SOUPS Roundup – Privacy Preferences, Authentication Aspects, and Social Security

I had originally intended to post blog updates on my 3 days spent at SOUPS 2014, but with research/teaching/my own classes/startup(!?) work getting in the way I figured I’ll just fold all of that into this post. Since I don’t remember all the twists and turns of my SOUPS experience, I’ll leave this as my selection of papers I found interesting (based on my notes).

Here’s a list of the SOUPS papers I still want to read more in-depth:
It’s a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception
Password Activity Lifecycle
Privacy Attitudes of Mechanical Turk Workers and the U.S. Public (I was left feeling wanting during the presentation of this paper … lots of odd, unanswered questions were in my mind. Reading this may answer them???)
Behavioral Experiments Exploring Victims’ Response to Cyber-based Financial Fraud and Identity Theft Scenario Simulations

Moving on to the ones I did listen to AND read (:D):
Would a privacy fundamentalist sell their DNA for $1000… if nothing bad happened as a result? The Westin categories, behavioral intentions, and consequences (Best Paper)
Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Lauren Schmidt, Laura Brandimarte, Alessandro Acquisti

This paper was an in-depth exploration of Westin’s Privacy Segmentation Index as it applies to behavioral intent and user consequences. The authors explored whether there was a correlation between users’ segmentation into Westin’s privacy groups (fundamentalists, pragmatists, unconcerned) and their actions & behaviors. Of course, while the lack of correlation of contextual responses between privacy groups is not in-and-of itself a novel result (by 2014’s standards), the consequences analysis is novel. The authors performed a large-scale MTurk study involving first segmenting the users into Westin’s groups and then providing the Turkers with situations in which the privacy implications and outcomes vary and checking how the users respond (would a fundamentalist object more strongly if their image is disseminated on the net?). Of course, this is known as the privacy paradox, wherein users’ attitudes about privacy clash with their actions regarding it. There are assumed reasons for why this is the case: Westin’s PI is about general attitudes, not context-specific cases; users might compromise their privacy concerns under contexts for the matters of convenience, trust, or profit (this ties to other aspects of human psychology I’ve noticed in currency/finance studies; people do not pursue the best financial decisions when there is some emotional motivator at play). The authors conducted a two-phase study: Phase I involved a survey of privacy attitudes involving 4 different privacy scales, personal information misuse questions, and personality/demographic characteristics; Phase II involved asking what these now-segmented people would do under privacy-compromising situations. The scenario that the title relates to is:

‘A marketing company offers you $1000 and free genetic testing in exchange for the rights to all your current and future medical records. They will have the right to resell or publish your data (anonymously or with information that could identify you, at their discretion)’.

There are 20 of these scenarios in total, relating to many different fields beyond health (social, finance, etc.). Results involved: suggested improvements to Westin’s segmentation (which didn’t work too well, by their own admission. Too bad, really!), the effect of brand manipulations on privacy concerns (meaning: people trust Amazon, Google, etc. more with their information than IWillStealYourIdentity.com), and predictors for disclosure (is there some combination of known variables that will work with these privacy segmentations to figure out if someone will give their DNA away on the internet!? The answer: Sorta; not exactly.). Overall some cool stuff, certainly a shoo-in for the award it got given the quality research, work, and writing done by the authors. I, of course, am always left wanting for perfect endings and I didn’t get that here like I felt I did when I saw Gone Girl (ah, but that is a different blog post….).

Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones
Hui Xu, Yangfang Zhou, Michael R. Lyu
This is a paper about a continuous authentication method for smartphones. I didn’t feel the concept of continuous authentication in a paper was novel enough in its own right. Is this because I went to the WAY Workshop at SOUPS!? Answer: No, because continuous authentication has been done a bit before. Plus, I recently tore up a paper in review at another venue for some fairly lazy continuous authentication work. Actually, the contribution of this paper is the implementation of the continuous authentication method via a 30-person user study. Let’s dig in a bit more.
The paper goes into using biometric characteristics of stroke dynamics and the like. They separate user operations into: keystrokes, slides, pinch, and handwriting. They programmed an application to put their users through a training phase and asked them to perform tasks. In total: 32 people recruited with the singular goal of collecting training data on an Android device. I would classify the chief contributions of this paper to be analyzing the EER effects of the behavioral biometrics of: keystroke, slide, handwriting, and pinch. I was expecting a real system to be implemented and tested on users based on my reading of the abstract but didn’t get that.

One of my peeves about this paper is that the writing really isn’t up to the standards I normally hold for conference papers. I forgive the authors some because they are from international institutions and may lack people who have English as a first language, but a language mistake in the abstract is hard for me to get over. This goes back to my early college years as an English major, I think. 🙁 Another objection is the idea that, for smartphones, we have a multi-class classification problem; these phones tend to belong to just one user so it should just be one-versus-all. Of course, multi-class is when these authentication models start to fall apart and that’s when things really get interesting … how do you avoid collisions? Furthermore, I found the ‘month-long’ description there to be misleading … I thought 30 users were authenticating on this thing for a month and giving their feedback but that wasn’t the case at all. That was something I was really interested in. I’m actually surprised these metrics aren’t combined to authenticate the user; it’s only mentioned off-handedly. There’s also no true “attacker” in the sense of having participants deliberately try to mime another person … another thing I dislike about some authentication papers. This isn’t a bad paper by any sense of the word … I just expected more and didn’t get what I came for. :/

The Effect of Social Influence on Security Sensitivity
Sauvik Das, Tiffany Hyun-Jin Kim, Laura A. Dabbish, Jason I. Hong
This is an interview study designed to understand why the public doesn’t adhere to suggested privacy/security instructions from experts & researchers nor use their tools. Results indicate that social processes play a role in influencing people’s behaviors concerning privacy and security. The crux here is that security tools need to be visible and apparent to the users, and their role needs to be well-understood before being used. Not a lot to say here; the work is really quite good. This is a useful paper to cite when doing work on security preferences and users. 😀