Expression of Interest:

Ninja Marnau
Center for IT-Security, Privacy and Accountability (CISPA)

I would like to express my interest in participating in the W3C Workshop on Privacy and User–Centric Controls.

Many users of the web and mobile devices have lost faith in the responsible and privacy-preserving data access and use of their devices and apps. Empowering the users to gain control over their personal data and its use is essential for system and app developers - not just to fulfill regulatory requirements but in order to regain trust by being transparent and on more on par with the user. Nevertheless, the functionality, deployment and acceptance of user-centric controls rely on two key factors that remain at the center of our ongoing research:

• First, usable privacy and comprehensible transparency: Web and mobile systems grow more complex with each new development cycle. To empower the average web and mobile device user to understand and make use of user-centric controls, we must not let him alone with a toolbox of fine-grained mechanisms that even advanced users would not bother to walk through step-by-step. Developers have to account for different levels of experience and expectations. There is a thin line between necessary simplification and grouping of user expectations and paternalism from providers and developers. CISPA and other privacy-focused research institutes explore potential strategies to walk this thin line, be it fine-grained layered privacy configuration for Android [1], showing users personal examples of Android app access rights [2], or context-sensitive app rights [3]. Making these mechanisms usable and deployable in real-life applications will require long-term joint efforts of security, privacy, sociology, psychology and HCI experts.
• Second, aiding developers with baseline security and privacy of their systems. The best and most advanced user-centric transparency and control tools are useless, if system developers are unable to correctly deploy state-of-the-art security. How often do we see news reports of another critical leakage of personal data. Most often these news conclude that the reason for the leak was due to misuse or absence of the most basic security features. Usable security and privacy must not only focus on the user but we need to find ways to aid and support developers with baseline secure implementations of standards such as SSL [4].

---

[1] M. Backes, S. Gerling, C. Hammer, M. Maffei, and P. von Styp-Rekowsky. “App- Guard - Enforcing User Requirements on Android Apps”. In: Proc. 19th Interna- tional Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 13). Vol. 7795. Lecture Notes in Computer Science. Springer, 2013, pp. 543–548.

[2] M. Harbach, M. Hettig, S. Weber, M. Smith (2014), "Using personal examples to improve risk communication for security & privacy decisions", In Proceedings of the 32nd annual ACM conference on Human factors in computing systems. , pp. 2647-2656.

[3] F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. Wang, C. Cowan (2012), "User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems", 33rd IEEE Symposium on Security and Privacy (Oakland).

[4] S. Fahl, M. Harbach, H. Perl, M. Koetter, M. Smith (2013), "Rethinking SSL development in an appified world", In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 49-60.

---

Created from email by Rigo: $Id: marnau.html,v 1.1 2014/11/11 20:47:45 rigo Exp $