CyLab researchers present their work at 2023 SOUPS

Carnegie Mellon faculty and students shared their research at the 2023 Symposium on Usable Privacy and Security (SOUPS).

Founded by CyLab Director Lorrie Cranor and first hosted by CMU in 2005, the event continues to bring together interdisciplinary groups of researchers who are focused on solving challenges in areas of security, privacy, and human-computer interaction.

Here, we’ve compiled a list of papers co-authored by CyLab Security and Privacy Institute members that were presented at the event.
 

GuardLens: Supporting Safer Online Browsing for People with Visual Impairments

Smirity Kaushik, Natã M. Barbosa, Yaman Yu, Tanusree Sharma, Zachary Kilhoffer, and JooYoung Seo, University of Illinois at Urbana-Champaign; Sauvik Das, Carnegie Mellon University; Yang Wang, University of Illinois at Urbana-Champaign

Abstract: Visual cues play a key role in how users assess the privacy/security of a website but often remain inaccessible to people with visual impairments (PVIs), disproportionately exposing them to privacy and security risks. Researchers employed an iterative, user-centered design process with 25 PVIs to design and evaluate GuardLens, a browser extension that improves the accessibility of privacy/security cues and helps PVIs assess a website's legitimacy (i.e. if it is a spoof/phish). The authors started with a formative study to understand what privacy/security cues PVIs find helpful, and then improved GuardLens based on the results. Next, they further refined GuardLens based on a pilot study, and lastly conducted their main study to evaluate GuardLens' efficacy. The results suggest that GuardLens, by extracting and listing pertinent privacy/security cues in one place for faster and easier access, helps PVIs quickly and accurately determine if websites are legitimate or spoofs. PVIs found cues such as domain age, search result ranking, and the presence/absence of HTTPS encryption, especially helpful. The authors conclude with design implications for tools to support PVIs with safe web browsing.
 

ImageAlly: A Human-AI Hybrid Approach to Support Blind People in Detecting and Redacting Private Image Content

Zhuohao (Jerry) Zhang, University of Washington, Seattle; Smirity Kaushik and JooYoung Seo, University of Illinois at Urbana-Champaign; Haolin Yuan, Johns Hopkins University; Sauvik Das, Carnegie Mellon University; Leah Findlater, University of Washington, Seattle; Danna Gurari, University of Colorado Boulder; Abigale Stangl, University of Washington, Seattle; Yang Wang, University of Illinois at Urbana-Champaign

Abstract: Many people who are blind take and post photos to share about their lives and connect with others. Yet, current technology does not provide blind people with accessible ways to handle when private information is unintentionally captured in their images. To explore the technology design in supporting them with this task, researchers developed a design probe for blind people — ImageAlly — that employs a human-AI hybrid approach to detect and redact private image content. ImageAlly notifies users when potential private information is detected in their images, using computer vision, and enables them to transfer those images to trusted sighted allies to edit the private content. In an exploratory study with pairs of blind participants and their sighted allies, the authors found that blind people felt empowered by ImageAlly to prevent privacy leakage in sharing images on social media. Participants also found other benefits from using ImageAlly, such as potentially improving their relationship with allies and giving allies the awareness of the accessibility challenges they face.
 

Iterative Design of An Accessible Crypto Wallet for Blind Users

Zhixuan Zhou, Tanusree Sharma, and Luke Emano, University of Illinois at Urbana-Champaign; Sauvik Das, Carnegie Mellon University; Yang Wang, University of Illinois at Urbana-Champaign

Abstract: Crypto wallets are a key touch-point for cryptocurrency use. People use crypto wallets to make transactions, manage crypto assets, and interact with decentralized apps (dApps). However, as is often the case with emergent technologies, little attention has been paid to understanding and improving accessibility barriers in crypto wallet software. Researchers present a series of user studies that explored how both blind and sighted individuals use MetaMask, one of the most popular non-custodial crypto wallets. The authors uncovered inter-related accessibility, learnability, and security issues with MetaMask. They also report on an iterative redesign of MetaMask to make it more accessible for blind users. This process involved multiple evaluations with 44 novice crypto wallet users, including 20 sighted users, 23 blind users, and one user with low vision. The study results show notable improvements for accessibility after two rounds of design iterations. Based the authors’ their results, they discuss design implications for creating more accessible and secure crypto wallets for blind users.
  

Towards Usable Security Analysis Tools for Trigger-Action Programming

McKenna McCall and Eric Zeng, Carnegie Mellon University; Faysal Hossain Shezan, University of Virginia; Mitchell Yang and Lujo Bauer, Carnegie Mellon University; Abhishek Bichhawat, IIT Gandhinagar; Camille Cobb, University of Illinois Urbana-Champaign; Limin Jia, Carnegie Mellon University; Yuan Tian, University of California, Los Angeles

Abstract: Research has shown that trigger-action programming (TAP) is an intuitive way to automate smart home IoT devices, but can also lead to undesirable behaviors. For instance, if two TAP rules have the same trigger condition, but one locks a door while the other unlocks it, the user may believe the door is locked when it is not. Researchers have developed tools to identify buggy or undesirable TAP programs, but little work investigates the usability of the different user-interaction approaches implemented by the various tools.

This paper describes an exploratory study of the usability and utility of techniques proposed by TAP security analysis tools. The authors surveyed 447 Prolific users to evaluate their ability to write declarative policies, identify undesirable patterns in TAP rules (anti-patterns), and correct TAP program errors, as well as to understand whether proposed tools align with users' needs. The researchers find considerable variation in participants' success rates writing policies and identifying anti-patterns. For some scenarios over 90% of participants wrote an appropriate policy, while for others nobody was successful. They also find that participants did not necessarily perceive the TAP anti-patterns flagged by tools as undesirable. Their work provides insight into real smart-home users' goals, highlights the importance of more rigorous evaluation of users' needs and usability issues when designing TAP security tools, and provides guidance to future tool development and TAP research.