Explore user comprehension of web security & privacy via an online survey. Discover insights on cookies, trust marks, privacy policies, and secure sites. Report on responses from Canada, UK, and US across different age groups & genders.
User Perceptions of Privacy and Security on the Web • Scott Flinn • Joanna Lumsden • PST’05 — 13 October 2005
Users are clueless, right? • They don’t understand secure connections. • They have no idea what cookies are. • They don’t read privacy policies. • They think the privacy slider in MSIE makes them safe. • They blindly trust any professional looking site. • They think all trust seals are trustworthy. • They make me crazy! There oughta be a law!
Distributing clue to users • So what to do? • Education • Education • Education • After all, it’s all their fault. “As soon as we beat users’ heads with sufficient force, our problems will end.” SecurityFocus
Hmm — let’s check • Let’s ask the users • Which users? • What to ask? • How about this: • Let’s ask average Internet users. • Let’s find out what they know and believe.
The survey • Anonymous on-line questionnaire • Recruiting message circulated electronically • Click-through consent form • Demographic questions followed by technical questions in four categories
The questions • For each of these privacy and security features: • Secure web sites • Browser cookies • Privacy policies • Trust marks • Ask the following questions • Describe in your own words. • How familiar are you with this? • To what extent do you agree with ...? • To what extent do you rely on ...?
Results • Active for four months in summer of 2004 • 470 visitors, 236 responses
Country: Canada 72.6% • United Kingdom 13.1% • United States 7.2% • Other 7.1%
Gender: Female 33.1% • Male 66.5% • Unspecified 0.4%
Age group: 18 to 20 2.5% • 21 to 30 33.1% • 31 to 40 33.1% • 41 to 50 17.4% • 51 to 60 11.4% • 61 to 70 1.7% • 71 or older 0.4%
Education • Most respondents highly educated • 82% post secondary • 41% advanced or professional degree • Interest in learning, but a difficult subject
Education “My only knowledge of secure web sites is that they store sensitive information on a separate secure server. However I'm not really sure what that means or how it benefits me. I have read the security information provided on a few secure sites but I have not retained the information, possibly due to not fully understanding it.” “I believe [cookies] are files containing personal information that other computers (servers) place on my hard drive to identify my machine, and me, when I access their web sites.”
Secure web sites • Interpretation: secure site vs. secure channel • Of 236 respondents, 53 site vs. 96 channel • Interesting differences in opinions • For example: • Secure site is trustworthy for doing business: 55% vs. 18% • “A site [where] I can carry out business transactions with confidence” • “The information given on a secure web is for the recipient only and cannot be shared or stolen. It makes buying on the internet a much safer experience.”
Secure web sites: transport vs storage • Consider these statements: • “When a website is secure, other people can't see your credit card numbers, personal info., etc. when ordering things online.” • “Information is encrypted to preserve privacy.” • Site + encryption + lock = dangerous misinterpretation
Secure web sites • TLS server authentication • Supposedly a linchpin of e-commerce • Solicited agreement with this statement: • A secure Web site assures me that I am communicating with the real site and not an impostor. • Surprising disagreement • 37% of all respondents • 41% of “secure connection respondents”
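What server authentication actually checks, as an added illustration that is not part of the paper: a browser only shows the lock after matching the hostname the user intended against the names in the server's certificate. The Python below implements the RFC 6125 wildcard matching rules for subjectAltName dNSName entries; the certificate name lists it uses are constructed samples.

```python
"""Certificate hostname matching: the check behind "I am talking to the real site".

Added example, not from the PST'05 paper. Encryption alone only gives a secure
channel; server authentication is the step that ties that channel to the
intended site, and hostname matching is where it succeeds or fails.
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate dNSName `pattern` covers `hostname` (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")      # DNS names are case-insensitive
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels           # exact match, label by label
    # Wildcard rules applied by modern browsers: exactly one "*", it must be the
    # whole left-most label (so "w*.example.com" is rejected), and at least two
    # labels must follow it so "*.com" can never match every .com site.
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*" spans exactly one label: "*.example.com" does not cover "example.com"
    # or "a.b.example.com".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(san_dns_names, hostname: str) -> bool:
    """Server authentication: does any dNSName in the certificate name the host
    the user typed? IP-literal hosts never match dNSName entries (they would
    need iPAddress entries), so they are rejected here."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    # Constructed sample: a certificate issued for example.com and its subdomains.
    sample_san = ["example.com", "*.example.com"]
    for host in ["www.example.com", "example.com", "a.b.example.com", "examp1e.com"]:
        print(f"{host:20} -> {'real site' if certificate_matches_host(sample_san, host) else 'impostor or wrong cert'}")
```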
Cookies • Users have tried to educate themselves • Many examples like the one quoted earlier • Meaning of privacy • Agreement with all negative statements about cookies • Yet strong disagreement that cookies invade privacy
Cookies and local storage • Distinctions between data stored locally by browser not well understood • E.g., believe that cookies speed up web sites • “A cookie stays on your computer so that when you visit that web page again, it loads pictures faster.” • “My understanding of cookies is that my computer stores web sites that are used so when I want to view these sites they can be viewed quicker.”
Privacy policies • Skepticism is widespread • policies disclaim sharing of data, rather than offering protection • legal standing of policies is not known and presumed to be weak • policies subject to change at any time • BUT ... we trust you anyway! • If a Web site has a privacy policy, its operators have no choice but to respect it. (67% disagree, 9% agree) • A web site can violate its stated privacy policy, but most sites can be trusted to respect it. (18% disagree, 44% agree)
Trust marks • Some evidence they are trusted • Low awareness of click-through validation • “Anyone can copy the graphic and put it on their site – it doesn't mean that the site is actually secure.” • Confusion with server authentication • “third party companies which guarantee that the site I am communicating with is the actual site with whom communication is intended.” • VeriSign Secure Site Seal may be to blame
Conclusion • Users have tried to educate themselves, with limited success • The term “secure web site” can lead to dangerous misinterpretation • TLS server authentication not valued • Skepticism of privacy policies, but sites trusted anyway • Distinctions between local browser storage — cookies, bookmarks, form data, cached pages — not well understood