User Perceptions of Privacy and Security on the Web

1
User Perceptions of Privacy and Security on the
Web

• Scott Flinn
• Joanna Lumsden
• PST05 13 October 2005

2
Users are clueless, right?

• They dont understand secure connections.
• They have no idea what cookies are.
• They dont read privacy policies.
• They think the privacy slider in MSIE makes them
  safe.
• They blindly trust any professional looking site.
• They think all trust seals are trustworthy.
• They make me crazy! There oughta be a law!

3
Distributing clue to users

• So what to do?
• Education
• Education
• Education
• After all, its all their fault.
• As soon as we beat users heads with sufficient
  force, our problems will end. SecurityFocus

4
Hmm lets check

• Lets ask the users
• Which users?
• What to ask?
• How about this
• Lets ask average Internet users.
• Lets find out what they know and believe.

5
The survey

• Anonymous on-line questionnaire
• Recruiting message circulated electronically
• Click-through consent form
• Demographic questions followed by technical
  questions in four categories

6
The questions

• For each of these privacy and security features
• Secure web sites
• Browser cookies
• Privacy policies
• Trust marks
• Ask the following questions
• Describe in your own words.
• How familiar are you with this?
• To what extent do you agree with ...?
• To what extent do you rely on ...?

7
Results

• Active for four months in summer of 2004
• 470 visitors, 236 responses

8
Education

• Most respondents highly educated
• 82 post secondary
• 41 advanced or professional degree
• Interest in learning, but a difficult subject

9
Education

• My only knowledge of secure web sites is that
  they store sensitive information on a separate
  secure server. However I'm not really sure what
  that means or how it benefits me. I have read
  the security information provided on a few secure
  sites but I have not retained the information,
  possibly due to not fully understanding it.
• I believe cookies are files containing
  personal information that other computers
  (servers) place on my hard drive to identify my
  machine, and me, when I access their web sites.

10
Secure web sites

• Interpretation secure site vs. secure channel
• Of 236 respondents, 53 site vs. 96 channel
• Interesting differences in opinions
• For example
• Secure site is trustworthy for doing business
  55 vs. 18
• A site where I can carry out business
  transactions with confidence
• The information given on a secure web is for the
  recipient only and cannot be shared or stolen. It
  makes buying on the internet a much safer
  experience.

11
Secure web sites transport vs storage

• Consider these statements
• When a website is secure, other people can't see
  your credit card numbers, personal info., etc.
  when ordering things online.
• Information is encrypted to preserve privacy.
• Site encryption lock dangerous
  misinterpretation

12
Secure web sites

• TLS server authentication
• Supposedly a lynch pin of e-commerce
• Solicited agreement with this statement
• A secure Web site assures me that I am
  communicating with the real site and not an
  impostor.
• Surprising disagreement
• 37 of all respondents
• 41 of secure connection respondents

13
Cookies

• Users have tried to educate themselves
• Many examples like the one quoted earlier
• Meaning of privacy
• Agreement with all negative statements about
  cookies
• Yet strong disagreement that cookies invade
  privacy

14
Cookies and local storage

• Distinctions between data stored locally by
  browser not well understood
• E.g., believe that cookies speed up web sites
• A cookie stays on your computer so that when you
  visit that web page again, it loads pictures
  faster.
• My understanding of cookies is that my computer
  stores web sites that are used so when I want to
  view these sites they can be viewed quicker.

15
Cookies and local storage
16
Privacy policies

• Skepticism is widespread
• policies disclaim sharing of data, rather than
  offering protection
• legal standing of policies is not known and
  presumed to be weak
• policies subject to change at any time
• BUT ... we trust you anyway!
• If a Web site has a privacy policy, its operators
  have no choice but to respect it. (67/9
  dis/agreement)
• A web site can violate its stated privacy policy,
  but most sites can be trusted to respect it.
  (18/44 dis/agreement)

17
Trust marks

• Some evidence they are trusted
• Low awareness of click-through validation
• Anyone can copy the graphic and put it on their
  site it doesn't mean that the site is actually
  secure.
• Confusion with server authentication
• third party companies which guarantee that the
  site i am communicating with is the actual site
  with whom communication is intended.
• VeriSign Secure Site Seal may be to blame

18
Conclusion

• Users have tried to educate themselves, with
  limited success
• The term secure web site can lead to dangerous
  misinterpretation
• TLS server authentication not valued
• Skepticism of privacy policies, but sites trusted
  anyway
• Distinctions between local browser storage
  cookies, bookmarks, form data, cached pages not
  well understood

19
(No Transcript)