October 2024
Proceedings on Privacy Enhancing Technologies
Apple introduced privacy labels in Dec. 2020 as a way for developers to report the privacy behaviors of their apps. While Apple does not validate labels, they also require developers to provide a privacy policy, which offers an important comparison point. In this paper, we fine-tuned BERT-based language models to extract privacy policy features for 474,669 apps on the iOS App Store, comparing the output to the privacy labels. We identify discrepancies between the policies and the labels, particularly as they relate to data collected linked to users. We find that 228K apps' privacy policies may indicate more data collection linked to users than what is reported in the privacy labels. More alarming, a large number (97%) of the apps with a Data Not Collected privacy label have a privacy policy indicating otherwise. We provide insights into potential sources for discrepancies, including the use of templates and confusion around Apple's definitions and requirements. These results suggest that significant work is still needed to help developers more accurately label their apps. Our system can be incorporated as a first-order check to inform developers when privacy labels are possibly misapplied.
August 2024
ACM Transactions on Computer-Human Interaction
We draw on the Protection Motivation Theory (PMT) to design interventions that encourage users to change breached passwords. Our online experiment (n=1,386) compared the effectiveness of a threat appeal (highlighting the negative consequences after passwords were breached) and a coping appeal (providing instructions on changing the breached password) in a 2×2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords. Participants' password change behaviors are further associated with other factors, such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based interventions are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
May 2024
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment (n=1,386) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
April 2024
Proceedings on Privacy Enhancing Technologies
Data dashboards are designed to help users manage data collected about them. However, prior work showed that exposure to some dashboards, notably Google’s My Activity dashboard, results in significant decreases in perceived concern and increases in perceived benefit from data collection, contrary to expectations. We theorize that this result is due to the fact that data dashboards currently do not sufficiently “connect the dots” of the data food chain, that is, by connecting data collection with the use of that data. To evaluate this, we designed a study where participants assigned advertising interest labels to their own real activities, effectively acting as a behavioral advertising engine to “connect the dots.” When comparing pre- and post-labeling task responses, we find no significant difference in concern with Google’s data collection practices, which indicates that participants’ priors are maintained after more exposure to the data food chain (differing from prior work), suggesting that data dashboards that offer deeper perspectives of how data collection is used have potential. However, these gains are offset when participants are exposed to their true interest labels inferred by Google. Concern for data collection dropped significantly as participants viewed Google’s labeling as generic compared to their own more specific labeling. This presents a possible new paradox that must be overcome when designing data dashboards, the generic paradox, which occurs when users misalign individual, generic inferences from collected data as benign compared to the totality and specificity of many generic inferences made about them.
February 2024
To protect their security, users are instructed to use unique passwords for all their accounts. Password managers make this possible, as they can generate, store, and autofill passwords within a user's browser. Unfortunately, prior work has identified usability issues which may deter users from using password managers. In this paper, we measure the prevalence of usability issues affecting four popular password managers (Chrome, Safari, Bitwarden, and Keeper). We tested these password managers with their out-of-the-box settings on 60 randomly sampled websites. We show that users are likely to encounter issues using password managers during account registration and authentication. We found that usability issues were widespread, but varied by password manager. Common issues included password managers not prompting the user to generate passwords, autofilling web forms incorrectly or not at all, and generating passwords that were incompatible with websites' password policies. We found that Chrome and Safari had fewer interaction issues than the other password managers we tested. We conclude by suggesting ways that websites and password managers can improve their compatibility with each other. For example, we recommend that password managers tailor their passwords to websites' requirements (like Chrome and Safari), or adopt alphanumeric-only password generation by default (like Bitwarden).
... Although our tool aims to detect whether PMs autofill data into hidden fields, common operations, including triggering the autofill functionality and recording the filled results, are the same. Thus, our tool can be applied in recent empirical PM studies [20], [21], [41]. Figure 2: Users need to click the form field to trigger the PM's autofill functionality. ...
February 2024
... Prior studies [30], [37], [45], [48] consider Safari's PM as part of OS-integrated PMs, provided by the macOS's KeyChain. However, as we focus on web scenarios, we regard Safari as a browser-based PM here. ...
November 2023
... (3) Credential Availability: That passkeys are bound to the trusted hardware of specific devices is a major advantage from a security standpoint but can pose a significant disadvantage for widespread usability and availability, particularly for at-risk demographics. Shared devices (including public computers [250]) are common, with users sharing devices for financial, cultural, and personal reasons [16,47,54,174,189,271], including temporary sharing (e.g., showing a friend or relative a photo slideshow [174,236]). Conversely, this also raises privacy concerns over inadvertent account sharing depending on passkey access duration before requiring reauthentication in a particular implementation. ...
May 2023
... H6: Cyber attack awareness positively affects customer trust [8,54,55]. When customers know that the bank has taken appropriate security measures against cyber threats, customers are more confident in the digital banking services offered [8,56]. ...
April 2023
ACM Transactions on Computer-Human Interaction
... Another strand of research proposes the use of password meters to diversify input and enhance awareness [13][14][15]. However, Golla et al. [44] demonstrated that meters based on visual estimators should be treated with caution. Nevertheless, they state that the inclusion of such measures (i.e., strength meters) can be eventually beneficial. ...
January 2019
... For example, in the "DNS-based routing" mechanism, the website domain is first resolved to a subdomain assigned by the CDN. Then, the CDN's DNS system [19] is responsible for selecting and returning the ingress node IP. After this DNS resolution process, the user sends the request to the ingress node returned in the DNS response. ...
December 2022
... Our findings echo the misconceptions observed by Wu et al. [54], where participants believed that five-word passwords were insecure due to the lack of symbols and numbers. Wu et al. emphasised the need for user education on the security of using computer-generated passwords, despite their research indicating a low recall rate when using such passwords. ...
December 2022
... Although the study did not mention password managers to participants, previous research acknowledges user reluctance to adopt them [53]. Anxiety also emerged as a significant barrier to adopting password managers in Mayer et al.'s study [34], where respondents expressed concerns about the security of password managers and the risk of storing all their passwords in one system. ...
August 2022
... By identifying 51 representative digital credit lenders, analyzing their privacy policies, and then comparing them to the data gathered by the apps, Bowers et al. [31] found numerous security and privacy issues with these apps, including the collection of previously undisclosed data types. Munyendo et al. [32] interviewed users of mobile loan apps in Kenya and learned about issues such as social shaming when users default on repayment. Similar concerns have been noted in India, sometimes driving loan app users to suicide [33], [34], [35], [36]. ...
May 2022
... Moreover, in the Web3 ecosystem, public keys serve as identifiers, offering better anonymity. In contrast, Web2 authentication methods [30,34,50,57] often require users to provide personally identifiable information (PII), such as phone numbers and email addresses. These are stored on centralized servers, exposing users to risks like privacy breaches. ...
August 2022