2,980 research outputs found

    Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

    © 2016 Copyright is held by the owner/author(s). Public Wi-Fi networks are now widely available in many countries. Though undoubtedly convenient, such networks have potential security and privacy risks. The aim of this study was to understand if people are aware of those risks, and - if so - why they decide to take them. We set up an experimental free Wi-Fi network at 14 locations in central London, UK, for a period of 150 hours, and people connected most often to use instant messaging, search engines, and social networks, and sensitive data (such as name, date of birth, and sexual orientation) were transmitted. We subsequently investigated people's risk awareness and risk behaviour through semi-structured interviews with 14 participants, and an online scenario-based survey with 102 participants. The majority of participants said they would use public Wi-Fi under circumstances where the risks taken are not consistent with maximising utility. Female participants rated the risks associated with public Wi-Fi use more highly - and yet more females than males said they would use them to save their data plans. These findings align with insights from behavioural economics, specifically the insight that people can misjudge risky situations and do not make decisions consistent with expected utility theory.

    SSIDs in the Wild: Extracting Semantic Information from WiFi SSIDs

    WiFi networks are becoming increasingly ubiquitous. In addition to providing network connectivity, WiFi finds applications in areas such as indoor and outdoor localisation, home automation, and physical analytics. In this paper, we explore the semantics of one key attribute of a WiFi network, SSID name. Using a dataset of approximately 120,000 WiFi access points and their corresponding geo-locations, we use a set of similarity metrics to relate SSID names to known business venues such as cafes, theatres, and shopping centres. Such correlations can be exploited by an adversary who has access to smartphone users' preferred networks lists to build an accurate profile of the user and thus can be a potential privacy risk to the users.

    The simpler, the better? Presenting the COPING Android permission-granting interface for better privacy-related decisions

    One of the great innovations of the modern world is the Smartphone app. The sheer multitude of available apps attests to their popularity and general ability to satisfy our wants and needs. The flip side of the functionality these apps offer is their potential for privacy invasion. Apps can, if granted permission, gather a vast amount of very personal and sensitive information. App developers might exploit the combination of human propensities and the design of the Android permission-granting interface to gain permission to access more information than they really need. This compromises personal privacy. The fact that the Android is the globally dominant phone means widespread privacy invasion is a real concern. We, and other researchers, have proposed alternatives to the Android permission-granting interface. The aim of these alternatives is to highlight privacy considerations more effectively during app installation: to ensure that privacy becomes part of the decision-making process. We report here on a study with 344 participants that compared the impact of a number of permission-granting interface proposals, including our own (called the COPING interface — COmprehensive PermIssioN Granting) and two Android interfaces. To conduct the comparison we carried out an online study with a mixed-model design. Our main finding is that the focus in these interfaces ought to be on improving the quality of the provided information rather than merely simplifying the interface. The intuitive approach is to reduce and simplify information, but we discovered that this actually impairs the quality of the decision. Our recommendation is that further investigation is required in order to find the “sweet spot” where understandability and comprehensiveness are maximised.

    When Data Protection by Design and Data Subject Rights Clash

    • Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR.
    • Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs).
    • While focussing primarily on confidentiality risk, we show that some DPbD strategies deployed by large data controllers result in personal data which, despite remaining clearly reidentifiable by a capable adversary, make it difficult for the controller to grant data subjects rights (eg access, erasure, objection) over for the purposes of managing this risk.
    • Informed by case studies of Apple’s Siri voice assistant and Transport for London’s Wi-Fi analytics, we suggest three main ways to make deployed DPbD more accountable and data subject–centric: building parallel systems to fulfil rights, including dealing with volunteered data; making inevitable trade-offs more explicit and transparent through Data Protection Impact Assessments; and through ex ante and ex post information rights (arts 13–15), which we argue may require the provision of information concerning DPbD trade-offs.
    • Despite steep technical hurdles, we call both for researchers in PETs to develop rigorous techniques to balance privacy-as-control with privacy-as-confidentiality, and for DPAs to consider tailoring guidance and future frameworks to better oversee the trade-offs being made by primarily well-intentioned data controllers employing DPbD.

    Modeling and analysis of influence power for information security decisions

    Users of computing systems and devices frequently make decisions related to information security, e.g., when choosing a password, deciding whether to log into an unfamiliar wireless network. Employers or other stakeholders may have a preference for certain outcomes, without being able to or having a desire to enforce a particular decision. In such situations, systems may build in design nudges to influence the decision making, e.g., by highlighting the employer’s preferred solution. In this paper we model influencing information security to identify which approaches to influencing are most effective and how they can be optimized. To do so, we extend traditional multi-criteria decision analysis models with modifiable criteria, to represent the available approaches an influencer has for influencing the choice of the decision maker. The notion of influence power is introduced to characterize the extent to which an influencer can influence decision makers. We illustrate our approach using data from a controlled experiment on techniques to influence which public wireless network users select. This allows us to calculate influence power and identify which design nudges exercise the most influence over user decisions.

    Do graphical cues effectively inform users? A socio-technical security study in accessing wifi networks.

    We study whether the padlock and the signal strength bars, two visual cues shown in network managers, convey their intended messages. Since users often choose insecure networks when they should not, finding the answer is not obvious; in our study we clarify whether the problem lies in uninformative and ambiguous cues or in the user who, despite understanding the cues, chooses otherwise. This paper describes experiments and comments on the results that bring evidence to our study.

    From Social Data Mining to Forecasting Socio-Economic Crisis

    Socio-economic data mining has a great potential in terms of gaining a better understanding of problems that our economy and society are facing, such as financial instability, shortages of resources, or conflicts. Without large-scale data mining, progress in these areas seems hard or impossible. Therefore, a suitable, distributed data mining infrastructure and research centers should be built in Europe. It also appears appropriate to build a network of Crisis Observatories. They can be imagined as laboratories devoted to the gathering and processing of enormous volumes of data on both natural systems such as the Earth and its ecosystem, as well as on human techno-socio-economic systems, so as to gain early warnings of impending events. Reality mining provides the chance to adapt more quickly and more accurately to changing situations. Further opportunities arise by individually customized services, which however should be provided in a privacy-respecting way. This requires the development of novel ICT (such as a self-organizing Web), but most likely new legal regulations and suitable institutions as well. As long as such regulations are lacking on a world-wide scale, it is in the public interest that scientists explore what can be done with the huge data available. Big data do have the potential to change or even threaten democratic societies. The same applies to sudden and large-scale failures of ICT systems. Therefore, dealing with data must be done with a large degree of responsibility and care. Self-interests of individuals, companies or institutions have limits, where the public interest is affected, and public interest is not a sufficient justification to violate human rights of individuals. Privacy is a high good, as confidentiality is, and damaging it would have serious side effects for society.
    Comment: 65 pages, 1 figure, Visioneer White Paper, see http://www.visioneer.ethz.c

    WELCOME TO DIGITAL TRANSFORMATION ERA: FROM PROOF-OF-CONCEPT TO BIG DATA INSIGHTS CREATION

    Digital transformation (DT) is no longer an optional strategic priority, but the direction for managers of traditional firms that their success is built in the pre-digital era. With all hype around DT opportunities, it is rather a highly complex challenge that affects many or all segments of a firm and more so at the early stages of DT. Firms at the early stage of DT face the challenge of choosing among a big variety of existing and emerging technologies on the market, neglecting technological uncertainty, navigating through the technological solutions ocean, and avoiding hype-driven decisions while being technology competence-less. With this respect, the phase preceding any adoption or rejection of a new DT initiative and aiming at the first meeting and proving feasibility and commercial opportunities becomes increasingly important. The thesis investigates three particular phenomena of the earliest Digital Transformation (DT) stage, that are seemingly well-known and intuitively clear but suffer from the lack of empirical and conceptual evidence base as well as theoretical ground on closer inspection, namely, proof-of-concept, data-driven decision-making, and Big Data insights creation. Focusing on the three aspects of the early stage of DT allows building a research agenda that consists of complementing each other parts. Three-essays research was run with three related objectives. Each objective is addressed by conducting independent research using comparative methods. The thesis applies the qualitative approach as the overarching, with the relative to the three essays methodologies, namely, qualitative case study, ethnography, and participatory observation. The thesis uses qualitative methods to derive main findings and quantitative methods based on novel computational techniques to add more nuances to the results. This allows a new empirical and conceptual perspective on the earliest stages of DT. 
The findings suggest that a) cognitive biases drive what I labeled as perceived technology potentiality, moreover, technology awareness develops step-wise as PoC is run moving from borrowed technology awareness to minimum acquired technology awareness and enhanced technology awareness. These findings were used to explain how PoC dynamic changes with time. Further, findings show how b) different types of traps (cognitive and data) drive managerial trust in data when data-driven decision-making is first used. The findings were taken as the ground to build the three traps zones notion, where the decisions and trust in data are driven by different combinations of traps. Finally, findings reveal that c) Big Data dimensions have their related sub-dimensions, differences and similarities of which led to the discovery of the two effects of Big Data dimensions, namely, Proliferation and Additive. These findings helped to explain how exactly Big Data dimensions participate in the Big Data insights creation and to build the conceptual matrix of Big Data insights creation. In this vein, the research contributes to the technology innovation literature by shedding light on the phenomena of the earliest stage of DT and by initiating the first comprehensive conversation on PoC, data-driven decision-making, and Big Data insights creation. Further, the research contributes to the existing literature on managerial cognition, decision-making, and Big Data usefulness. Finally, contributions to methods in the technology innovation field are drawn