2003 — 2007
Kobsa, Alfred
Privacy-Enabling Design of Personalized Websites @ University of California-Irvine
This project aims at reconciling the benefits that personalization of web-based systems has demonstrably brought about with current privacy concerns of Internet users and with upcoming privacy regulation and legislation. The project will analyze and systemize these impacts, and develop principled solutions as to how privacy requirements and benefits through personalization can be reconciled. Specifically, an architecture for personalized systems will be developed that can be dynamically configured, so that the personalization methods in use are always in agreement with the current individual privacy preferences as well as the privacy policies and legislation that apply to the given user and the site of the application. Privacy will -- for the first time -- become a design requirement in the development of personalized software systems. The results of the project will benefit researchers in the area of privacy-enhancing technology, and developers of personalized websites who need to respect user privacy. The project outcomes will be published at academic venues, and disseminated to industry and the general public. The project will also contribute to the integration of research and teaching through the employment of undergraduate and graduate students, and through the inclusion of privacy issues into academic syllabi.
2008 — 2014
Kobsa, Alfred; Tsudik, Gene
Ct-Isg: User-Aided Secure Association of Wireless Devices @ University of California-Irvine
The popularity of personal gadgets opens up many new services for ordinary users. Many everyday usage scenarios involve two or more devices "working together". (Emerging scenarios are beginning to involve sensors and personal RFID tags.) Before working together, devices must be securely "paired" to enable secure and private communication.
However, the human-imperceptible nature of wireless communication prompts the very real threat of Man-in-the-Middle (MiTM) attacks. Another challenge arises due to the lack of a global security infrastructure. Consequently, traditional cryptographic means alone are unsuitable, since unfamiliar devices have no prior security context and no common point of trust. Therefore, some human involvement in secure device pairing is unavoidable. At the same time, most devices have limited hardware and/or user interfaces, thus complicating human involvement.
This project's goals are three-fold: (1) design a set of pairing methods suitable for most common devices and a general user population, based on comprehensive and comparative usability studies, (2) develop secure pairing techniques for personal RFID tags, and (3) construct a set of user-friendly, scalable and secure methods for sensor initialization.
Benefits of this project will include accumulation of valuable expertise in designing truly usable security methods. Notably, the project expects to experimentally assess the value of usable security with respect to the general population. Furthermore, the need for, and the utility of, user-centric secure control of personal RFID tags and sensors will be demonstrated. Since device pairing is one of the very few areas where security directly involves and affects the average user, the greatest impact of proposed research is expected to be the broader participation in security practices and better appreciation of security and its benefits. The project also emphasizes industry outreach and technology transfer by working with manufacturers and industrial consortia.
In addition, students taking part in the project are expected to acquire currently uncommon skills at the cusp of Human-Computer Interaction, Usability and Cyber Trust.
2009 — 2012
Goodrich, Michael; Kobsa, Alfred; Tsudik, Gene (co-PI)
Eager: Usable Location Privacy in Geo-Social Networks @ University of California-Irvine
This project is focused on a potentially transformational research study involving the simultaneous investigation of usability and security/privacy technologies for location-based geo-social applications, with the objective of studying the usability, feasibility, and scalability of privacy-preserving and secure location-aware geo-social networking platforms for mobile devices. The approach is based on a belief that usability and security/privacy are addressed properly and most effectively from the start. In particular, the project will study the usability of privacy-agile secure location-based communication and associated supporting protocols that scale to large numbers of users and accommodate various privacy levels suitable for different application domains. By studying the usability of location-aware protocols, the investigators propose methods that provide seamless connectivity and functionality over different networking technologies, without sacrificing the user experience. The investigators also plan to address other security issues in privacy-preserving operation, including authentication, access control and accountability. This project envisions a wide range of future applications with three unifying factors: (1) a geo-social undertone, i.e., applications that combine social groups and locality, (2) lack of, or desire to avoid using, fixed infrastructure facilities, and (3) need for both security and privacy. Although progress is starting on technologies for supporting such applications, there has been precious little work done on the study of usability factors with respect to the privacy and security users expect with their small-device location-based applications. 
The proposed project therefore has an ambitious goal: to study the usability of privacy-preserving geo-social technologies, including the user models, perceptions, interfaces, and feasible communication/computation technologies for supporting futuristic geo-social applications on portable mobile devices in the aforementioned setting. Methods employed may include interviews, focus groups, and cognitive walkthroughs. One key feature of the approach is to study methods that shield location from identity, thereby allowing for location-based services and geo-social applications while also protecting user privacy, and, most importantly, to do so in a way that is most usable and effective from the user's point of view.
Technologies using location and small devices are growing at a rapid rate, while techniques considering security and location and identity privacy are only now being addressed. Thus, usable systems that protect location-sensitive privacy concerns could have a major impact on society. The tools developed in this project will enable important and economically beneficial technologies to be developed for location-aware geo-social networks preserving privacy rights for the individuals using such services. In addition, a vital part of this project involves graduate-student participation in research. Thus, this project has the potential of bringing expanded research opportunities for developing the next generation of information technology researchers. Likewise, it also includes an important educational component.
2014 — 2017
Kobsa, Alfred
Twc Sbe: Ttp Option: Small: a User-Tailored Approach to Privacy Decision Support @ University of California-Irvine
Numerous surveys find that Internet users want to limit the personal data that is being collected about them, as well as control the usage of their data. Existing and proposed regulation in the U.S. accords users such rights, in the form of a "transparency and control" obligation on personal data collectors: users should be informed about the rationale of requests for personal data so that they can make an informed decision on whether or not to disclose their data.
In the past few years, it became apparent that the transparency and control paradigm "does not work." It overburdens users by the sheer amount of decisions that must be made in a very short period of time. Recent research moreover shows that users are not cognitively able to make rational decisions when they have to trade off immediate benefits of data disclosure with uncertain and unspecific privacy threats sometimes in the future.
Based on empirical studies, this research helps predict what privacy decisions would be consistent with users' preferences, and generates personalized default settings for privacy choices as well as rationales for disclosure that best suit users' predicted decision-making. Users can override any of the predictions, and such corrections will modify the prediction algorithm over time. The proposed approach thus affords "realistic empowerment": it allows Internet users to make their own privacy decisions if they wish, and also helps them overcome the limits of their bounded rationality by first making personalized default decisions on their behalf. The multiple methods used in the research design build upon one another, representing a rigorous and systematic approach to developing an in-depth understanding of designing and developing smart default privacy settings. This project can have a transformative impact on the privacy literature by providing a systematic understanding of how to predict individuals' contextual privacy preferences.
2015 — 2017
Berg, Bruce (co-PI); Kobsa, Alfred; Tsudik, Gene (co-PI)
Eager: Unattended/Automated Studies of Effects of Auditory Distractions On Users Performing Security-Critical Tasks @ University of California-Irvine
User errors or delays while performing security-critical tasks can lead to undesirable or even disastrous consequences. The impact of both accidental and intentional distractions on users in such situations has received little investigation. In particular, it is unclear whether and how sensory stimuli (e.g., sound or light) influence users' behavior and trigger mistakes. Better understanding of the effects of such distractions can lead to increased user awareness and countermeasures. Preliminary studies suggest somewhat surprising effects of auditory distractions; this project develops an unattended study allowing more rigorous evaluation of the impact of distractions.
The project conducts controlled user studies to examine the effects of different sound variations on participants' speed and accuracy when logging into a computer network, controlling for participants' awareness of the distraction event. Existing theory suggests auditory distractions can both improve and degrade performance; this will be carefully evaluated to determine how various stimuli impact security actions. The experiments will be conducted in a fully automated manner, which makes large-scale studies feasible and also avoids any potential experimenter bias.
2016 — 2018
Kobsa, Alfred
Eager: Collaborative: Price: Using Process Tracing to Improve Household Iot Users' Privacy Decisions @ University of California-Irvine
Household Internet-of-Things (IoT) devices are intended to collect information in the home and to communicate with each other, to create powerful new applications that support our day-to-day activities. Existing research suggests that users have a difficult time selecting their privacy settings on such devices. The goal of this project is to investigate how, why and when privacy decisions of household IoT users are suboptimal, and to use the insights from this research to create and test a simple single user interface that integrates privacy settings across all devices within a household. This interface will have a flexible set of privacy profiles that fits a wide range of privacy preferences and also helps US companies to comply with EU privacy regulations when they operate in the European market.
Unlike existing privacy research, which assumes that users employ limited but essentially rational decision-making practices, this project aims to understand consumers' actual decision processes. In this way we can improve theories about privacy decision making using part-worth utility mapping and process tracing (including eye-tracking). The results of these efforts are used to develop a data-driven set of privacy profiles that cover the privacy preferences of most users. These profiles are then integrated into a privacy management interface (an open-source contribution to an existing IoT management platform) that does not overload users with information and control, but instead leverages their existing decision processes and avoids their biases.