Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make security and privacy decisions. In particular, users often make security and privacy decisions that they are unsure about, that are based on misunderstandings of reality, or that do not reflect their preferences. Prior work suggests that a major cause of these problems is that users do not have the necessary contextual information about themselves and about greater ecosystems to make decisions.
To better support users' decisions, I propose building just-in-time data about a user's own behaviors and situations into security and privacy interfaces. When considered relative to data about greater ecosystems, a single user's own data can help the user make decisions that are objectively more secure or private, that he or she feels more confident about, that reflect a greater awareness of risks, and that better match the user's preferences.
I will examine this premise through one security case study and two privacy case studies. First, I will test the effectiveness of giving users feedback on precisely what they are doing wrong in creating a password. This approach leverages data I have collected through detailed analyses of both the semantic structure and guessability of large data sets of passwords, in addition to my studies of password-strength meters. Second, to counteract users' privacy misunderstandings related to online tracking and help them make privacy decisions that better match their preferences, I will examine the impact of visualizing different abstractions of how a user's own web browsing has been tracked. These visualizations rely on "tracking the trackers," but also build on my qualitative understanding of how users perceive privacy tradeoffs in the context of online behavioral advertising. Third, I will provide average consumers an interactive database that merges data I have collected about over 6,000 U.S. financial institutions' privacy practices with data about those institutions' branch locations. Using this interactive database, I will test whether surfacing this large-scale, comparative privacy information impacts users' willingness to consider switching banks, as well as how a willingness to find a more privacy-protective bank interacts with the logistical barriers of actually switching.
Lorrie Faith Cranor (Chair)
Alessandro Acquisti (Heinz)
Lujo Bauer (ECE/CyLab)
Jason Hong (HCII)
Michael Reiter (University of North Carolina at Chapel Hill)