Understanding Developers' Reasoning about Privacy and Security - UMD - April 2017
PI(s): Michelle Mazurek, Charalampos Papamanthou, Mohit Tiwari
Researchers: Casen Hunger, Doowon Kim, Yehuda Katz
PROJECT GOAL
Our goal is to discover, understand, and quantify challenges that developers face in writing secure and privacy-preserving programs. Several research thrusts enable this goal.
Qualitative studies of developers allow us to discover cultural and workplace dynamics that encourage or discourage privacy and security by design. Experiments with alternative design schemas enable us to test how best to facilitate adoption. To perform these studies, we are developing the Bubbles platform, which will serve as a place for developers to write privacy-preserving applications that respect the privacy decisions users have already made.
Facilitating adoption:
Techniques such as information-flow control can offer strong privacy guarantees but have failed to achieve traction among developers. Concepts such as lattices of security labels and scrubbing implicit-flow leaks from programs require developers to learn security concepts in order to work correctly on an information-flow-secure platform (Jif, Flume). We have developed an alternative scheme that requires developers to partition their apps based on functionality (analogous to a model-view-controller pattern) instead of using labels and information-flow-secure compilers. We are conducting developer studies using A/B testing to compare the ease of programming with information flow against our programming model. Similarly, we are studying design patterns for security features in applications; examples include privilege separation within applications, key management in a distributed application, and mandatory access control policies for app components. These design patterns will enable even non-security-expert developers to write secure and private applications by default.
HARD PROBLEM(S) ADDRESSED
Human behavior
PUBLICATIONS
Krontiris, I., Langheinrich, M., & Shilton, K. (2014). Trust and Privacy in Mobile Experience Sharing: Future Challenges and Avenues for Research. IEEE Communications, August 2014. http://cps-vo.org/node/17109
Martin, K., & Shilton, K. (in press). Why Experience Matters to Privacy: How Context-Based Experience Moderates Consumer Privacy Expectations for Mobile Applications. Journal of the Association for Information Science & Technology.
ACCOMPLISHMENT HIGHLIGHTS
Bubbles User Study: The team completed a pilot study evaluating the usability of the Bubbles platform, based on whether access-control bubbles can be accurately inferred using machine-learning techniques. To achieve this, we ask participants to log into their cloud accounts (email, files, calendar) and use learning techniques to infer groups of real data that are shared with the same set of people; we then ask users to confirm the accuracy of the inferences. To support this, we built a study infrastructure platform that interfaces with crowdsourcing services. Our pilot study demonstrated that our learning techniques are not yet sufficiently accurate and may require additional supervision to gain accuracy. We submitted a paper illustrating the pilot results to USEC 2017.
Access Control Metrics Study: The team is currently undertaking a measurement study to better understand data sharing in cloud platforms. Using the infrastructure platform we developed for the first study, we will collect usage data across multiple services and obtain mappings of how many items are shared with how many people, in what types of groups, and with what longevity. This will allow us to characterize the modern cloud-based access-control space, updating prior work that examined corporate and peer-to-peer sharing approaches.
In particular, the current access-control study includes APIs to analyze metadata from Google Drive, Google Calendar, Gmail, and Dropbox, with plans to add iCloud and Box APIs as well. The study analyzes data-sharing patterns across all platforms in order to learn how users create and share their data. For example, Figure 1 (see attached pdf) shows the proportion of access-control groups that contain a given number of members across all users on whom we have piloted the study. We find that calendar events have the least complex access-control lists, while emails may have up to 25 users in a single access-control list. Additionally, Figure 2 (see attached pdf) shows how the lifespan of groups differs across the various platforms, indicating that document storage has the longest-lived access-control lists.
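As an added illustration (not the study's own code) of how the access-control groups inferred in the user study and the two metrics behind Figures 1 and 2 can be computed from sharing metadata, the following Python groups constructed sample records by their exact sharing set, then derives the per-platform group-size distribution and group lifespans. The record layout, platform names and sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of sharing metadata (not data collected by the study).
# Each record: (platform, item_id, owner, shared_with, created, last_modified)
SAMPLE_ITEMS = [
    ("drive",    "doc1", "alice", {"bob", "carol"},                 date(2016, 1, 5),  date(2017, 3, 1)),
    ("drive",    "doc2", "alice", {"bob", "carol"},                 date(2016, 2, 1),  date(2017, 1, 15)),
    ("drive",    "doc3", "alice", {"dave"},                         date(2016, 6, 10), date(2016, 6, 12)),
    ("calendar", "ev1",  "alice", set(),                            date(2017, 3, 1),  date(2017, 3, 1)),
    ("calendar", "ev2",  "alice", {"bob"},                          date(2017, 3, 2),  date(2017, 3, 2)),
    ("gmail",    "msg1", "alice", {"bob", "carol", "dave", "erin"}, date(2017, 2, 20), date(2017, 2, 20)),
]


def infer_groups(items):
    """Group items by (platform, exact set of people they are shared with).

    Each distinct sharing set is treated as one access-control group; the
    owner is not counted as a member. Returns {(platform, frozenset): [(item_id, created, modified), ...]}.
    """
    groups = defaultdict(list)
    for platform, item_id, _owner, shared_with, created, modified in items:
        groups[(platform, frozenset(shared_with))].append((item_id, created, modified))
    return groups


def group_size_distribution(groups):
    """Per platform, how many groups have a given member count (Figure 1 analogue)."""
    dist = defaultdict(Counter)
    for (platform, members), _entries in groups.items():
        dist[platform][len(members)] += 1
    return dist


def group_lifespans(groups):
    """Per platform, lifespan in days of each group: earliest creation to latest
    modification of any item in the group (Figure 2 analogue)."""
    spans = defaultdict(list)
    for (platform, _members), entries in groups.items():
        first_created = min(created for _, created, _ in entries)
        last_modified = max(modified for _, _, modified in entries)
        spans[platform].append((last_modified - first_created).days)
    return spans


if __name__ == "__main__":
    g = infer_groups(SAMPLE_ITEMS)
    for platform, counts in group_size_distribution(g).items():
        print(platform, "group sizes:", dict(counts))
    for platform, days in group_lifespans(g).items():
        print(platform, "lifespans (days):", sorted(days))
```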