Symposium on Usable Privacy and Security

Wednesday, August 10, 2011

By Michael Brooks

In July, I had the opportunity to attend SOUPS 2011, a conference on usable security and privacy that was held in Pittsburgh. The conference features high-quality papers but remains small and relatively informal. I presented a poster about ongoing research with Professor Cecilia Aragon designing and evaluating a new biometric authentication technology that is based on eye movement. Beginning in the spring, we created a variety of low-fidelity prototypes and ran an informal user study to inform the designs. The poster at SOUPS included the results of this study. Through speaking with other attendees about this work, I was able to get valuable feedback that will help shape the project in the future.

SOUPS is attended by a diverse group of people from industry, academia, and government who are interested in security and usability. The mix of backgrounds contributed to the success of a pre-conference workshop that I attended, which was about creating conventions for security-related user interfaces (think about the "padlock" icons you see everywhere). Attendees from industry provided insight about many of the roadblocks to creating more widely adopted standards. For example, a researcher from Microsoft described their internal guidelines for security UI, but software companies generally use UI differences to differentiate themselves from competitors. Finding a way to follow conventions while allowing differentiation is one important challenge. The academic and research attendees provided more information about what the biggest problems are in this area. One significant problem that was discussed was the particular difficulty of developing security UI conventions for mobile devices, where screen space is even more restricted.

The closing session, a panel on web tracking and behavioral advertising, also capitalized on the different perspectives that were represented, bringing to the table experts from advertising firms, user researchers from academia, representatives from industry, and those with experience crafting government regulations. The panel discussed several current technologies for controlling targeted ads, such as "Do Not Track," a technology that lets users send a message to servers (in their HTTP headers) that they would prefer not to be targeted by behavioral advertising. The lively debate that ensued was interesting and revealed many of the reasons that the different stakeholders have not yet come together with a comprehensive solution to this problem. The conflict between businesses that depend on behavioral advertising and end users who often do not realize that it happens (what would they think if they did?) will not easily be resolved.

SOUPS is a small, single-track conference, which made it feel relaxed and friendly. The presentations during the conference raised many interesting issues, and there were numerous opportunities to discuss these issues with other attendees during the breaks between sessions. It was important that I attend this conference so that I could become part of the community of people who study security and usability, so I am grateful to the department for its support. In addition, another attendee from HCDE, Colin Birge, and I were able to raise awareness of HCDE in this community.