Contact us

Overview

Current Applications

Policy Issues

Personnel

Partnership Opportunities

Selected Publications

Sponsors

Press Release

Recent Interview

Project Openings

Project Poster

Mobile Commerce Lab

CUPS Lab

CyLab

School of Computer Science

Overview
Managing security and privacy policies is known to be a difficult problem. Studies have shown that lay users often do not know their own policies or are unable to express them. Even in a desktop computing environment, end users have great difficulty using the Windows XP file permission system to create security policies for file access. In mobile and pervasive computing settings, this situation is often exacerbated by the limitations of access devices and the numerous tasks users concurrently engage in. To make matters worse, desired security and privacy settings are not just difficult to articulate, but they also tend to change over time. In short, emerging demands for empowering end users to set up policies are often unrealistic. This in turn may result in new sources of vulnerability and high levels of user frustration.

We believe it is important that new user interfaces be developed to effectively and efficiently support lay users in understanding and managing security and privacy policies – their own as well as those implemented by systems and individuals with whom they interact. Solutions in this area have traditionally taken a relatively narrow view of the problem by limiting the expressiveness of policy languages or the number of options available in templates, restricting some decisions to specific roles within the enterprise, etc. As systems grow more pervasive and more complex, and as demands for increasing flexibility and delegation continue to grow, it is imperative to take a more fundamental view that weaves together issues of security, privacy and usability to:

• Systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance, and

• Develop novel mechanisms and technologies that help mitigate these tradeoffs, maximizing accuracy and trustworthiness while minimizing the time and effort required by end users.

The objective of this project is to develop new interfaces that combine user-centered design principles with dialog, explanation and learning technologies to assist users in specifying and refining policies. This involves developing policy authoring tools for a growing collection of pervasive computing applications and evaluating the effectiveness of these tools with users in longitudinal studies. Evaluation metrics look at both accuracy and overall user acceptance, including user burden. Users should feel that they have adequate control over the behavior of the applications they interact with.

top

Current Applications

• People Finder Application: Users are equipped with smartphones that track their location. They interact with their devices to inquire about the locations of others (e.g., colleagues, friends, spouses) subject to privacy policies.

• Access Control to Resources: Smartphones act as the token by which users access both physical and digital resources. Users interact with their smartphones to create and manage their security policies, and (via the smartphones) with each other to obtain credentials to access different resources.

• Contextual Instant Messaging: Users can inquire about each other’s context (e.g. interruptability, location and current task) through an instant messaging service

top

Policy Issues

Mobile and pervasive computing applications, such as mobile social software that enables users to share their locations with others, are raising a number of challenging security and privacy issues. Get a glimpse of emerging policy issues in this space as they were discussed at the "Location Meets Social Networking: A Wireless Policy and Practices Dialogue" meeting recently organized by the Advisory Committee to the Congressional Internet Caucus, including a video of our own presentation.

Personnel

top

We are looking for companies interested in partnering with us in our research or in licensing our technology. For further details, please contact Norman M. Sadeh

top

Selected Publications

1. N. Sadeh, J. Hong, L. Cranor, I. Fette, P. Kelley, M. Prabaker, and J. Rao, "Understanding and Capturing People's Privacy Policies in a Mobile Social Networking Application", Journal of Personal and Ubiquitous Computing. Accepted for publication, 2008.

2. P.G.Kelley, P. Hankes Drielsma, N. Sadeh, and L.F. Cranor, "User-Controllable Learning of Security and Privacy Policies", First ACM Workshop on AISec (AISec'08), ACM CCS 2008 Conference. Oct. 2008.

3. L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A User Study of Policy Creation in a Flexible Access-Control System. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08).
2008.

4. R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

5. Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, Kami Vaniea, "Comparing Access-Control Technologies: A Study of Keys and Smartphones", CMU-CyLab-07-005, February, 2007.

6. Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, Norman Sadeh, "User-Controllable Security and Privacy for Pervasive Computing", Proceedings of the 8th IEEE Workshop on Mobile Computing Systems and Applications (HotMobile 2007), February 2007.

7. L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

8. M. Benisch, N. Sadeh, T. Sandholm, "A Theory of Expressiveness in Mechanisms", in Proc. of the 23rd Conference on Artificial Intelligence, July 2008.

top

US National Science Foundation (Cyber Trust initiative), ARO/CyLab, IBM, France Telecom, and Nokia.

top

This project has openings for graduate and undergraduate students as well as for a (senior) research programmer and a postdoctoral candidate

top