Showing 1–3 of 3 results for author: Stegman, J

No Privacy in the Electronics Repair Industry

Authors: Jason Ceci, Jonah Stegman, Hassan Khan

Abstract: Electronics repair and service providers offer a range of services to computing device owners across North America -- from software installation to hardware repair. Device owners obtain these services and leave their device along with their access credentials at the mercy of technicians, which leads to privacy concerns for owners' personal data. We conduct a comprehensive four-part study to measur… ▽ More Electronics repair and service providers offer a range of services to computing device owners across North America -- from software installation to hardware repair. Device owners obtain these services and leave their device along with their access credentials at the mercy of technicians, which leads to privacy concerns for owners' personal data. We conduct a comprehensive four-part study to measure the state of privacy in the electronics repair industry. First, through a field study with 18 service providers, we uncover that most service providers do not have any privacy policy or controls to safeguard device owners' personal data from snooping by technicians. Second, we drop rigged devices for repair at 16 service providers and collect data on widespread privacy violations by technicians, including snooping on personal data, copying data off the device, and removing tracks of snooping activities. Third, we conduct an online survey (n=112) to collect data on customers' experiences when getting devices repaired. Fourth, we invite a subset of survey respondents (n=30) for semi-structured interviews to establish a deeper understanding of their experiences and identify potential solutions to curtail privacy violations by technicians. We apply our findings to discuss possible controls and actions different stakeholders and regulatory agencies should take to improve the state of privacy in the repair industry. △ Less

Submitted 10 November, 2022; originally announced November 2022.

Comments: This paper has been accepted to appear at the 44th IEEE Symposium on Security and Privacy (IEEE S&P 2023)

"My Privacy for their Security": Employees' Privacy Perspectives and Expectations when using Enterprise Security Software

Authors: Jonah Stegman, Patrick J. Trottier, Caroline Hillier, Hassan Khan, Mohammad Mannan

Abstract: Employees are often required to use Enterprise Security Software ("ESS") on corporate and personal devices. ESS products collect users' activity data including users' location, applications used, and websites visited - operating from employees' device to the cloud. To the best of our knowledge, the privacy implications of this data collection have yet to be explored. We conduct an online survey (n… ▽ More Employees are often required to use Enterprise Security Software ("ESS") on corporate and personal devices. ESS products collect users' activity data including users' location, applications used, and websites visited - operating from employees' device to the cloud. To the best of our knowledge, the privacy implications of this data collection have yet to be explored. We conduct an online survey (n=258) and a semi-structured interview (n=22) with ESS users to understand their privacy perceptions, the challenges they face when using ESS, and the ways they try to overcome those challenges. We found that while many participants reported receiving no information about what data their ESS collected, those who received some information often underestimated what was collected. Employees reported lack of communication about various data collection aspects including: the entities with access to the data and the scope of the data collected. We use the interviews to uncover several sources of misconceptions among the participants. Our findings show that while employees understand the need for data collection for security, the lack of communication and ambiguous data collection practices result in the erosion of employees' trust on the ESS and employers. We obtain suggestions from participants on how to mitigate these misconceptions and collect feedback on our design mockups of a privacy notice and privacy indicators for ESS. Our work will benefit researchers, employers, and ESS developers to protect users' privacy in the growing ESS market. △ Less

Submitted 23 September, 2022; originally announced September 2022.

Comments: To appear in USENIX Security Symposium 2023

Widely Reused and Shared, Infrequently Updated, and Sometimes Inherited: A Holistic View of PIN Authentication in Digital Lives and Beyond

Authors: Hassan Khan, Jason Ceci, Jonah Stegman, Adam J. Aviv, Rozita Dara, Ravi Kuber

Abstract: Personal Identification Numbers (PINs) are widely used as an access control mechanism for digital assets (e.g., smartphones), financial assets (e.g., ATM cards), and physical assets (e.g., locks for garage doors or homes). Using semi-structured interviews (n=35), participants reported on PIN usage for different types of assets, including how users choose, share, inherit, and reuse PINs, as well as… ▽ More Personal Identification Numbers (PINs) are widely used as an access control mechanism for digital assets (e.g., smartphones), financial assets (e.g., ATM cards), and physical assets (e.g., locks for garage doors or homes). Using semi-structured interviews (n=35), participants reported on PIN usage for different types of assets, including how users choose, share, inherit, and reuse PINs, as well as behaviour following the compromise of a PIN. We find that memorability is the most important criterion when choosing a PIN, more so than security or concerns of reuse. Updating or changing a PIN is very uncommon, even when a PIN is compromised. Participants reported sharing PINs for one type of asset with acquaintances but inadvertently reused them for other assets, thereby subjecting themselves to potential risks. Participants also reported using PINs originally set by previous homeowners for physical devices (e.g., alarm or keypad door entry systems). While aware of the risks of not updating PINs, this did not always deter participants from using inherited PINs, as they were often missing instructions on how to update them. %While aware of the risks of not updating PINs, participants continued using these PINs, as they were often missing instructions on how to update them.Given the expected increase in PIN-protected assets (e.g., loyalty cards, smart locks, and web apps), we provide suggestions and future research directions to better support users with multiple digital and non-digital assets and more secure human-device interaction when utilizing PINs. △ Less

Submitted 24 August, 2020; originally announced August 2020.