SOUPS 2022 List of Accepted Papers

Password managers help users more effectively manage their passwords, yet the adoption of password generation is minimal. One explanation for this problem is that websites' password composition policies (PCPs) can reject generated passwords, creating a usability impediment. To address this issue, we design a PCP language that websites use to describe their PCP and that managers use to generate compliant passwords. We develop this language using an iterative process involving an extensive collection of PCPs scraped from the Web. We provide libraries for adopting our PCP language into websites and password managers and build proof-of-concept prototypes to verify the real-world feasibility of our PCP language. Using a 25-person user study, we demonstrate that our language and libraries are easy to pick up and correctly use for novice developers. Finally, we replicate and extend past research evaluating Web PCPs, showing that half of PCPs fail to require passwords that resist offline attacks when considering that users prefer certain character classes when selecting their passwords.

From light bulbs to smart locks, IoT is increasingly embedded into our homes and lives. This opens up new vulnerabilities as IoT devices can be hacked and manipulated to cause harm or discomfort. In this paper we document users' experiences of having their IoT systems hacked through 210 self-reports from Reddit, device support forums, and Amazon review pages. These reports and the discussion around them show how uncertainty is at the heart of 'being hacked'. Hacks are sometimes difficult to detect, and users can mistake unusual IoT behaviour as evidence of a hack, yet this can still cause considerable emotional hurt and harm. In discussion, we shift from seeing hacks as technical system failings to be repaired, to seeing them as sites for care and user support. Such a shift in perspective opens a new front in designing for hacking - not just prevention but alleviating harm.

Women who identify with Islam in the United States come from many different race, class, and cultural communities. They are also more likely to be first or second-generation immigrants. This combination of different marginal identities (religious affiliation, gender, immigration status, and race) exposes Muslim-American women to unique online privacy risks and consequences. We conducted 21 semi-structured interviews to understand how Muslim-American women perceive digital privacy risks related to three contexts: government surveillance, Islamophobia, and social surveillance. We find that privacy concerns held by Muslim-American women unfolded with respect to three dimensions of identity: as a result of their identity as Muslim-Americans broadly (e.g., Islamophobic online harassment), as Muslim-American women more specifically (e.g., reputational harms within one's cultural community for posting taboo content), and as a product of their own individual practices of Islam (e.g., constructing female-only spaces to share photos of oneself without a hijab). We discuss how these intersectional privacy concerns add to and expand on existing pro-privacy design principles, and lessons learned from our participants' privacy-protective strategies for improving the digital experiences of this community.

Usable security and privacy researchers use many study methodologies, including interviews, surveys, and laboratory studies. Of those, lab studies allow for particularly flexible setups, including programming experiments or usability evaluations of software. However, lab studies also come with challenges: Often, it is particularly challenging to recruit enough skilled participants for in-person studies. Especially researchers studying security information workers reported on similar recruitment challenges in the past. Additionally, situations like the COVID-19 pandemic can make in-person lab studies even more challenging. Finally, institutions with limited resources may not be able to conduct lab studies. Therefore, we present and evaluate a novel virtual study environment prototype, called OLab, that allows researchers to conduct lab-like studies remotely using a commodity browser. Our environment overcomes lab-like study challenges and supports flexible setups and comprehensive data collection. In an iterative engineering process, we design and implement a prototype based on requirements we identified in previous work and conduct a comprehensive evaluation including a cognitive walkthrough with usable security experts, a guided and supervised online study with DevOps, and an unguided and unsupervised online study with computer science students. We can confirm that our prototype supports a wide variety of lab-like study setups and received positive feedback from all study participants.

Anecdotal stories about security threats told to non-experts by friends, peers, or the media have been shown to be important in forming mental models and secure behaviors. In 2012, Rader et al. conducted a survey (n=301) of security stories with a student sample to determine factors that influence security perceptions and behavior. We replicated this survey with a more diverse sample (n=299), including different age groups and educational backgrounds. We were able to confirm many of the original findings, providing further evidence that certain characteristics of stories increase the likelihood of learning and retelling. Moreover, we contribute new insights into how people learn from stories, such as that younger and higher educated people are less likely to change their thinking or be emotionally influenced by stories. We (re)discovered all of the threat themes found by Rader et al., suggesting that these threats have not been eliminated in the last decade, and found new ones such as ransomware and data breaches. Our findings help to improve the design of security advise and education for non-experts.

Privacy choice interfaces commonly take the form of cookie consent banners, advertising choices, sharing settings, and prompts to enable location and other system services. However, a growing body of research has repeatedly demonstrated that existing consent and privacy choice mechanisms are difficult for people to use. Our work synthesizes the approaches used in prior usability evaluations of privacy choice interactions and contributes a framework for conducting future evaluations. We first identify a comprehensive definition of usability for the privacy-choice context consisting of seven aspects: user needs, ability & effort, awareness, comprehension, sentiment, decision reversal, and nudging patterns. We then classify research methods and study designs for performing privacy choice usability evaluations. Next, we draw on classic approaches to usability testing and prior work in this space to identify a framework that can be applied to evaluations of different types of privacy choice interactions. Usability evaluations applying this framework can yield design recommendations that would improve the usability of these choice mechanisms, ameliorating some of the considerable user burden involved in privacy management.

Learning online safety and ethics is becoming more critical for the general user population. However, they do not receive such learning opportunities regularly, and are often left behind. We were therefore motivated to design an interactive system to provide more frequent learning opportunities to the general user population. This paper presents our explorations on the integration of opportunistic microlearning about online safety and ethics into human verification. Our instantiation of this concept, called DualCheck, asks users to respond to questions related to online safety and ethics while human verification would be executed in a similar manner to reCAPTCHA v2. In this manner, DualCheck offers users microlearning opportunities when they use online services. Our 15-day user study confirmed the positive learning effect of DualCheck. The quantitative and qualitative results revealed participants' positive experience with attitude toward DualCheck, and also found its significantly higher perceived usability than text-based CAPTCHA and picture-based reCAPTCHA.

Phishing requires humans to fall for impersonated sources. Sender authenticity can often be inferred from e-mail header information commonly displayed by e-mail clients, such as sender and recipient details. People may be biased by convincing e-mail content and overlook these details, and subsequently fall for phishing. This study tests whether people are better at detecting phishing e-mails when they are only presented with user-facing e-mail headers, instead of full e-mails. Results from a representative sample show that most phishing e-mails were detected by less than 30% of the participants, regardless of which e-mail part was displayed. In fact, phishing detection was worst when only e-mail headers were provided. Thus, people still fall for phishing, because they do not recognize online impersonation tactics. No personal traits, e-mail characteristics, nor URL interactions reliably predicted phishing detection abilities. These findings highlight the need for novel approaches to help users with evaluating e-mail authenticity.

Misinformation can spread easily in end-to-end encrypted messaging platforms such as WhatsApp where many groups of people are communicating with each other. Approaches to combat misinformation may also differ amongst younger and older adults. In this paper, we investigate how young adults encountered and dealt with misinformation on WhatsApp in private group chats during the first year of the COVID-19 pandemic. To do so, we conducted a qualitative interview study with 16 WhatsApp users who were university students based in the United States. We uncovered three main findings. First, all participants encountered misinformation multiple times a week in group chats, often attributing the source of misinformation to be well-intentioned family members. Second, although participants were able to identify misinformation and fact-check using diverse methods, they often remained passive to avoid negatively impacting family relations. Third, participants agreed that WhatsApp bears a responsibility to curb misinformation on the platform but expressed concerns about its ability to do so given the platform's steadfast commitment to content privacy. Our findings suggest that conventional content moderation techniques used by open platforms such as Twitter and Facebook are unfit to tackle misinformation on WhatsApp. We offer alternative design suggestions that take into consideration the social nuances and privacy commitments of end-to-end encrypted group chats. Our paper also contributes to discussions between platform designers, researchers, and end users on misinformation in privacy-preserving environments more broadly.

Modern technologies including smartphones, AirTags, and tracking apps enable surveillance and control in interpersonal relationships. In this work, we study videos posted on TikTok that give advice for how to surveil or control others through technology, focusing on two interpersonal contexts: intimate partner relationships and parent-child relationships. We collected 98 videos across both contexts and investigate (a) what types of surveillance or control techniques the videos describe, (b) what assets are being targeted, (c) the reasons that TikTok creators give for using these techniques, and (d) defensive techniques discussed. Additionally, we make observations about how social factors -- including social acceptability, gender, and TikTok culture -- are critical context for the existence of this anti-privacy and anti-security advice. We discuss the use of TikTok as a rich source of qualitative data for future studies and make recommendations for technology designers around interpersonal surveillance and control.

Privacy scales are frequently used to capture survey participants' perspectives on privacy, but their utility hangs on their ability to reliably measure constructs associated with privacy. We investigate a set of common constructs (the intended objects of measurement by privacy scales) used in privacy surveys: privacy attitude, privacy preference, privacy concern, privacy expectation, privacy decision, and privacy behavior. First, we explore expert understanding of these constructs. Next, we investigate survey participants' understanding of statements used in privacy scales aimed at measuring them. We ask a balanced sample of Prolific participants in the United States to identify the extent to which different constructs describe each of a set of 30 statements drawn from scales used commonly in the privacy literature and 39 that we developed. Our analysis reveals considerable misalignment between the constructs associated with the statements and participant understanding. Many statements used in scales or that we developed with the intention to measure constructs such as privacy concern, are seen by survey participants as describing other constructs, such as privacy preferences. We also find that no statement uniquely measured any one construct, though some more reliably track their target construct than others. Our findings constitute an epistemological problem for use of scales in the existing literature (are they capturing what we think they capture?) and a practical problem for construction of new scales (how to ensure construct validity in the face of ill-defined constructs and evolving privacy landscape?). We use methods from corpus linguistics to identify characteristics of those statements most reliably associated with their target construct, and provide a set of provisional suggestions for future statement construction. Finally, we discuss the implication of our results for the privacy research community.

Windows Hello for Business is Microsoft's latest attempt to replace passwords in Windows enterprise environments introduced with Windows 10. It addresses some of the common password problems like password leaks or phishing attacks, comes with built-in support for biometric authentication methods like fingerprint or facial recognition, and a new user interface. We conducted a qualitative study with 13 employees accompanying the introduction of Windows Hello in a small business studying its usability and deployability. Over five weeks, we measured authentication times, let participants rate their user experience, and conducted interviews at the end. In general, participants liked Windows Hello and found it more usable than the traditional Windows sign-in scheme. Windows Hello was faster and perceived as more responsive than the traditional Windows login. However, participants tended to use PINs as a replacement for their (longer) passwords instead of using biometrics. Lack of hardware support (no biometric hardware available), the form factor of device or setup of their workplace (e.g., biometric hardware on the other side of the table) were some reasons to not use biometrics but stick with a well-known authentication method like a PIN.

Electronic voting researchers advocate for verifiable voting schemes to maximise election integrity. In order to maximise vote secrecy, so-called code-voting approaches were proposed. Both verifiability and code voting require voters to expend additional effort during vote casting. Verifiability has been used in actual elections, but this is not the case for code voting due to usability concerns. There is little evidence from empirical studies attesting to its usability. Our main contribution is to extend an existing verifiable voting system (used for real world elections) with a code-voting approach to improve the system's security properties. We minimise voter effort as corresponding QR codes are scanned instead of requiring manual code entry. We conducted a user study to evaluate the general usability of this proposal as well as its manipulation-detection efficacy. In particular, we found that extending the considered verifiable voting systems with code-voting approaches to enhance vote secrecy is feasible because we could not observe a significant decrease in general usability while manipulation detection improved significantly.

Trusted Platform Modules (TPMs) provide a hardware-based root of trust and secure storage and help verify their host's integrity. Software developers can interact with a TPM and utilize its functionalities using standardized APIs that various libraries have implemented. We present a qualitative study (n=9) involving task analysis and cognitive interviews that uncovered several usability and security issues with tpm2-tools, one of the widely used TPM library APIs. Towards this end, we implemented a study environment that we will release as open source to support further studies.

Our results support two major conclusions: 1) tpm2-tools APIs, as designed, are not designed to be developer-friendly, and 2) One of the major causes for these usability issues is in the TPM specifications. Since other libraries also mirror the specifications and provide no significant usability improvements, our results are likely to indicate similar issues with all current TPM library APIs. We provide recommendations for improving the TPM library APIs documentation and software, and we highlight the need for HCI experts to review TPM specifications to preemptively address usability pitfalls.

There are several ways to inform individuals about secure and privacy-preserving behavior in private social environments. Experts who are versed in security and privacy (S&P), who might be social peers, such as family members or friends, can provide advice or give recommendations. In this paper, we specifically investigate how S&P adepts inform peers in their private social environment about security and privacy. For this, we first conducted thirteen in-depth interviews with S&P adepts, revealing 1) their own S&P behavior and strategies in their personal lives, 2) obstacles in S&P conversations with peers, 3) situations in which S&P adepts intervene in the behavior of others, and 4) the perception of S&P adepts and stereotypes. Based on the interview results, we conducted three co-design workshop sessions with S&P adepts to explore options to better support S&P adepts informing their peers about secure and privacy-preserving behavior.

OpenPGP is one of the two major standards for end-to-end email security. Several studies showed that serious usability issues exist with tools implementing this standard. However, a widespread assumption is that expert users can handle these tools and detect signature spoofing attacks. We present a user study investigating expert users' strategies to detect signature spoofing attacks in Thunderbird. We observed 25 expert users while they classified eight emails as either having a legitimate signature or not. Studying expert users explicitly gives us an upper bound of attack detection rates of all users dealing with PGP signatures. 52% of participants fell for at least one out of four signature spoofing attacks. Overall, participants did not have an established strategy for evaluating email signature legitimacy. We observed our participants apply 23 different types of checks when inspecting signed emails, but only 8 of these checks tended to be useful in identifying the spoofed or invalid signatures. In performing their checks, participants were frequently startled, confused, or annoyed with the user interface, which they found supported them little. All these results paint a clear picture: Even expert users struggle to verify email signatures, usability issues in email security are not limited to novice users, and developers may need proper guidance on implementing email signature GUIs correctly.

Passwords are the most popular authentication method due to their simplicity and widespread adoption. However, the prevalence of password reuse undermines its security. A promising strategy to mitigate the risks of password reuse is to use random passwords generated and stored by password managers, yet many users do not use them. Many web browsers have built-in password managers that employ nudges at the time of password creation. These nudges aim to persuade the selection of more secure random passwords; however, little is known about which designs are most effective. We study (n = 558) the efficacy of nudges used by three popular web browsers: Chrome, Firefox, and Safari. Our results suggest Safari’s nudge implementation is significantly more effective than the others at nudging users to adopt a randomly generated password. We examine factors that may contribute to the adoption of randomly generated passwords, reasons that people adopt a randomly generated password (or not), as well as discuss elements of Safari’s nudge design that may contribute to its success. Our findings can be useful in informing both future password manager nudge designs and interventions to encourage password manager use.

CAPTCHAs are necessary to protect websites from bots and malicious crawlers, yet are increasingly solvable by automated systems. This has led to more challenging tests that require greater human effort and cultural knowledge; they may prevent bots effectively but sacrifice usability and discourage the human users they are meant to admit. We propose a new class of challenge: a Cryptographic Attestation of Personhood (CAP) as the foundation of a usable, pro-privacy alternative. Our challenge is constructed using the open Web Authentication API (WebAuthn) that is supported in most browsers. We evaluated the CAP challenge through a public demo, with an accompanying user survey. Our evaluation indicates that CAP has a strong likelihood of adoption by users who possess the necessary hardware, showing good results for effectiveness and efficiency as well as a strong expressed preference for using CAP over traditional CAPTCHA solutions. In addition to demonstrating a mechanism for more usable challenge tests, we identify some areas for improvement for the WebAuthn user experience, and reflect on the difficult usable privacy problems in this domain and how they might be mitigated.

Smart home cameras raise privacy concerns in part because they frequently collect data not only about the primary users who deployed them but also other parties -- who may be targets of intentional surveillance or incidental bystanders. Domestic employees working in smart homes must navigate a complex situation that blends privacy and social norms for homes, workplaces, and caregiving.

This paper presents findings from 25 semi-structured interviews with domestic childcare workers in the U.S. about smart home cameras, focusing on how privacy considerations interact with the dynamics of their employer-employee relationships. We show how participants’ views on camera data collection, and their desire and ability to set conditions on data use and sharing, were affected by power differentials and norms about who should control information flows in a given context. Participants’ attitudes about employers’ cameras often hinged on how employers used the data; whether participants viewed camera use as likely to reinforce negative tendencies in the employer-employee relationship; and how camera use and disclosure might reflect existing relationship tendencies.

We also suggest technical and social interventions to mitigate the adverse effects of power imbalances on domestic employees’ privacy and individual agency.