Hello nice Tor people,
[I've spoken with Runa about this and she suggested I send this to the dev list. If it should belong somewhere else, just let me know. Thanks Runa.]
Tl;dr: 6 months' worth of a reasonably security/privacy/encryption-savvy HCI researcher's time to carry out an MSc dissertation about the usability of security software, and the effect their UIs have on people's idea of how they work.
(You may see this e-mail on a number of lists; I'm mailing each list individually.)
Seeing as I am going to be asking for a favour, I should give some information about me.
My background is: electronics engineering, network and systems admin, then telecoms engineer (mobile networks). I'm not a coding/security/crypto bod, but security has been part of the past 10+ years of my work, so I can understand some of it and know where to find/who to ask for the answers to the rest.
My interest is: HCISEC - Human Computer Interaction in security technology. Security, privacy, encryption tools and why people who should use them do not use them.
I define "people who should use them" as human rights activists, investigative journalists, and people in countries whose governments are oppressive.
I define "security, privacy, encryption tools" as Tor, TBB, Orweb, Orbot, PGP, Redphone, TextSecure, Pixelknot, Silent Circle, Tails, and other tools I don't yet know about.
My focus is not on security professionals/experts, technical people who can understand the limitations of these tools and the threats they defend against. These users have the technical knowledge and understanding of computing concepts, threat models, etc., which allow them to make a more educated decision.
I am doing a master's in human computer systems, and it's coming to the time to start planning my dissertation. My chosen topic (very generally) is: "Usable security and its impact on mental models and trust." Over the next few weeks I want to focus this better.
(If you're familiar with the concept, or are not interested, just skip this.)
A mental model is a "small scale model of reality" humans create to use to reason, to anticipate events, and to reinforce explanation. Based on the user's understanding of a software interface, they will construct an idea of what is happening in an application. If a user creates a number of mental models because a software interface gives different/wrong/conflicting information, this causes the user to be confused; as a result, they will make incorrect decisions, and possibly stop using the software. Given the scenarios where these tools are used, making mistakes, having a false sense of security, or not using them, can be dangerous.
There is a lot of research in trust and confidence in recommender systems, transparency in system status, credibility of information provided in user interface, but (from what I've found so far) not much specifically to do with security and privacy tools.
So to my request: I have 6 months (beginning from May) to carry out a hcisec human factors focused project. There have been usability evaluations of Tor carried out already, and I was looking for other areas to focus on.
I can find a subject myself, but I would like to do some work on an area that could lead to some useful research/provide input to making these tools better, from a user point of view. Is there a question you'd love to see answered? Is there some area of a tool that needs some research?
I will also be looking for participants to take part in research - again I am very conscious of the scenarios where these tools are used, and the need to maintain anonymity and privacy. I will be anonymising all research, asking for the minimum information and am happy to carry out communications via secure communications tools. I would appreciate support from users of security and privacy tools.
At the end, all research will be released and available for use by the security community if required.
At the risk of teaching you to suck eggs, if you are interested in learning more, I can recommend the "Security and Usability: Designing Secure Systems that People Can Use" book by Lorrie Faith Cranor and also the SOUPS Conference (http://cups.cs.cmu.edu/soups/2013/).
I look forward to some feedback (on or off list).
thanks, Bernard
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
While I'm not quite sure it's what you're looking for, cross-cultural factors come into play a lot and seriously affect trust. I work with an organization that (in turn) works with Chinese activists & organizers. It's a bit of a catch-22 that tools and guides in Chinese dialects are critically important, but tools made in China aren't necessarily trusted. (Though this is probably owing to the extreme levels of infiltration in activist communities there). But tools that aren't trusted might be used more often than non-translated alternatives.
...It's problematic.
best, Griffin
Hi Griffin,
Yes, I would agree with you that language and culture play a big role in trusting something. Unfortunately that's a bit outside my field, and also the scope of my dissertation.
What I am looking for is some suggestions, or ideas I could investigate in my dissertation. The UI of Tor tools, and how they represent the user's "current status" - i.e. if s/he is secure or not, or levels of security. Do users trust more information, or less?
For example:
- In the TBB, the only information presented to the user on his/her status is a) the colour of the onion icon (green/yellow/red), and b) the information presented in the message log (either advanced or basic).
Is this enough? Is this a model understood by users?
- In Orbot on Android, a similar model is used (with the robot's colour and hand position changing as Orbot starts up).
Again, is this model something that users understand?
It does not have to be Tor or TBB, it could be Tails for example.
Apologies if the idea seems a bit abstract. I will try and make it more concrete. If anyone has any questions, please let me know. I have some blog posts started here http://www.diymobileusabilitytesting.net/diymut/tag/hcisec/ to give some better ideas of where I am going with this.
thanks, Bernard
On 9 Apr 2013, at 18:40, Griffin Boyce wrote:
While I'm not quite sure it's what you're looking for, cross-cultural factors come into play a lot and seriously affect trust. I work with an organization that (in turn) works with Chinese activists & organizers. It's a bit of a catch-22 that tools and guides in Chinese dialects are critically important, but tools made in China aren't necessarily trusted. (Though this is probably owing to the extreme levels of infiltration in activist communities there). But tools that aren't trusted might be used more often than non-translated alternatives.
...It's problematic.
best, Griffin
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
Hello nice Tor people,
I thought I'd bump this up again, just in case people missed it :)
I am looking to volunteer my time to do some research as part of my HCI master's on a subject that Tor people think is important.
For any people interested in humans and security, there is a nice video from a user researcher at Mozilla talking about how security matters to "normal" people (not security people). It brought up a lot of questions for me.
https://air.mozilla.org/meaningful-security/
If anyone is even *remotely* interested, please let me know. My offer is genuine, but my time is running out!
thanks, Bernard
(bluboxthief on #tor / #ooni)
On 9 Apr 2013, at 12:44, Bernard Tyers - ei8fdb wrote: