Web Privacy & Security
Our research on web-based threats to privacy and security involves performing human-subjects experiments to examine how people respond to current mitigations, such as web browser security warnings and various privacy tools. We are also performing research to discover new threats to privacy, such as new ways for companies to perform online tracking and web-browser fingerprinting, and research on managing the disclosure of information on social networking websites.
We’re broadly interested in answering the following questions:
- Why do users choose to ignore web browser security warnings?
- Can we improve online security systems by tailoring risk communication to specific personas?
- Can we subconsciously help people make better security decisions?
- What methods can be used to fingerprint a web browser (thereby allowing online tracking) and how can these be mitigated?
- What innate factors influence users’ online privacy preferences and behaviors?
- How can we build systems that infer users’ online privacy preferences?
Current Projects
The list of currently active projects can be found here.
Related Publications
- Security and Privacy Failures in Popular 2FA Apps (USENIX Sec ’23)
- Deployment of Source Address Validation by Network Operators: A Randomized Control Trial (Oakland ’22)
- Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges (CHI ’21)
- Deciding on Personalized Ads: Nudging Developers About User Privacy (SOUPS ’21)
- Empirical Measurement of Systemic 2FA Usability (USENIX Sec ’20)
- “You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild (SOUPS ’20)
- Nudge Me Right: Personalizing Online Security Nudges to People’s Decision-Making Styles (CHB ’20)
- Conducting Privacy-Sensitive Surveys: A Case Study of Civil Society Organizations (CHI Workshops ’20)
- A Promise Is A Promise: The Effect Of Commitment Devices On Computer Security Intentions (CHI ’19)
- The Accuracy of the Demographic Inferences Shown on Google’s Ad Settings (WPES ’18)
- Better Late(r) than Never: Increasing Cyber-Security Compliance by Reducing Present Bias (WEIS ’18)
- Quantifying Users’ Beliefs about Software Updates (USEC ’18)
- An Experience Sampling Study of User Reactions to Browser Warnings in the Field (CHI ’18)
- A Usability Evaluation of Tor Launcher (PETS ’17)
- Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat (CCS ’17)
- Personalized Security Messaging: Nudges for Compliance with Browser Warnings (EuroUSEC ’17)
- The Teaching Privacy Curriculum (SIGCSE ’16)
- Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes (SOUPS ’16)
- Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS) (CHI ’16)
- The Myth of the Average User: Improving Privacy and Security Systems through Individualization (NSPW ’15)
- Predicting Privacy and Security Attitudes (ACM CAS)
- Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS) (CHI ’15)
- Fingerprinting Web Users through Font Metrics (FC ’15)
- The importance of being earnest [in security warnings] (FC ’13)
- Does my password go up to eleven?: the impact of password meters on password selection (CHI ’13)
- My profile is my password, verify me!: the privacy/convenience tradeoff of facebook connect (CHI ’13)
- Facebook and privacy: it’s complicated (SOUPS ’12)