matters of convenience, trust, or profit (this ties to other aspects of human psychology I’ve noticed in currency/finance studies; people do not pursue the best financial decisions when there is some emotional motivator at play). The authors conducted a two-phase study: Phase I involved a survey of privacy attitudes involving 4 different privacy scales, personal information misuse questions, and personality/demographic characteristics; Phase II involved asking what these now-segmented people would do under privacy-compromising situations. The scenario that the title relates to is:

‘A marketing company offers you $1000 and free genetic testing in exchange for the rights to all your current and future medical records. They will have the right to resell or publish your data (anonymously or with information that could identify you, at their discretion)’.

There are 20 of these scenarios in total, relating to many different fields beyond health (social, finance, etc). Results involved: suggested improvements to Westin’s segmentation (which didn’t work too well, by their own admission. Too bad, really!), effect of brand manipulations on privacy concerns (meaning: people trust Amazon, Google, etc. more with their information than IWillStealYourIdentity.com), and predictors for disclosure (is there some combination of known variables that will work with these privacy segmentations to figure out if someone will give their DNA away on the internet!? The answer: Sorta; not exactly.). Overall some cool stuff, certainly a shoo-in for the award it got given the quality research, work, and writing done by the authors. I, of course, am always left wanting for perfect endings and I didn’t get that here like I felt I did when I saw Gone Girl (ah, but that is a different blog post….).

Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones
Hui Xu, Yangfang Zhou, Michael R. Lyu
This is a paper about a continuous authentication method for smartphones. I didn’t feel the concept of continuous authentication in a paper was novel enough in its own right. Is this because I went to the WAY Workshop at SOUPS!? Answer: No, because continuous authentication has been done a bit before. Plus, I recently tore up a paper in review at another venue for some fairly lazy continuous authentication work. Actually, the contribution of this paper is the implementation of the continuous authentication method via a 30-person user study. Let’s dig in a bit more.
The paper goes into using biometric characteristics of stroke dynamics and the like. They separate user operations into: keystrokes, slides, pinch, and handwriting. They programmed an application to put their users through a training phase and asked them to perform tasks. In total: 32 people recruited with the singular goal of collecting training data on an Android device. I would classify the chief contributions of this paper to be analyzing the EER effects of the behavioral biometrics of: keystroke, slide, handwriting, and pinch. I was expecting a real system to be implemented and tested on users based on my reading of the abstract but didn’t get that.

One of my peeves about this paper is that the writing really isn’t up to the standards I normally hold from conference papers. I forgive the authors some because they are from international institutions and may lack people who have English as a first language, but a language mistake in the abstract is hard for me to get over. This goes back to my early college years as an English major, I think. 🙁 Another objection is the idea that, for smartphones, we have a multi-class classification problem; these phones tend to belong to just one user so it should just be one-versus-all. Of course, multi-class is when these authentication models start to fall apart and that’s when things really get interesting … how do you avoid collisions? Furthermore, I found the ‘month-long’ description there to be misleading … I thought 30 users were authenticating on this thing for a month and giving their feedback but that wasn’t the case at all. That was something I was really interested in. I’m actually surprised these metrics aren’t combined to authenticate the user; it’s only mentioned off-handedly. There’s also no true “attacker” in the sense of having participants deliberately try to mime another person … another thing I dislike about some authentication papers. This isn’t a bad paper by any sense of the word … I just expected more and didn’t get what I came for. :/

The Effect of Social Influence on Security Sensitivity
Sauvik Das, Tiffany Hyun-Jin Kim, Laura A. Dabbish, Jason I. Hong
This is an interview study aimed at understanding why the public doesn’t adhere to suggested privacy/security instructions from experts & researchers nor use their tools. Results indicate that social processes play a role in influencing people’s behaviors concerning privacy and security. The crux here is that security tools need to be visible and apparent to the users and their role needs to be well-understood before being used. Not a lot to say here, the work is really quite good. This is a useful paper to cite when doing work on security preferences and users. 😀

Stray Observations: Media

I’ve been trying to cobble together a few blog posts in my mind about a variety of topics but never seem to find time to develop a full, detailed post about them.
So I’ll just throw together some musings in one post and justify an update. 😀

Films/Television/Media
I very strongly hold the opinion that we live in a golden age of entertainment. The advent of cable television has given rise to programming with grand, sweeping aspirations that is endlessly fascinating. Often, new cable series don’t just feel fresh but are endlessly self-referential and enjoyed on multiple levels. Attention to detail is literally astounding. A simple example of this is what is likely my favorite show, Breaking Bad, where I recently noticed that any time Walter White is operating from his Heisenberg mindset in the early seasons he is almost always viewed through reflective surfaces. A simple example of this that I can remember is the first meeting with Gustavo Fring at Los Pollos Hermanos in Season 2. This was something I didn’t know about the show until after it ended, which fuels my desire for rewatching.

Every type of genre is seeing a renaissance on cable television. Case in point: the mundane cop show. Network television has been saturated with many terrible procedural dramas with no overarching theme or story; they only exist to be sold in syndication and have no running plotlines so the show can be picked up and abandoned at the start of a dedicated programming hour. There are endless examples of these dull, plodding shows: Law & Order, Blue Bloods, Grimm, NCIS, … repeat ad nauseam. It is extremely irritating that we still live in a world where [Insert Thing Here] of the Week occupies a half hour on television. There’s no real audience involvement; no expectation of a growing story with evolving characters and elevated circumstances … just repetitive drivel. One could argue this is an allegory on life — that we can’t expect weekly excitement and often things are the same week to week. I disagree; when you can literally interchange episodes and not miss a single beat about what’s going on then it is not a commentary on life. I could not exchange weeks of my life and expect everything to line up, and that’s true for most anyone. That’s why True Detective was such a refreshing cleanser for the procedural palate. This was a deep, complicated, and multilayered cop drama that extended way above all the network rubbish to tell the story of both a meaningful hunt for a killer and the devolution of its two main leads. Truly inspiring.

Even the soap opera has renewed vitality on cable. The titillatingly titled Masters of Sex is one of the most pleasant viewing surprises I’ve had in recent memory. I went in expecting absolutely nothing and got really layered, attention-grabbing detail and development of the lives of these characters in cloistered 1960s society. Will Masters continues to be one of my favorite leads on current television, played awesomely by Michael Sheen (whom I loved in Frost/Nixon). Lizzy Caplan is similarly a delight to watch on television, and their exchanges are endlessly interesting. What I find most impressive is the fact that, after some reflection, what I was effectively watching was a highbrow soap opera. And I’ll be honest: I still really enjoy it even after the fact. I suppose this feels as new to me as soap operas did to housewives way back in the ’60s. 😀