
User Perceptions of Privacy and Security on the Web

User Perceptions of Privacy and Security on the Web. Scott Flinn, Joanna Lumsden. PST’05 — 13 October 2005. Users are clueless, right? They don’t understand secure connections. They have no idea what cookies are. They don’t read privacy policies.


Presentation Transcript


  1. User Perceptions of Privacy and Security on the Web • Scott Flinn • Joanna Lumsden • PST’05 — 13 October 2005

  2. Users are clueless, right? • They don’t understand secure connections. • They have no idea what cookies are. • They don’t read privacy policies. • They think the privacy slider in MSIE makes them safe. • They blindly trust any professional looking site. • They think all trust seals are trustworthy. • They make me crazy! There oughta be a law!

  3. Distributing clue to users • So what to do? • Education • Education • Education • After all, it’s all their fault. “As soon as we beat users’ heads with sufficient force, our problems will end.” SecurityFocus

  4. Hmm — let’s check • Let’s ask the users • Which users? • What to ask? • How about this: • Let’s ask average Internet users. • Let’s find out what they know and believe.

  5. The survey • Anonymous on-line questionnaire • Recruiting message circulated electronically • Click-through consent form • Demographic questions followed by technical questions in four categories

  6. The questions • For each of these privacy and security features: • Secure web sites • Browser cookies • Privacy policies • Trust marks • Ask the following questions • Describe in your own words. • How familiar are you with this? • To what extent do you agree with ...? • To what extent do you rely on ...?

  7. Results • Active for four months in summer of 2004 • 470 visitors, 236 responses • Responses by country: Canada 72.6%, United Kingdom 13.1%, United States 7.2%, Other 7.1% • Responses by gender: Female 33.1%, Male 66.5%, Unspecified 0.4% • Responses by age group: 18 to 20 2.5%, 21 to 30 33.1%, 31 to 40 33.1%, 41 to 50 17.4%, 51 to 60 11.4%, 61 to 70 1.7%, 71 or older 0.4%

  8. Education • Most respondents highly educated • 82% post secondary • 41% advanced or professional degree • Interest in learning, but a difficult subject

  9. Education “My only knowledge of secure web sites is that they store sensitive information on a separate secure server. However I'm not really sure what that means or how it benefits me. I have read the security information provided on a few secure sites but I have not retained the information, possibly due to not fully understanding it.” “I believe [cookies] are files containing personal information that other computers (servers) place on my hard drive to identify my machine, and me, when I access their web sites.”

  10. Secure web sites • Interpretation: secure site vs. secure channel • Of 236 respondents, 53 site vs. 96 channel • Interesting differences in opinions • For example: • Secure site is trustworthy for doing business: 55% vs. 18% • “A site [where] I can carry out business transactions with confidence” • “The information given on a secure web is for the recipient only and cannot be shared or stolen. It makes buying on the internet a much safer experience.”

  11. Secure web sites: transport vs storage • Consider these statements: • “When a website is secure, other people can't see your credit card numbers, personal info., etc. when ordering things online.” • “Information is encrypted to preserve privacy.” • Site + encryption + lock = dangerous misinterpretation

  12. Secure web sites • TLS server authentication • Supposedly a linchpin of e-commerce • Solicited agreement with this statement: • A secure Web site assures me that I am communicating with the real site and not an impostor. • Surprising disagreement • 37% of all respondents • 41% of “secure connection respondents”

  13. Cookies • Users have tried to educate themselves • Many examples like the one quoted earlier • Meaning of privacy • Agreement with all negative statements about cookies • Yet strong disagreement that cookies invade privacy

  14. Cookies and local storage • Distinctions between data stored locally by browser not well understood • E.g., believe that cookies speed up web sites • “A cookie stays on your computer so that when you visit that web page again, it loads pictures faster.” • “My understanding of cookies is that my computer stores web sites that are used so when I want to view these sites they can be viewed quicker.”

  15. Cookies and local storage

  16. Privacy policies • Skepticism is widespread • policies disclaim sharing of data, rather than offering protection • legal standing of policies is not known and presumed to be weak • policies subject to change at any time • BUT ... we trust you anyway! • If a Web site has a privacy policy, its operators have no choice but to respect it. (67/9% dis/agreement) • A web site can violate its stated privacy policy, but most sites can be trusted to respect it. (18/44% dis/agreement)

  17. Trust marks • Some evidence they are trusted • Low awareness of click-through validation • “Anyone can copy the graphic and put it on their site – it doesn't mean that the site is actually secure.” • Confusion with server authentication • “third party companies which guarantee that the site I am communicating with is the actual site with whom communication is intended.” • VeriSign Secure Site Seal may be to blame

  18. Conclusion • Users have tried to educate themselves, with limited success • The term “secure web site” can lead to dangerous misinterpretation • TLS server authentication not valued • Skepticism of privacy policies, but sites trusted anyway • Distinctions between local browser storage — cookies, bookmarks, form data, cached pages — not well understood
