Adam J. Aviv’s research while affiliated with George Washington University and other places


Publications (109)


A Qualitative Analysis of Practical De-Identification Guides
  • Conference Paper

December 2024 · 3 Reads

Wentao Guo · Aditya Kishore · Adam J. Aviv · Michelle L. Mazurek



Figure 1: Anatomy of a Privacy Label.
Figure 5: The ratios of the six purposes for the Data Linked to You and Data Not Linked to You privacy types. The denominator is the number of apps with the designated privacy type either in their privacy label or their privacy policy, i.e., 419,504 apps with a Data Linked to You label and 294,391 with a Data Not Linked to You label. It is helpful to note here that privacy types shown here are not mutually exclusive. Two other Privacy Types are not shown here; the Data Used to Track You privacy type refers to collection for the purpose of tracking, while the Data Not Collected refers to the absence of any data collection.
Figure 6: The ratios of data categories against privacy types. The denominator is the number of apps with the designated privacy type either in their privacy label or their privacy policy, i.e., 232,648 apps with Data Used to Track You, 419,504 apps with Data Linked to You, and 294,391 apps with Data Not Linked to You. The three privacy types shown here are not mutually exclusive.
Deriving privacy label entries directly from segment annotations created using the Polisis framework.
Inferring privacy label entries from segment annotations created using the Polisis framework.

Honesty is the Best Policy: On the Accuracy of Apple Privacy Labels Compared to Apps' Privacy Policies
  • Article
  • Full-text available

October 2024 · 51 Reads

Proceedings on Privacy Enhancing Technologies

Apple introduced privacy labels in Dec. 2020 as a way for developers to report the privacy behaviors of their apps. While Apple does not validate labels, they also require developers to provide a privacy policy, which offers an important comparison point. In this paper, we fine-tuned BERT-based language models to extract privacy policy features for 474,669 apps on the iOS App Store, comparing the output to the privacy labels. We identify discrepancies between the policies and the labels, particularly as they relate to data collected linked to users. We find that 228K apps' privacy policies may indicate data collection linked to users than what is reported in the privacy labels. More alarming, a large number (97%) of the apps with a Data Not Collected privacy label have a privacy policy indicating otherwise. We provide insights into potential sources for discrepancies, including the use of templates and confusion around Apple's definitions and requirements. These results suggest that significant work is still needed to help developers more accurately label their apps. Our system can be incorporated as a first-order check to inform developers when privacy labels are possibly misapplied.

Encouraging Users to Change Breached Passwords Using the Protection Motivation Theory

August 2024 · 16 Reads · 1 Citation

ACM Transactions on Computer-Human Interaction

We draw on the Protection Motivation Theory (PMT) to design interventions that encourage users to change breached passwords. Our online experiment (n=1,386) compared the effectiveness of a threat appeal (highlighting the negative consequences after passwords were breached) and a coping appeal (providing instructions on changing the breached password) in a 2×2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords. Participants’ password change behaviors are further associated with other factors, such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based interventions are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT’s application in security research and provides concrete design implications for improving compromised credential notifications.



Nudging Users to Change Breached Passwords Using the Protection Motivation Theory

May 2024 · 115 Reads

We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment (n=1,386) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.



How Does Connecting Online Activities to Advertising Inferences Impact Privacy Perceptions?

April 2024 · 22 Reads

Proceedings on Privacy Enhancing Technologies

Data dashboards are designed to help users manage data collected about them. However, prior work showed that exposure to some dashboards, notably Google’s My Activity dashboard, results in significant decreases in perceived concern and increases in perceived benefit from data collection, contrary to expectations. We theorize that this result is due to the fact that data dashboards currently do not sufficiently “connect the dots” of the data food chain, that is, by connecting data collection with the use of that data. To evaluate this, we designed a study where participants assigned advertising interest labels to their own real activities, effectively acting as a behavioral advertising engine to “connect the dots.” When comparing pre- and post-labeling task responses, we find no significant difference in concern with Google’s data collection practices, which indicates that participants’ priors are maintained after more exposure to the data food chain (differing from prior work), suggesting that data dashboards that offer deeper perspectives of how data collection is used have potential. However, these gains are offset when participants are exposed to their true interest labels inferred by Google. Concern for data collection dropped significantly as participants viewed Google’s labeling as generic compared to their own more specific labeling. This presents a possible new paradox that must be overcome when designing data dashboards, the generic paradox, which occurs when users misalign individual, generic inferences from collected data as benign compared to the totality and specificity of many generic inferences made about them.


Fig. 4. Usually, Safari displays a default nudge to encourage users to adopt randomly generated passwords.
Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments

February 2024 · 6 Reads · 2 Citations

To protect their security, users are instructed to use unique passwords for all their accounts. Password managers make this possible, as they can generate, store, and autofill passwords within a user's browser. Unfortunately, prior work has identified usability issues which may deter users from using password managers. In this paper, we measure the prevalence of usability issues affecting four popular password managers (Chrome, Safari, Bitwarden, and Keeper). We tested these password managers with their out-of-the-box settings on 60 randomly sampled websites. We show that users are likely to encounter issues using password managers during account registration and authentication. We found that usability issues were widespread, but varied by password manager. Common issues included password managers not prompting the user to generate passwords, autofilling web forms incorrectly or not at all, and generating passwords that were incompatible with websites' password policies. We found that Chrome and Safari had fewer interaction issues than the other password managers we tested. We conclude by suggesting ways that websites and password managers can improve their compatibility with each other. For example, we recommend that password managers tailor their passwords to websites' requirements (like Chrome and Safari), or adopt alphanumeric-only password generation by default (like Bitwarden).


Citations (69)


... Although our tool aims to detect whether PMs autofill data into hidden fields, common operations, including triggering the autofill functionality and recording the filled results, are the same. Thus, our tool can be applied in recent empirical PM studies [20], [21], [41]. Figure 2: Users need to click the form field to trigger the PM's autofill functionality. ...

Reference:

Leaky Autofill: An Empirical Study on the Privacy Threat of Password Managers' Autofill Functionality
Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments

... Prior studies [30], [37], [45], [48] consider Safari's PM as part of OS-integrated PMs, provided by the macOS's KeyChain. However, as we focus on web scenarios, we regard Safari as a browser-based PM here. ...

"I just stopped using one and started using the other": Motivations, Techniques, and Challenges When Switching Password Managers
  • Citing Conference Paper
  • November 2023

... (3) Credential Availability: That passkeys are bound to the trusted hardware of specific devices is a major advantage from a security standpoint but can pose a significant disadvantage for widespread usability and availability, particularly for at-risk demographics. Shared devices (including public computers [250]) are common, with users sharing devices for financial, cultural, and personal reasons [16,47,54,174,189,271], including temporary sharing (e.g., showing a friend or relative a photo slideshow [174,236]). Conversely, this also raises privacy concerns over inadvertent account sharing depending on passkey access duration before requiring reauthentication in a particular implementation. ...

"In Eighty Percent of the Cases, I Select the Password for Them": Security and Privacy Challenges, Advice, and Opportunities at Cybercafes in Kenya
  • Citing Conference Paper
  • May 2023

... H6: Cyber attack awareness positively affect customer trust [8,54,55]. When customers know that the bank has taken appropriate security measures against cyber threats, customers are more confident in the digital banking services offered [8,56]. ...

Awareness, Intention, (In)Action: Individuals’ Reactions to Data Breaches
  • Citing Article
  • April 2023

ACM Transactions on Computer-Human Interaction

... Another strand of research proposes the use of password meters to diversify input and enhance awareness [13][14][15]. However, Golla et al. [44] demonstrated that meters based on visual estimators should be treated with caution. Nevertheless, they state that the inclusion of such measures (i.e., strength meters) can be eventually beneficial. ...

Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters
  • Citing Conference Paper
  • January 2019

... For example, in the "DNS-based routing" mechanism, the website domain is first resolved to a subdomain assigned by the CDN. Then, the CDN's DNS system [19] is responsible for selecting and returning the ingress node IP. After this DNS resolution process, the user sends the request to the ingress node returned in the DNS response. ...

User Perceptions of the Privacy and Usability of Smart DNS
  • Citing Conference Paper
  • December 2022

... Our findings echo the misconceptions observed by Wu et al. [54], where participants believed that five-word passwords were insecure due to the lack of symbols and numbers. Wu et al. emphasised the need for user education on the security of using computer-generated passwords, despite their research indicating a low recall rate when using such passwords. ...

User Perceptions of Five-Word Passwords
  • Citing Conference Paper
  • December 2022

... Although the study did not mention password managers to participants, previous research acknowledges user reluctance to adopt them [53]. Anxiety also emerged as a significant barrier to adopt password managers in Mayer et al.'s study [34], where respondents expressed concerns about the security of password managers and the risk of storing all their passwords into one system. ...

Why Users (Don’t) Use Password Managers at a Large Educational Institution
  • Citing Conference Paper
  • August 2022

... By identifying 51 representative digital credit lenders, analyzing their privacy policies, and then comparing them to the data gathered by the apps, Bowers et al. [31] found numerous security and privacy issues with these apps, including the collection of previously undisclosed data types. Munyendo et al. [32] interviewed users of mobile loan apps in Kenya and learned about issues such as social shaming when users default in repayment. Similar concerns have been noted in India, sometimes driving loan app users to suicide [33], [34], [35], [36]. ...

“Desperate Times Call for Desperate Measures”: User Concerns with Mobile Loan Apps in Kenya
  • Citing Conference Paper
  • May 2022

... Moreover, in the Web3 ecosystem, public keys serve as identifiers, offering better anonymity. In contrast, Web2 authentication methods [30,34,50,57] often require users to provide personally identifiable information (PII), such as phone numbers and email addresses. These are stored on centralized servers, exposing users to risks like privacy breaches. ...

“The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 Digits