CyLab News

A Decade Into Its Vital Work, A Savory SOUPS, A Report from the 10th Annual Symposium On Usable Privacy and Security

posted by Richard Power
July 13, 2014

Cranor addresses the attendees

The CyLab Usable Privacy and Security Laboratory (CUPS) 10th Annual Symposium on Usable Privacy and Security (SOUPS) was hosted by Facebook at its headquarters in Menlo Park, California (7/9/14 - 7/11/14). CUPS Director Lorrie Cranor welcomed the attendees, with record-breaking numbers in both attendance and papers submitted. For three full days of proceedings, hundreds of researchers from business, academia and government communed together amidst the proliferation of signage which has come to characterize the social media giant's corporate culture: e.g., "Ship Love," "Ruthless Prioritization," "Demand Success," Nelson Mandela, arms outstretched, with the caption, "Open the Doors," etc. (Not so subliminal messaging.)

Perhaps more poignantly than any previous SOUPS keynote, Christopher Soghoian of the American Civil Liberties Union (ACLU) articulated the vital nature of research into usable privacy and security. Putting flesh and blood on these issues, Soghoian used examples from the shadow world of investigative reporters and whistle-blowers to highlight the need for privacy and security software that is not only robust, but also eminently usable. One great benefit of the revelations brought forth by Glenn Greenwald in the Edward Snowden affair, Soghoian opined, is that there has been increased crypto adoption by journalists.

But the heightened engagement has also brought long-standing problems into a harsh new light. For example, Soghoian told SOUPS attendees, many investigative journalists using PGP still do not realize subject lines are not encrypted. "The best our community has to offer sucks, the usability and the default values suck," Soghoian declared, "the software is not protecting journalists and human rights activists, and that's our fault as researchers."

As contributing market factors for why we still don't have usable encryption, Soghoian cited: 1) potential data loss ("telling your customer that they've just lost every photo of their children is a non-starter"), 2) current business models, and of course, 3) government pressure.

In other parts of his very substantive keynote, Soghoian touched on consumer issues related to the efficacy of privacy and security. He elucidated the differences in privacy and security between the iPhone and the Android: "The privacy and security differences ... are not advertised." He also shed light on a new aspect of the growing gap between rich and poor, "security by default for the rich," and "insecurity by default for the poor." "Those who are more affluent get the privacy benefits without shopping around," he explained, because the discounted and mass-marketed versions of software often do not have the same full-featured privacy and security as the more expensive business or professional versions.

[NOTE: Full-length video of Soghoian's keynote is available via the CyLab YouTube Channel.]

Several awards were also announced during the opening sessions, including:

The 2014 IAPP SOUPS Privacy Award for the paper with the most practical application in the field of privacy went to "Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences," authored by Allison Woodruff, Vasyl Pihur, Sunny Consolvo, and Lauren Schmidt of Google; and Laura Brandimarte and Alessandro Acquisti of Carnegie Mellon University.

The 2014 SOUPS Impact Award for a SOUPS paper "published between 2005 and 2009 that has had a significant impact on usable privacy and security research and practice" went to "Usability of CAPTCHAs or Usability Issues in CAPTCHA Design," authored in 2008 by Jeff Yan and Ahmad Salah El Ahmad of Newcastle University (UK).

Two Distinguished Papers awards were presented:

Carnegie Mellon University (CMU), home to the CyLab Usable Privacy and Security (CUPS) Lab and the MSIT-Privacy Engineering Masters Program, was well represented in the proceedings.

In addition to the IAPP SOUPS Privacy Award winning "Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences," co-authored with Google researchers, several other CMU papers were presented:

Kang presenting paper
