CyLab researchers present their work at 2024 SOUPS
Michael Cunningham
Jul 22, 2024
Carnegie Mellon faculty and students shared their research at the 2024 Symposium on Usable Privacy and Security (SOUPS), which took place August 11-13 in Philadelphia.
Founded by CyLab Director Lorrie Cranor and first hosted by CMU in 2005, the event brings together interdisciplinary groups of researchers who are focused on solving challenges in areas of security, privacy, and human-computer interaction. SOUPS celebrated its 20th anniversary this year, and Cranor participated in a panel discussion at the conference reflecting on the past, present, and future of usable privacy and security.
Here, we’ve compiled a list of technical papers co-authored by CyLab Security and Privacy Institute members that were presented at the event. CyLab researchers also presented a number of posters and workshop papers at SOUPS.
Exploring Expandable-Grid Designs to Make iOS App Privacy Labels More Usable
Authors: Shikun Zhang and Lily Klucinec, Carnegie Mellon University; Kyerra Norton, Washington University in St. Louis; Norman Sadeh and Lorrie Faith Cranor, Carnegie Mellon University
Abstract: People value their privacy but often lack the time to read privacy policies. This issue is exacerbated in the context of mobile apps, given the variety of data they collect and limited screen space for disclosures. Privacy nutrition labels have been proposed to convey data practices to users succinctly, obviating the need for them to read a full privacy policy. In fall 2020, Apple introduced privacy labels for mobile apps, but research has shown that these labels are ineffective, partly due to their complexity, confusing terminology, and suboptimal information structure. We propose a new design for mobile app privacy labels that addresses information layout challenges by representing data collection and use in a color-coded, expandable grid format. We conducted a between-subjects user study with 200 Prolific participants to compare user performance when viewing our new label against the current iOS label. Our findings suggest that our design significantly improves users' ability to answer key privacy questions and reduces the time required for them to do so.
Privacy Requirements and Realities of Digital Public Goods
Authors: Geetika Gopi and Aadyaa Maddi, Carnegie Mellon University; Omkhar Arasaratnam, OpenSSF; Giulia Fanti, Carnegie Mellon University
Abstract: In the international development community, the term “digital public goods” (DPGs) is used to describe open-source digital products (e.g., software, datasets) that aim to address the United Nations (UN) Sustainable Development Goals. DPGs are increasingly being used to deliver government services around the world (e.g., ID management, healthcare registration). Because DPGs may handle sensitive data, the UN has established user privacy as a first-order requirement for DPGs. The privacy risks of DPGs are currently managed in part by the DPG standard, which includes a prerequisite questionnaire with questions designed to evaluate a DPG’s privacy posture.
This study examines the effectiveness of the current DPG standard for ensuring adequate privacy protections. We present a systematic assessment of responses from DPGs regarding their protections of users’ privacy. We also present in-depth case studies from three widely used DPGs to identify privacy threats and compare these to their responses to the DPG standard. Our findings reveal serious limitations in the current DPG standard’s evaluation approach. We conclude by presenting preliminary recommendations and suggestions for strengthening the DPG standard as it relates to privacy. Additionally, we hope this study encourages more usable privacy research on communicating privacy, not only to end users but also to third-party adopters of user-facing technologies.
"It was honestly just gambling": Investigating the Experiences of Teenage Cryptocurrency Users on Reddit
Authors: Elijah Bouma-Sims, Hiba Hassan, Alexandra Nisenoff, Lorrie Faith Cranor, and Nicolas Christin, Carnegie Mellon University
Abstract: Despite fears that minors may use unregulated cryptocurrency exchanges to gain access to risky investments, little is known about the experience of underage cryptocurrency users. To learn how teenagers access digital assets and the risks they encounter while using them, we conducted a multi-stage, inductive content analysis of 1,676 posts made to teenage communities on Reddit containing keywords related to cryptocurrency. We identified 1,409 (84.0%) posts that meaningfully discussed cryptocurrency, finding that teenagers most often use accounts in their parents' names to purchase cryptocurrencies, presumably to avoid age restrictions. Teenagers appear motivated to invest by the potential for relatively large, short-term profits, but some discussed a sense of entertainment, ideological motivation, or an interest in technology. We identified many of the same harms adult users of digital assets encountered, including investment loss, victimization by fraud, and loss of keys. We discuss the implications of our results in the context of the ongoing debates over cryptocurrency regulation.