>> Helen Wang: Good morning, everyone. It's my pleasure to welcome back Serge Egelman, and Serge we all know very well: he interned here twice and he's a frequent collaborator with some of us. Today Serge is interviewing with the security and privacy research group, and he's going to tell us about his work over the past couple of years at UC Berkeley as a postdoc. Thank you, Serge. >> Serge Egelman: Thanks for the introduction. I should preface this by saying that this is mostly work I've been doing over the past year and a half at Berkeley, looking at permissions on mobile devices and helping users make better decisions about how they grant third-party applications access to their personal data. Helen graciously invited me to speak about this in July, and so I've been agonizing over what new data to put in here versus what background information to leave in, so I'll warn you, for those of you who saw the talk in July, that the first 20 minutes or so might be a repeat. So feel free to take a nap, and I'll wake you when I get to the new stuff. >>: [inaudible]. >> Serge Egelman: That works too. To step back for a second: most of the work I do is within the usable security space, which means I try to solve computer security problems by designing interfaces that are better suited for humans, applying HCI methodologies to solve security problems. Within that space, there are two generally recognized major problems that we see frequently. The first is that there are a lot of unnecessary security interactions, and these result in habituation: people become accustomed to seeing lots of security information that they otherwise might not care about, to the point that when they see information they do care about, they're used to just swatting it away. The second problem is that users are frequently asked to make decisions that they very simply aren't qualified to make. A lot of the solutions to these can be learned from the classic hazard avoidance literature, and looking at that, we see there are really three different ways of dealing with hazards, in order of preference. In the best case, when we can eliminate a hazard, we should do so; that way there's nothing for the user to fall victim to and nothing extra for them to do. If we can't do that, we should try to mitigate the hazard in some way. And in the worst case, if we can't do any sort of mitigation, we are stuck with warning the user. Frequently, what we see in the computer security space is that we jump to the third option, warning, when we could probably be doing other things that are preferable. So looking at the mobile space, why is mobile interesting? Well, 50 percent of the US population has a smartphone, which means they have a mobile device with the ability to install third-party apps, and these apps can take advantage of all sorts of sensor data, which creates really rich user experiences; but with great power comes great responsibility. We see threats such as malware and grayware. Malware is unwanted apps that can cause damage: stealing your personal information, maybe holding your data hostage, stuff that users don't want on their devices. But that's pretty rare, since most of these marketplaces are centralized; when that stuff gets identified, it's removed quickly and pulled from users' devices. More frequently, what we see is grayware.
These are apps that users actually desired and intentionally installed on their devices, but the apps might be using data in ways that the user didn't expect. And so the question is: how can we make users aware of this? Looking at one scenario, say a user finds unexpected SMS charges on their bill. They suspect an app might be responsible. What could they do to determine which app it is? Here's a screenshot from Android; a lot of this work was done on Android, but I firmly believe that the results generalize to most of the mobile platforms out there. The first step would be selecting the menu, which brings up all the apps. Now they have to find the settings app, so they scroll down and click the settings app, which brings up a whole new screen. They have to know to click the applications sub-panel, which brings up more information to read, then they have to know to click manage applications, and that brings up a list of applications on the device. Then they have to go through sequentially, app by app, bringing up each app's settings and knowing to scroll to the bottom to see the list of permissions that app has been granted. Ostensibly, the user would do this for every single app on their device to determine the subset of apps that have the ability to send SMS messages. And even then, once they've done all that, it's not clear which app is actually responsible; they've just narrowed the list down. So there's a lot we can do to better convey information about how apps are using their data. In today's talk, I'm going to cover some of the problems with the current choice architectures, that is, how users make decisions about what apps do with their data; how we can improve this by applying better intelligence in terms of choosing permission mechanisms; and then finally, showing that in some cases it's much better to simply beg for forgiveness than ask permission. And then I'm going to talk about some future work. With regard to the current problems, we did some work about a year ago looking at whether Android users understand the permissions on their devices. We did an online survey of a little over 300 actual Android users; we could be sure they were Android users because we recruited them using AdMob, so we knew they were seeing the survey on their device because we advertised within another Android app. We showed every participant three different permission requests, and we had multiple-choice questions asking them to define what each permission allowed an application to do. In this example, granting Internet access, there are four options plus "none of these" and "I don't know." We removed the people who left these completely blank, since we had an explicit "none of these" option, and we also removed people who answered "I don't know," so we only looked at people who selected one of the five options. In this case, the correct answer would be loading advertisements and sending information to the application server. Every participant saw three of these, and what we found was that, on average, they got .6 of the three questions correct. We can calculate the distribution of expected answers from random guessing given the multiple-choice responses; the expected value would be, I guess, about a third of what we observed. So this is statistically significant; it indicates that people weren't just randomly guessing, they put some effort into this.
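For readers who want to see the guessing baseline spelled out, here is a rough sketch of that calculation. It assumes three questions per participant and five selectable options each (the four definitions plus "none of these"); the study's actual question format and scoring may have differed, so the numbers are illustrative only.

```python
# Distribution of scores one would expect from pure random guessing,
# assuming 3 questions and 5 options per question (assumptions for
# illustration, not the study's exact setup).
from scipy.stats import binom

n_questions = 3
p_guess = 1 / 5  # probability of guessing a single question correctly

print("expected score under guessing:", n_questions * p_guess)
for k in range(n_questions + 1):
    print(f"P({k} of {n_questions} correct by chance) = "
          f"{binom.pmf(k, n_questions, p_guess):.3f}")

# Comparing the observed score distribution against this baseline (for
# example with a chi-squared or exact binomial test) is what supports the
# claim that participants were not simply guessing.
```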
But at the same time, the majority of people weren't able to identify any of these permissions. Only eight people got all three correct. So there are some problems here with comprehension. We followed this up with a laboratory experiment to get qualitative data on why these comprehension rates were so low. We recruited 24 Android users from Craigslist, and we had them do three different things. For the first two tasks, using their own devices, we observed them install two applications. We gave them scenarios, for instance, install a coupon saver application. They went to the market and were allowed to download whatever application they wanted that they felt fulfilled the scenario, and we observed whether they viewed the permission request screen during this process. They did that twice, and then for the third task, again using their own device, we asked them about an application of their choice that they had used frequently. We had them open that application and interact with it, then go to the permission screen that I showed you at the beginning of the talk, which lists all the permissions that application has been granted, and we simply asked them whether the application had the ability to send SMS messages. What we observed was that during the installation tasks, fewer than 20 percent viewed the permissions during the install. The request came up after they clicked the install button, and then they simply clicked through it without reading, which was kind of expected. This is also likely an upper bound: we performed this in the laboratory, so they were probably under pressure to apply more diligence to the task than they would have otherwise. And then, when we asked whether this app that they were already familiar with, and for which they could view the permissions, could send SMS messages, a majority of them were unable to answer correctly. The reason is that they knew the permissions it had been granted, but they didn't know the permissions it hadn't requested. They didn't know that SMS was a separate permission. So being able to state definitively whether an app can do a particular action requires some familiarity with both the granted permissions and the ones that weren't granted. From this we came up with several suggestions on how permissions could be improved more generally. One: people were habituated to the requests; since they'd seen these requests with every single application they'd installed, they were used to clicking through them. So one suggestion might be only prompting when necessary. >>: You mentioned that these application stores are well curated and [inaudible] taking down, so might it not be rational to ignore the permission screen? >> Serge Egelman: Yes and no. They're curated for stuff that's outright bad, right? Things that are malicious. But for things that come down to user preference, specifically privacy stuff, people have a wide range of privacy preferences; some people care about disclosing location, others do not. So basically it comes down to user choice. The next suggestion: a plurality of our participants were simply unaware that these things even existed. Since they were so habituated to clicking this after the install screen, a lot of them said they thought this was just another EULA, and not really about granting abilities to an application.
So the information was maybe being presented at the wrong time during the installation process. Another thing is that there are possible cognitive biases: maybe, seeing this after clicking install, they were subject to choice confirmation bias; they don't want to revisit a choice they already made. So maybe this information needs to be provided at a different time, maybe earlier when they're browsing applications, or maybe even later at runtime, for instance, when the permissions are actually used. And finally, there's the problem that understanding what an application is doing requires understanding what it's not doing, or what it's not asking to do. So maybe we should narrow the list of possible permissions. In Android there are over 100 different permissions. I think Windows Phone is a lot better; there are fewer than 20. iOS has changed: it used to be that only location and notifications were prompted for at runtime, and they've expanded that to add access to the photo library and contacts. And so this brought about a much broader discussion on permission-granting mechanisms generally. These were all problems with install-time mechanisms, but maybe there are other ways of asking for permission. And this is applicable to more than just smartphones. We're heading towards an environment where there's a lot more centralized app distribution, such as having a store bundled with the OS; we see this both in Windows now as well as on the Mac, and certainly permission requests could be integrated into that. So again, looking at install-time warnings, there are pros and cons. They're adaptable to many different permissions because it's simply a little text box where you describe what's being requested; there's nothing really dynamic about it, so it's easy to write these. They can also be used to grant future abilities, where the time the permission is granted isn't the time it's actually used. The problem is, especially in the mobile space, there's limited screen real estate. In this case, there are just three different permissions that the user sees by default unless they scroll all the way down, so it's easy to overlook things. The other problem is that they lack context: when these abilities are actually used, it's not clear what they're going to be used for, as opposed to a runtime warning, which adds contextual information. When the user sees a request for location, they were doing something that triggered that request, so they might have a better idea of why it's being requested. Likewise, runtime requests can be made dynamic by including other environmental information; over here we have a Bluetooth request, and we could state the name of the device. Obviously you can't do that at install time. But these have problems too, and everyone's probably familiar with this one: habituation. When users see these frequently, they stop paying attention to them. They get used to the benign situations, so when a potentially malicious one comes along, they've been trained to dismiss these without reading, because they see them as a barrier to completing a primary task. But at the same time, there are also things we could do to grant permission without interrupting the user. So there's curation: if our market has some sort of review process, so that every app that's distributed has gone through some sort of heuristics, maybe that's a way of preventing the user from being inundated with too much security information.
The problem with this is that it's very resource intensive. It's really hard to do automatically; there needs to be some sort of human oversight, especially if you're going to be revisiting decisions and pulling apps off devices, or rejecting apps from paying developers. The process is also completely opaque to users and developers alike. This is what Apple has been doing, but we've seen lots of problems with it. Everyone's probably familiar with the Path fiasco. Path was a social networking app, and it turns out that Apple's terms of service prevent developers from accessing the contact list on the device, but there is no actual enforcement of this; it's supposed to be enforced through the curation process, and somehow this slipped through the cracks. Millions of users were using this application when it became clear that it had been pretty frequently violating the terms of service agreement. So curation might not be the best way. But there are other emerging approaches for granting permission without interrupting the user, what I call Trusted UI elements. These are system-drawn components, or access control gadgets: the developer specifies an area in their app to draw a button or some other component, and then the OS is responsible for drawing it. These are advantageous because the only way of granting the permission is by interacting with the OS-drawn widget rather than a developer-drawn one, so there's no real way to spoof them. Certainly developers could spoof the look and feel, but interacting with that spoofed widget doesn't actually grant the permission. Another thing you could do with this is granular access control, which hasn't really been enforceable before. Maybe you have a widget for adding stuff to the calendar; an app requests this, the user then interacts with the system-drawn widget and can add a subset of the events, or can make changes to the request before it's granted, and the app can't override those decisions. But these have some drawbacks. For one, it's hard to grant things in perpetuity, and it's also hard to grant things where the initial request wasn't generated by the user. Certainly you could do this with various callbacks, but I'd argue that this breaks the user's flow, and these devolve into just another confirmation dialog if the user is explicitly performing some permission-granting task to grant a future permission. And then this idea of implicit access came up. In certain cases, if our goal is to minimize habituation by not bothering the user with unwanted interactions, when the risks are really minor or can be completely reversed, maybe we shouldn't ask a priori; instead we should grant the permissions, but allow the user to audit what happens, so that when a misbehavior occurs, they can go back and undo it. And so from this, we've created a sort of mechanism hierarchy in terms of desirability. The base case is the install-time warning, which is generally undesirable but is a one-size-fits-all approach applicable to pretty much any permission. At the other end of the spectrum there's implicit access, which is most desirable, but you can't always use it. So then the issue is deciding which one of these mechanisms is most appropriate for a given situation.
Or, to put it another way: grant me the serenity to accept that some permission requests cannot be eliminated, the courage to eliminate the ones that I can, and the wisdom to know the difference. So that brings up the question: how do we know the difference? We did a thought experiment, a couple of grad students in the group and I, where we amassed a collection of all of the possible permission requests that a user might see. We got there by gathering all the permissions from Android, Windows Phone, iOS, and the Mozilla WebAPI. We removed the duplicates, and we also removed the ones that the user probably has no business seeing; things like enabling multicast are decisions that most users just aren't qualified to make. For each of these, we individually asked: what's the best way of granting this permission? We went through them and then met to try to reach consensus. And we found that in the way we reasoned about these, a couple of common questions arose. The first factor we looked at is the risk level of granting one of these: what are the consequences if it were to be abused? One example might be a permission to permanently disable the device. You might have some sort of security software on there so that if your device is stolen, you go to some website and it destroys all your data. This is pretty severe, especially now that we see a lot of malware holding devices hostage hoping to profit. Is this reversible? Well, it's specifically designed not to be. Is there an incentive for widespread abuse? Yeah. So the consensus here is that since we're granting a future permission, really the only way of doing this would be an install-time warning. Another example, at the other end of the spectrum, is changing the time. What's the risk level here? Certainly you can come up with some sort of James Bond-style plot that hinges on changing the time on someone's phone, but for the most part that's not applicable to most people, and really the risk is just an annoyance; the user could go and change the time back. >>: A few slides ago you asked the question, what's the best way, and then you give this example. Did you come up with an objective way to decide what's best, and how does it come out? >> Serge Egelman: Next slide. >>: Good. I've been waiting two slides. >> Serge Egelman: Okay. And so based on the patterns that emerged in how we reasoned about these individually, we came up with a flowchart for determining the most effective way of granting permissions. I'm not going to say this is the best way; it's a formal way that we came up with based on a lot of discussion, and I think it still needs to be validated. But I think it's an improvement, and it provides a process to aid platform developers in choosing what mechanisms to use. We have five questions. The first involves this notion of revertibility: could the device be reverted to a previous state if something were to go wrong? If the answer is yes, then you should just grant those permissions implicitly but offer some sort of audit mechanism so that users can identify misbehaving apps. Likewise, if it can't necessarily be undone but it's just an annoyance, we should do the same thing there. If the risk level rises above that, the question is whether the user initiated the request; if so, then in every case we should be able to use Trusted UI components or access control gadgets. If the user didn't necessarily initiate it, but we can allow the user to grant a subset of the request, we could still use system-drawn components or choosers to let them do so. And finally, if the answer to that is no, we are stuck with either a runtime warning or an install-time warning, and the way you differentiate those is whether the ability needs to be granted for future use, in which case you really need an install-time warning.
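One way to make the decision process concrete is to write the flowchart out as code. The sketch below is one reading of the five questions just described, with hypothetical parameter names; it is an illustration of the logic, not an artifact from the talk.

```python
# One reading of the permission-mechanism flowchart (illustrative only).
def choose_mechanism(reversible, annoyance_only, user_initiated,
                     subset_grantable, needed_for_future_use):
    """Pick the least intrusive way to grant a single permission."""
    # Low risk: the effect can be undone, or is merely an annoyance.
    # Grant implicitly, but log it so users can audit misbehaving apps.
    if reversible or annoyance_only:
        return "implicit grant + audit mechanism"
    # The user initiated the action: a trusted UI element (access control
    # gadget) grants exactly what the user asked for, with no prompt.
    if user_initiated:
        return "trusted UI / access control gadget"
    # Not user initiated, but the user can approve a subset of the request
    # through a system-drawn chooser.
    if subset_grantable:
        return "system-drawn chooser"
    # Otherwise we are stuck prompting; the timing depends on whether the
    # ability must be granted ahead of time for future use.
    return ("install-time warning" if needed_for_future_use
            else "runtime warning")

# Example from the talk: changing the system time is at worst an annoyance.
print(choose_mechanism(reversible=True, annoyance_only=True,
                       user_initiated=False, subset_grantable=False,
                       needed_for_future_use=False))
```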
So using this model, we went back and looked at our list of permissions, and what we found was that the majority of them could simply be done away with and replaced with audit mechanisms. We found that a quarter could be replaced with Trusted UI, and at the other end of the spectrum there are the install-time warnings. Recall that on Android, that was 100 percent; we've now reduced it to six percent by applying this model. So this could dramatically reduce unnecessary interactions. >>: So presumably implicit access is the one you'd do most often; you put that at the top of the flowchart as opposed to Trusted UI. Every Trusted UI component creates a cognitive load: users have to recognize a certain type of widget; they have to know about it. So 23 percent sounds like a lot of widgets to know about. >> Serge Egelman: It's not necessarily that the user has to know about it, because honestly, if the only way of granting, well, okay. It needs to be intuitive that the widget does the desired thing, so maybe a button for the shutter of the camera. But if the only way of achieving those actions is through the Trusted UI, it just needs to be made obvious that those components will complete the primary task. The user doesn't have to memorize all the Trusted UI components. >>: Why not have the flowchart start with Trusted UI? Shouldn't Trusted UI be the first go-to thing, if it's so easy? >>: Can I make a clarification first? >> Serge Egelman: Sure. >>: The user does not need to recognize the Trusted UI. >> Serge Egelman: Right. >>: If the Trusted UI is not used, the permission is not granted, and the task will not be achieved. >> Serge Egelman: Well, the user is trying to complete a primary task, right? And so the Trusted UI components need to facilitate that. But the user doesn't have to be cognizant of the fact that they're granting permission through these. >>: Given that, why isn't Trusted UI at the beginning of your flowchart instead of partway through? >> Serge Egelman: Because there are also other constraints, like balancing the needs of developers. Simply telling developers that they no longer have the flexibility to do this, that they have to use a system-drawn component, might be overreaching and might stifle some innovation. So for the things that are truly minor, we should just not care about that. >>: Can you give an example, something that [inaudible] implicit access and [inaudible] Trusted UI [inaudible]? >> Serge Egelman: Connecting to the Internet. >>: So why does a user need to care about connecting to the Internet? >> Serge Egelman: They don't. That's my point. >>: So when we were doing the ACG work, we only spoke to what we called the user-owned resources. I don't think the network is [inaudible]. >> Serge Egelman: Sure.
I mean, we arrived at this by starting with what all the permissions are that users are confronted with now, rather than... >>: [inaudible]. >> Serge Egelman: Yeah. Absolutely. You're absolutely right. But take connecting to the Internet: you're not going to have a system-drawn button for every app so that it can get Internet access. That's ridiculous. Instead... >>: What about something that is in response to user interaction, so it would go past that before it [inaudible]? >>: Why does that belong in the denominator? >> Serge Egelman: The point is, the harm from that is sufficiently minor if you're not, say, roaming internationally. Most people have pretty good data plans, often unlimited, and if there's an app that's abusing this, we can add an audit mechanism, as we're going to get to, so that people can identify the apps that are abusing it even though it's been granted without consent. And so this sets up the research agenda, which is first looking at which permissions need to be explicitly granted and which ones don't. Then, for those that don't need to be explicitly granted, how can we design better audit mechanisms? And the other side of that is, for the requests that do require user interaction, how can we optimize those? The rest of the talk is current work I've been doing to improve the audit mechanisms, or what I like to refer to as begging forgiveness instead of asking for permission, because what we're doing here is not asking for the permission a priori but allowing the user to revisit those decisions. The first question in exploring this is: are audit mechanisms likely to be effective? So I conducted an online survey using people on Mechanical Turk. We didn't specifically screen based on what smartphone platform they used; instead we did that post hoc. We used a free-response question so they weren't incentivized to cheat one way or the other, and we just kept the Android and iOS users, the reason being that both have some existing audit mechanisms; we also got too few responses from Windows Phone and BlackBerry users to really include them, only two or three from each. Anyway, there were two questions that we hoped to answer through this survey. The first is: do users understand that applications running in the background can access the same resources as those running in the foreground? This is important because if users aren't aware of this, when a misbehavior occurs on their device they're likely to just blame whatever app was running in the foreground, not understanding that it could have been anything else that was running at the same time. If that's the case, it sets up the need for better audit mechanisms so that they can disambiguate the cause of misbehaviors. The second is that both of these platforms have some existing audit mechanisms built in, and we wanted to see whether users were aware that these existed. >>: Why do you think users [inaudible] aware of these audit mechanisms? As an average user, I don't need to know what's happening on the platform. This should be the platform's job, like iOS or Windows Phone or [inaudible]. You don't need to know. >> Serge Egelman: If something happens on your device, you probably want to find out what app is responsible so you can take corrective action. >>: Not really, in many of the scenarios in the real world. If I own something, I don't know how to fix it.
I would call someone or find someone who's an expert to fix the problem. It doesn't necessarily put everything in the user's hands. >> Serge Egelman: Sure. But if we can do it in an unobtrusive way so that it's simpler for the user, that's still a net win, because it's empowering more users. Certainly not every user is going to take advantage of it, but it's empowering more users to make better decisions about how their data is being used. >>: It seems like running in the background and [inaudible] sound orthogonal to me. If I'm using Angry Birds and it's sending SMS messages while I'm running it, it's just as annoying as... >> Serge Egelman: Absolutely. But if you get... >>: So why is this question in a survey about audit mechanisms? Why does it matter that it's [inaudible] in the background? >> Serge Egelman: Because there needs to be a way of disambiguating whether it really was Angry Birds or something else that happened to be running at the same time. You're not going to know; you're just going to get some charges on your bill. >>: So you think that there will be a charge, and it says 2:35 PM, and the user will remember, oh, I was running Angry Birds at 2:35 PM? >> Serge Egelman: SMS is a bad example, because the way they get notified is at a distant time in the future. But say your device just starts vibrating. >>: So just to be clear, you're suggesting auditing as an alternative to asking for permission? >> Serge Egelman: I mean, SMS is a bad example because that's not something that's benign. You would grant permission for SMS, since users are concerned with running up costs. >>: Could you give two or three examples of the kinds of things [inaudible]? >> Serge Egelman: Yeah, like vibrating the device, or having it make noise. These are annoyances, and the user will want to maybe stop them at the moment they start if it's an ongoing event. So the first question was a multiple-choice question about what happens to apps in the background. We had five possible answers: I don't know, it simply exits, it runs with fewer abilities, it goes into a suspended state and doesn't actually do anything until you resume it, or it runs with the same abilities, which was the correct answer. So 22 percent selected the same abilities, but we do a binomial test and see that if people were randomly guessing, there's still a 25 percent chance that at least this many would have guessed this. What this illustrates is that people really have no idea what happens when an app goes into the background, which means maybe we should have some sort of provenance for apps when misbehaviors occur on the device. To give one example, data usage on Android: Android 4.0 added the ability to view data usage. In the settings app there's a panel for data usage; if the user selects it, they get a sub-panel, and all the way at the bottom, if they scroll down, it will show usage sorted by individual apps. So they can see which app was responsible for using most of their data. This has been in deployment for over a year, and there haven't been any public education campaigns about it. So our question was: are Android users aware of this? Have they discovered it on their own just because it's been on their devices? What we did was ask a question with a scenario: you get a hefty bill and it's due to data usage; how would you go about finding the cause of this using your device? This was a free-text response.
So we just had an essay box, and we wanted to see whether they would describe the steps involved in getting to the settings app unprompted. And what we found was that almost three quarters of Android 4.0 users were aware of this. They wrote out all the steps involved in getting to the data usage screen; they were aware of its existence. If we look at the 95 percent confidence interval, as many as 85 percent of users may simply be aware of this because they've had it on their devices. Looking at users of prior versions of Android, as well as iOS, who didn't have this ability, their responses were all over the place. A plurality simply said they would blame whatever app they most recently used, though the next most popular response was that they would inspect the device settings, which indicates that maybe, if that feature were available on these other platforms, users would have stumbled upon it. Another 13 percent said they would check app reviews, and while that is probably the most viable strategy of the ones listed, it's not a guaranteed solution either. So what we found from this is that users generally expect to find this provenance information within the settings app, regardless of whether or not it's actually there. This might be a good place to have annotations to indicate which app most recently changed a certain setting. >>: Yeah, so that's exactly the question I was going to ask. So this is not really an auditing mechanism; it's almost even more general than just privacy [inaudible]. It's basically about configurations and configuration [inaudible]. >> Serge Egelman: Yeah, I guess that's what I've been saying; provenance, I guess, rather than auditing. >>: There may not be any misbehavior; it's just [inaudible] does something, and then later I think, I want to know how to turn it off. >> Serge Egelman: Sure. >>: [inaudible]. >> Serge Egelman: Yes, and it could be used to audit, but it's not in and of itself auditing necessarily. >>: So the settings app is a natural place for all the configuration to happen. >> Serge Egelman: Yeah. And so that brings up a follow-up question: all of this was about changes to settings and where users go to find the cause of them. What about ongoing events? Maybe the device starts vibrating. Is it reasonable to expect users to go to the settings app to figure out what's causing that? And that brings up notifications. Pretty much every platform has some sort of notification bar with icons that indicate what apps are doing. Here on Android, this is the SMS one, and if I were to drag it down, it would expand and show me that I have a text, and it would even show me some information from that text. So the question is: are users aware that these exist? Do they understand that they can interact with them to get more information about the cause of certain behaviors? We followed up this survey with qualitative interviews with 8 different participants recruited from Craigslist. All were existing Android users, and the gender was pretty well split, as were the ages. We asked them to perform three different scenarios using a smartphone that we provided. The first scenario was the same one we gave our online participants: how would you identify the cause of a data overage? And just based on that information, half our participants immediately navigated to this screen. So that sort of validated those results.
The remaining four immediately said things like, well, I would use my phone to call my provider, or I would look at my bill online. Of course, those strategies won't actually break it down on a per-app basis, and so after we prompted them to investigate the device, they too immediately navigated to the settings. So this sort of validates that this is an intuitive location for that type of information. In the second scenario, we told them to imagine that the wallpaper had changed on their device. What would they do to figure this out? Currently there's no way of auditing this, but the purpose of this scenario was to see whether they too would go to the settings panel, where such changes are generally made, to see if it would yield any information. And of course all of them did that. There are two different ways: they can either long-press the desktop, which brings up a chooser, or go to the display settings in the settings panel and configure the wallpaper from there. All of them did one of these two things to see if any information would be there about the cause of such a change, but only one participant understood that applications could be responsible for these types of changes. The rest of the participants said they expected maybe somebody else had borrowed their phone and changed it. They didn't understand that this is something apps could do unexpectedly. And finally, we looked at notifications. We had them read a newsreader on the phone, and while they were in the process of doing that task, we made a notification appear with a little video icon; if they were to expand it, it said that another app was accessing video. We wanted to observe whether they would notice these and expand them on their own. >>: [inaudible] Facebook? >> Serge Egelman: What? >>: Was it on Facebook? >> Serge Egelman: No. >>: Did they say anything about Facebook versus other apps? >> Serge Egelman: Yeah. What we found was that, without prompting, only three of them investigated this on their own, and we suspect that's because it wasn't their phone and they were in a public place when they were using it. A lot of them said that after we prompted them, they knew exactly what it meant, they just didn't really care; it wasn't alarming enough. But when we prompted them, everyone but one person knew that they could expand that menu to see what app was responsible. >>: My question is, did they say anything like, oh, it's okay because it's Facebook and I trust Facebook to record my life? >> Serge Egelman: We didn't actually test that. The whole point was whether they would know to expand it, whether they would know that there's more information available about what app is causing that. So from this, we had a couple of observations. The first was that users expect to find this provenance information in either the system-wide settings app or wherever else those changes can be made. We also found that users are familiar with the notification bar and know that they can use it to get more information. So we decided to instrument our phones with these two audit mechanisms to observe whether people would interact with them in the lab when put in a position that motivates them to do so. I refer to this as adversarial usability testing, where we try to mimic a threat model and see whether users will use the provided mitigations to counter that threat. We had 76 Android users recruited from Craigslist.
It skewed toward male; the average age was mid-30s, so we think this was relatively generalizable. And we performed a controlled experiment. We randomly assigned people to two different conditions and ran several sessions; we had 20 different phones, half of them flashed with the experimental condition and the other half flashed with a control that didn't have the audit mechanisms, and we didn't actually know which condition people had been assigned to until we pulled the logs off the devices at the end of the experiment. The question we wanted to answer was: when devices misbehave and people are provided with audit mechanisms, will they use those mechanisms to find the cause of the misbehaviors? We intentionally designed the study to make this task ambiguous in the control condition by having them interact with applications that all requested the same abilities. We specifically looked at the ability to vibrate the device, so we had three different apps that they interacted with that all had this ability, and three different apps that could change the wallpaper. Obviously, when a misbehavior occurred, we wanted to make sure that every single one of these apps was already running in the background so that it was plausible that any of them could have been causing it. And so we used some deception: we told participants that they were there simply to write reviews for apps. That way we could be assured that they had run several apps in a short amount of time and that the apps were running in the background. With regard to the vibration audits, which were only available in the experimental condition: when the device started vibrating, since this was an ongoing annoyance, we had a notification icon appear, and if they interacted with it, it would attribute the vibration to the particular app they had used. In the control condition, the only way of identifying the app would be to launch the task list and individually kill apps until the vibration stopped. And we did observe that behavior. With regard to... >>: [inaudible] shortcut? >> Serge Egelman: Hmm? >>: So is the vibration icon a shortcut to the system settings? >> Serge Egelman: No, we actually didn't implement that. We didn't ask them to stop the vibration. The only data point we collected was whether they interacted with it, and then in their questionnaires we asked them which app was responsible. But yeah, that was an oversight that we talk about in the paper: several people did try to click that button. In the exit survey we asked them what behavior they would have expected after clicking the button, and it was about evenly split between launching the application responsible and going to some central settings panel to disable it. Yes, that's something we should have instrumented but didn't. >>: Is your proposal to make this an easier task? >> Serge Egelman: Yes, exactly. I think having it go to the settings panel is probably the best way of handling it, because if these are going to be drawn by the OS, and if it's a potentially malicious app, it should be the OS that handles terminating the behavior. With regard to the wallpaper changes, we simply added annotations to the settings panels. There were two of them: in the display settings we added it right under the wallpaper option, where they would go to change the wallpaper, as well as in that chooser that I showed you from the desktop. And again, this was only available in the experimental condition.
And so in the control condition, there was no good way of determining which app was responsible for changing the wallpaper. In the best case, people could go through and see which apps have the ability to do so, but that only narrows it down to a subset and doesn't definitively tell them. Yeah. >>: So you give three or four different places for different permissions and different events. But currently, I mean, Windows has this system log, right? So [inaudible] that ever happened. >> Serge Egelman: Sure. >>: [inaudible] search. Do you think it makes sense that we should provide a central place for people to look at these events and permissions? Because the good thing is, if I know where to look for a wallpaper change, it's obvious. On the other hand, when there are [inaudible] away, even as [inaudible] a user as I am, I find it's pretty hard to [inaudible] going on there. Is there a central place I can easily search? >> Serge Egelman: Yeah, potentially. I think that's a separate question, and I agree completely. In the future work that I want to discuss, I've thought about that a little bit; I should get to that at the end. >>: I have a question about iPhone. >> Serge Egelman: Okay. >>: If this is not a good time... >> Serge Egelman: Yeah, it's fine. >>: My question is that iPhone also has, in the settings, so when your iPhone is [inaudible] information system, right? It also tells you, do you want this application to send you notifications? Then later you can also go [inaudible]. So is that pretty close to what you're proposing? >> Serge Egelman: Yes, exactly. We actually looked at that a little bit. We did a previous experiment; over the summer, undergrads set up a Mechanical Turk task to get people to upload screenshots of that panel, just to observe whether by default people have it all enabled or whether there's any intelligence applied to disabling it on a per-app basis. They were trying to take a machine learning approach to see whether they could predict which applications would have those things disabled, and none of the classifiers we used were able to find any trends, which was kind of interesting; it seemed it all just came down to preference. But it was surprising that people actually had taken steps to disable that. In the first online survey that I presented a few slides ago, I did have some questions about iOS 6, which now has those audit mechanisms for sharing contacts and photos. We had participants select, from multiple-choice options, which audits are available on their device, and we included a whole bunch that didn't actually exist. On average, the means were higher among iOS 6 users, but there wasn't a statistically significant difference; also, only 40 of our 200-some participants were confirmed to be using iOS 6, so it's hard to draw any conclusions about whether those options have moved into the public consciousness at this point. I guess they've only been available for six months. Anyway, moving on: in the lab, we had each misbehavior occur twice.
The first time, we referred to it as the implicit misbehavior: we had them doing some other task and then triggered the misbehavior, simply to observe whether they would notice that it was occurring and interact with the audits unprompted. We followed that up with an explicit misbehavior: after they completed all the other tasks, we told them that one of the apps was causing the device to vibrate and asked them to identify which one. That was to get both a lower bound and an upper bound on the effectiveness of these audit mechanisms. The full sequence of steps was as follows; we randomized whether the wallpaper or the vibration misbehavior occurred first, so this listing is just an example. Had the wallpaper one been first, once they arrived at the lab we told them that they needed to write reviews for three different drawing apps, and as a first step, since all these apps were installed on the phone, they should spend two or three minutes interacting with each one to become familiar with it. After they did all three of those in random order, we then asked them to interact with a desktop widget. The reason we had them interact with a desktop widget was so that we could be assured they could view the desktop when we changed the background to Justin Bieber. We didn't prompt them about that; we just did it, and then asked them to write the reviews for the apps, and afterwards we read through those reviews to see if they documented the misbehavior within them. We followed this up with the vibration misbehavior, doing the same thing with three different timer apps. Again, we chose these apps because they all had the ability to vibrate the device. Then, as the fourth distractor task, we asked them to play with a dice app. The reason for this was so that we could be assured they were holding the device in their hand, because it was accelerometer-based: they had to shake the device to roll the dice. That way, when we started vibrating the device incessantly, we knew they would be able to detect it because it was in their hands. Again, after that, we asked them to write reviews for the apps to observe whether they would include the misbehavior in any particular app review. After they did all those tasks, we had them go back and told them, okay, one of the apps just changed the wallpaper on your device; please indicate which app was responsible and also report the degree of confidence you have in your selection using a five-point Likert scale. We did that again with the vibration, and then we had an exit survey. Regarding the unprompted vibration, which was represented with a notification icon, we found that about half of them commented on the vibration in their reviews. So they noticed it; but identifying the particular app was significantly different between conditions: 17 of the 21 who noticed it in the experimental condition identified it, whereas only two of the six who noticed it in the control condition were able to. The people who noticed it but didn't identify it wrote in multiple reviews that an app was vibrating, but they weren't sure which one was responsible. Going through the logs that we stored on the devices, every single one of the 17 who correctly identified the app did so by expanding the notification bar. So this was intuitive to them; they didn't need to be prompted to do it.
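As a side note on the numbers just quoted (17 of 21 in the experimental condition versus two of six in the control condition who both noticed the vibration and identified the app), the talk does not say which statistical test was used; Fisher's exact test is one natural choice for a 2x2 table with counts this small, sketched here purely for illustration.

```python
# Illustrative significance check for the identification rates above.
# (The study's actual analysis may have used a different test.)
from scipy.stats import fisher_exact

table = [
    [17, 21 - 17],  # experimental: identified the app / did not
    [2, 6 - 2],     # control:      identified the app / did not
]
odds_ratio, p_value = fisher_exact(table, alternative="two-sided")
print(f"odds ratio = {odds_ratio:.2f}, p = {p_value:.4f}")
```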
Regarding the explicit misbehavior, where we told them your device is now vibrating, please report which app is responsible: over 80 percent in the experimental condition were able to do so correctly, versus only about 30 percent in the control condition. Of course, given the multiple choices we provided, the number in the control condition was not statistically distinguishable from simply guessing randomly and arriving at the correct answer. And finally, looking at the strategies people took: almost everyone opened the notification bar after the device started vibrating, even the people in the control condition. They expected that there was something going on, maybe something in the notification bar, even though there wasn't. Of the 12 participants who identified the correct app in the exit survey, 10 of them said outright that it was due to random guessing, whereas two of them killed apps individually until they found the right one. And of the incorrect ones, a plurality admitted to random guessing because they didn't know what to do; 29 percent named the last app they had used. What's interesting, on both this misbehavior and the other one, is that there was a small minority who simply inferred the abilities based on the UI. They said, within this particular app there's a settings panel for controlling a vibration feature, I don't see this in the other apps, so therefore this must be the one that's responsible. So they were inferring abilities based on what UI features are available, as opposed to what permissions had actually been granted to the application. Also, the experimental condition was the only one where we saw a significant correlation between confidence and actually having the correct answer. So finally, wallpaper: we were a little disheartened to observe that very few people actually documented the change. After we Biebered our participants, only about 15 percent noted it in their reviews. Afterwards we asked them in the exit survey, and a lot more people had been aware of it but thought maybe it was something they did with the widget they were interacting with, and so they blamed the thing they were using at the time that the misbehavior occurred. >>: For all these, it wasn't their fault; it was your fault [inaudible] using, right? >> Serge Egelman: Yeah. >>: So could they just think, I'm in a drawing app, maybe this is what drawing apps do, right? >> Serge Egelman: And so then, when we explicitly called their attention to this and told them it was one of the apps they had previously used, please identify it and specify your confidence, there was a statistically significant difference and improvement in the experimental condition, but it was only about 30 percent. Of the 12 who correctly identified it, two admitted to randomly guessing and arriving at the answer, so there were really only 10 who got there through the audit mechanisms, and this was confirmed through the logs: six of them went to the settings app and observed the annotation, three saw it in the wallpaper chooser, and one saw both. For the incorrect ones, again, it came down to random guessing or looking at the last-used app. And again, there was this phenomenon of inferring abilities based on the UI features available: some of them said, in a particular app they saw the option to set the wallpaper, they didn't notice this in the other apps, therefore it must be this app.
And again, confidence correlated with correctness. So from this there were a couple of open questions. We confirmed our previous findings regarding people intuitively going to the settings app to look for the cause of changes. But the question is: should that 30 percent during the wallpaper misbehavior be considered a success? While it was a significant improvement over the status quo, 30 percent seems like a low number. I would argue that yes, it is a success. What we've observed in previous studies is that most users don't actually read the direct disclosures from apps about how data is being used, and instead rely on third parties, such as reviews or word-of-mouth. So having even a small number of savvy users aware of these features means that information is eventually going to get disseminated into reviews, and more users will become aware if a particular application is systematically causing misbehaviors. Some of the future questions are: if apps are drawing these notifications, and we have both system-drawn notifications and app-drawn ones, how do we make the difference intuitive to end users? Yeah. >>: [inaudible] should we be designing these prompts to target [inaudible] users in that case, if they're the ones most likely to use it? >> Serge Egelman: Potentially. I mean, this was one misbehavior, so it's hard to draw conclusions from that. What we also found is that the data usage screen in the settings app had been deployed for a year, right? Up to 85 percent are aware of that, so maybe if these notifications were in widespread use, in a year that number is going to be greatly improved. It's hard to say, but I think this is promising. >>: I have a question. Who were the participants? [inaudible]? >> Serge Egelman: No, no, no. We recruited from the general public. I usually avoid recruiting people from campus. We collected ages, gender, and also occupation, and we found that there was actually a pretty good distribution with regard to occupation. There weren't many in technical jobs, but there was a huge range from blue collar to white collar, people with higher education degrees. So I think this is relatively generalizable. One problem that Cormac sort of hit on is the moral hazard element: they were using our phones and not their phones. So maybe they simply didn't have an incentive to look at some of these misbehaviors because they weren't the ones bearing any lasting harm. So maybe these should be considered lower bounds as a result. For future work, and I'm just about done, the grand vision for all of this, and I think more generally for previous work that I've done, is that in the usable security space we've come leaps and bounds from, say, 10 years ago, when things were designed without the user in mind. Now a lot of systems have been improved by focusing on the user and doing user-centered design; but at the same time, all of the experiments that we do sort of cater to the average user, and no such user actually exists. I think there are probably clusters of behaviors, and one of the things that I'm really interested in working on over the next few years is trying to cater security mitigations to individuals.
And this comes back to your question about having something where all that information is aggregated: there's the habituation problem, and obviously that could cause some sort of overload, though I think less so than with warnings because of the push versus pull nature of it. People are going there to seek information out. But there's still some intelligence we could apply in terms of displaying the things that we think a particular user finds most important. And that's also the case if a lot more permissions, say 50 percent of them, are replaced with notifications: obviously that could overwhelm the status bar and create a lot of clutter, but if we know what an individual cares about, we can prioritize and only show the things that are relevant to them. And the amount of data that's out there, especially on mobile devices with stuff backed up to the cloud, makes this really possible. To give an example: Gustavo has a smartphone. He uses it to make public check-ins on Foursquare; anyone can read his posts on Foursquare. He sends tweets that include his location. With some sort of middleware, or even at the OS level, the smartphone can infer that he probably doesn't care about location, and further prompting him about whether he wants to disclose his location is probably just going to habituate him to requests that he might care about more. So we could do a lot in this space by learning what individual users care about, or maybe, as a first cut, just segmenting the population into a couple of discrete personas and catering security mitigations around that, before we get all involved in a machine learning approach to... >>: [inaudible] contradict this. I like Facebook and all the social apps that access my photo album. That doesn't mean I would like [inaudible] to access [inaudible]. >> Serge Egelman: Yeah. Sure. >>: This is what really happened to me. [inaudible] app on all my pictures. Once I give that information, it's what I... >> Serge Egelman: Yeah. No, I mean that's a good example, and I'm not designing a system around this particular use case; this is just to illustrate how we can do customization and make inferences about individual users to minimize the number of unnecessary security interactions. So the conclusion is that the current choice architectures are really failing users, because there are too many requests that they don't care about, which means the important ones tend to go unnoticed. At the same time, we know that users do want some control over how information is shared with third parties, and by performing iterative human subjects experiments, we can yield generalizable knowledge to try to give them that. >>: I have a question. I have the same sense, that basically, as you said, auditing can be used beyond [inaudible]. In some sense, I'm [inaudible] people, but in some sense people care about the usability of fixing a problem more than security, and for information percentage [inaudible]. So have you thought about looking at how this applies to auditing, how the user could resolve an issue or problem instead of [inaudible] related issues? Is that something like... >> Serge Egelman: I'm not sure I understand the question. >>: For instance, you are looking at auditing because you want to allow users to reverse permissions. >> Serge Egelman: Sure.
>>: And when I look at auditing work I say, man, if you can help 50 or 60 percent of people figure out the wallpaper problem, I still have the same problem on my wife's phone; my daughter plays with it. I mean it's a real-world issue, and it happens way more often than information issues. >> Serge Egelman: Yeah, absolutely. I mean, I think there's a permission for setting the wallpaper. But I understand your point, and I think what this points to more generally is that, I guess, framing this purely in terms of permissions is a misnomer. What we are really concerned with are outcomes: unexpected or undesirable outcomes. Whether that's through inappropriately granting one permission, a set of permissions, or just unexpected behavior that had nothing to do with permissions, yeah, you're absolutely right. And that falls under this notion of provenance: trying to make it easier for users to understand how a change or an unexpected event occurred generally. >>: So I have a follow-up to my earlier question about iPhone. >> Serge Egelman: Okay. >>: So based on your study here, what do you think Apple should do in addition to what they have right now? Because they seem to already have a mechanism: in Settings you can kind of undo the things that you've done when you configure your apps. >> Serge Egelman: Yeah. >>: [inaudible]. So what do you think we should do in addition, based on your findings? >> Serge Egelman: Based on some of the earlier research, which I didn't include in this talk, we've done a couple of surveys looking at unexpected outcomes in order to rank consequences and see what people are most concerned with. And the four things that Apple has provided audit mechanisms for tend to end up at the bottom of the list in terms of user concern. So I think the way we are doing it is intuitive to people; what we've found is that having it in the settings panel does get found by users, but I think they're focusing on the wrong things. >>: Can you give an example? >>: So just quickly, have you thought about maybe using third parties that might have a view across multiple users? Example: at [inaudible], imagine the OS tells your carrier which app is sending it, and your carrier could say, hey Serge, this chess timer, this is really- >> Serge Egelman: Yeah. I mean, I've thought about that, though not more generally; I've thought about the SMS issue, and I think that's a larger economics problem. On some level the carriers sort of have an incentive not to do anything about that because they're getting money. At the same time- >>: [inaudible], right? >> Serge Egelman: What? >>: Can't figure out- >> Serge Egelman: The platform- >>: That you can send [inaudible], that you can send at this time. >>: So, replace the carrier with LookOut. >> Serge Egelman: Sure. >>: Or, you know, [inaudible] or Symantec or some other antivirus. So you see a new antivirus model where I let these people sort of see what apps are sending SMS- >> Serge Egelman: Yeah. I think that's the model we're moving to now. There used to be this notion that if anything bad can happen then the system's insecure and should be abandoned. But the model we're moving to now is that when new malware comes out or a new vulnerability is discovered, there are some expected losses, but then the crowd learns of it and adjusts.
And so we see that: I'd say malware isn't really a problem on most of these platforms. Certainly when malware gets uploaded there are a few users who are impacted, right? But eventually it gets detected and gets pulled off the devices. That a few users are adversely impacted before it gets detected is bad, but we'd be poorly allocating resources if that's the main problem we focus on. >>: Okay. Thank you. >>: Windows 8 seems to be moving towards a store model for the desktop as well. >> Serge Egelman: Yeah. >>: Are the usability problems the same? Are they easier, harder? >> Serge Egelman: I haven't actually spent much time looking at that, but I think most of this is applicable. Again, I don't think detecting malware is really the problem; it's simply empowering users to decide how their information is shared with third parties, and certainly central app repositories on the desktop could go leaps and bounds toward improving that. >>: The notification bar seems like a useful place to notify people about vibration; it's intuitive because vibration's typically used for notifying people. So I imagine that when my phone vibrates, I think, oh, it's probably something I should be notified about. >> Serge Egelman: Sure. >>: But it seems not to fit so much with the phone getting hot, or the time just changed, or do you just- >> Serge Egelman: I don't know. We haven't investigated that. The time change, I don't know; that might be more appropriate for settings. The idea we are thinking about is using the notification bar for ongoing things, because you have a passive indicator, and if the user is concerned about something they notice that's currently happening, they just have to glance up. >>: Right. I was just wondering, will that work on iPhones that are- >> Serge Egelman: Yeah, I honestly don't know. I think that's an interesting test case. >>: All right. Any last questions? We do have time for more I think, but we can also [inaudible]. Okay. Let's thank Serge. >> Serge Egelman: Thank you.
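For the SMS-auditing idea that came up in the questions, here is a hedged sketch using standard Android framework APIs (PackageManager with the GET_PERMISSIONS flag) to list which installed apps even request the SEND_SMS permission. The SmsPermissionAudit class, and whatever app, carrier, or antivirus service would surface this list to users, are assumptions for illustration, not anything built for this work.

    // Hypothetical helper: narrow down which installed apps could be
    // responsible for unexpected SMS charges by listing every package that
    // requests the SEND_SMS permission. Uses only standard Android APIs.
    import android.Manifest;
    import android.content.Context;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import java.util.ArrayList;
    import java.util.List;

    public final class SmsPermissionAudit {

        // Returns the package names of installed apps that request SEND_SMS.
        public static List<String> appsThatCanSendSms(Context context) {
            PackageManager pm = context.getPackageManager();
            List<String> result = new ArrayList<String>();
            for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
                String[] requested = info.requestedPermissions;
                if (requested == null) {
                    continue; // some packages declare no permissions at all
                }
                for (String permission : requested) {
                    if (Manifest.permission.SEND_SMS.equals(permission)) {
                        result.add(info.packageName);
                        break;
                    }
                }
            }
            return result;
        }

        private SmsPermissionAudit() {}
    }

As noted in the talk, this only narrows the candidate set; attributing a specific charge to a specific app would still require something like per-app logs or the carrier-side view discussed in the Q&A.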