Security and Human Behavior 2026 Day 2

Welcome to the 19th Security and Human Behavior. The write-up below is a live-blog of the workshop.


Session 5: Organizational Security

Speakers: Carolin Lämmle, Ryan Wright, David Reeves, Samantha Phillips, Tony Vance, Laura Arno

Carolin Lämmle

Title: System Administrators - Power, Gender, and Ethics

System administrators - interviews with 11 male administrators, then later a study of 13 female system administrators.

  • Unsurprisingly, female system administrators are not common on teams, leading to many issues

Surveyed a larger set of system administrators (32 women, 216 men, 7 other)

Ryan Wright

Title: Does Compliance Actually Reduce Cyber Incidents: Two decades of academic research. Seven CISOs.

How much did your organization spend on compliance training, awareness, and policy enforcement last year? Evidence?

Does compliance actually matter? Maybe it is the wrong construct.

Pre-registered study. Which is challenging to do.

When talking to CISOs about what is working and what is not working for them, issues came up like influence, trust, shared goals, regular communication and genuine partnership. AKA Social Capital.

Findings

  1. Compliance didn’t move the needle
    • Compliance does matter for smaller organizations, so having compliance does matter, but adding more maybe doesn’t
  2. Shared social capital is big
    • If both cyber and business social capital are high and balanced - then lower odds of a severe breach
  3. Who benefits the most
    • Big organizations need more social capital
    • Top management doesn’t understand the cybersecurity plan? It will probably fail.
    • Security teams that act as community members are more effective

“Security leadership increasingly resembles community stewardship”

Compliance is important to get security up to a certain level, but past that there are limited returns from just compliance.

David Reeves (Virginia Tech)

Both a PhD student and a CISO

Behavioral distortions in organizational cybersecurity decision-making

What level of risk is acceptable? Having these conversations at the board-level is complex.

National Guard hacked by Chinese ‘Salt Typhoon’ campaign for nearly a year, DHS memo says

  • Large data breach
  • State said that acceptable risk was at a certain level, but the on-the-ground decisions did not match those high-level goals
  • Money saving was an aspect
  • Costs of breach were serious and not necessarily properly thought about beforehand
    • Loss of trust with partners - long term loss
    • Reassigned employees from other projects to handle the situation
    • High levels of burnout
    • Admins took lots of blame, even though the risk decisions were taken by others
    • Breach costs like having to pay for LifeLock for people whose data was lost.

Core argument: Organizational leaders rely on cognitively biased interpretations that systematically distort cybersecurity risk perception.

Mixed method study: quantitative data such as financial, cybersecurity assessment results, incident information, organizational environmental data. Qualitative data like grounded theory interviews of populations like CEOs, CFOs, CIOs, and CISOs.

Samantha Phillips (The University of Tulsa)

Imagine two organizations A and B and the same security intervention is used at both, but the outcome is quite different. What about security culture is causing such a difference in how an intervention is received?

Used:

  • Hofstede’s Organizational Culture Dimensions
  • Schein’s Three-Level Model of Culture

Research study with survey study and follow-up interviews.

  • Employees did think that the company cared about security, but they were unsure if they would actually get any help if something happened
  • Leadership story
    • Operations leader deployed security cameras in a site, then security team found out. Security team didn’t approve, and operations had to remove the cameras, leading to frictions and tensions in the culture.
  • Another story
    • Security team deployed MFA, so they sent it out to the rest of the company
    • But… many employees did not have phones, and lots of work sites had no cell service. So MFA caused bad security behaviors like everyone using the one account they could get logged in.

Takeaways

  • Measuring the type of information security culture is important to target interventions
    • Easy going culture may not match well with a strict security intervention
  • Assess culture from multiple dimensions/perspectives
  • Consider measuring pre/post to understand how an intervention is impacting a culture

Tony Vance (Virginia Tech)

Title: Rethinking security culture

Story: Microsoft compromised by Chinese hackers including gaining access to a private key - which is very not good

  • Enabled attackers to access email addresses of many organizations that use Microsoft email products
  • Review was done and publicly released
    • Found that security culture needs to be improved at Microsoft
    • But what is “security culture”? Report did not define the term.

Risk management maybe this one

Measuring scales for culture

  • Security education and awareness - good overlap among scales
  • Many other constructs measure a range of things. 83 different constructs found in the review

Some constructs are correlates, some are determinants, and some outcomes. These are different aspects entirely.

The design of survey scales is not at the level of modern scale development. Issues include properly validating the scale to make sure it measures what the authors intended. It is important that participants answer questions in a way that matches the researcher’s understanding; if this is not tested then there may be a big issue.

A scale development cycle:

  • Conceptual definition
  • Dimensionality specification
  • Item generation
  • Content validity

Wants to improve how culture is measured so organizations can not only say they want to improve, but measure what their current state looks like.

Laura Arno

Talk: How Security Policy Motivates Computer Abuse: Organizational Technology Injustice

Overly tight security policies can lead to shadow IT, where users go around the security and set up their own IT, which then results in overall lower security.

Insider threats

  • Money going towards employee monitoring and surveillance as a way of mitigating threats.

Tensions between the IT and the non-IT employees. This can cause computer abuse.

Lots of research focuses on compliance as an outcome. But recent research is calling this into question. Measuring non-compliance is also becoming something to measure. But non-compliance is often conflated with negligence, cyberloafing, violation and computer abuse. But much of non-compliance is closer to work-arounds of overly strict security policies that make day-to-day work very challenging. We should consider measuring non-compliance as a metric of how badly a policy mismatches with employee needs and willingness.

Many employees are not aware of the policies. But they know what they think the policies are. They may only know that the policy is restricting them, that they have lost control, and that they do not like them.

Perceptions of the restrictions are driving their behavior.

Q&A

  • If we talk about cognitive biases, are we suffering from them? Is phishing really the biggest risk? CISOs are doing training/compliance because NIST has said so. Are we the biased ones? Should be re-assessing good protections?
    • Yes: having academic conversations where we have crazy conversations and then testing them is really great. It causes a slow building of understanding that is very valuable.
    • It is hard to measure security culture, especially if it is a supplier that was hacked
    • We spend all this time and energy on barriers. But we need better partnership with employees. Reporting and response are also super important. It isn’t all up-front protection.
  • For Laura - you mentioned shadow IT and that the policies are unjust
    • Studying more than compliance is important. Shadow IT is very much a thing. It is possible to both be compliant (long password changed often) and not in compliance (password written on white board because no one can memorize it).
  • Social capital
    • Ryan: in our study we had the two roles measure each other’s social capital. It was important to see not just how people see themselves, but also how others see them.
  • It is not that compliance does not work, the issue is that compliance is not done correctly. Box ticking vs finding underlying problem and addressing it. In lawsuits: a security report is often based on a CISO answering a questionnaire, not based on what was actually going on.
    • We need to re-think what compliance actually is.
  • Relational governance - social capital. It was interesting in our case we saw that you cannot order people like tenured professors or members of parliament. So social capital is vital to get security actually done. How do CISOs navigate the changing roles
    • Ryan: CISOs: they feel they need to empower users, empower business units, and they need a shared risk model
    • David: It is important as a CISO to weirdly not be a technologist. But in a CISO role the position is to be a collaborative leader, not a technologist. And to figure out how risks are applied to the company’s business function. Role is to think about what the organization risks are, not the IT risks.
  • To Ryan: In political economy people focus quite a bit on trust because it can be measured and put in a model. Would it help to start with trust in these measures of social capital and collaboration within an organization.
  • When I think about security culture I think about “I know it when I see it”. How much culture is based on the technology of the moment and how much is actually culture.
    • Hopefully not the technology, because that is always changing. Culture also changes over time. So both are combined.
    • They are quite independent. Even if a tech stack was swapped out the culture should persist, though it would need to adapt.
    • At home I’m productive (no restrictions) at work I’m quite restricted so I’m less productive.

Session 6: Trust and Security Public Policy

Speakers: Joseph Bonneau, Kami Vaniea, Serge Egelman, Jayati Dev, Michele Massberg, Ryan Shandler

Notes in this session were done by my incredible student due to me being in the session.

Joseph Bonneau

Title: Cryptographically Verifiable Lotteries

Making lotteries verifiable using cryptography.

Lotteries are used for many purposes, like moose hunt lotteries for hunting permits, judge assignments, conscription, and security screening.

Case studies of biased randomness:

  • US conscription lottery, 1969: those with later birth months were not selected
  • Diversity visa program, 2011: results are void as it was biased

How can we achieve a verifiable lottery?

  • Physical randomness ceremonies: the issue with this is that physical randomness can be faked, e.g. hot and cold balls used to aid cheats
  • Randomness from natural phenomena, or from the stock market via asset prices

Levels of verifiability: using cryptography we can use a multiparty randomness beacon protocol (e.g. League of Entropy). The trust model here is that if a majority of the parties are good, the randomness will work well.

Participatory protocols: Only 1 of n correct participants needed for security but no security downside to adding participants
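One way a draw can be made recomputable from a public beacon value, as an added example (not code from the talk or from any beacon project). It assumes the organiser publishes a hash of the entry list before the beacon round is known; the SHA-256 ranking rule, the function names, the entry names and the beacon value are all constructed for illustration.

```python
import hashlib
import hmac


def commit_entries(entries):
    """Hash of the canonical entry list; published BEFORE the beacon round exists."""
    h = hashlib.sha256()
    for entry in sorted(entries):
        data = entry.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))  # length prefix avoids ambiguous joins
        h.update(data)
    return h.hexdigest()


def draw(entries, beacon_hex, k):
    """Pick k winners: rank every entry by SHA-256(beacon || commitment || entry)."""
    entries = list(entries)
    if len(set(entries)) != len(entries):
        raise ValueError("duplicate entries would get duplicate tickets")
    if not 0 <= k <= len(entries):
        raise ValueError("k must be between 0 and the number of entries")
    beacon = bytes.fromhex(beacon_hex)
    commitment = bytes.fromhex(commit_entries(entries))

    def ticket(entry):
        return hashlib.sha256(beacon + commitment + entry.encode("utf-8")).digest()

    # Lowest ticket wins; the result does not depend on the order entries were listed in.
    return sorted(entries, key=ticket)[:k]


def verify(entries, published_commitment, beacon_hex, claimed_winners):
    """Anyone holding the public inputs can recompute the draw and compare."""
    if not hmac.compare_digest(commit_entries(entries), published_commitment):
        return False  # the entry list was changed after the commitment
    return draw(entries, beacon_hex, len(claimed_winners)) == list(claimed_winners)


# Constructed sample data. BEACON_HEX stands in for the output of a beacon round
# that was still in the future when the commitment was published.
ENTRIES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
BEACON_HEX = hashlib.sha256(b"constructed beacon output, round 0").hexdigest()

if __name__ == "__main__":
    commitment = commit_entries(ENTRIES)
    winners = draw(ENTRIES, BEACON_HEX, 3)
    print("commitment:", commitment)
    print("winners:   ", winners)
    print("verifies:  ", verify(ENTRIES, commitment, BEACON_HEX, winners))
```

The organiser's only remaining freedom is the entry list itself, which is why the commitment has to be public before the beacon value is.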

Kami Vaniea

Many conferences this year are struggling with high submission rates and potentially AI generated content

What is SOUPS: Symposium on Usable Privacy and Security. SOUPS is focused on human factors of security and privacy technologies and started in 2005. Kami was technical paper chair for 2025 and 2026.

There has been a boom of paper submissions:

  • 2024 was 156 submissions with 21% accepted
  • 2025 was 157 submissions with 19% accepted
  • 2026 was 251 submissions with 15.5% accepted

251 submissions and 15.5% accepted (39 accepted submissions), and 3 main reasons for the number of submissions:

  • AI may be a culprit here - it’s a common source of blame this year
  • CORE ranking- SOUPS was just raised to A-level in late 2025 (being A-level is a big deal)
  • Location being in Germany

Statistics: Kami asked reviewers to let us know about problematic AI and some issues identified included mangled references, fabricated references, citing text does not agree with cited paper, or poorly written text or text that does not match the rest of the paper

  • 18 flagged by reviewers as possibly having problematic AI
  • 12 rejected in round 1
  • 3 rejected in round 2
  • 3 accepted - both were flagged for having potentially AI generated text

Problem: we never looked this closely at references before

Step 11: SOUPS will be using student volunteers to review the output of reference checkers for all accepted papers!

Serge Egelman

Title: Is it time for software to put on its big boy pants?

Most engineering depends on complex supply chains: Apple doesn’t make glass, Toyota doesn’t make brake pads. Airlines use chicken cannons to test airline parts. For engineering software, you should be using ⅙ of the time coding and most of the time in planning and validation. Products must list ingredients and/or share any hazardous ingredients, but this doesn’t exist in software. Part of the problem is that “developers usually choose which corporates they incorporate and compliance / QA folks may be left in the dark”.

50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System - Submitted to FTC PrivacyC

Some developer SDKs take location data and there is a paper on this

Awareness of app behaviours: some developers just did not know. Data was sent to measurelib.com and it was linked to a defense contractor; there is a book by Bryan Tau on this topic. https://www.usenix.org/system/files/usenixsecurity23-lyons.pdf

Physical products that cause harm when used as intended are subject to recalls, yet we don’t have this for software.

Methods for accountability exist: civil engineers are licensed.

Where do we go from here?

  • SBOMs
  • ONCD organized a working group to come up with a framework for software liability
  • Maybe engineers need to be professionally licensed

Jayati Dev

Title: Multistakeholder approach to open source policy

Open source software is everywhere. For maintainers, the bigger it gets the harder it is to maintain; for users, there is usage in insecure contexts and it is hard to get support.

Can we add policy “rocks” for modern infrastructure/ open source software as many policy conversations happen in silos. What would a multi stakeholder policy approach look like for open source? At cybersecurity policy workshops they had breakout sessions with academic, industry, and government 20-25 participants

Initial Findings: a case study to understand the 3 way communication participation via a conservatorship model to fund critical open source, joint bug bounty programs, and support secure implementation of open source. Liabilities and how do we assign liability and who do we assign liability protections for researchers. Having IP and safe harbor protections for open source developers

Plan to convert this to a formal study, conduct more workshops, and collaborate on evidence based research

Michele Massberg

Title: Decrypting Covert Operations: Human Factors in Cryptographic Design

This study presents the first known decryption of Covert Operations panels and the problem:

In order to decrypt this, they transcribed the sculpture to a string representation in Python 3.12.0, then ran statistical analysis and computed annotation using Leiden conventional sigla (Dow 1969). If a certain symbol was missing, they would use a different symbol.

Looking at these statistics, the Arabic panel looked like it was plain text, and the English, Cyrillic, and 3rd language panels looked like something else. After a brute-force comparison, she used a ciphertext-only key search and was able to decrypt this text, and reconstructed and cracked it again.

For the 4th panel, a reconstruction of the plain text using key and line number. Through reconstruction of the Cyrillic panel, it was an executive order during the Cold War.

This work provides the first complete technical resolution of the four Covert Operations panels. Across both the English and Cyrillic reliefs, the ciphertexts were found to be consistent with periodic polyalphabetic substitutions, implemented as keyed Vigenère variants. The cipher design reflects the practical constraints of artistic design, manual inscription and a preference for mnemonic, thematically aligned keys.
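The kind of statistics that separate a plaintext panel from a periodic polyalphabetic one, as an added example (not the study's code or data). It goes one step beyond the notes by also recovering the key, and it assumes a plain Vigenère tableau rather than the keyed variants reported; the sample text and the key `PANEL` are constructed.

```python
from collections import Counter
import string

# Approximate relative frequencies (percent) of A..Z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
                4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
                2.36, 0.15, 1.97, 0.07]


def letters(text):
    """Transcription step: keep A-Z only, upper-cased."""
    return [c for c in text.upper() if c in string.ascii_uppercase]


def vigenere(text, key, decrypt=False):
    """Plain Vigenère over A-Z; key must be upper-case letters."""
    sign = -1 if decrypt else 1
    out = []
    for i, c in enumerate(letters(text)):
        shift = ord(key[i % len(key)]) - 65
        out.append(chr((ord(c) - 65 + sign * shift) % 26 + 65))
    return "".join(out)


def ioc(text):
    """Index of coincidence: about 0.066 for English, about 0.038 for uniform letters."""
    seq = letters(text)
    n = len(seq)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(seq).values()) / (n * (n - 1))


def column_ioc(text, period):
    """Mean IoC of the columns obtained by taking every period-th letter."""
    seq = "".join(letters(text))
    return sum(ioc(seq[i::period]) for i in range(period)) / period


def estimate_period(text, max_period=12, tolerance=0.85):
    """Smallest period whose column IoC is close to the best one (skips multiples)."""
    scores = {p: column_ioc(text, p) for p in range(1, max_period + 1)}
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= tolerance * best)


def recover_key(text, period):
    """Per column, choose the shift whose decryption best fits English (chi-squared)."""
    seq = "".join(letters(text))
    key = []
    for i in range(period):
        col = seq[i::period]

        def chi2(shift, col=col):
            counts = Counter((ord(c) - 65 - shift) % 26 for c in col)
            return sum((counts.get(j, 0) - len(col) * f / 100) ** 2 / (len(col) * f / 100)
                       for j, f in enumerate(ENGLISH_FREQ))

        key.append(chr(65 + min(range(26), key=chi2)))
    return "".join(key)


# Constructed sample plaintext and key (not text from the panels).
PLAINTEXT = (
    "The workshop brings together researchers who study how people behave around "
    "security and privacy technology. Speakers described interviews with administrators, "
    "surveys of security culture inside large organizations, and experiments that measure "
    "how consumers respond to advertising and tracking. One recurring theme was that strict "
    "policies often push employees toward workarounds, so measuring compliance alone tells "
    "us little about the real state of protection. Another theme was trust, between security "
    "teams and the business, between voters and election systems, and between residents and "
    "the connected devices in their homes. Several talks argued that labels, audits and "
    "transparent data downloads only help when ordinary people can read and act on them. "
    "The notes here are a constructed sample used only to exercise the statistics."
)
KEY = "PANEL"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("IoC plaintext :", round(ioc(PLAINTEXT), 4))
    print("IoC ciphertext:", round(ioc(CIPHERTEXT), 4))
    period = estimate_period(CIPHERTEXT)
    key = recover_key(CIPHERTEXT, period)
    print("period:", period, "key:", key)
    print(vigenere(CIPHERTEXT, key, decrypt=True)[:60])
```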

Ryan Shandler

Title: Destabilizing Democracy: The Long term societal effects of cyber operations

When we think of the impact of cyber attacks and threats, computer scientists think of denial of service, degraded infra, data theft, but Ryan thinks about societal divisions, distrust in government institutions, elevated perception of threat, and support for anti-democratic policies.

Phase 1: Attacks arouse psychological distress (increased anxiety levels). For individuals who are not technologically adept, they express significant anxiety.

Phase 2: Emotional reaction triggers behavioural/political shifts. Cyberattacks, even when they don’t cause a lot of damage, for political feelings cause significant damage and impact.

Weaponizing this phenomenon? DARPA shared that foreign entities could use this research to launch attacks against the US. This may be similar to a termite attack.

Behavioural Model of long term societal effects triggered by adversarial cyberattacks and there is always an effect that happen immediately afterwards.

The experiment that starts tomorrow will have 5000 participants experience the treatment/control and record short term, medium term, and long term effects over the next 5 years. Some attack source will be China or unknown source or damage to mobile networks (shutting down internet access) or US response = partisan divisions. This will be consumed via social media feeds and long term news sources. For individual effects it’s usually seen for 1-2 months but will see a long term observation of societal effects and multi country analysis. How do we mitigate democratic destabilization.

Results will be shared at SHB 2027!

Q&A:

Ryan was asked, “Do you think there will be something similar to the Baader-Meinhof phenomenon for cyberattacks: If you buy a car, you see the car continuously” there isn’t just one cyberattack it’s what’s the effect of one cyberattack followup in your daily life and maximizing external control and impacts in the long term

Question for Kami, “NSF has banned from using AI to assess anything about them. What would you do for 50,000 proposals that are to decide to spend $0-50 billion dollars?” If it’s purely AI generated, it’s a lot easier to check them and be cruel in the punishment. The discussion sections suffered far more from AI and they used AI for the sections where it’s the hard part where you have to think about it. We need policies on this. There was discussion on requiring a DOI for each citation for paper submissions and avoid having to revoke any papers due to a hallucinated reference.

Ryan got asked, “With so many cyberattacks already in the news, why will this particular treatment have a great impact?”. Ryan says his expectation is that they are trying to create a larger scale of cyberattacks and be realistic that it will break through the media cycle. They are taking a real attack and amplifying it a bit to see if their anxiety will be amplified so participants can look it up later (and be asked about this).

Kami was asked, “One of the references was not real when they submitted a paper and when they used AI to edit the paper it changed the name of the paper.” Kami said this could be a good learning opportunity for students and researchers.

Kami was asked, “Should this be handled by a higher level?” Kami said it hasn’t bubbled up yet and everyone is trying to handle it this year frantically. Another question, “I’ve had an issue with AI generated reviews, is this an issue with SOUPS?” Kami said some reviewers will not be asked back and only 1 reviewer she had a suspicion used AI due to lack of content and constructive feedback. “Across Security and Privacy papers, the people who are writing the Discussions sections just don’t seem as developed?” Kami got another question, “At the end of the day, we shouldn’t hate those who use AI but at the end of the day we should care if a paper is using AI but care about the quality and be smart about evaluating quality”


Session 7: Public Policy and Privacy

Speakers: David Sidi, Avinash Collis, Geoff Tomaino, Andrew Odlyzko, Tawfiq Alashoor, Blase Ur

David Sidi

Access, Privacy, and Conviviality with We Build Networks

Tech for advancing values > Broader Access to powerful tech > institutional support > participatory > enthusiastic

Working on making networking and networking tools more accessible to people. Workshops on topics like Tor node setup.

“We build networks” working with public groups to do education.

Avinash Collis

The consumer welfare effects of Online Ads: Evidence from a 9-year experiment

Ads

  • Positive for users - informational role, match buyers and sellers
  • Negative - higher prices, hyper focused

Facebook’s internal A/B testing platform has a small number of users who never see ads. They do this for experiment purposes. They recruit people from the ads and no ads. Do an incentivisation study by paying them to not use Facebook. In theory this will help determine how valuable ads are financially.

“Would you be willing to stop using Facebook for one month for $40?”

No significant differences between ads and no ads group. Both groups value Facebook at about $31/month.

In the next project: how does this generalize across the internet? How about other platforms? Also targeted vs non-targeted ads. This study looked at willingness to keep being in their condition. This experiment is mid-way.

  • Users in the ad blocking condition (where people have ad blockers) group want higher payments to keep using the system - this means that they are less willing to keep using the advertising blockers than put up with ads
  • Those who experience ad-blocking

Geoff Tomaino

Title: The role of preference ordering in consumer privacy violation perceptions

The value consumers get out of advertisement

First-order preference: What do you want?

  • When you went out for lunch, you wanted a sandwich.

Second-order preference: What you want to want

  • They want to want things that they don’t actually want

People take the view that advertisements represent what the brand thinks my first-order preferences are?

For topics like news, food, people often want to want something other than what they really want.

Study 1:

  • Participants were asked to imagine they used an investing site named Finance
  • FinanceWise recommendation: Low-risk investments
  • Gave other recommendations that match first or second order preferences
  • Found mismatch condition makes people feel like a privacy invasion

Study 2:

  • Your recommendation for
  • First order: indulgent foods
  • Second order preference Healthy OR indulgent foods
  • How do people feel about
  • More of a violation when ad goes against second order preferences

Andrew Odlyzko

Title: Where is our society and economy going?

The modern era might be named after Turing, from Turing Pharmaceuticals, who managed to massively mark up the drug. Amazingly the drug was a generic drug.

  • Government has sorta given up on anti-trust enforcement - not just current administration
  • Increasing volume of information - information in the economy as well as private information
    • Cartels
    • Growing part of the economy is corporate profits

Lots of this has to do with the great enrichment of communities. The industrial revolution.

  • The market as you think about Adam Smith’s conception: the market depends on a certain amount of capacity. Buyers and sellers come together where it is all about quantity and price.
  • But now with more information available. Now the incentive is to get as much info about your buyers as possible.

Price discrimination is becoming more of a thing. Most of it is done in hidden forms. But this is very unpopular with the public. So most of it is hidden.

  • Get credit card data on potential employees so they can decide who is desperate enough for a low paying job.

Tawfiq Alashoor

Title: Securing Digital Transformation in the Age of AI: Behavioral Privacy Penetration Testing

Long ago no one understood the value of salt. Then it became rare, and became a traded form of money. Salarium (salt) causing “salary”

I’ve heard that data is the new money. The value of personal data is rising like never before.

We do a lot of security penetration testing, but we don’t think about ethical ways to test the human brain to find vulnerabilities.

Passwords are very predictable

In cybersecurity we want to avoid a single point of failure. But our testing is focused on the technology, the firewalls. This single point of failure manifests through bad privacy decisions.

We asked 2k people a set of questions:

  • Subjects that were not primed to privacy and not nudged to privacy answer fewer questions than those who were primed and nudged
  • Even with small sample sizes we see the same thing

An online randomized field experiment on the importance of privacy education, training, and awareness (PETA)

When a robot violates privacy who is to blame

  • Consumers blame robot
  • Companies blame other companies

AI arms race

  1. contact with AI is social media (attention)
  2. contact with AI is GenAI (intimacy)

Privacy is Dead <- today’s myth

Blase Ur (University of Chicago)

Title: What could data subject access rights be?

Built a Tracking Transparency Tool

US FTC’s FIPPs

  • Notice - historical focus
  • Choice - historical focus
  • Access - interesting future focus by us
  • Integrity
  • Enforcement

When you download your Twitter data there is this targeting.js file explaining targeting ads. More data here than in the public user interface on why this ad.

When you download data you get a huge zip file or a huge file. How do you parse it?

  • Some files were millions of chars but no line breaks
  • Very hard to parse, hard to read
  • Unix timestamps are a simple example
  • There are no definitions for what some of the things in the files are.

Pursuing usable and useful data downloads under {GDPR/CCPA} access rights via {Co-Design}

  • how can we make some of this data more visible and actionable
  • Have users annotate the data and share with researchers
  • They wondered
    • What data is stored
    • How is it stored
    • How is it used
    • Takeaways from the data
  • Necessary features for a useful tool:
    • Definitions and explanations in context
    • Searching and filtering
    • Data deletion and modification in context

Research on art and privacy

Privacyart.net

Q&A

  • How does first order or second order align with actual vs ideal self. You are being targeted based on your actual self. Is it because I have a “shady” preference. And that causes the privacy violation.
    • Embarrassment is coming from inability to connect first and second order preferences. It suggests a lack of control over self.
  • Is it more about the ads or about being targeted?
    • Yes: you are highlighting something about myself that I feel negative about.
  • To Blase: How do these companies work with the incredibly messy data users download. The thing I realized is that companies have data about other users, which gives them context. Is this value common, good, bad?
    • Tried having several people download data from the same companies and then we are building schemas. The researchers only really want certain data, not all the data from that company.

Session 8: Where Do We Go From Here?

Speakers: Sascha Romanosky, Susan Landau, Jean Camp, Matt Blaze, Alessandro Acquisti, Jeremy Epstein

Sascha Romanosky

Studying software vulnerabilities

Regular software vulnerabilities

  • CVE-ID, CWE, CPE, CVSS, EPSS

AI vulnerabilities

  • Bias
  • Discrimination

Attacks against AI systems:

  • Evasion
  • Extraction
    • Solicit or extract information about the model. Or about training data.
  • Poisoning attacks
    • Poison the data
  • Misalignment
    • Exploiting (without necessarily causing) incorrect or deceptive outputs

Generative AI Model

Built a model of GenAI components, for each thought through the vulnerability space for that component.

  • Tokenizer: use some interesting characters and it might react unexpectedly
  • Fine Tuning
  • And more…

Susan Landau

Title: Tussle in the Home IoT

Why has adoption of IoT or “smart homes” been so slow?

In an apartment building, who gets the data from smart things? For example Ring cameras. There is also an issue of controllability: who decides who gets control and visibility.

All this is a tussle between different groups including issues over privacy and security.

Tussle in Cyberspace: Defining Tomorrow’s Internet

Trusted Computing Group report this one?

Human-building interaction

  • they think about users, visitors, and the buildings themselves.
  • HCI stakeholders: occupants, visitors, companies
  • HBI view: includes contractors and building-related groups

If home IoT is going to become a thing, these tussles must be resolved

Safety first: you cannot put up a smart smoke detector unless it is at least as safe as a “dumb” one

All homes are local:

  • Example: English row houses - their design impacts how they are heated and cooled
  • Design must include variation and resident autonomy
  • Even if not capable of doing settings on devices, they should be able to decide who does the configuration for them.

The idea that we can resolve all the tussles is nonsense

Jean Camp

Title: Current and predicted market impact of the US cyber trust mark

  • Rational choice
  • Usability
  • Market failure

It is challenging to create labels that help people differentiate products. They compared proposed labels at the time of the experiment.

Ask users to judge:

  • which device is the most secure - participants could use them to identify the most secure products
  • Privacy was ranked as more important than security

Will people pay for privacy?

  • We gave participants $15 and said to buy a lightbulb - simple version
  • Asked why did you decide?
    • Price!
    • Brand
    • Security - these people did pay more, and picked the most secure label
  • Unexpected questions:
    • Most secure watch made in China - but no one would trust the label.
    • yay another study
      • Country of origin did matter to consumers

What do users mean when they say “security”, “privacy”, and “IoT”

  • Our fellow Americans are so lost
    • The energy company came and put this thing in
    • My garage door opener?
    • My car connects to the Internet - so I have an IoT
    • Poor understanding of where the boundaries of IoT are
  • Quality is more important than “security”

Cyber Trust Mark might have impact on security-aware consumers. Even identifying which devices are IoT devices.

  • People will pay for security
  • People are very lost

Matt Blaze (Georgetown University)

Title: Misplaced Pessimism and Unwarranted Optimism in US Election Integrity

Election security has been a long-term research topic. Everyone was ignoring it, now too many people are looking at it but in the wrong areas.

Problem is which do we want/need

  • Making elections more trustworthy
  • Making elections more trusted

Two unsatisfying realities

  • Serious technical vulnerabilities in US election infrastructure
  • There is no credible evidence that these technical vulnerabilities have actually been exploited to alter the outcome of a US election

Three problems:

  1. Hard: Improving reality - making elections more trustworthy
  2. Harder: Misplaced pessimism - mistrust of (imperfect but improving) elections
  3. Hardest: Unwarranted optimism - demand for horribly untrustworthy election technology

Misplaced Pessimism: Voter Skepticism & Disinformation

  • As security improves, trust seems to be decreasing to an all-time low
  • Common theme: election technology is horribly complex and is being manipulated by third parties
  • These views are moving into the mainstream

A common theme is taking the work of experts and conflating the existence of vulnerabilities (true) with them being exploited (no current credible evidence). Just because a vulnerability exists does not mean that it has been used. This attributes enormous power to adversaries, far beyond what they actually hold. Most of this comes down to the assumption that there is no way that the (opposing view) group could have won, therefore the system is fraudulent.

We worked hard as technologists to convince people that elections are insecure. Then people started believing us too much.

The general public thinks: I can bank on my phone, why can’t I vote on my phone? This is a bad idea. People both think that technology is terrible for elections and want more of it.

Alessandro Acquisti (MIT)

Title: The Internet Behavior Experiment (IBE): An experimental platform to study the impact of tracking, targeting, and advertising on consumer behavior

Economists see behavioral advertising as a win: it helps consumers by showing them what they want/need to see, and helps potentially small groups reach the right users without spending impossible amounts.

  • Is this true? Finding out is not easy.

The Internet Behavior Experiment (IBE)

  • Multi-component client-server platform for digital experiments
  • Collects participants' rich micro-level actions
  • This system is designed for experiments, not necessarily natural behavior
  • Extensions
    • Chrome extension
    • Thunderbird Extension
  • Extensions send only needed data back
  • Live dashboard

Participants

  • In experiment for 3 months
  • Three treatments
    1. Targeted ads
    2. Ad-blocking
    3. ???

Status

  • Still recruiting, have about 550 participants
  • 1TB per week

Sample data Users

  • This sample size is too low, more an example of what can be collected
  • Can track what one user is doing. Can see what is being typed on various pages and how tabs are being switched.
  • System is trying to identify things like “Hello Kami” and strip the data client-side

Looking at how people reach merchant websites, for example via an ad, a search, or ChatGPT.

Seeing the pathways people take to get to high- or low-quality websites.

Jeremy Epstein

Brain computer interfaces

Lots of things go through our brains, think about dreams. Imagine that a computer was capturing my neuro data. What all can it capture?

There are many uses for Brain computer interfaces

  • Enabling people who have physical disabilities
  • Moving mouse for games
  • Deciding your optimal fragrance for perfume

Focusing on external devices.

There are many potential privacy risks here

  • Unclear how far into the future this is
  • There are existing patents for some of these technologies
  • Some companies sell devices that do this sort of thing.

What do current companies gather from you about these devices:

  • Study looked at 30 companies
  • Many of these companies are very small and may not understand the privacy questions or what is in their own policies
  • Small companies may not be prepared to protect your data

The Battle for your Brain by Nita A. Farahany

Safeguarding Brain Data: Assessing the Privacy Practices of Consumer Neurotechnology Companies

Q&A

  • For Susan: for some products, you cannot buy them not smart.
  • Apartment complex: they have a video camera and it is recording everyone, children, people, dogs.
    • Focus on the tussles - we thought it would be straightforward, but the furthest we can go is to say who needs to be in the room for the design/setup. But the issue is so localized that we cannot create broad standards that work for such a wide range.
  • Brain-computer interfaces: have you considered things like sleep pillows?
    • We need to think about what is being measured. We might want to know if, say, a truck driver is alert and awake. But maybe we don’t want to know what they are considering eating for lunch. That level of extraction is not currently possible. But we need to think about consequences now.
  • For Sascha: expanding the considered set of threats to include the CUDA runtime. Might be helpful to think about CUDA and hardware layers. Hardware bugs are permanent. But CUDA is a huge lever for an attacker.
    • Happy to look into it
  • For Matt: Do you see a future where we can reduce the issues happening around trust?
    • Everyone agrees that paper ballots are the gold standard. The problem is how they are tabulated. US elections are among the longest and most complex due to the number of things that need to be voted on.
    • Fortunately we have auditing approaches that let us do statistical sampling of ballots that can be used to verify the automation.
    • Lack of trust in elections has very little to do with how secure they are. More far-fetched theories.
    • Threats are quite different in different countries.
Kami Vaniea
Associate Professor of Usable Privacy and Security

I research how people interact with cyber security and privacy technology.