Access Control for Home Data Sharing: Attitudes, Needs and Practices


From the "At Home with Computing" session of CHI2010.

Presented by Michelle L. Mazurek.
Work done in collaboration with J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion*, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter^.

Carnegie Mellon University, *ETH Zurich, ^UNC Chapel Hill

Slide notes
  • Presence = most; location = many. Device and time of day not as popular.
  • Violations can happen too fast to prevent. Can’t necessarily monitor across the room.

    1. Access Control at Home: Attitudes, Needs, Practices
       Michelle Mazurek
       J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion¹, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Greg Ganger, Mike Reiter²
       Carnegie Mellon University, ¹ETH Zürich, ²UNC Chapel Hill
    2. Access control comes home (figure: household files such as a tax return, The Sopranos, Sesame Street and The Wiggles spread across the home)
    3. Old approaches aren’t enough
       • Traditional physical and social boundaries are no longer effective
           • We need a way to reconstruct these boundaries in the digital world
       • Traditional enterprise approaches won’t translate to the home
           • Specifying policy is hard, even for experts [MR05]
           • No sysadmin in your house
    4. Our goal: A more usable approach
       • Make it easy for users to specify, view and understand policies
       • Provide confidence that the system is trustworthy
       • This talk: As a first step, understand how non-experts think about access control
    5. Outline
       • Introduction and motivation
       • Goals and study design
       • Key findings
       • Design guidelines
    6. Exploring access control at home
       • Current practices: digital, paper
       • Different policy dimensions: person, location, device, presence, time of day
       • Additional features:
           • Logs
           • Reactive policy creation
    7. Designing a user study
       • In-situ interviews
           • Non-programmer households
           • Interviewed at home
           • Together and separately
           • Recruited via craigslist, flyers
       • Semi-structured
           • Specific initial questions
           • Continue free-form
    8. Question structure
       • For each dimension, start with a specific scenario
           • Imagine that [a friend] is in your house when you are not. What kinds of files would you (not) want them to be able to [view, change]?
           • Would it be different if you were also in the [house, room]?
       • Extend to discuss that dimension in general
       • Rate concern over specific policy violations:
           • From 1 = don’t care to 5 = devastating
    9. Data analysis
       • Initial rough analysis identified areas of interest; fed back into later interviews
       • Two-phase main coding process
           • Example to follow
       • Results are qualitative
    10. Data analysis: example
        “If I use a work file, I’m very careful not to step away without logging out.”

        Code                                      Person   Page
        Log out / lock computer when getting up   10A      3
    11. Study demographics
        • Ages 8 to 59
        • Wide range of computer skills, household devices

                     Households   People
        Families      6            16
        Couples       5            10
        Roommates     4            11
        Total        15            37
    12. Outline
        • Introduction and motivation
        • Goals and study design
        • Key findings
        • Design guidelines
    13. Four key findings
        • People have important data to protect, and the methods they currently use don’t provide enough assurance
        • Policy needs are complicated
        • Permission and control are important
        • Current systems and mental models are misaligned
    14. F1: Current methods are insufficient
        • “Maybe someone sort of e-mails you a sexy e-mail or something, and I wouldn’t want the kids to see it.” – single mom with teenage sons
    15. Current methods are insufficient
        • Almost everyone worries sometimes
        • Many potential breaches rated “devastating”
        • Several reported actual breaches
        • Mechanisms vary (often ad hoc)
            • Do nothing, just worry
            • Encryption, user accounts (some people)
            • Hiding in the file system
            • “If I didn’t want everyone to see them, I just had them for a little while and then I just deleted them.”
    16. F2: Policy needs are complex
        • Fine-grained divisions of people and files
        • One policy: (figure: one participant’s policy shown as a grid after [Reeder08]; cells are shared, mixed or restricted)
    17. Dimensions beyond person
        • Presence
            • “If you have your mother in the room, you are not going to do anything bad. But if your mom is outside the room you can sneak.”
            • Also can provide a chance to explain
    18. Dimensions beyond person
        • Location
            • People in my home are trusted
            • Higher level of “lockdown” when elsewhere
        • Read-only is needed but not sufficient
    19. F3: Permission and control
        • People want to be asked for permission
            • “I’m very willing to be open with people, I think I’d just like the courtesy of someone asking me.”
            • Positive response to reactive policy creation
    20. Setting policy doesn’t convey control
        • “If I’m present, I can say, ‘These are the things that you could see’.”
        • “I can’t be giving you permission while I sleep because I am sleeping.”
    21. Up-front policy isn’t enough
        • Last-minute decisions
        • Review logs and fine-tune:
            • “If someone has been looking at something a lot, I am going to be a little suspicious. In general, I would [then] restrict access to that specific file.”
        • People want to know why as well as who
            • “I might be worried about who else was watching.”
            • “From my devices they would be able to view it but not save it.”
    22. F4: Mental models ≠ systems
        • Desktop search finds “hidden” files
        • Being present isn’t enough
            • “If anything were to happen, I’m right there to say, ‘OK, what just happened?’ So I’m not as worried.”
            • But violations can be fast or invisible
    23. Outline
        • Introduction and motivation
        • Goals and study design
        • Key findings
        • Design guidelines
    24. Design guidelines
        • Allow fine-grained control
            • Specification at multiple levels of granularity to support varying needs
        • Include reactive policy creation
            • “Sounds like the best possible scenario.”
            • “It would be easy access for them while still allowing me to control what they see.”
    25. More design guidelines
        • Reduce up-front complexity
            • “If I had to sit down and sort everything into what people can view and cannot view, I think that would annoy me. I wouldn’t do that.”
            • Reactive policy creation can help
        • Support iterative policy specification
            • View/change effective policy, not just rules
            • Human-readable logs
    26. Even more guidelines
        • Acknowledge social conventions
            • Requesting permission (reactive again)
            • Plausible deniability: “I don’t want people to feel that I am hiding things from them.”
        • Account for mental models
            • Incorrect analogies to physical systems
            • Fit into existing models or guide users to new ones
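As an added example, not code from the talk or its authors, the design guidelines above in a toy form: rules over the study's policy dimensions (person, location, presence, time of day) for view and change actions, a first-match evaluator that answers "ask" when no rule applies so the owner can be consulted (reactive policy creation) and whose answer is recorded as a new rule (iterative specification), and a human-readable log for later review. The data model, the people ("kids", "partner"), the files and all rules are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Request:
    person: str
    file: str
    action: str          # "view" or "change": read-only was needed but not sufficient
    location: str        # "home" or "away": where the requester is
    owner_present: bool  # is the data owner in the room?
    hour: int            # local hour of day, 0-23

@dataclass
class Rule:
    decision: str                          # "allow" or "deny"
    people: set                            # "*" matches anyone
    files: set                             # "*" matches any file
    actions: set
    locations: Optional[set] = None        # None: any location
    needs_presence: Optional[bool] = None  # None: regardless of presence
    hours: Optional[range] = None          # None: any time of day

    def matches(self, r: Request) -> bool:
        return bool(self.people & {r.person, "*"} and self.files & {r.file, "*"}
                    and r.action in self.actions
                    and (self.locations is None or r.location in self.locations)
                    and (self.needs_presence is None or r.owner_present == self.needs_presence)
                    and (self.hours is None or r.hour in self.hours))

class HomePolicy:
    def __init__(self, rules):
        self.rules, self.log = list(rules), []  # first matching rule wins; log is for later review

    def decide(self, r: Request) -> str:  # "allow", "deny", or "ask" when no rule matches
        hit = next((i for i, rule in enumerate(self.rules) if rule.matches(r)), None)
        outcome = self.rules[hit].decision if hit is not None else "ask"
        why = f"rule {hit}" if hit is not None else "no matching rule, owner is asked"
        self.log.append(f"{r.hour:02d}:00 {r.person} tried to {r.action} '{r.file}' "
                        f"({r.location}, owner {'present' if r.owner_present else 'absent'}): {outcome} ({why})")
        return outcome

    def answer(self, r: Request, decision: str) -> None:  # reactive policy creation
        self.rules.insert(0, Rule(decision, {r.person}, {r.file}, {r.action}))

def demo_policy() -> HomePolicy:  # constructed sample rules echoing the talk's examples
    return HomePolicy([
        Rule("deny", {"*"}, {"Tax return"}, {"view", "change"}, locations={"away"}),
        Rule("allow", {"partner"}, {"*"}, {"view", "change"}),
        Rule("allow", {"kids"}, {"Sesame Street", "The Wiggles"}, {"view"}),
        Rule("allow", {"kids"}, {"The Sopranos"}, {"view"}, needs_presence=True, hours=range(20, 23)),
    ])
```

The deny rule is listed first, so the tax return is locked down whenever the requester is away from home, even for the partner who may otherwise change anything; the log records the rule behind each decision so the owner can see who, what and why, and tighten a rule after the fact.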
    27. Conclusion
        • Access control for personal data is increasingly important
        • Ideal policies are complex, multidimensional
        • People want control
            • To be asked permission
            • To iteratively fine-tune policy
        • Systems must account for mental models
    28. References
        • [BCR08] L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. In CHI ’08: Proceedings of the 26th Annual SIGCHI Conference on Human Factors in Computing Systems, 2008.
        • [BGR05] L. Bauer, S. Garriss, and M.K. Reiter. Distributed proving in access-control systems. In Proceedings of the 2005 IEEE Symposium on Security & Privacy, 2005.
        • [BB07] K. Beznosov and O. Beznosova. On the imbalance of the security problem space and its expected consequences. Information Management & Computer Security, 15:420–431, 2007.
        • [BI07] A. Brush and K. Inkpen. Yours, mine and ours? Sharing and use of technology in domestic environments. In Ubicomp, 2007.
        • [GBG07] R. Geambasu, M. Balazinska, S.D. Gribble, and H.M. Levy. HomeViews: Peer-to-peer middleware for personal data sharing applications. In Proceedings of the SIGMOD International Conference on Management of Data, 2007.
    29. References (II)
        • [KBS09] A.K. Karlson, A.B. Brush, and S. Schechter. Can I borrow your phone? Understanding concerns when sharing mobile phones. In CHI ’09: Proceedings of the 27th International Conference on Human Factors in Computing Systems, 2009.
        • [LSB09] L. Little, E. Sillence, and P. Briggs. Ubiquitous systems and the family: thoughts about the networked home. In SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security, 2009.
        • [MR05] R.A. Maxion and R.W. Reeder. Improving user-interface dependability through mitigation of human error. Int. J. Hum.-Comput. Stud., 2005.
        • [MAB09] M.L. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access control for home data sharing: attitudes, needs and practices. Technical Report CMU-CyLab-09-013, CyLab, Carnegie Mellon University, October 2009.
    30. References (III)
        • [OGH05] J.S. Olson, J. Grudin, and E. Horvitz. A study of preferences for sharing and privacy. In CHI ’05 Extended Abstracts on Human Factors in Computing Systems, 2005.
        • [RRT08] V. Ramasubramanian, T. Rodeheffer, D.B. Terry, M. Walraed-Sullivan, T. Wobber, C. Marshall, and A. Vahdat. Cimbiosys: A platform for content-based partial replication. Technical Report MSR-TR-2008-116, Microsoft Research, August 2008.
        • [RI06] M.N. Razavi and L. Iverson. A grounded theory of information sharing behavior in a personal learning space. In CSCW ’06: Proceedings of the 2006 20th Anniversary Conference on Computer Supported Cooperative Work, 2006.
        • [RBC08] R.W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for visualizing and authoring computer security policies. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI ’08), 2008.
    31. References (IV)
        • [SSCG09] B. Salmon, S.W. Schlosser, L.F. Cranor, and G.R. Ganger. Perspective: Semantic data management for the home. In Proceedings of the 7th USENIX Conference on File and Storage Technologies (FAST ’09), 2009.
        • [VEN06] S. Voida, W.K. Edwards, M.W. Newman, R.E. Grinter, and N. Ducheneaut. Share and share alike: exploring the user interface affordances of file sharing. In CHI ’06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006.