Several studies ranked security and privacy to be major areas of concern and impediments to cloud adoption for companies, but none have looked into end-users’ attitudes and practices. Not much is known about consumers’ privacy beliefs and expectations for cloud storage, such as webmail, document and photo sharing platforms, or about users’ awareness of contractual terms and conditions. We conducted 36 in-depth interviews in Switzerland and India (two countries with different privacy perceptions and expectations) and followed up with an online survey with 402 participants in both countries. We study users’ privacy attitudes and beliefs regarding their use of cloud storage systems. Our results show that privacy requirements for consumer cloud storage differ from those of companies. Users are less concerned about some issues, such as guaranteed deletion of data, country of storage and storage outsourcing, but are uncertain about using cloud storage. Our results further show that end-users consider the Internet intrinsically insecure and prefer local storage for sensitive data over cloud storage. However, users desire better security and are ready to pay for services that provide strong privacy guarantees. Participants had misconceptions about the rights and guarantees their cloud storage provider offers. For example, users believed that their provider is liable in case of data loss, does not have the right to view and modify user data, and cannot disable user accounts. Finally, our results show that cultural differences greatly influence user attitudes and beliefs, such as their willingness to store sensitive data in the cloud and their acceptance that law enforcement agencies monitor user accounts. We believe that these observations can help in improving users’ privacy in cloud storage systems.
Home is Safer than the Cloud! Privacy Concerns for Consumer Cloud Storage
Iulia Ion, Niharika Sachdeva, Ponnurangam Kumaraguru, Srdjan Capkun
Cloud Storage
Wednesday 4 December 13 2 SOUPS 2011
[Figure labels: (Foreign) Governments; Hacker; Data Owner; Friend; Internet Service Provider; Legal Courts; Law Enforcement; Third-Party Storage Provider]
“GOOGLE […] SHALL NOT BE LIABLE TO YOU FOR […] ANY LOSS OR DAMAGE”
“Dropbox may sell […] your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.”
“Google reserves the right […] to pre-screen, review, flag, filter, modify, […] any Content”
Related Work
§ Enterprise studies: security and privacy are top concerns in cloud adoption [1]
§ No study looked into end-users’ practices and concerns
§ Most previous privacy studies focused on US
§ Known issue: users don’t read the privacy policies
[1] E. Schindler. Cloud development survey. Evans Data Corporation, Strategic Reports, July 2010. http://www.evansdata.com/reports/viewRelease.php?reportID=27.
Our Contributions
§ Conducted interviews in India and Switzerland and an online survey
§ Showed that:
  § Users trust local storage more than the cloud
  § Users assume higher protection than actual
  § Cultural differences influence cloud privacy attitudes
Cultural Differences
Switzerland / India
§ Individualistic vs. collectivist society
§ Right to privacy guaranteed/not guaranteed by constitution
§ People accept that power is distributed equally/unequally
Agenda
§ Study setup/ Methodology
  § Interview studies
  § Online questionnaires
§ Results
  § Current practices
  § Perceived privacy
  § Terms of service
§ Conclusions
Methodology
I. INTERVIEWS
§ Delhi: 20
§ Zurich: 16
II. ONLINE SURVEY
§ Participants: Swiss 132, Indians 190, All 402
§ Multiple choice
§ Likert scale
1. Current practices
2. Privacy perceptions
3. Rights & guarantees
Mann-Whitney test
Fisher’s exact test
Results
§ Current practices
§ Perceived privacy
§ Awareness of terms and conditions
Current Practices
§ The cloud is my folder
§ Email accounts are subfolders: private, official, spam
§ With further folders…
Survey: Data Storage and Internet Attitudes
[Chart: Percentage of Participants (0% to 60%) answering Strongly Agree, Somewhat Agree, Somewhat Disagree or Strongly Disagree for: I keep local backups; No sensitive online; Own fault if hacked; No consumer protection]
Survey statements:
§ I try to keep local backups of every important document I store on the Internet.
§ I try not to store important, sensitive documents on the Internet, and instead keep them offline, on my personal computers.
§ If people put their private data on the Internet and it gets hacked, it is their own fault. They should know that nothing is really safe on the Internet.
§ There is no such thing as consumer protection service or police on the Internet whom I could turn to, if I felt that my rights were violated.
Perceived Privacy
§ “Nothing on the Internet is safe”
§ Anybody can see my data if they want to:
  § Hackers
  § Employees
  § Governments
§ But I am not interesting to them
  § “I am not criminal”
  § “I am not Obama”
Survey: My data is safer…
§ On my computer:
  § I look after my computer myself
  § I can go offline
§ In the cloud:
  § My computer might crash
[Chart: Percentage of participants (0% to 80%), Swiss and Indians, for: On my computer; In the cloud]
Users would pay for better privacy in the cloud
“Dropbox may sell, transfer or otherwise share some or all of its assets, including your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.”
Results
§ Current practices
§ Perceived privacy
§ Terms and conditions
Results
§ Privacy concerns for users differ from those of companies
§ Users are less concerned with:
  § Country of storage
  § Storage outsourcing
  § Guaranteed deletion of data
§ Users have misconceptions about the cloud architecture
  § The cloud/Internet is everywhere
  § “Why would they keep a backup?”
Survey: Does your webmail provider have the right to disable your account?
[Chart: Percentage of participants (0% to 50%), Swiss and Indians, for the answers: Yes; Only with advanced notice & reason; Only if used for criminal purposes; No; I don't know]
Full answer options:
§ Yes, at any time, without advanced notice and without explanation.
§ Yes, but only with advanced notice and a valid reason.
§ Only if I am using it for criminal purposes.
§ No.
Survey: Does your webmail provider have the right to see or modify your email attachments?
[Chart: Percentage of participants (0% to 50%), Swiss and Indians, for the answers: No; Can see, but not modify; Only in criminal cases; Yes; I don't know]
Full answer options:
§ They don't have the right to look at nor modify any of my documents.
§ They can see them, but not modify them, because these are my documents and they belong to me, even if I store them there.
§ They have the right to see and modify my documents only in criminal or terrorist cases.
§ They have the right to see and modify any of the documents I store.
Survey: If your webmail provider lost some of your data, what would your rights be?
[Chart: Percentage of participants (0% to 50%), Swiss and Indians, for the answers: Pay me for damages; Pay me if not a free service; I have no rights; Don't care; I don't know]
Full answer options:
§ They should pay me for the damages, regardless whether it was a paid for or free service. We had a contract.
§ If it is a free service, I have no rights, but if I paid for it, they would have to pay me for the damages.
§ I have no rights even if it is a paid-for service. There are no guarantees.
§ My data is lost anyway. I wouldn't care about money. An apology would be enough.
Survey: Internet Surveillance Attitudes
[Chart "Government surveillance attitudes: Swiss vs. Indians": Percentage of Participants (0% to 70%), Swiss and Indians, answering Strongly Agree, Somewhat Agree, Somewhat Disagree or Strongly Disagree for: Gov. access to private docs is bad.; Internet monitoring is good.]
Survey statements:
§ If the government had access to every document users store on the Internet, that would be a major violation of individual privacy.
§ It is good if the government monitors every Internet communication and all user accounts. National security comes first.
Conclusions
§ Users trust local storage more than the cloud
§ Users assume they have more rights than stated in the agreement
§ Cultural differences influence privacy attitudes and behavior
Recommendations
§ Provide stronger security mechanisms in the cloud
§ Improve presentation of privacy policies
§ Create consumer protection agencies for the cloud
§ Investigate awareness of international laws
Thank you!
For any further information, please write to [email protected] precog.iiitd.edu.in