Web Privacy and Security Part II

Web Privacy and Security Part II. Agenda Project proposal grades – Average: 87.5 – Divide by 5 for contribution to final grade Lecture/discussion.

Dec 20, 2015

Page 1

Web Privacy and Security

Part II

Page 2

Agenda

Project proposal grades
– Average: 87.5
– Divide by 5 for contribution to final grade
Lecture/discussion
Test info
Heuristic eval of Firefox plugin

Page 3

Thinking about Cookies

Because cookies can be used beneficially, disallowing their use is not an acceptable solution
Many sites collecting information about users do not explicitly inform them that they are doing so
Your browser is implicitly giving consent on your behalf when accepting cookies

Page 4

Problems with Cookie Management

People claim to want the browser to seek their consent before giving up information in this manner
– Asking every time is too intrusive and annoying, and leads to users clicking through without paying attention
Accept/Reject decision is not clear in all cases
Because the perceived risks are low, very little action can be required on the part of the user or they will simply avoid using the tool

Page 5

Informed consent

Disclosure
Comprehension
Voluntariness
Competence
Agreement
Minimal distraction

Examples: current IE cookie management system, Amazon.com recommendation system,

Page 6

Consent continued…

How important is informed consent?
Given the knowledge and behavior of an average user, how much consent are people really currently giving?
How can we improve?
Comparison to offline: bank, credit cards. Are people reading those either?
What should people be giving explicit consent for?
– (no harm, purpose is known, no coercion)

Page 7

Cookie-Watcher Prototype

Enhancements to cookie manager tool
– Additional cookie information
Minimal distraction important
– If overwhelmed with queries with low perceived benefits and risks, attention to each will become low
– After some threshold, users will simply seek to disable the mechanism to avoid the annoyances it presents
Just-in-time interventions for cookie events
– Difficult to tell which are actually important to a user

Friedman, Howe, and Felten. Informed Consent in the Mozilla Browser: Implementing Value-Sensitive Design. In HICSS 2002.

Page 8

Prototype – cont

Instead of interrupting current work with decisions, give peripheral notification
– Users can then identify themselves which events are important and need their attention
Cookie information box displays currently set cookies on side of browser area
Color and formatting in cookie information dialog box make cookies easier to identify
– 3rd party cookies in red
– Long cookie expiration durations bolded
– Cookie expiration durations for current session in italics

Page 9

User Study

Increased awareness of cookie events
More likely to respond to cookie events
More likely to make cookie management actions

Page 10

Doppelganger

More fun with cookies!
When deciding to accept a cookie or not, users would like to compare the privacy cost to the functionality benefit but are ill equipped to do so
Doppelganger aims to assist the user in making these decisions and learn and make simple generalizations of these rules to remove later instances of repeated prompts

Shankar and Karlof. Doppelganger: Better browser privacy without the bother. Proceedings of Conference on Computer and Communications Security, 2006.

Page 11

Doppelganger

Mirrors session in hidden window
Detects differences in sessions
If there is no detected difference, cookies are assumed to have no benefit and are ignored
If there is a difference, present it to the user, give them information relevant to the cookie and let them decide to accept or reject
– Now has information necessary to make informed functionality vs. privacy decision

Page 12

Doppelganger

“Fix Me” button for user-initiated repair
– Attempts to rewind and replay sequence of actions with cookies on
– Needed in case no difference was detected and cookies were automatically rejected
Learns policies per domain
Configuration modes allow for automatic acceptance of 1st party session cookies
– Other modes allow for different trade-offs of privacy and intrusiveness
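
The mirror-and-compare decision described on the Doppelganger slides, modelled as an added example (not code from the slides or from the Doppelganger project). The site table, the `returning` flag, the `MirrorPolicy` class and its method names are constructed for illustration, and the model assumes the hidden window runs with cookies on while the visible one runs with them off.

```javascript
// Constructed sample sites: render(jar, returning) returns the page body a
// server would send for the given cookie jar. Domains and cookies are made up.
const SITES = {
  "news.example": { cookie: { track: "u1" }, render: () => "Headlines" },
  "mail.example": {
    cookie: { sid: "abc" },
    render: (jar) => (jar.sid ? "Inbox" : "Please log in"),
  },
  "shop.example": {
    cookie: { pref: "eur" },
    // The persistent cookie only pays off on a later visit.
    render: (jar, returning) =>
      returning && jar.pref ? "Prices in EUR" : "Prices in USD",
  },
};

class MirrorPolicy {
  // askUser(domain, withCookies, withoutCookies) returns "accept" or "reject".
  constructor(askUser) {
    this.askUser = askUser;
    this.learned = new Map(); // per-domain policy, learned once and reused
    this.prompts = 0;
  }

  // Load one page; return what the user sees and how the decision was made.
  visit(domain, returning = false) {
    const site = SITES[domain];
    if (!site) throw new Error(`unknown site: ${domain}`);
    let how = "learned";
    if (!this.learned.has(domain)) {
      const mirror = site.render(site.cookie, returning); // hidden window, cookies on
      const visible = site.render({}, returning); // visible window, cookies off
      if (mirror === visible) {
        this.learned.set(domain, "reject"); // no observed benefit: drop silently
        how = "auto-reject";
      } else {
        this.prompts += 1; // show the user the difference and let them decide
        this.learned.set(domain, this.askUser(domain, mirror, visible));
        how = "prompted";
      }
    }
    const jar = this.learned.get(domain) === "accept" ? site.cookie : {};
    return { page: site.render(jar, returning), how };
  }

  // User-initiated repair: replay the page load with cookies on and remember it.
  fixMe(domain, returning = true) {
    this.learned.set(domain, "accept");
    return this.visit(domain, returning);
  }
}

// Simulated user who accepts whenever a difference is shown.
function demo() {
  const policy = new MirrorPolicy(() => "accept");
  return {
    news: policy.visit("news.example"),
    mail1: policy.visit("mail.example"),
    mail2: policy.visit("mail.example", true),
    shop1: policy.visit("shop.example"),
    shop2: policy.visit("shop.example", true),
    shopFixed: policy.fixMe("shop.example"),
    prompts: policy.prompts,
  };
}

console.log(demo());
```

The `shop.example` case is the one the "Fix Me" button exists for: nothing differs on the first visit, so the cookie is dropped without a prompt, and the lost functionality only shows on return.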

Page 13

Evaluation

Simulated User
– Willing to give up privacy at some sites
    Yahoo!, Netflix, GMail
– Not willing to give up privacy at sites with which they had no relationship
    CNN, PCMagazine, etc
5 Conditions
– All cookies enabled
– Reject 3rd party cookies
– Reject 3rd party cookies + Reject persistent cookies
– Ask user for every cookie
– Doppelganger

Page 14

Measurements

Number of sites whose cookies were accepted
– Grouped by persistence and context
– Doesn’t directly measure privacy loss
Inconveniences suffered by user
– Dialog boxes and prompts
– Lost functionality
Looking for low values both times
Set of common tasks was repeated three times

Page 15

Results

Doppelganger had the best fit for accepted cookies vs. lost functionality
– More prompts than the conditions that never prompt
– Fewer prompts than the condition that always prompts
– After the 2nd visit to any given site, no further prompts were required for any of the test scripts
– After navigating prompts, there was no lost functionality
– Required use of “Fix Me” button once upon returning to a site that needed a persistent cookie for functionality

http://www.umeshshankar.com/doppelganger/

Page 16

Acumen

Use social recommendations to make cookie decisions
– Mavens vs. all users
Issues:
– Deployment
– Coverage
– Gaming
Website reputation system: WOT

http://www.cc.gatech.edu/fce/ecl/projects/acumen/

Page 17

Revisiting

3 tools
– Cookie Watcher
– Doppelganger
– Acumen
Advantages and disadvantages?
Which would you like to use?
Which would you give your parent to use?

Page 18

Other Alternatives

Many existing extensions and add-ons to enhance cookie management
– Cookie Button
– Cookie Toggle
– Permit Cookies
– Add N Edit Cookies
– Cookie Culler
– View Cookies
But they still focus on the low level task of cookie management

Page 19

Firefox

Make decisions for the user
– More likely to make the right decision than the user
– Users won’t read it anyway
– Can’t ask too much or you will overwhelm
When you must interrupt
– Perhaps use something besides a dialog
Maintain trust so users will tolerate your mistakes
Educate as simply as possible
– because users really don’t care that much

Question – how does this compare to informed consent?

Page 20

Why Extensions?

Why aren’t these built into the default behavior of browsers?
– Chances are, users won’t take the proactive action required of going out to acquire these tools
– Highest risk users likely not aware of their existence
They all make tradeoffs
– User effort
– Distractions
– Blocking use of often-abused functionality
    But potentially useful functionality

Page 21

Firefox Extensions

151 Extensions in the Security and Privacy Section at mozilla.org
Scripting-related
– NoScript, JSView, QuickJava
Anonymizing
– TorButton, FoxyProxy, FoxTor
Site Identity
– RedirectRemover, ShowIP, Locationbar, PhishTank SiteChecker
Cookies
– Add N Edit Cookies, CookieSafe, CookieCuller
Other
– KeyScrambler Personal, TrackMeNot, WOT

Page 22

Test

Some short answer questions
– Give 3 advantages and 3 disadvantages of X over Y.
– Given a scenario/tool/set of users, etc. List 3 potential design issues, or 2 methods of evaluating, etc.
A couple longer answer questions
– Given a scenario, which tool would you use and why?
– Design study to examine blah.

Page 23

Let’s review the topics

HCI Methods
– Why is it important?
– Types of user evaluations, typical user study
Security
– General definition and goals
Privacy
– Several definitions
– How differs from security
– Issues with bounded rationality
Usable Privacy and Security
– Weakest link
– Secondary task
– Product, process, panorama
– Tog’s RingWall metaphor

Page 24

More topics

Authentication
– Factors (know, have, are)
– Various types (text, graphical, biometrics)
– Issues and tradeoffs with each (for example: accessibility, memorability, security, cost, environmental)
Phishing
– Why do people fall for it?
– Potential solutions to fix it
Trust
– General definitions and layers
– relationship to privacy and security
– What contributes to trust

Page 25

And final topics

PKI & certificates
– Generally, what are they and why are they so hard to use?
– Suggested improvements or solutions?
Privacy policies
– What are user issues? What are solutions?
– P3P: generally what is it and what is its use?
– Tools for dealing with privacy policies?
Cookies
– Informed consent model
– What are they and what are issues?
– What are techniques for dealing with them?
Generic topics
– Training & education
– Usability

Page 26

Studying

What I expect you to know
– General topic of each chapter/paper
– General conclusions, issues, tradeoffs for each topic
– How to compare/contrast techniques, tools, and methods
What I don’t expect you to know
– Specific statistics of any study
– All issues or conclusions
– Detailed implementation or interface of any technique or tool
Advice: go through slides, go through summaries, flip through book and look at headings and bullets
Advice on Test: structure your response, use terms from the book or class when giving answer

Page 27

Heuristic Evaluation

uses simple and natural dialog
speaks user’s language
is consistent
provides feedback
provides good error messages
prevents errors
awareness of security/privacy tasks
aids user in making correct and safe decisions