Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.


1

2 Course Overview, January 17, 2006
Usable Privacy and Security, Carnegie Mellon University, Spring 2006, Cranor/Hong/Reiter
http://cups.cs.cmu.edu/courses/ups-sp06/

3 Outline
- Introduction to usable privacy and security
- Review syllabus and course policies
- Distribute survey
- Faculty research overview
- Introduce students

4 Unusable security & privacy
- Unpatched Windows machines compromised in minutes
- Phishing web sites increasing by 28% each month
- Most PCs infected with spyware (avg. = 25)
- Users have more passwords than they can remember and practice poor password security
- Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

5 Grand Challenge
“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”
- Computing Research Association 2003

6 Just work

7
- security/privacy researchers and system developers
- human computer interaction researchers and usability professionals

8 Symposium On Usable Privacy and Security (SOUPS)
July 6-8, 2005, Pittsburgh, PA USA
http://cups.cs.cmu.edu/soups/
Mark your calendar for SOUPS 2006 - July 14-16 at CMU

9 A preview of some topics we’ll cover in this course
1. Problems and approaches
2. Passwords
3. Symbols & metaphors
4. Rethinking cookies
5. Making Web privacy visible

10 1. Problems and approaches

11 How do you stay safe online?

12 Experts recommend…

13 POP!

14 After installing all that security and privacy software

15 Do you have any time left to get any work done?

16 Secondary tasks

17 Approaches to usable security
- Make it “just work”
- Invisible security
- Make security/privacy understandable
- Make it visible
- Make it intuitive
- Use metaphors that users can relate to
- Train the user

18 Make decisions
- Developers should not expect users to make decisions they themselves can’t make

19 Present choices, not dilemmas - Chris Nodder (in charge of user experience for XP SP2)

20

21

22 2. Passwords

23 Typical advice
- Pick a hard to guess password
- Don’t use it anywhere else
- Change it often
- Don’t write it down

24 What do users do when every web site wants a password?

25
Bank = b3aYZ
Amazon = aa66x!
Phonebill = p$2$ta1

26

27 3. Symbols & Metaphors

28 Netscape SSL icons Cookie flag IE6 cookie flag Firefox SSL icon

29 Privacy Bird icons
- Privacy policy matches user’s privacy preferences
- Privacy policy does not match user’s privacy preferences

30 4. Rethinking cookies

31

32

33 5. Making Web privacy visible

34 Web site privacy policies
- Many posted
- Few read

35 What if your browser could read privacy policies for you?

36 Platform for Privacy Preferences (P3P)
- 2002 W3C Recommendation
- XML format for Web privacy policies
- Protocol enables clients to locate and fetch policies from servers

37 Privacy Bird
- P3P user agent
- Free download http://privacybird.com/
- Compares user preferences with P3P policies

38 Chirping bird is privacy indicator

39 Red bird indicates mismatch

40 Privacy settings

41 Example: Sending flowers

42

43

44 Wireless privacy
- Many users unaware that communications over wireless computer networks are not private

45 Wall of sheep

46 Photo credit: Kyoorius @ techfreakz.org http://www.techfreakz.org/defcon10/?slide=38 Defcon 2001

47 Photo credit: http://www.timekiller.org/gallery/DefconXII/photo0003 Defcon 2004

48 Peripheral display
- Help users form more accurate expectations of privacy
- Without making the problem worse

49

50 Experimental trial
- 11 subjects in student workspace
- Data collected by survey and traffic analysis
- Did they refine their expectations of privacy?

51 Results
- No change in behavior
- Peripheral display raised privacy awareness in student workspace
- But they didn’t really get it

52 Privacy awareness increased
“I feel like my information / activity / privacy are not being protected …. seems like someone can monitor or get my information from my computer, or even publish them.”

53 But only while the display was on
“Now that words [projected on the wall] are gone, I'll go back to the same.”

54 Questions to ask about a security or privacy cue
- Do users notice it?
- Do they know what it means?
- Do they know what they are supposed to do when they see it?
- Will they actually do it?
- Will they keep doing it?

55 Syllabus
http://cups.cs.cmu.edu/courses/ups-sp06/
- Homework (25%)
- Lecture (25%)
- Project (50%)
- Textbook and readings
- Schedule

56 Survey
Please fill out course survey and bring it with you to class on Thursday

57 Faculty research overview
- Lorrie Cranor
- Michael Reiter
- Jason Hong

58 Student introductions
- Introduce yourself to your neighbor and tell them your background. Tell them why you’re taking the course and what you want to get out of the course
- Form a group of ~4 and repeat
- Form a group of ~8 and repeat
- Pick someone to stand up in front of the class, introduce your group members, and summarize the reasons people in your group are taking the course and what you want to get out of the course

