631 research outputs found
How WEIRD is Usable Privacy and Security Research? (Extended Version)
In human factor fields such as human-computer interaction (HCI) and
psychology, researchers have been concerned that participants mostly come from
WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This
WEIRD skew may hinder understanding of diverse populations and their cultural
differences. The usable privacy and security (UPS) field has inherited many
research methodologies from research on human factor fields. We conducted a
literature review to understand the extent to which participant samples in UPS
papers were from WEIRD countries and the characteristics of the methodologies
and research topics in each user study recruiting Western or non-Western
participants. We found that the skew toward WEIRD countries in UPS is greater
than that in HCI. Geographic and linguistic barriers in the study methods and
recruitment methods may cause researchers to conduct user studies locally. In
addition, many papers did not report participant demographics, which could
hinder the replication of the reported studies, leading to low reproducibility.
To improve geographic diversity, we provide suggestions including
facilitating replication studies, addressing geographic and linguistic issues of
study/recruitment methods, and facilitating research on the topics for non-WEIRD
populations. Comment: This paper is the extended version of the paper presented at USENIX
SECURITY 202
Interest identification from browser tab titles: A systematic literature review
Modeling and understanding users' interests has become an essential part of our daily lives. A variety of business processes and a growing number of companies employ various tools to such an end. The outcomes of these identification strategies are beneficial for both companies and users: the former are more likely to offer services to those customers who really need them, while the latter are more likely to get the service they desire. Several works have been carried out in the area of user interests identification. As a result, it might not be easy for researchers, developers, and users to orient themselves in the field; that is, to find the tools and methods that they most need, to identify ripe areas for further investigations, and to propose the development and adoption of new research plans. In this study, to overcome these potential shortcomings, we performed a systematic literature review on user interests identification. We used as input data browsing tab titles. Our goal here is to offer a service to the readership, which is capable of systematically guiding and reliably orienting researchers, developers, and users in this very vast domain. Our findings demonstrate that the majority of the research carried out in the field gathers data from either social networks (such as Twitter, Instagram and Facebook) or from search engines, leaving open the question of what to do when such data is not available
Privacy and Online Social Networks: A Systematic Literature Review of Concerns, Preservation, and Policies
Background: Social media usage is one of the most popular online activities, but with it comes privacy concerns due to how personal data are handled by these social networking sites. Prior literature aimed at identifying users' privacy concerns as well as user behavior associated with privacy mitigation strategies and policies. However, OSN users continue to divulge private information online and privacy remains an issue. Accordingly, this review aims to present extant research on this topic, and to highlight any potential research gaps.
Method: The paper presents a systematic literature review for the period 2006 - 2021, in which 33 full papers that explored privacy concerns in online social networks (OSN), users' behavior associated with privacy preservation strategies and OSN privacy policies were examined.
Results: The findings indicate that users are concerned about their identity being stolen, the disclosure of sensitive information by third-party applications and through data leakage and the degree of control users have over their data. Strategies such as encryption, authentication, and privacy settings configuration, can be used to address users' concerns. Users generally do not leverage privacy settings available to them, or read the privacy policies, but will opt to share information based on the benefits to be derived from OSNs.
Conclusion: OSN users have specific privacy concerns due primarily to the inherent way in which personal data are handled. Different preservation strategies are available to be used by OSN users. Policies are provided to inform users, however, these policies at times are difficult to read and understand, but studies show that there is no direct effect on the behavior of OSN users. Further research is needed to elucidate the correlation between the relative effectiveness of different privacy preservation strategies and the privacy concerns exhibited by users. Extending the research to comparatively assess different social media sites could help with better awareness of the true influence of privacy policies on user behavior
Privacy Intelligence: A Survey on Image Sharing on Online Social Networks
Image sharing on online social networks (OSNs) has become an indispensable
part of daily social activities, but it has also led to an increased risk of
privacy invasion. The recent image leaks from popular OSN services and the
abuse of personal photos using advanced algorithms (e.g. DeepFake) have
prompted the public to rethink individual privacy needs when sharing images on
OSNs. However, OSN image sharing itself is relatively complicated, and systems
currently in place to manage privacy in practice are labor-intensive yet fail
to provide personalized, accurate and flexible privacy protection. As a result,
a more intelligent environment for privacy-friendly OSN image sharing is in
demand. To fill the gap, we contribute a systematic survey of 'privacy
intelligence' solutions that target modern privacy issues related to OSN image
sharing. Specifically, we present a high-level analysis framework based on the
entire lifecycle of OSN image sharing to address the various privacy issues and
solutions facing this interdisciplinary field. The framework is divided into
three main stages: local management, online management and social experience.
At each stage, we identify typical sharing-related user behaviors, the privacy
issues generated by those behaviors, and review representative intelligent
solutions. The resulting analysis describes an intelligent privacy-enhancing
chain for closed-loop privacy management. We also discuss the challenges and
future directions existing at each stage, as well as in publicly available
datasets. Comment: 32 pages, 9 figures. Under revie
Information-seeking Behavior of Social Sciences and Humanities Researchers in the Internet Age
This study focuses on how Internet technology influences and contributes to the information-seeking process in the social sciences and humanities. The study examines the information-seeking behavior of faculty and doctoral students in these fields and observes and extends Ellis's model of information-seeking behavior for social scientists, which includes six characteristics: starting, chaining, browsing, differentiating, monitoring, and extracting.
The study was conducted at Tennessee State University. Thirty active social sciences and humanities faculty and doctoral students were interviewed about their use of Internet resources, their perception of electronic and print materials, and their opinions concerning the Ellis model and how it might be applicable to them. The research confirmed the continuing relevance of all characteristics of the Ellis model, and theorized that an extended model could potentially include two additional characteristics: preparation and planning and information management.
Based on the interview results, the researcher provides suggestions on how current information services and products can be improved to better serve social sciences and humanities researchers, discusses the implications of these new characteristics for information-searching needs, and makes recommendations for improving library services and technologies that will meet the needs of future social sciences and humanities scholars
Toward A Secure Account Recovery: Machine Learning Based User Modeling for protection of Account Recovery in a Managed Environment
As a result of our heavy reliance on internet usage and running online transactions, authentication has become a routine part of our daily lives. So, what happens when we lose or cannot use our digital credentials? Can we securely recover our accounts? How do we ensure it is the genuine user that is attempting a recovery while at the same time not introducing too much friction for the user? In this dissertation, we present research results demonstrating that account recovery is a growing need for users as they increase their online activity and use different authentication factors.
We highlight that the account recovery process is the weakest link in the authentication domain because it is vulnerable to account takeover attacks because of the less secure fallback authentication mechanisms usually used. To close this gap, we study user behavior-based machine learning (ML) modeling as a critical part of the account recovery process. The primary threat model for ML implementation in the context of authentication is poisoning and evasion attacks.
Towards that end, we research randomized modeling techniques and present the most effective randomization strategy in the context of user behavioral biometrics modeling for account recovery authentication. We found that a randomization strategy that exclusively relied on the user's data, such as stochastically varying the features used to generate an ensemble of models, outperformed a design that incorporated external data, such as adding Gaussian noise to outputs.
This dissertation asserts that account recovery process security posture can be vastly improved by incorporating user behavior modeling to add resiliency against account takeover attacks and nudging users towards voluntary adoption of more robust authentication factors
An Approach to Guide Users Towards Less Revealing Internet Browsers
When browsing the Internet, HTTP headers enable both clients and servers to send extra data in their requests or responses, such as the User-Agent string. This string contains information related to the sender's device, browser, and operating system. Previous research has shown that numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed