CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/

Access Control at Home: Attitudes, Needs, Practices

Michelle Mazurek

J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion¹, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea

Lujo Bauer, Lorrie Cranor, Greg Ganger, Mike Reiter²

Carnegie Mellon University, ¹ETH Zürich, ²UNC Chapel Hill

Access Control for Home Data Sharing: Attitudes, Needs and Practices

From the "At Home with Computing" session of CHI2010. Presented by Michelle L. Mazurek. Work done in collaboration with J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion*, Christina Johns, Daniel Jonggyu Lee, Yuan Liang, Jennifer Olsen, Brandon Salmon, Rich Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter^. Carnegie Mellon University, *ETH Zurich, ^UNC Chapel Hill

Access control comes home

[Slide figure; labels: Tax return, The Sopranos, Sesame Street, The Wiggles]

Old approaches aren’t enough

Traditional physical and social boundaries are no longer effective
– We need a way to reconstruct these boundaries in the digital world

Traditional enterprise approaches won’t translate to the home
– Specifying policy is hard, even for experts [MR05]
– No sysadmin in your house

Our goal: A more usable approach

Make it easy for users to specify, view and understand policies

Provide confidence that the system is trustworthy

This talk: As a first step, understand how non-experts think about access control

Outline

Introduction and motivation

Goals and study design

Key findings

Design guidelines

Exploring access control at home

Current practices: digital, paper

Different policy dimensions: person, location, device, presence, time of day

Additional features:
– Logs
– Reactive policy creation

Designing a user study

In-situ interviews
– Non-programmer households
– Interviewed at home
– Together and separately
– Recruited via craigslist, flyers

Semi-structured
– Specific initial questions
– Continue free-form

Question structure

For each dimension, start with specific scenario
– Imagine that [a friend] is in your house when you are not. What kinds of files would you (not) want them to be able to [view, change]?
– Would it be different if you were also in the [house, room]?

Extend to discuss that dimension in general

Rate concern over specific policy violations:
– From 1 = don’t care to 5 = devastating

Data analysis

Initial rough analysis identified areas of interest; fed back into later interviews

Two-phase main coding process
– Example to follow

Results are qualitative

Data analysis -- example

“If I use a work file, I’m very careful not to step away without logging out.”

Code                                      Person   Page
Log out / lock computer when getting up   10A      3

Study demographics

            Households   People
Families    6            16
Couples     5            10
Roommates   4            11
Total       15           37

Ages 8 to 59

Wide range of computer skills, household devices

Outline

Introduction and motivation

Goals and study design

Key findings

Design guidelines

Four key findings

1. People have important data to protect, and the methods they currently use don’t provide enough assurance
2. Policy needs are complicated
3. Permission and control are important
4. Current systems and mental models are misaligned

F1: Current methods are insufficient

“Maybe someone sort of e-mails you a sexy e-mail or something, and I wouldn’t want the kids to see it.” – single mom with teenage sons

Current methods are insufficient

Almost everyone worries sometimes

Many potential breaches rated “devastating”

Several reported actual breaches

Mechanisms vary (often ad-hoc)
– Do nothing, just worry
– Encryption, user accounts (some people)
– Hiding in the file system
– “If I didn’t want everyone to see them, I just had them for a little while and then I just deleted them.”

F2: Policy needs are complex

Fine-grained divisions of people and files

One policy:

[Slide figure; legend labels: shared, mixed, restricted] [Reeder08]

Dimensions beyond person

Presence
– “If you have your mother in the room, you are not going to do anything bad. But if your mom is outside the room you can sneak.”
– Also can provide a chance to explain

Dimensions beyond person

Location
– People in my home are trusted
– Higher level of “lockdown” when elsewhere

Read-only is needed but not sufficient

F3: Permission and control

People want to be asked for permission
– “I’m very willing to be open with people, I think I’d just like the courtesy of someone asking me.”
– Positive response to reactive policy creation

Setting policy doesn’t convey control

“If I’m present, I can say, ‘These are the things that you could see’.”

“I can’t be giving you permission while I sleep because I am sleeping.”

Up-front policy isn’t enough

Last-minute decisions

Review logs and fine-tune:
– “If someone has been looking at something a lot, I am going to be a little suspicious. In general, I would [then] restrict access to that specific file.”

People want to know why as well as who
– “I might be worried about who else was watching.”
– “From my devices they would be able to view it but not save it.”

F4: Mental models ≠ systems

Desktop search finds “hidden” files

Being present isn’t enough
– “If anything were to happen, I’m right there to say, ‘OK, what just happened?’ So I’m not as worried.”
– But violations can be fast or invisible

Outline

Introduction and motivation

Goals and study design

Key findings

Design guidelines

Design guidelines

Allow fine-grained control
– Specification at multiple levels of granularity to support varying needs

Include reactive policy creation
– “Sounds like the best possible scenario.”
– “It would be easy access for them while still allowing me to control what they see.”

More design guidelines

Reduce up-front complexity
– “If I had to sit down and sort everything into what people can view and cannot view, I think that would annoy me. I wouldn’t do that.”
– Reactive policy creation can help

Support iterative policy specification
– View/change effective policy, not just rules
– Human-readable logs

Even more guidelines

Acknowledge social conventions
– Requesting permission (reactive again)
– Plausible deniability: “I don’t want people to feel that I am hiding things from them.”

Account for mental models
– Incorrect analogies to physical systems
– Fit into existing models or guide users to new ones
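A sketch of how the guidelines above fit together in one small policy engine: fine-grained rules over person, presence and location, reactive policy creation when no rule applies, a human-readable log, and a view of effective policy. This is an added example, not code from the talk or from any system built by the authors; the class names, rule fields and the choice to remember the owner's answer as a new rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    person: str
    item: str            # file or collection, e.g. "tax return"
    action: str          # "view" or "change"
    owner_present: bool  # presence dimension
    at_home: bool        # location dimension

@dataclass
class Rule:
    person: str
    item: str
    action: str
    allow: bool
    needs_owner_present: bool = False
    home_only: bool = False

    def matches(self, r: Request) -> bool:
        return ((self.person, self.item, self.action) == (r.person, r.item, r.action)
                and (r.owner_present or not self.needs_owner_present)
                and (r.at_home or not self.home_only))

@dataclass
class HomePolicy:
    ask_owner: Callable[[Request], Optional[bool]]  # None = owner unreachable
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def decide(self, r: Request) -> bool:
        rule = next((x for x in self.rules if x.matches(r)), None)
        if rule is not None:
            allowed, why = rule.allow, "existing rule"
        else:                                  # reactive: ask instead of guessing
            answer = self.ask_owner(r)
            allowed = answer is True           # no answer fails closed
            why = "owner did not answer" if answer is None else "owner was asked"
            if answer is not None:             # assumption: remember the decision
                self.rules.append(Rule(r.person, r.item, r.action, answer))
        verdict = "allowed" if allowed else "denied"
        self.log.append(f"{r.person} tried to {r.action} '{r.item}': {verdict} ({why})")
        return allowed

    def effective(self, person: str, owner_present: bool, at_home: bool) -> dict:
        """What this person can do right now; reversed() lets the first rule win."""
        return {(x.item, x.action): x.allow for x in reversed(self.rules)
                if x.matches(Request(person, x.item, x.action, owner_present, at_home))}
```

An unanswered request is denied but not stored, so the owner can still decide the next time the same person asks.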

Conclusion

Access control for personal data is increasingly important

Ideal policies are complex, multidimensional

People want control
– To be asked permission
– To iteratively fine-tune policy

Systems must account for mental models

CMU Usable Privacy and Security Laboratory

http://cups.cs.cmu.edu/

Thank you

References

[BCR08] L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. In CHI ’08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, 2008.

[BGR05] L. Bauer, S. Garriss, and M. K. Reiter. Distributed proving in access-control systems. In Proceedings of the 2005 IEEE Symposium on Security & Privacy, 2005.

[BB07] K. Beznosov and O. Beznosova. On the imbalance of the security problem space and its expected consequences. In Information Management & Computer Security, 15:420–431, 2007.

[BI07] A. Brush and K. Inkpen. Yours, mine and ours? Sharing and use of technology in domestic environments. In Ubicomp, 2007.

[GBG07] R. Geambasu, M. Balazinska, S.D. Gribble, and H.M. Levy. HomeViews: Peer-to-peer middleware for personal data sharing applications. In Proceedings of SIGMOD International Conference on Management of Data, 2007.

[KBS09] A. K. Karlson, A. B. Brush, and S. Schechter. Can I borrow your phone? Understanding concerns when sharing mobile phones. In CHI ’09: Proceedings of the 27th international conference on Human factors in computing systems, 2009.

[LSB09] L. Little, E. Sillence, and P. Briggs. Ubiquitous systems and the family: thoughts about the networked home. In SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security, 2009.

[MR05] R. A. Maxion and R. W. Reeder. Improving user-interface dependability through mitigation of human error. In Int. J. Hum.-Comput. Stud., 2005.

[MAB09] M. L. Mazurek, J. P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L. F. Cranor, G. R. Ganger, and M. K. Reiter. Access control for home data sharing: attitudes, needs and practices. Technical Report CMU-Cylab-09-013, CyLab, Carnegie Mellon University, October 2009.

[OGH05] J. S. Olson, J. Grudin, and E. Horvitz. A study of preferences for sharing and privacy. In CHI ’05: CHI ’05 extended abstracts on Human factors in computing systems, 2005.

[RRT08] V. Ramasubramanian, T. Rodeheffer, D.B. Terry, M. Walraed-Sullivan, T. Wobber, C. Marshall, and A. Vahdat. Cimbiosys: A platform for content-based partial replication. Technical Report MSR-TR-2008-116, Microsoft Research, August 2008.

[RI06] M.N. Razavi and L. Iverson. A grounded theory of information sharing behavior in a personal learning space. In CSCW ’06: Proceedings of the 2006 20th anniversary conference on Computer supported cooperative work, 2006.

[RBC08] R.W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. In Proceedings of ACM SIGCHI Conference on Human Factors in Computing Systems (CHI ’08), 2008.

[SSCG09] B. Salmon, S.W. Schlosser, L.F. Cranor, and G.R. Ganger. Perspective: Semantic data management for the home. In Proceedings of 7th USENIX Conference on File and Storage Technologies (FAST ’09), 2009.

[VEN06] S. Voida, W.K. Edwards, M.W. Newman, R.E. Grinter, and N. Ducheneaut. Share and share alike: exploring the user interface affordances of file sharing. In CHI ’06: Proceedings of the SIGCHI conference on Human Factors in computing systems, 2006.