Web Privacy and Security, Part II
Dec 20, 2015
Agenda
Project proposal grades
– Average: 87.5
– Divide by 5 for contribution to final grade
Lecture/discussion
Test info
Heuristic evaluation of Firefox plugin
Thinking about Cookies
Because cookies can be used beneficially, disallowing their use is not an acceptable solution
Many sites collecting information about users do not explicitly inform them that they are doing so
Your browser is implicitly giving consent on your behalf when accepting cookies
Problems with Cookie Management
People claim to want the browser to seek their consent before giving up information in this manner
– Asking every time is too intrusive and annoying, and leads to users clicking through without paying attention
Accept/Reject decision is not clear in all cases
Because the perceived risks are low, very little action can be required on the part of the user or they will simply avoid using the tool
Informed consent
Disclosure
Comprehension
Voluntariness
Competence
Agreement
Minimal distraction
Examples: current IE cookie management system, Amazon.com recommendation system
Consent continued…
How important is informed consent?
Given the knowledge and behavior of an average user, how much consent are people really currently giving?
How can we improve?
Comparison to offline: bank, credit cards. Are people reading those either?
What should people be giving explicit consent for?
– (no harm, purpose is known, no coercion)
Cookie-Watcher Prototype
Enhancements to cookie manager tool
– Additional cookie information
Minimal distraction important
– If overwhelmed with queries with low perceived benefits and risks, attention to each will become low
– After some threshold, users will simply seek to disable the mechanism to avoid the annoyances it presents
Just-in-time interventions for cookie events
– Difficult to tell which are actually important to a user
Friedman, Howe, and Felten. Informed Consent in the Mozilla Browser: Implementing Value-Sensitive Design. In HICSS 2002.
Prototype – cont
Instead of interrupting current work with decisions, give peripheral notification
– Users can then identify themselves which events are important and need their attention
Cookie information box displays currently set cookies on side of browser area
Color and formatting in cookie information dialog box make cookies easier to identify
– 3rd party cookies in red
– Long cookie expiration durations bolded
– Cookie expiration durations for current session in italics
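To make the prototype's three highlighting rules concrete, here is an added Python example (not code from the Friedman, Howe and Felten prototype) that classifies Set-Cookie headers into third-party, long-lived and session cookies and returns the formatting the prototype would apply. The 30-day threshold for a "long" expiration, the two-label domain comparison and all sample cookies are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

LONG_LIVED = timedelta(days=30)  # assumed threshold for a "long" expiration duration
NOW = datetime(2015, 12, 20, tzinfo=timezone.utc)  # constructed "current time"

def site_of(host: str) -> str:
    """Approximate the registrable domain by its last two labels (a simplification;
    browsers use the Public Suffix List for this)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

@dataclass
class CookieEvent:
    name: str
    domain: str
    third_party: bool
    lifetime: Optional[timedelta]  # None means the cookie lasts only for the session

    @property
    def highlight(self) -> List[str]:
        """Prototype formatting: red = 3rd party, bold = long expiration, italic = session."""
        tags = ["red"] if self.third_party else []
        if self.lifetime is None:
            tags.append("italic")
        elif self.lifetime > LONG_LIVED:
            tags.append("bold")
        return tags

def classify(set_cookie: str, response_host: str, page_host: str,
             now: datetime = NOW) -> CookieEvent:
    """Parse one Set-Cookie value sent by response_host while the user views page_host."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:                       # attribute names are case-insensitive
        key, _, value = attr.partition("=")
        attrs[key.lower()] = value
    domain = attrs.get("domain", response_host).lstrip(".")
    lifetime = None
    if "max-age" in attrs:                       # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    return CookieEvent(name, domain, site_of(domain) != site_of(page_host), lifetime)

SAMPLE = [  # constructed (Set-Cookie value, sending host) pairs seen on www.example.com
    ("sid=abc123; Path=/", "www.example.com"),
    ("prefs=dark; Domain=.example.com; Max-Age=31536000", "www.example.com"),
    ("track=xyz; Domain=.adnetwork.example.net; Expires=Wed, 20 Dec 2017 00:00:00 GMT",
     "ads.adnetwork.example.net"),
    ("tmp=1", "ads.adnetwork.example.net"),
]

def watch(page_host: str = "www.example.com") -> List[CookieEvent]:
    return [classify(value, host, page_host) for value, host in SAMPLE]
```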
User Study
Increased awareness of cookie events
More likely to respond to cookie events
More likely to make cookie management actions
Doppelganger
More fun with cookies!
When deciding to accept a cookie or not, users would like to compare the privacy cost to the functionality benefit but are ill-equipped to do so
Doppelganger aims to assist the user in making these decisions, and to learn and make simple generalizations of these rules to remove later instances of repeated prompts
Shankar and Karlof. Doppelganger: Better browser privacy without the bother. Proceedings of Conference on Computer and Communications Security, 2006.
Doppelganger
Mirrors session in hidden window
Detects differences in sessions
If there is no detected difference, cookies are assumed to have no benefit and are ignored
If there is a difference, present it to the user, give them information relevant to the cookie and let them decide to accept or reject
– Now has information necessary to make informed functionality vs. privacy decision
Doppelganger
“Fix Me” button for user-initiated repair
– Attempts to rewind and replay sequence of actions with cookies on
– Needed in case no difference was detected and cookies were automatically rejected
Learns policies per domain
Configuration modes allow for automatic acceptance of 1st party session cookies
– Other modes allow for different trade-off of privacy and intrusiveness
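The decision loop described on the last three slides (mirror the session, reject when nothing differs, prompt once otherwise, remember the answer per domain, and offer “Fix Me”), as an added Python sketch that is not the Doppelganger authors' code. The hidden mirror window is stood in for by a fetch(cookies_enabled) callable, and the two sample sites and their page contents are constructed for the example.

```python
from typing import Callable, Dict

Fetch = Callable[[bool], str]  # fetch(cookies_enabled) -> page as rendered in that session

class Doppelganger:
    def __init__(self, ask_user: Callable[[str, str, str], bool]):
        self.ask_user = ask_user            # shown both pages; returns True to accept cookies
        self.policy: Dict[str, bool] = {}   # learned per-domain decision
        self.prompts = 0                    # inconvenience metric used in the evaluation

    def visit(self, domain: str, fetch: Fetch) -> str:
        if domain in self.policy:           # learned policy: no mirror run, no prompt
            return fetch(self.policy[domain])
        mirror = fetch(True)                # hidden window with cookies on
        primary = fetch(False)              # the user's session, cookies held back
        if mirror == primary:               # no visible benefit: cookies are ignored
            self.policy[domain] = False
            return primary
        self.prompts += 1                   # a difference was found: let the user decide
        accept = self.ask_user(domain, primary, mirror)
        self.policy[domain] = accept
        return mirror if accept else primary

    def fix_me(self, domain: str, fetch: Fetch) -> str:
        """User-initiated repair for a site whose auto-reject broke something:
        replay with cookies on and remember the choice."""
        self.policy[domain] = True
        return fetch(True)

# Constructed sites for the walkthrough
def news_site(cookies_enabled: bool) -> str:
    return "<h1>Headlines</h1>"              # identical with or without cookies

def mail_site(cookies_enabled: bool) -> str:
    return "<h1>Inbox</h1>" if cookies_enabled else "<h1>Please log in</h1>"

def demo() -> Dict[str, object]:
    d = Doppelganger(ask_user=lambda domain, without, with_cookies: True)  # user accepts
    d.visit("news.example", news_site)      # no difference: auto-rejected, no prompt
    d.visit("mail.example", mail_site)      # difference: prompted once
    d.visit("mail.example", mail_site)      # second visit: learned policy, no prompt
    d.fix_me("news.example", news_site)     # user later repairs the news site
    return {"prompts": d.prompts, "policy": dict(d.policy)}
```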
Evaluation
Simulated User
– Willing to give up privacy at some sites
   Yahoo!, Netflix, GMail
– Not willing to give up privacy at sites with which they had no relationship
   CNN, PCMagazine, etc.
5 Conditions
– All cookies enabled
– Reject 3rd party cookies
– Reject 3rd party cookies + Reject persistent cookies
– Ask user for every cookie
– Doppelganger
Measurements
Number of sites whose cookies were accepted
– Grouped by persistence and context
– Doesn’t directly measure privacy loss
Inconveniences suffered by user
– Dialog boxes and prompts
– Lost functionality
Looking for low values both times
Set of common tasks was repeated three times
Results
Doppelganger had the best fit for accepted cookies vs. lost functionality
– More prompts than the conditions that never prompt
– Fewer prompts than the condition that always prompts
– After the 2nd visit to any given site, no further prompts were required for any of the test scripts
– After navigating prompts, there was no lost functionality
– Required use of “Fix Me” button once upon returning to a site that needed a persistent cookie for functionality
http://www.umeshshankar.com/doppelganger/
Acumen
Use social recommendations to make cookie decisions
– Mavens vs. all users
Issues:
– Deployment
– Coverage
– Gaming
Website reputation system: WOT
http://www.cc.gatech.edu/fce/ecl/projects/acumen/
Revisiting
3 tools
– Cookie Watcher
– Doppelganger
– Acumen
Advantages and disadvantages?
Which would you like to use?
Which would you give your parent to use?
Other Alternatives
Many existing extensions and add-ons to enhance cookie management
– Cookie Button
– Cookie Toggle
– Permit Cookies
– Add N Edit Cookies
– Cookie Culler
– View Cookies
But they still focus on the low-level task of cookie management
Firefox
Make decisions for the user
– More likely to make the right decision than the user
– Users won’t read it anyway
– Can’t ask too much or you will overwhelm
When you must interrupt
– Perhaps use something besides a dialog
Maintain trust so users will tolerate your mistakes
Educate as simply as possible
– because users really don’t care that much
Question – how does this compare to informed consent?
Why Extensions?
Why aren’t these built into the default behavior of browsers?
– Chances are, users won’t take the proactive action required of going out to acquire these tools
– Highest risk users likely not aware of their existence
They all make tradeoffs
– User effort
– Distractions
– Blocking use of often-abused functionality
   But potentially useful functionality
Firefox Extensions
151 Extensions in the Security and Privacy Section at mozilla.org
Scripting-related
– NoScript, JSView, QuickJava
Anonymizing
– TorButton, FoxyProxy, FoxTor
Site Identity
– RedirectRemover, ShowIP, Locationbar, PhishTank SiteChecker
Cookies
– Add N Edit Cookies, CookieSafe, CookieCuller
Other
– KeyScrambler Personal, TrackMeNot, WOT
Test
Some short answer questions
– Give 3 advantages and 3 disadvantages of X over Y.
– Given a scenario/tool/set of users, etc. List 3 potential design issues, or 2 methods of evaluating, etc.
A couple longer answer questions
– Given a scenario, which tool would you use and why?
– Design study to examine blah.
Let’s review the topics
HCI Methods
– Why is it important?
– Types of user evaluations, typical user study
Security
– General definition and goals
Privacy
– Several definitions
– How differs from security
– Issues with bounded rationality
Usable Privacy and Security
– Weakest link
– Secondary task
– Product, process, panorama
– Tog’s RingWall metaphor
More topics
Authentication
– Factors (know, have, are)
– Various types (text, graphical, biometrics)
– Issues and tradeoffs with each (for example: accessibility, memorability, security, cost, environmental)
Phishing
– Why do people fall for it?
– Potential solutions to fix it
Trust
– General definitions and layers
– Relationship to privacy and security
– What contributes to trust
And final topics
PKI & certificates
– Generally, what are they and why are they so hard to use?
– Suggested improvements or solutions?
Privacy policies
– What are user issues? What are solutions?
– P3P: generally what is it and what is its use?
– Tools for dealing with privacy policies?
Cookies
– Informed consent model
– What are they and what are issues?
– What are techniques for dealing with them?
Generic topics
– Training & education
– Usability
Studying
What I expect you to know
– General topic of each chapter/paper
– General conclusions, issues, tradeoffs for each topic
– How to compare/contrast techniques, tools, and methods
What I don’t expect you to know
– Specific statistics of any study
– All issues or conclusions
– Detailed implementation or interface of any technique or tool
Advice: go through slides, go through summaries, flip through book and look at headings and bullets
Advice on Test: structure your response, use terms from the book or class when giving answer
Heuristic Evaluation
uses simple and natural dialog
speaks user’s language
is consistent
provides feedback
provides good error messages
prevents errors
awareness of security/privacy tasks
aids user in making correct and safe decisions