SOUPS 2024 Poster Session

This study examines the utilization of IoT-enabled and AI-enabled smart tools enabled in academic settings and evaluates the privacy concerns of students, faculty, and staff towards these technologies. Through a comprehensive survey with 22 college students, faculties, and staff memebers, the research identifies significant usage patterns and preferences, revealing that learning management systems are most commonly used, followed by online assessment platforms and personalized learning apps. The study highlights a general comfort with privacy measures, though notable differences exist between faculty and students, with faculty expressing greater concerns, especially with the integration of AI technologies. By comparing attitudes in scenarios with and without AI integration, the findings suggest that while all users value robust privacy protections, specific concerns vary significantly between different academic roles. The study's insights into privacy perceptions and technological acceptance contribute to the discourse on digital ethics and are essential for developing policies that balance technological benefits with privacy protections.

In the face of growing concerns about online privacy and security, this research delves into the perceptions versus the realities of the Tor network's privacy and security features, as experienced by its users. Through an online survey hosted on an onion site (making it accessible only to Tor users), we seek to uncover the nuances of how users engage with Tor, their understanding of its privacy protections, and their general awareness of online security principles. This exploration not only aims to bridge the knowledge gap regarding user expectations and the technical functionalities of Tor but also to shed light on potential areas for improvement in user education regarding Tor. The insights gained from this study are intended to contribute to the enhancement of Tor's utility as a tool for privacy and security, fostering a more informed and empowered user community.

The profile lock feature on Facebook, which provides the users with the opportunity to restrict their contents on the platform in an efficient way, is a region-specific, optional feature that is available only in a few countries, mostly in the Global South. In this work, we conducted semi-structured interviews with 21 users from Bangladesh to understand their motivations, opinions, and practices regarding activating the profile lock feature on Facebook. We found that this feature gives our participants an inflated sense of security and protection, and their adoption decision is entangled with religious and cultural arguments. While prior negative experiences motivate them to lock their profile, they also utilize this feature to develop a nuanced mechanism for managing multiple social media platforms. This work generates novel insights regarding the privacy protection mechanisms of an understudied population in the Global South.

Publishing de-identified research data is beneficial for transparency and the advancement of knowledge, but it creates the risk that research subjects could be re-identified, exposing private information. De-identifying data is difficult, with evolving techniques and mixed incentives. We conducted a thematic analysis of 38 recent online de-identification guides, characterizing the content of these guides and identifying concerning patterns, including inconsistent definitions of key terms, gaps in coverage of threats, and areas for improvement in usability. We also interviewed 26 researchers with experience de-identifying and reviewing data for publication, analyzing how and why most of these researchers may fall short of protecting against state-of-the-art re-identification attacks.

Threat modeling is a process which can be used to understand potential attacks or adversaries and is essential for holistic risk modeling. As privacy moves from a compliance to a risk-based orientation, threat-informed defense will be crucial for organizations' privacy management as it has already become for their cybersecurity management. Yet, privacy lacks a shared threat language and commonly used threat model. This paper describes one effort to address this gap, the development of the Pattern and Action Nomenclature Of Privacy Threats In Context (PANOPTIC\texttrademark). The model’s scope is broader than a cybersecurity threat model by necessity, including both actions and inactions, benign as well as malicious intent, and recognizes the system of concern as a potential threat agent in addition to adversaries outside the system itself. This paper defines a privacy attack – the foundation of the PANOPTIC Privacy Threat Model – and describes the model itself; how it was developed; use cases for the model, such as privacy threat assessments, privacy risk modeling, and privacy red teaming; and future work expanding and enhancing the model.

UsersFirst is a privacy threat modeling framework under development at Carnegie Mellon University (CMU) designed to help identify and mitigate user-oriented privacy threats associated with N & C interfaces. In this poster, we report on the first user study designed to evaluate the usefulness of an initial version of the privacy N & C threat taxonomy that is part of UsersFirst and evaluated its efficacy as compared to an existing taxonomy (LINDDUN PRO’s unawareness threat category). This initial version of the UsersFirst Taxonomy is organized around three major categories of threats (delivery, language & content, and presentation & design) and comprises a total of 27 different threat types. We selected privacy N & C interfaces from a well-known e-commerce platform and conducted semi-structured in-person interview sessions with 14 participants who had prior privacy experience. We found that privacy practitioners who use the UsersFirst Taxonomy were able to identify more user-oriented threats associated with privacy N & C than they identify without the use of a taxonomy, and that all UsersFirst Taxonomy users identify more threats than LINDDUN PRO users. Participants assigned to use the UsersFirst Taxonomy also commented it was easy to use and helped them better organize their thoughts during threat identification.

Cybersecurity clinics, inspired by long-standing university clinics in fields like law and medicine, provide essential cybersecurity services to at-risk groups such as municipal governments and LGBTQ+ support organizations. These clinics aim to bridge this gap in cybersecurity expertise, which is often inaccessible to these groups. However, organizing and running these clinics can be challenging both technically and socially, as clinics have to balance student access to provide services with clinic privacy and autonomy, while also ensuring students are given practical learning experiences and clients are served in a way that respectful and empowering.

In this paper we present the results of initial interviews with clinic stakeholder groups (i.e., clinic leadership, clients, and student clinicians) from a single institution, the Tufts University Cybersecurity Clinic. In these interviews, we investigate each clinic experience and perceptions, as well as their relationships with other stakeholder groups. We apply a critical service learning lens when developing the interview and analyzing results. We found that while clients recognize their need for cybersecurity, logistical challenges, rather than technical ones, often limit the clinics' effectiveness. We also found that the concepts of critical service learning, though emphasized in the clinic's mission, are not always fully instilled in students in practice. This study's findings aim to inform the development of future cybersecurity clinics, ensuring they address both immediate cybersecurity needs and broader social justice issues.

The use of AI assistants in various industries has increased in recent years with the development of tools such as ChatGPT and CoPilot. According to a 2023 Stack Overflow Developer Survey, approximately 70% of professional developers are using or planning to use AI tools within their development processes, highlighting the widespread adoption of these technologies in coding. While this productivity is good, it has been demonstrated that these LLMs often generate insecure code. We aimed to look at how developers view these security issues and their practices in using AI assistants in coding.

To do this we reviewed posts and comments on relevant computer science subreddits and qualitatively coded the results. Overall the relevant discussion fell into two larger categories: about using AI to write code and opinions on using AI assistants for coding related tasks. The most common response we found was that participants used, or wanted to use, these assistants to write code for their projects. While there were not many posts or comments related to the security of code there was a large volume of responses that mentioned AI assistance often generating bad code in response to people using these assistants to write code. We believe the widespread adoption of AI by developers emphasizes its role as an assistant rather than a primary tool. In addition individuals' skepticism towards AI-generated code potentially produces a benefit, when compared to other developer support services, such as Stack Overflow, which prior work has shown developers often are not skeptical of and simply copy/paste insecure code.

Since their release, AirTags have been misused for stalking and other malicious purposes. Their small size, affordability, availability, and precise tracking functionality facilitate the invasion of peoples' privacy. To combat misuse, Apple implemented multiple anti-stalking features that inform potential victims and help them find and disable the location tracker. One of the primary anti-stalking features is unwanted tracking alerts. These smartphone notifications alert users that they have been followed by an AirTag or other Find-My device for some time.

This preliminary work evaluates the reliability of unwanted tracking alerts across platforms. We performed an experiment with N=50 employees at our institution. We found that tracking alerts are very reliable on iOS devices and not as reliable on Android devices, indicating a different implementation of unwanted tracking alerts or hardware limitations.

Trusted Execution Environments (TEEs) are isolated environments for executing code that guarantee the authenticity of the executed code, the integrity of the runtime states, and the confidentiality of its code and data. Previous work investigates how the presence of TEEs affects privacy norms for smart home technology, especially when people understand what a TEE is. While TEEs can fill an important gap in system security, without clear and accessible explanations of TEEs and what guarantees they offer, they may do little to address users' perception of safety.

In this work-in-progress study, we investigate potential TEE explanations to enhance both understanding of the capabilities that a TEE does (and does not) have and trust in TEE-enhanced technologies in the context of specific scenarios.

In organizations, poorly designed security policies and non-usable security mechanisms can cause security friction that leads to a drop in productivity among employees. This friction can occur through different mechanisms, such as losing concentration, frustration, stress, or unwillingness to innovate. We conducted an online survey case study with n=182 employees at a German automotive supplier's site to understand how employees perceive friction. Here, we provide the survey and derive learnings, e.g., that employees can spot different forms of friction and that open-ended questions are suitable to uncover root causes for it.

Cyber security is an increasingly important topic for private citizens. While organisations could provide a supportive environment for secure behaviour, private citizens lack this support. One promising and scaleable method to change behaviour is persuasive technology.

This poster presents a Master's thesis investigating whether smartphone-based behaviour change can be applied to personal cyber security. Therefore, a persuasive app interface was designed after analysing the context of usage. This interface was presented to (n=73) participants via an online survey to assess persuasiveness factors and usage intention.

Participants perceived the app as persuasive and effective in supporting them with security related behaviour, which in turn increased intention to use. Moreover, social comparison led to social pressure and a decrease of intention to use. Persuasive technology seems to be a promising direction for behaviour change in cyber security.

Users often lack awareness of potential security risks on their smartphones and the protective security mechanisms available for securing their devices and information. One way of raising awareness in users is through the use of notifications and nudges. To that end, we designed two notifications for antivirus software, encouraging users to install antivirus software on another platform, namely a smartphone. We first developed the designs through feedback from a semi-structured interview conducted with 12 participants, then further evaluated the designs through a user study with 36 participants. Our preliminary results indicate that notifications on one device, such as a laptop, may be effective in raising awareness of security tools on other device platforms. Our results also highlight the motivators influencing adoption of antivirus software on another device platform and design guidelines for user attention to and implementation of notifications suggesting security behaviors.

This study examines user perceptions of mobile applications (apps) versus web browsers for accessing online services, with an emphasis on security, privacy, and usability aspects. Through a combination of an experiment and a survey with Android smartphone users, the research seeks to identify the key concerns and preferences that influence their choice between mobile apps and web browsers. The findings will offer valuable insights for developers to improve the security, privacy and usability of both platforms by addressing user concerns and misconceptions.

In today’s data-driven economy, the rapid adoption of AI amplifies our dependence on personal data across complex dataflows. In response, emerging data privacy regulations demand usable privacy notice and choice mechanisms, in addition to more stringent data collection and usage practices. Organizations seek guidance to systematically identify and mitigate privacy risks, as penalties for non-compliance have intensified. Privacy threat modeling frameworks like LINDDUN, NIST Privacy Framework, and MITRE’s PANOPTIC framework offer structured methodologies for analyzing and addressing privacy risks, but these frameworks only provide limited guidance on effective privacy notices and choices. This poster introduces UsersFirst, a user-centric framework designed to supplement existing frameworks by helping organizations enhance their privacy notices and choices. UsersFirst emphasizes the need for notices and choices to be noticeable, usable, unambiguous, and free from deceptive designs, reflecting emerging trends in privacy regulations. This framework provides a systematic methodology for identifying and mitigating potential threats, enabling organizations to determine their acceptable risk thresholds and objectives.

According to the World Health Organization, over 466 million people worldwide suffer from disabling hearing loss, with approximately 34 million of these being children. Hearing aids (HA) and cochlear implants (CI) have become indispensable tools for restoring hearing and enhancing the quality of life for individuals with hearing impairments. Clinical research and consumer studies indicate that users of HAs and CIs report significant improvements in their daily lives, including enhanced communication abilities and social engagement and reduced psychological stress. Modern auditory prosthetic devices are more advanced and interconnected with digital networks to add functionality, such as streaming audio directly from smartphones and other devices, remote adjustments by audiologists, integration with smart home systems, and access to artificial intelligence driven sound enhancement features. With this interconnectivity, issues surrounding data privacy and security have become increasingly pertinent. There is limited research on the usability perceptions of current HA and CI models from the perspective of end-users. In addition, no studies have investigated consumer mental models during the purchasing process, particularly which factors they prioritize when selecting a device. We developed a survey on the Research Electronic Data Capture (REDCap) platform. We assessed participants’ satisfaction levels with various features of their auditory prosthesis. 44% of participants reported complete satisfaction with performance, while 48% expressed complete dissatisfaction with flexibility. Comparable to satisfaction levels, 48% of participants considered performance to be the most important factor when making a purchase decision. Reliability (52%), durability (48%) and usability (22%) were the next highly ranked factors. Interestingly, price (30%) and recommendations from healthcare professionals (22%) were ranked the least important factors by most participants, while privacy, security, and customer support garnered mostly neutral sentiments. Most participants (23 out of 27) were found to be uninformed about privacy and security practices (such as password usage and data privacy) associated with the devices. When queried on strategies that could be adopted to enhance user awareness and education on privacy and security issues related to their devices, the most common responses were receiving regular email updates from manufacturers (18/27) and enhanced data security features in their devices (16/27).

We have developed an automated approach for gaining criminal insights with digital evidence networks. This thrust will harness Large Language Models (LLMs) to learn patterns and relationships within forensic artifacts, automatically constructing Forensic Intelligence Graphs (FIGs). These FIGs will graphically represent evidence entities and their interrelations as extracted from mobile devices, while also providing an intelligence-driven approach to the analysis of forensic data. Our preliminary empirical study indicates that the LLM-reconstructed FIG can reveal all suspects' scenarios, achieving 91.67% coverage of evidence entities and 93.75% coverage of evidence relationships for a given Android device.

Generative AI has burgeoned in the past few years, leading to highly interactive and human-like chatbots. Trained on billions of parameters and a vast corpus spanning gigabytes of the public Internet, tools like ChatGPT, Copilot, and Bard (which we refer to as generative AI chatbots) write code, draft emails, provide mental health counseling, teach us about the world, and act as mentors to help people advance their careers.

On the other hand, many communities have expressed reservations about widespread usage of such technology. Artists and writers are concerned about loss of their intellectual property rights and the potential for their work to be plagiarized. Educators are concerned about the potential for students to cheat on assignments, for bias in automated grading platforms, and for the chatbots to provide incorrect information. Medical professionals are concerned about the potential for chatbots to misdiagnose patients, and for patients to rely on inappropriate advice [9]. There is fear of the unknown, justified concerns about the potential for misuse, and worry about societal harm. As with other revolutionary advancements in society, there is pressure to adopt these tools to keep up with technology and remain competitive. Before we can bridge this gap, we must understand the status quo.

Students are likely to be early adopters of new technology. By examining their initial experiences, we can gain insights into concerns faced by young adults about to enter an AI-integrated workplace. We perform an online survey of 86 students, faculty, and staff at our university, focused on security and privacy concerns affecting chatbot use. We found that participants are well aware of the risks of data harvesting and inaccurate responses, and remain cautious in their use of AI in sensitive contexts, which we unpack in later sections.

Research Question
What security and privacy concerns do students at a large public US university have with adopting generative AI, and how can we overcome them?

Cloud security and privacy awareness are crucial for safeguarding information stored in the cloud. Despite their operational proficiency with cloud technologies, the Bangladeshi cloud technology workforce demonstrates gaps in understanding the cloud security associated with inadequate knowledge. This study surveyed 24 members of this workforce to assess their perceptions and knowledge concerning cloud privacy and security. Our findings reveal a fundamental lack of understanding, particularly regarding privacy implementation, security tools, design considerations, and the shared responsibility of securing information. These knowledge gaps may potentially expose vulnerabilities and compromise data integrity in the future. This research contributes significant insights into cloud privacy and security among technology professionals in the Global South, an area that remains relatively understudied.