Access control for home data sharing: attitudes, needs and practices
DESCRIPTION
From the "At Home with Computing" session of CHI2010. Presented by Michelle L. Mazurek. Work done in collaboration with J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion*, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter^. Carnegie Mellon University, *ETH Zurich, ^UNC Chapel Hill
TRANSCRIPT
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1
Access Control at Home: Attitudes, Needs, Practices
Michelle Mazurek
J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion¹, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea
Lujo Bauer, Lorrie Cranor, Greg Ganger, Mike Reiter²
Carnegie Mellon University, ¹ETH Zürich, ²UNC Chapel Hill
Access control comes home
[Figure labels: Tax return, The Sopranos, Sesame Street, The Wiggles]
Old approaches aren’t enough
Traditional physical and social boundaries are no longer effective
  – We need a way to reconstruct these boundaries in the digital world
Traditional enterprise approaches won’t translate to the home
  – Specifying policy is hard, even for experts [MR05]
  – No sysadmin in your house
Our goal: A more usable approach
Make it easy for users to specify, view and understand policies
Provide confidence that the system is trustworthy
This talk: As a first step, understand how non-experts think about access control
Outline
Introduction and motivation
Goals and study design
Key findings
Design guidelines
Exploring access control at home
Current practices: digital, paper
Different policy dimensions: person, location, device, presence, time of day
Additional features:
  – Logs
  – Reactive policy creation
Designing a user study
In-situ interviews
  – Non-programmer households
  – Interviewed at home
  – Together and separately
  – Recruited via craigslist, flyers
Semi-structured
  – Specific initial questions
  – Continue free-form
Question structure
For each dimension, start with specific scenario
  – Imagine that [a friend] is in your house when you are not. What kinds of files would you (not) want them to be able to [view, change]?
  – Would it be different if you were also in the [house, room]?
Extend to discuss that dimension in general
Rate concern over specific policy violations:
  – From 1 = don’t care to 5 = devastating
Data analysis
Initial rough analysis identified areas of interest; fed back into later interviews
Two-phase main coding process
  – Example to follow
Results are qualitative
Data analysis -- example
“If I use a work file, I’m very careful not to step away without logging out.”
Code | Person | Page
Log out / lock computer when getting up | 10A | 3
Study demographics
          | Households | People
Families  | 6          | 16
Couples   | 5          | 10
Roommates | 4          | 11
Total     | 15         | 37
Ages 8 to 59
Wide range of computer skills, household devices
Outline
Introduction and motivation
Goals and study design
Key findings
Design guidelines
Four key findings
1. People have important data to protect, and the methods they currently use don’t provide enough assurance
2. Policy needs are complicated
3. Permission and control are important
4. Current systems and mental models are misaligned
F1: Current methods are insufficient
“Maybe someone sort of e-mails you a sexy e-mail or something, and I wouldn’t want the kids to see it.” – single mom with teenage sons
Current methods are insufficient
Almost everyone worries sometimes
Many potential breaches rated “devastating”
Several reported actual breaches
Mechanisms vary (often ad-hoc)
  – Do nothing, just worry
  – Encryption, user accounts (some people)
  – Hiding in the file system
  – “If I didn’t want everyone to see them, I just had them for a little while and then I just deleted them.”
F2: Policy needs are complex
Fine-grained divisions of people and files
One policy:
[Figure legend: shared, mixed, restricted] [Reeder08]
Dimensions beyond person
Presence
  – “If you have your mother in the room, you are not going to do anything bad. But if your mom is outside the room you can sneak.”
  – Also can provide a chance to explain
Dimensions beyond person
Location
  – People in my home are trusted
  – Higher level of “lockdown” when elsewhere
Read-only is needed but not sufficient
F3: Permission and control
People want to be asked for permission
  – “I’m very willing to be open with people, I think I’d just like the courtesy of someone asking me.”
  – Positive response to reactive policy creation
Setting policy doesn’t convey control
“If I’m present, I can say, ‘These are the things that you could see’.”
“I can’t be giving you permission while I sleep because I am sleeping.”
Up-front policy isn’t enough
Last-minute decisions
Review logs and fine-tune:
  – “If someone has been looking at something a lot, I am going to be a little suspicious. In general, I would [then] restrict access to that specific file.”
People want to know why as well as who
  – “I might be worried about who else was watching.”
  – “From my devices they would be able to view it but not save it.”
F4: Mental models ≠ systems
Desktop search finds “hidden” files
Being present isn’t enough
  – “If anything were to happen, I’m right there to say, ‘OK, what just happened?’ So I’m not as worried.”
  – But violations can be fast or invisible
Outline
Introduction and motivation
Goals and study design
Key findings
Design guidelines
Design guidelines
Allow fine-grained control
  – Specification at multiple levels of granularity to support varying needs
Include reactive policy creation
  – “Sounds like the best possible scenario.”
  – “It would be easy access for them while still allowing me to control what they see.”
More design guidelines
Reduce up-front complexity
  – “If I had to sit down and sort everything into what people can view and cannot view, I think that would annoy me. I wouldn’t do that.”
  – Reactive policy creation can help
Support iterative policy specification
  – View/change effective policy, not just rules
  – Human-readable logs
Even more guidelines
Acknowledge social conventions
  – Requesting permission (reactive again)
  – Plausible deniability: “I don’t want people to feel that I am hiding things from them.”
Account for mental models
  – Incorrect analogies to physical systems
  – Fit into existing models or guide users to new ones
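An added sketch (not code from the talk or from the authors' system) of how the guidelines above could fit together: reactive policy creation with location and presence as policy dimensions, an effective-policy view, and a human-readable log. The class and function names, the two-valued location, and the choice to deny an unanswered request are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Request:
    person: str
    file: str
    action: str          # "view" or "change"
    location: str        # "home" or "away"
    owner_present: bool

@dataclass(frozen=True)
class Rule:
    person: str
    file: str
    action: str
    location: str = "any"              # "home", "away" or "any"
    needs_owner_present: bool = False
    def allows(self, r):
        return ((self.person, self.file, self.action) == (r.person, r.file, r.action)
                and self.location in ("any", r.location)
                and (r.owner_present or not self.needs_owner_present))

class HomePolicy:
    def __init__(self, ask_owner):
        self.rules, self.log = [], []
        self.ask_owner = ask_owner     # returns True, False or None (no answer)
    def check(self, r):
        if any(rule.allows(r) for rule in self.rules):
            allowed, why = True, "an existing rule allows it"
        else:
            answer = self.ask_owner(r)   # reactive step: ask at access time
            allowed = answer is True     # "no" and "no answer" both deny
            why = ("the owner did not answer" if answer is None
                   else f"the owner said {'yes' if allowed else 'no'}")
            if allowed:                  # remember the grant for this context only
                self.rules.append(Rule(r.person, r.file, r.action, r.location, r.owner_present))
        self.log.append(f"{r.person} asked to {r.action} '{r.file}' ({r.location}): "
                        f"{'allowed' if allowed else 'denied'}, {why}")
        return allowed
    def effective(self, people, files, location, owner_present):  # effective policy, not rules
        return {(p, f): [a for a in ("view", "change") if any(
                    rule.allows(Request(p, f, a, location, owner_present))
                    for rule in self.rules)]
                for p in people for f in files}

def demo():  # constructed scenario: the owner approves once, then is asleep
    answers = iter([True, None])
    policy = HomePolicy(lambda r: next(answers))
    req = Request("friend", "photos", "view", "home", True)
    return policy.check(req), policy.check(replace(req, owner_present=False)), policy
```

A grant given while the owner is present is stored with that condition, so the same request made later with the owner absent triggers a new question instead of silently succeeding.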
Conclusion
Access control for personal data is increasingly important
Ideal policies are complex, multidimensional
People want control
  – To be asked permission
  – To iteratively fine-tune policy
Systems must account for mental models
CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Thank you
References
[BCR08] L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. In CHI ’08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, 2008.
[BGR05] L. Bauer, S. Garriss, and M. K. Reiter. Distributed proving in access-control systems. In Proceedings of the 2005 IEEE Symposium on Security & Privacy, 2005.
[BB07] K. Beznosov and O. Beznosova. On the imbalance of the security problem space and its expected consequences. In Information Management & Computer Security, 15:420–431, 2007.
[BI07] A. Brush and K. Inkpen. Yours, mine and ours? Sharing and use of technology in domestic environments. In Ubicomp, 2007.
[GBG07] R. Geambasu, M. Balazinska, S.D. Gribble, and H.M. Levy. HomeViews: Peer-to-peer middleware for personal data sharing applications. In Proceedings of SIGMOD International Conference on Management of Data, 2007.
[KBS09] A. K. Karlson, A. B. Brush, and S. Schechter. Can I borrow your phone? Understanding concerns when sharing mobile phones. In CHI ’09: Proceedings of the 27th international conference on Human factors in computing systems, 2009.
[LSB09] L. Little, E. Sillence, and P. Briggs. Ubiquitous systems and the family: thoughts about the networked home. In SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security, 2009.
[MR05] R. A. Maxion and R. W. Reeder. Improving user-interface dependability through mitigation of human error. In Int. J. Hum.-Comput. Stud., 2005.
[MAB09] M. L. Mazurek, J. P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L. F. Cranor, G. R. Ganger, and M. K. Reiter. Access control for home data sharing: attitudes, needs and practices. Technical Report CMU-Cylab-09-013, CyLab, Carnegie Mellon University, October 2009.
[OGH05] J. S. Olson, J. Grudin, and E. Horvitz. A study of preferences for sharing and privacy. In CHI ’05: CHI ’05 extended abstracts on Human factors in computing systems, 2005.
[RRT08] V. Ramasubramanian, T. Rodeheffer, D.B. Terry, M. Walraed-Sullivan, T. Wobber, C. Marshall, and A. Vahdat. Cimbiosys: A platform for content-based partial replication. Technical Report MSR-TR-2008-116, Microsoft Research, August 2008.
[RI06] M.N. Razavi and L. Iverson. A grounded theory of information sharing behavior in a personal learning space. In CSCW ’06: Proceedings of the 2006 20th anniversary conference on Computer supported cooperative work, 2006.
[RBC08] R.W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. In Proceedings of ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
[SSCG09] B. Salmon, S.W. Schlosser, L.F. Cranor, and G.R. Ganger. Perspective: Semantic data management for the home. In Proceedings of 7th USENIX Conference on File and Storage Technologies (FAST’09), 2009.
[VEN06] S. Voida, W.K. Edwards, M.W. Newman, R.E. Grinter, and N. Ducheneaut. Share and share alike: exploring the user interface affordances of file sharing. In CHI ’06: Proceedings of the SIGCHI conference on Human Factors in computing systems, 2006.