This project explores an architecture, mechanisms, and interfaces for helping users manage access control in the digital home.
The home is a challenging, yet critical, target for usable security. It requires abstractions that are intuitive for laypeople, interfaces that allow users to manipulate those abstractions, and access-control and storage infrastructure that can support the abstractions. Without a holistic, usable approach to access-control management, adoption of new technology in the home will be slowed and there will be no effective data security once the transition inevitably occurs. Based on their early experiences with home storage, the PIs seek to adapt and integrate:
(1) the semantic query as an abstraction for describing a set of files to which a specific policy applies;
(2) the Expandable Grid as a visual interaction technique for creating, editing, and viewing security policies;
(3) logic-based access control as a rigorous foundation for specifying and implementing policies.
User studies, surveys, and test deployments are a core component of the project; they are used to discover needs of users in the digital home and users' ability to effectively apply approaches developed.
The project has several forms of impact. First, it develops tools and techniques that can significantly simplify the use of access control in the digital home. Second, it increases understanding of user behavior and access-control needs in the emerging home storage environment. Third, it enhances education at CMU and elsewhere, as new insights are embedded into storage systems, distributed systems, and computer security classes taught by the PIs.
Digital content is becoming common in the home, as new content is created in digital form and people digitize existing content (e.g., photographs and personal records). Interesting and fun new devices make creating digital content easier and interacting with it much more flexible than ever before. The transition to digital homes is exciting, but brings many challenges. Perhaps the biggest challenge is dealing with access control. Users want to be able to access their content easily from any of their devices, including shared devices (e.g., the family DVR), and yet they also want to be able to restrict access to certain data among household members and visitors. They also want to be able to share data (e.g., photographs) selectively with friends and family outside their home. Unfortunately, studies repeatedly show that computer users have trouble specifying access-control policies. Worse, we are now injecting the need to do so into an environment with users who are much less technically experienced and notoriously impatient with complex interfaces. Without a holistic, usable approach to access-control management, adoption of new technology in the home will be slowed and there will be no effective data security once the transition inevitably occurs. The home is a challenging, yet critical, target for usable security. It requires abstractions that are intuitive for laypeople, interfaces that allow users to manipulate those abstractions, and access-control and storage infrastructure that can support the abstractions. Recognizing that this is a new and rapidly evolving domain, a key component of this project was a series of user studies that investigated the access-control needs of users in the digital home and the ability of such users to effectively apply different approaches to expressing and understanding their privacy concerns, policies, and requirements.
The outcome of these studies is a significantly improved understanding of home users' requirements, and designs for new mechanisms that help meet these requirements. We found, for example, that users' goals are more complex, contextual, and many-faceted than expected, and that users are attracted to policy mechanisms that preserve awareness and control as well as the social norms of asking for and granting permission. One such mechanism we developed and tested as part of this project is reactive policy creation, which allows users to make privacy decisions (e.g., with whom to share a document) in real time, at the moment they are required (e.g., when someone attempts to access a document). Another promising mechanism is to let users specify privacy policies for document sharing using tags (e.g., the tags commonly used for annotating digital photos). We showed that this approach was a good fit for users' mental models; users were enthusiastic about it and were able to use it effectively. Drawing on these and other insights from the security, systems, and HCI communities, we designed and developed a prototype of a distributed file system created from the ground up to enable usable access control while providing principled security. Our file system supports tag-based policy specification, which aligns well with users' mental models, and builds on logic-based access control, which provides strong assurance of correctness as well as broad policy flexibility. To evaluate our system we developed a novel set of realistic case studies and workload traces, grounded in data from our user studies. The research carried out as part of this project has had several forms of impact. We developed tools and techniques that significantly simplify the use of access control in the digital home. This is a critical enabler for injecting trust into personal data management.
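As an added example, not code from the project or its file system, the following Python sketch shows the two mechanisms described above working together: tag-based policies evaluated as a subset check over a file's tags (the matching policy serving as the "proof" of access, in the spirit of logic-based access control), and reactive policy creation, where a request with no matching policy is queued for the owner's real-time decision and an "allow" answer becomes a durable policy. All class and method names, and the implicit `file:<name>` tag, are assumptions made for the illustration.

```python
# Added illustration (assumed names, not the project's code): tag-based
# policies checked logic-style, with reactive policy creation on a miss.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    principal: str   # who may read ...
    tags: frozenset  # ... any file carrying ALL of these tags

@dataclass
class HomeStore:
    files: dict = field(default_factory=dict)    # file name -> set of tags
    policies: list = field(default_factory=list)
    pending: list = field(default_factory=list)  # (principal, file) awaiting owner

    def add_file(self, name, *tags):
        # Implicit unique tag lets a decision be scoped to exactly this file.
        self.files[name] = {f"file:{name}", *tags}

    def grant(self, principal, *tags):
        if not tags:
            raise ValueError("a policy with no tags would match every file")
        self.policies.append(Policy(principal, frozenset(tags)))

    def proof(self, principal, name):
        # Access holds iff some policy's tags are a subset of the file's tags.
        tags = self.files.get(name, set())
        return next((p for p in self.policies
                     if p.principal == principal and p.tags <= tags), None)

    def request(self, principal, name):
        # Reactive step: an unmatched request is queued for the owner's
        # real-time decision rather than silently denied.
        if name not in self.files:
            return "deny"
        if self.proof(principal, name):
            return "allow"
        self.pending.append((principal, name))
        return "pending"

    def decide(self, principal, name, allow, by_tags=()):
        # Owner answers a queued request; 'allow' becomes a durable policy,
        # scoped to this file or generalised to by_tags the file really has.
        self.pending.remove((principal, name))
        if not allow:
            return None
        scope = set(by_tags) or {f"file:{name}"}
        if not scope <= self.files[name]:
            raise ValueError("cannot generalise to tags this file lacks")
        self.grant(principal, *scope)
        return self.policies[-1]
```

Generalising a decision to a tag (say, `photo`) means later requests for other files carrying that tag are answered without another prompt, while the default keeps the grant to the single file that was asked about.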
We also increased the research community's understanding of user behavior and access-control needs in this dynamic new environment. Such understanding will aid in creating new technologies and refining existing ones that simultaneously offer utility and trust. This project also had a substantial impact on education and training: it involved a particularly large number of undergraduate, master's, and PhD students -- and specifically women and minorities -- in research, and helped convince many of them to choose careers in technology and in academia.