Cross Cutting Thrusts: Usable Privacy and Security
Scope: Our proposed project weaves together issues of security, privacy and usability to systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance, and develop novel mechanisms and technologies that help mitigate these tradeoffs—maximizing accuracy and trustworthiness while minimizing the time and effort required by end users. The focus of our multidisciplinary research effort will be on capturing end-user security and privacy policies in pervasive computing environments. This research will combine three strands: (1) Developing novel user interfaces and supporting technologies to enhance usability, (2) Weaving learning, dialog, and explanation technologies to minimize end-user burden, and (3) Short- and long-term field studies aimed at evaluating combinations of the above techniques in practical settings. We will focus on the user interface and policy creation and refinement problems posed by three sets of pervasive computing scenarios: access control to resources, people finder applications, and privacy policies and notifications in pervasive computing spaces. In each of these scenarios, users interact with their devices (e.g., smartphones) to specify, understand, and adjust their security, privacy, and notification policies. Through our work, we will aim to enhance the policy engines our team has already developed with novel interfaces leveraging learning, dialog, and explanation functionality. The resulting Policy Support Agents (PSAs) will help users to effectively control their policies and gain sufficient understanding of the policies enforced by systems and users they interact with.
Outcomes: This project has produced a family of technologies and interfaces that have been shown to empower users to more effectively and efficiently specify security and privacy policies. They include auditing functionality, visual policy editors, methodologies to quantify the benefits associated with exposing different combinations of policy settings to users, and user-oriented machine learning techniques capable of generating user-understandable personas for security and privacy.