2021 Capstone Project
Capstone Report: Best Privacy Practice Recommendations for Global Audio Streaming Platforms
2020 Capstone Projects
Presented by: Chenxiao Guan, Chenghao Ye, Yigeng Wang, Fangxian Mi
Advisor: Timothy Libert
People are accustomed to letting voice assistants complete daily tasks for more convenience, and the purpose of our design is to provide healthcare services to people via voice assistants as well. However, news and studies show many devices have been exposed to record and abuse users’ conversations with intelligent voice assistants without consent. Thus, we created a consent and authorization voice interface using Alexa Skill based on HIPAA Privacy Rule to guarantee users can handle their protected health information (PHI). We innovated a new way of agreeing to privacy policies and notices via a voice interface, while still maintaining the usability from the user's perspective in a privacy-friendly manner, and simultaneously letting the company-side be in compliance with regulations such as HIPAA. The implementation is meant to strike a balance between usability and privacy-friendliness, and thus we provide a way of configuring fine-grained privacy preferences while making sure the interface is not bloated with too many explanations that annoy our users.
Sponsor: Elektra Labs
Presented by: Dev N. Patel, Yash D. Mehta, Ziyuan Zhu
Advisor: Yuvraj Agarwal
IoT is a rapidly growing industry and it is becoming increasingly difficult to keep up with the advances in the industry. These advances have also led to a large increase in the number of devices available in the market, which makes it difficult for consumers to compare and make a decision about which device to purchase. Elektra Labs is a startup focused on providing comprehensive information about medical IoT devices, such as research evidence and security, through an interface which makes it possible to find information easily and compare it with other similar devices, the target audience being clinicians, medical researchers who might be interested in purchasing the device for their study, their research subjects or even consumers interested in a device for personal use. In this presentation, we describe our efforts to select the information that should be displayed to the target audience through a multi-layered label. We also present a questionnaire that would be given to device manufacturers to provide the information that would be displayed on the label. We tested both, the questionnaire and the label with some device manufacturers and medical researchers respectively. We also include our findings from these user test in this presentation.
Presented by: Clare Hsu, Lewei Li, Daniel Mo
Advisor: Lorrie Cranor
Low digital literacy users, who are generally not familiar with digital skills and Internet technologies, are forced to join in the current trend of online payment and social commerce under this COVID-19 situation. However, compared to general users, their lower awareness, less concerns, and more misconceptions could make them more vulnerable in terms of privacy. In this talk, we will present a design of privacy education for low digital literacy users under the context of data practice policies on Facebook Pay, addressing their potential privacy concerns, misconception towards existing data practice policies, and absence of privacy self-efficacy. We will also discuss the evaluation result of our design based on qualitative responses we collected from interviews, and propose several recommendations for current education design.
2018 Capstone Projects
Evaluation of Mobile Privacy and Security: Mobile App Privacy Score
Sponsored: Redmorph Inc.
Presented by: Fan Yang, Jianlan Zhu
Advisor: Timothy Libert
Nowadays, mobile applications suffer from tremendous user-privacy issues. With the popularity of mobile apps, users’ data is shared between a large variety of entities. Problems like targeted advertising and information leakage are common privacy violations among mobile applications. What makes it even worse is that, according to research, few users have an idea of the complicated issues. Even users are aware of some of their personal data has been improperly used, they have no idea of how bad the situation is and no choice but to accept them. Related studies have done plenty of work to identify privacy issues exist in current mobile applications. Researchers have taken many metrics like privacy policies, permission requested, code analysis, data transmission into consideration to evaluate mobile apps’ privacy performance. But average users still have a difficult time understanding the issues because few studies have put forward a straightforward scoring system.
Executive Summary: Evaluation of Mobile Privacy and Security: Mobile App Privacy Score.
Evaluating Privacy Enhancing Technologies for Organizations
Sponsor: Netflix, Inc.
Presented by: Ao Chen, Jeremy Thomas
Advisor: Nicolas Christin
Given the changing perspective on privacy in today’s society, organizations must adapt to a growing set of requirements and constraints on practices that impact privacy. Individual choices about privacy, exposure of broken privacy practices, and expanding regulations force organizations towards expanding the influence of accepted principles of privacy throughout
business operations. All of these factors encourage the use of technologies to provide stronger privacy guarantees and to directly address the privacy challenges these requirements create in an effective and efficient manner. To better understand the use of privacy enhancing technologies (PETs) by organizations, we interviewed a set of privacy experts working across various industries and in multiple disciplines. We conducted 20 interviews of privacy experts from September 2018 to November 2018. We interviewed most participants over the phone or through video conferencing applications, and typically the interviews lasted 30 to 60 minutes.
Executive Summary: Evaluating Privacy Enhancing Technologies for Organizations
View the final report here.
Designing Privacy Controls for Older Facebook Users
Presented by: Yama Ahmadullah, Zhuo Chen, David Edelstein
Advisor: Lorrie Cranor
At Facebook’s request we investigated the particular privacy concerns of seniors (age 65+) regarding Facebook and to develop proposed remedies.
We built off of existing research and prior attempts to develop privacy aids for older users to construct interviews and surveys to find places for improvement in Facebook’s existing experience. We conducted 15 semi-structured interviews to identify privacy concerns senior users have on Facebook. Then, from our results, we developed a survey to find which concerns were most important and to find promising ways to provide senior users with better control of their security and privacy. Ultimately, we got 79 completed surveys. Seniors were eager to share their concerns with us, and were pleased that a company like Facebook was interested in learning how they felt.
Executive Summary: Designing Privacy Controls for Older Facebook User
Developing a Process to Test Privacy in Mobile Apps
Presented by: Sharada Boda
2017 Capstone Projects
Developing a Windows Privacy Walkthrough Experience
Presented by: Dhanuja Shaji and Javed Ramjohn
This project provides data to help inform Microsoft on how to deliver a state-of-the-art privacy experience for Windows 10 desktop that empowers the user and that represents the dedication Microsoft has to privacy. We conducted a competitive analysis of the privacy experiences offered by major platforms and operating systems and identified a lack of proactive privacy experiences that use elements like nudges or notifications to encourage informed privacy decision making. Microsoft also offered greater privacy controls than most of the other platforms studied. An MTurk study (N = 364) was done to gain insight into the habits and preferences of consumers with regard to operating system privacy. The results show that, despite Microsoft’s extensive privacy controls, Windows users were more concerned about their privacy than other OS users (p < 0.05). We also find that participants (80%) want a proactive privacy walkthrough for their OS privacy settings. Finally, a series of prototype drafts for a privacy walkthrough experience in Windows 10 were designed as a starting point for future work. Our findings suggest that Microsoft can further assert itself as a privacy leader by focusing on a seamless privacy experience throughout its ecosystem of products and that Microsoft should devote resources to the user testing and development of a proactive privacy walkthrough experience.
Data Processing Inventory: A solution for compliance with GDPR Article 30
Presented by: Lidong Wei, Quan (Bill) Quan, and Jun Ma
This project is designed to organize the data processing activities of Citi organization and assist it in becoming compliant to Article 30 of the GDPR regulation which comes into effect on May 25th, 2018. A two-step approach was taken - analysis and developing a prototype. The analysis phase entailed of a detailed research of publicly available third party descriptions of Article 30, and research into vendor tools designed to meet Article 30 compliance objectives. In the second phase, a prototype was designed and developed. The work effort ensured the design and development would meet the requirements of GDPR Article 30 covering data processing, data collection, data sorting and the presentation of the data. The work includes data management, data analytics and data visualization components and original, innovative thinking regarding how to setup and maintain a compliant Article 30 inventory.
Getting Consent From Drivers on the Go: a Privacy Consent Collection Framework for in-vehicle Systems
Presented by: Tong Liu, Yuankun Li, Yuru Liu
HERE Technologies, a digital location technology company, providing location based services to various verticals, including Automotive, has been considering different means of acquiring consent in an in-vehicle context. Therefore, we designed a consent collection framework for collecting consent in an in-vehicle context. The framework consists of four methods that each have their pros and cons: using the vehicle’s screen, using the vehicle’s audio interface, using an app on the user’s smartphone, or using the vehicle’s audio interface to send information to the user’s smartphone for viewing.
We conducted a two-phase user study to evaluate each method with drivers. Overall, we found the in-vehicle screen is the most favored method: people think it is the most natural and convenient way to provide consent. However, some people still think the consent process takes too much time and want to bypass it. The other approaches we tested were also promising.
Supporting Data Portability in the Cloud Under the GPDR
Presenters: Anuj Shah and Yunfan Wang
The right to data portability under the European Union’s General Data Protection Regulation (GDPR) extends beyond existing privacy frameworks and empowers individuals to transfer their personal data between data controllers. While the Working Party for Article 29 of the Data Protection Directive has issued guidance on how to respond to portability requests, the European Commission has expressed a different interpretation of this right. Data portability therefore brings new and significant challenges to data-driven enterprises, especially those with systems that are distributed across cloud infrastructure. We attempt to clarify how this right translates to the operations of cloud service providers in their roles as either data controllers or data processors. Specifically, we outline the various technical methods available for porting data in the cloud, and then consider how the recipient of data from a portability request and the cloud service level govern which compliance solution a cloud provider can put forward. The solutions we describe here are simple extensions of existing services and do not prescribe a specific legal interpretation. We encourage cloud providers to take a competitive stance on GDPR compliance by offering these solutions to their customers.
Metrics and Adversary Models for Implicit Authentication
Presenters: Siddharth Nair, Preethi Josephina Mudialba, and Dan Calderon
Implicit Authentication is a prominently emerging field for considering the usably secure authentication of users. Many approaches have been considered for achieving the goals of this field, but it remains unclear how to evaluate across systems since there is no agreed-upon set of performance evaluation metrics for this field. To compound this problem further, not all systems necessarily consider the same, if any, adversarial threats to their system that could compromise the security or usability of the system. In this project, we review literature on performance evaluation, and the broader computer security authentication literature, and determine a set of important criteria that a metric and a threat model should have to be valuable for evaluating an implicit authentication system. We present taxonomies of performance metrics and threat models with respect to these criteria, and recommend a subset that all future proposed systems should use.
2016 Capstone Projects
Prevalence of PII data in the clear on personal computers
Sponsor: Intersections, Inc.
Presented by: Lieyong Zhou & Xi Zheng
Problem: People commonly store personal data (SSN, credit card numbers, user names and passwords, etc.) on their devices in the clear. Devices, meaning mobile phones, laptops, desktops, tablets, etc.
- Develop methods to scan personal computers (with the users' consent), search for personal data in the clear, and categorize the type of data found.
- The resulting data will be used to determine how prevalent the issue is, determine what type of data is most commonly at risk, and identify ways of increasing user awareness.
- The project will focus on windows machines
Data Subject Notice and Consent under the EU GDPR
Presented by: Jonathan Liao, Vijay Kalani, Arnab Kumar
Problem: The EU GDPR (General Data Protection Regulation is going to change requirements revolving around notice and consent when collecting and processing data associated with EU residents. This capstone will take a close look at these changes and work with PrivacyCheq to identify opportunities to refine and extend its current product portfolio and in particular its recently launched ConsentCheck GDPR "Compliance Development Kit."
2015 Capstone Projects
How Transparency Affects User Preferences and Behavior
Presented by Scott Stevenson, Chunyue Du, and Rahul Yadav
The Lufthansa Team: Chunyue Du, Scott Stevenson, Bettina Kraemer (Lufthansa), Lorrie Cranor, and Rahul Yadav
Tales from the Crypton: An Evaluation of SpiderOak's Novel Authentication Mechanisms
Presented by: Cameron Boozarjomehri and Hsin Miao
The SpiderOak Team: Hsin Miao, Norman Sadeh, Cameron Boozarjomehri
2014 Capstone Projects
A Taxonomy of Privacy Notices
Presented by Adam Durity and Aditya Marella
Mobile Location Analytics Opt-out
Sponsor: The Future of Privacy Forum
Presented by: Pranshu Kalvani, Chao Pan (pictured below), and Weisi Dai
Sponsor: American Express
Presented by: Sakshi Garg, Zhipeng Tian, Ziewi Hu