Friday, July 18, 2014

Symposium on Usable Privacy and Security (SOUPS) 2014

Recently, I attended SOUPS 2014 held at Facebook Headquarters, Menlo Park CA from July 9-11. Although I didn’t get a chance to explore the Facebook Headquarters much, I managed to take a few photos of the part I saw :-)
There were many great talks, but I will briefly describe the ones I found particularly interesting.
Under the privacy track, the first two talks I enjoyed were related to the validity of Westin's privacy index for segmenting a user study population. Being a regular user of the well known Westin index in user data analysis, I was surprised to learn from the speakers' results that they found no correlation between users' behavior and their responses to the three standard Westin questions. They proposed that survey measures should be combined with behavioral data. One of the speakers proposed a clustering-based technique to segment the user population. An interesting statistic in their study was that US-based users were less private than EU users, which points me to another important conclusion: every country has different privacy preferences, and that should be kept in mind when running a Mechanical Turk study. In other words, the entire user study population should come from the same country to ensure homogeneity.

The next interesting study was on the classification of Facebook users based on their privacy concerns. They collected Facebook users' privacy preferences through an online survey and, based on the responses, divided the population into groups. They analyzed these groups with respect to various categories and presented their results in an interactive chart at http://www.usabart.nl/chart/. For example, it was interesting to learn that more people created friend lists than actually used those lists in their privacy settings. This can be attributed to the fact that the lists are created without any context (the interface for creating friend lists is on the homepage/newsfeed), whereas posting always has a context, and lists that were created out of context do not fit it when the user wants to use them.

Another interesting talk targeted a specific population: the unconcerned, i.e., those with a "nothing to hide" persona. These people do not care about privacy and do not think they should worry about their information being leaked or stolen. The summary of that talk was that the unconcerned need to be educated about privacy, since their attitudes stem from being unaware of the possible consequences. The speaker gave a grocery list example, in which students were told what could be inferred about them from the items in their shopping cart, e.g., cheap food items = the person is poor.

The study on the privacy attitudes of Mechanical Turk workers was also interesting: US turkers were compared to US internet users in general with respect to hiding their online content and staying anonymous. The results showed that turkers have more privacy concerns than other internet users. Next, US turkers were compared to Indian turkers on 1) how they manage their information online and 2) what their privacy preferences are. They found that US turkers are more worried about anonymity and are less satisfied with the laws than Indian turkers. Also, the Indian turkers are more educated.
Under the mobile track, I enjoyed the talk on continuous, passive touch-based biometric authentication for smartphones. The speaker proposed a scheme that authenticates the smartphone user from their usage behavior, in order to stop someone other than the owner from using the phone. This scenario can occur when someone obtains the unlock code through shoulder surfing. The scheme applies machine learning to various slide/swipe and pinch features. Another great talk was on mobile application permission privacy. A large number of free Android application APK files were downloaded and their binaries were analyzed. The permissions requested by each application were studied by going through its source code. They found that the permissions were requested either by third-party libraries included in the application (social network services, analytics, and ads) or directly by the developer in the application's own source code. The speaker also captured user privacy preferences through a crowdsourcing study. Users were shown screenshots from one of the mobile applications and told that the location permission was being used for targeted advertising, and they had to say how comfortable or uncomfortable they were with that. After capturing the responses, the users were clustered into four groups based on their privacy preferences. The study, however, only covered free apps, so the question of whether its findings hold for paid apps remains open.
Under the access control track, I liked the talk on how to help users construct access control lists (ACLs) on Facebook and apply them in their privacy settings. Previous work on presenting users with automatically detected friend groups using CNM clustering does not significantly reduce user overhead. The speaker created a Facebook app to help Facebook users create and manage friend lists: apps.facebook.com/friendlist_manager/. They proposed and studied caching the last-used ACLs and the most-used ACLs, and offering them to users at the moment they intend to share something on Facebook.
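As an added illustration of the recency-plus-frequency cache described above (my own example code, not code from the talk or from the Friend List Manager app), the following keeps both caches over a constructed sharing history and merges them into a short suggestion list; the suggestions are offered for the user to confirm, never applied as a default audience:

```python
from collections import Counter, OrderedDict


class AclSuggester:
    """Caches the last-used and most-used audiences (sets of friend-list names)
    so the user can pick a familiar ACL when sharing instead of rebuilding it."""

    def __init__(self, recent_size=3):
        self.recent_size = recent_size
        self.recent = OrderedDict()  # frozenset(ACL) -> None, most recent last
        self.counts = Counter()      # frozenset(ACL) -> times used

    def record_share(self, acl):
        """Record one share whose audience was the friend lists in `acl`."""
        key = frozenset(acl)
        self.counts[key] += 1
        self.recent.pop(key, None)   # move to the most-recent position
        self.recent[key] = None
        while len(self.recent) > self.recent_size:
            self.recent.popitem(last=False)  # evict the least recently used

    def last_used(self):
        """Cached ACLs, most recent first."""
        return [set(k) for k in reversed(self.recent)]

    def most_used(self, n=3):
        """The n most frequently used ACLs (ties keep first-seen order)."""
        return [set(k) for k, _ in self.counts.most_common(n)]

    def suggest(self, n=3):
        """Recent ACLs first, then frequent ones not already listed, up to n."""
        seen, out = set(), []
        candidates = list(reversed(self.recent))
        candidates += [k for k, _ in self.counts.most_common()]
        for k in candidates:
            if k not in seen and len(out) < n:
                seen.add(k)
                out.append(set(k))
        return out


def build_demo_suggester():
    """Constructed sharing history (hypothetical list names, not real data)."""
    history = [{"Close Friends"}, {"Family"}, {"Close Friends"}, {"Coworkers"},
               {"Close Friends"}, {"Family"}, {"Public"}]
    s = AclSuggester(recent_size=3)
    for acl in history:
        s.record_share(acl)
    return s
```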
Under the warnings and dialogues track, I found the talk on using neuroscience to improve security warnings interesting. Static and polymorphic warnings were presented to users while they were undergoing an fMRI scan; the users did not have to do anything. The results showed that the brain's responses to polymorphic warnings were different even though the user took no action, so these warnings are more attention-capturing and engaging. Thus, habituation is not the same as the user being lazy or careless; it is a neurological effect. People ignore important information in dialogues and are habituated to accepting all of them. Another study showed that requiring a swipe or typed input in the dialogue, rather than just following the standard ANSI labeling guidelines, can force people to pay attention to the status messages in warning dialogues.