< specifying (1) the names of your
team members, (2) a working name for your project, (3) the name (or a brief
description) of the project you have chosen, and (4) a collaboration plan for
when/how frequently your group will meet and communicate while working on this
project (I strongly recommend reserving a regular weekly meeting time).
## List of Possible Projects
1. *Understanding Data Minimization* Many recent privacy regulations---including GDPR, PIPA, PDPA, PIPEDA, LGPD, and CPRA---include a data minimization requirement. These requirements, loosely speaking, prohibit unnecessary data collection. However, legal requirements may fall short of user expectations. This project would study user understandings, beliefs, and expectations about how data
minimization does or should impact data collection.<br/><br/>Related readings:
- Text of relevant laws. E.g., [GDPR Article 5](https://gdpr-info.eu/art-5-gdpr/), [CPRA 1798.100](https://cpra.gtlaw.com/general-duties-of-businesses-that-collect-consumers-personal-information/)
- L. Zhang-Kennedy and S. Chiasson. ["Whether it's moral is a whole other story": Consumer perspectives on privacy regulations and corporate data practices](https://www.usenix.org/system/files/soups2021-zhang-kennedy.pdf). SOUPS 2021.
- S. Kaushik, Y. Yao, P. Dewitte, and Y. Wang. [“How I Know For Sure”: People’s Perspectives on Solely Automated Decision-Making (SADM)](https://www.usenix.org/system/files/soups2021-kaushik.pdf). SOUPS 2021.<br/><br/>
2. *Generalizability of Public Comments* Legislators often elicit public comments on privacy regulations prior to finalizing legal requirements. To what extent are responses to such solicitations representative of the broader population? Do responses capture the perspectives and priorities of vulnerable populations?<br/><br/>Related readings:
- [CPRA Public Comment Invitation 9/2021](https://cppa.ca.gov/regulations/pdf/invitation_for_comments.pdf)
- CPRA Public Comments: [Comments 1](https://cppa.ca.gov/regulations/pdf/preliminary_rulemaking_comments_1.pdf), [Comments 2](https://cppa.ca.gov/regulations/pdf/preliminary_rulemaking_comments_2.pdf), [Comments 3](https://cppa.ca.gov/regulations/pdf/preliminary_rulemaking_comments_3.pdf), [Comments 4](https://cppa.ca.gov/regulations/pdf/preliminary_rulemaking_comments_4.pdf)
- L. Zhang-Kennedy and S. Chiasson. ["Whether it's moral is a whole other story": Consumer perspectives on privacy regulations and corporate data practices](https://www.usenix.org/system/files/soups2021-zhang-kennedy.pdf). SOUPS 2021.
- If interested in the vulnerable populations angle, the citations in the second-to-last paragraph of the first page of [this paper](https://dl.acm.org/doi/pdf/10.1145/3313831.3376167) are likely to be relevant.<br/><br/>
3. *Replication: Usability of Password Managers* In a classic paper published more than fifteen years ago, Chiasson et al. conducted a usability study of two
proposed password managers and found usability issues and misunderstandings that suggested typical users would be reluctant to opt-in to use such security tools. However, much has changed since that work was conducted, with the average user spending more time online and with the introduction of built-in browser-based password managers. So to what extent do their results still hold? How usable are modern password managers? And how well do users understand their functionality and the security trade-offs of such tools? <br/><br/> Related readings:
- S. Chiasson, P. van Orschot, and R. Biddle. [A Usability Study and Critique of Two Password Managers.](https://www.usenix.org/legacy/events/sec06/tech/full_papers/chiasson/chiasson.pdf). USENIX Security 2006.
- S. Pearman, S. Zhang, L. Bauer, N Christin, and L. Cranor. [Why people (don’t) use password managers effectively](https://www.usenix.org/system/files/soups2019-pearman.pdf). SOUPS 2019.
- S. Zibaei, D. Malapaya, B. Mercier, A. Salehi-Abari, and J. Thorpe. [Do Password Managers Nudge Secure (Random) Passwords?](https://www.usenix.org/system/files/soups2022-zibaei.pdf). SOUPS 2022. <br/><br/>
4. *Cookie categories.* Cookie banners that offer users choices about which cookies to accept often rely on standard [cookie category terms from the UK International Chamber of Commerce (ICC): strictly necessary, performance, functional, targeting. Recent research suggests that most people don't understand what these terms mean. This project would evaluate comprehension of these (and perhaps other) cookie-related terms and propose and evaluate terms that might improve comprehension.<br/><br/>
Related readings:
- [ICC UK Cookie Guide](https://cookie-cat.co.uk/about/icc-uk-cookie-guide/)
- H. Habib, M. Li, E. Young, L. Cranor. [“Okay, whatever”: An Evaluation of Cookie Consent Interfaces](https://dl.acm.org/doi/pdf/10.1145/3491102.3501985). CHI 2022.
- C. Santos, A. Rossi, L. Sanchez Chamorro, K. Bongard-Blanchy, and R. Abu-Salma. [Cookie Banners, What's the Purpose? Analyzing Cookie Banner Text Through a Legal Lens](https://doi.org/10.1145/3463676.3485611). WPES 2021.<br/><br/>
5. *SP Terms* Prior work has found that certain technical terms that appear in privacy policies are not understand and/or are misunderstood by many people. How well do people understand security or privacy terminology in another context (e.g., news articles, Twitter, app privacy labels)? Are there particular terms that are well understood or that are broadly misunderstood? Or what terms do people use naturally to describe security or privacy concepts? <br/><br/>Related readings:
- J. Tang et al. [Defining Privacy: How Users Interpret Technical Terms in Privacy Policies](https://petsymposium.org/2021/files/papers/issue3/paper103-2021-3-source.pdf)<br/><br/>
6. *Privacy Nutrition Label for Mobile Apps* Both Apple and Google have recently introduced privacy labels in their mobile app stores that convey information about the security and privacy of apps. However, these labels are multi-layered, rarely looked at, and often misunderstood. Design and evaluate a single-layer graphical security/privacy label for mobile apps.<br/><br/>Related Readings:
- P. Kelley et al. [A "nutrition label" for privacy](https://dl.acm.org/doi/pdf/10.1145/1572532.1572538). SOUPS 2009.
- P. Kelley et al. [Standardizing privacy notices: an online study of the nutrition label approach](https://dl.acm.org/doi/pdf/10.1145/1753326.1753561). CHI 2010.
- S. Zhang et al. [How Usable Are iOS App Privacy Labels?](https://petsymposium.org/2022/files/papers/issue4/popets-2022-0106.pdf). PETS 2022.
- [Google Play's Data Safety Labels](https://support.google.com/googleplay/android-developer/answer/10787469?hl=en)<br/><br/>
7. *Replication: Biometric Authentication* Prior work by Bhagavatula et al. published in 2015 found that users preferred fingerprint readers or PINs to facial recognition as a means of authenticating on mobile devices. However, technological progress has increased the availability (and perhaps usability) of face ID. What does the usability of various authentication schemes for mobile devices compare today? When and how commonly do people use various schemes? And how do people perceive their relative security and usability?<br/><br/>Related Readings:
- R. Bhagavatula et al. [Biometric authentication on iphone and android: Usability, perceptions, and influences on adoption](https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=4969&context=sis_research). USEC 2015.<br/><br/>
8. *Porting Data.* Many privacy laws grant people a right to portability, that
is a right to extract their personal information from one website or service
and import it into an alternative service. However, current work suggests that
portability is still not practical. Design and evaluate the usability of a tool
for porting data between services.<br/><br/>Related Readings:
- J. Wong and T. Henderson. [How portable is portable? Exercising the GDPR’s right to data portability](https://dl.acm.org/doi/abs/10.1145/3267305.3274152). UbiComp 2018.
- S.Kuebler-Wachendorff et al. [The right to data portability: Conception, status quo, and future directions](https://epub.ub.uni-muenchen.de/90996/1/Kuebler-Wachendorff2021_Article_TheRightToDataPortabilityConce.pdf). Informatik Spektrum, 44(4):264–272, 2021.
- S. Turner et al. [The exercisability of the right to data portability in the emerging internet of things (IoT) environment](https://journals.sagepub.com/doi/pdf/10.1177/1461444820934033). New media & Society 2021.<br/><br/>
9. *Privacy Signals.* CPRA will introduce a requirement that websites need to
visibly signal to users whether or not they comply with automated opt-out
signals. Design and evaluate a signal that will effectively convey this
information to users.<br/><br/>Related readings:
- [CPRA Proposed Regulations](https://cppa.ca.gov/meetings/materials/20220608_item3.pdf), Section 7025.
- H. Habib et al. [Toggles, Dollar Signs, and Triangles: How to (In)Efectively Convey Privacy Choices with Icons and Link Texts](https://dl.acm.org/doi/pdf/10.1145/3411764.3445387). CHI 2021.
- M. Hils et al. [Privacy preference signals: Past, present and future](https://petsymposium.org/2021/files/papers/issue4/popets-2021-0069.pdf). PETS 2021.<br/><br/>
8. *Other.* You can also come up with your own project in the area of usable security or usable privacy. If you are interested in this option, you must discuss your ideas with me in advance.
]]>