Of Secrets and Seedphrases: Conceptual misunderstandings and security challenges for seed phrase management among cryptocurrency users
Cryptocurrency adoption has surged dramatically, with over 500 million global users. Despite the appeal of self-custodial wallets, which grant users control over their assets, these users often struggle with the complexities of securing seed phrases, leading to substantial financial losses. This paper investigates the behaviors, challenges, and security practices of cryptocurrency users regarding seed phrase management. We conducted a mixed-methods study comprising semi-structured interviews with 20 participants and a comprehensive survey of 643 respondents. Our findings reveal significant gaps in users' understanding and practices around seed phrase security and the circumstances under which users share their seed phrases. We also explore users' mental models of shared accounts and strategies for handling cryptocurrency assets in the event of death. We found that the majority of our participants harbored significant misconceptions about seed phrases that could expose them to significant security risks --- e.g., only 43% could correctly identify an image of a seed phrase, many believed they could reset their seed phrase if they lost them. Moreover, only a minority have engaged in any estate planning for their crypto assets. By identifying these challenges and behaviors, we provide actionable insights for the design of more secure and user-friendly cryptocurrency wallets, ultimately aiming to enhance user confidence in managing their crypto assets, reduce their exposure to scams and accidental loss of assets, and simplify the creation of bequeathment plans.
2025 | Farida Eleshin et al. | Carnegie Mellon University, Human Computer Interaction Institute | Passwords & Authentication; Privacy Perception & Decision-Making | CHI

Exploring the Needs of Users for Supporting Privacy-protective Behavior in Smart Homes
In this paper, we studied people’s smart home privacy-protective behaviors (SH-PPBs), to gain a better understanding of their privacy management do’s and don’ts in this context. We first surveyed 159 participants and elicited 33 unique SH-PPB practices, revealing that users heavily rely on ad hoc approaches at the physical layer (e.g., physical blocking, manual powering off). We also characterized the types of privacy concerns users wanted to address through SH-PPBs, the reasons preventing users from doing SH-PPBs, and privacy features they wished they had to support SH-PPBs. We then storyboarded 11 privacy protection concepts to explore opportunities to better support users’ needs, and asked another 227 participants to criticize and rank these design concepts. Among the 11 concepts, Privacy Diagnostics, which is similar to security diagnostics in anti-virus software, was far preferred over the rest. We also witnessed rich evidence of four important factors in designing SH-PPB tools, as users prefer (1) simple, (2) proactive, (3) preventative solutions that can (4) offer more control.
2022 | Haojian Jin et al. | CMU | Algorithmic Transparency & Auditability; Privacy by Design & User Control; Smart Home Privacy & Security | CHI

To Self-persuade or Be Persuaded: Examining Interventions for Users' Privacy Setting Selection
User adoption of security and privacy (S&P) best practices remains low, despite sustained efforts by researchers and practitioners. Social influence is a proven method for guiding user S&P behavior, though most work has focused on studying peer influence, which is only possible with a known social graph. In a study of 104 Facebook users, we instead demonstrate that crowdsourced S&P suggestions are significantly influential. We also tested how reflective writing affected participants' S&P decisions, with and without suggestions. With reflective writing, participants were less likely to accept suggestions --- both social and Facebook default suggestions. Of particular note, when reflective writing participants were shown the Facebook default suggestion, they not only rejected it but also (unknowingly) configured their settings in accordance with expert recommendations. Our work suggests that both non-personal social influence and reflective writing can positively influence users' S&P decisions, but have negative interactions.
2022 | Kimi Wenzel et al. | Carnegie Mellon University | Privacy by Design & User Control; Privacy Perception & Decision-Making | CHI

Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels
Apple announced the introduction of app privacy details to their App Store in December 2020, marking the first ever real-world, large-scale deployment of the privacy nutrition label concept, which had been introduced by researchers over a decade earlier. The Apple labels are created by app developers, who self-report their app's data practices. In this paper, we present the first study examining the usability and understandability of Apple's privacy nutrition label creation process from the developer's perspective. By observing and interviewing 12 iOS app developers about how they created the privacy label for a real-world app that they developed, we identified common challenges for correctly and efficiently creating privacy labels. We discuss design implications both for improving Apple's privacy label design and for future deployment of other standardized privacy notices.
2022 | Tianshi Li et al. | Carnegie Mellon University | Privacy by Design & User Control; Privacy Perception & Decision-Making | CHI

Designing Alternative Representations of Confusion Matrices to Support Non-Expert Public Understanding of Algorithm Performance
Ensuring effective public understanding of algorithmic decisions that are powered by machine learning techniques has become an urgent task with the increasing deployment of AI systems into our society. In this work, we present a concrete step toward this goal by redesigning confusion matrices for binary classification to support non-experts in understanding the performance of machine learning models. Through interviews (n=7) and a survey (n=102), we mapped out two major sets of challenges lay people have in understanding standard confusion matrices: the general terminologies and the matrix design. We further identified three sub-challenges regarding the matrix design, namely, confusion about the direction of reading the data, layered relations and quantities involved. We then conducted an online experiment with 483 participants to evaluate how effective a series of alternative representations target each of those challenges in the context of an algorithm for making recidivism predictions. We developed three levels of questions to evaluate users' objective understanding. We assessed the effectiveness of our alternatives for accuracy in answering those questions, completion time, and subjective understanding. Our results suggest that (1) only by contextualizing terminologies can we significantly improve users' performance and (2) flow charts, which help point out the direction of reading the data, were most useful in improving objective understanding. Our findings set the stage for developing more intuitive and generally understandable representations of the performance of machine learning models.
2020 | Hong Shen et al. | Interpreting and Explaining AI | CSCW

'I Can't Even Buy Apples If I Don't Use Mobile Pay?': When Mobile Payments Become Infrastructural in China
Despite slow adoption in the West, mobile payments are the de facto solution for hundreds of millions of users in China for everything from paying bills to riding buses, from sending virtual "Red Packets" to buying money market funds. In this paper, we use the theoretical lens of infrastructure to study users' interactions with ubiquitous and embedded mobile payment systems in China, focusing on Alipay and WeChat Pay, the two dominant apps on the market. Based on data from a survey (n=466) and follow-up interviews (n=12) with users in China, we describe the diverse usage patterns across physical, social, and digital ubiquity, and a series of challenges people face. Reflecting on the lessons we learned from the Chinese case, in particular problems and pitfalls, we discuss some implications both for design and for policy. Our findings have important implications for other countries that have been moving towards greater adoption of mobile payments.
2020 | Hong Shen et al. | Social Support, Donation, and Money | CSCW

How Developers Talk about Personal Data and What It Means for User Privacy: A Case Study of a Developer Forum on Reddit
While online developer forums are major resources of knowledge for application developers, their roles in promoting better privacy practices remain under explored. In this paper, we conducted a qualitative analysis of a sample of 207 threads (4772 unique posts) mentioning different forms of personal data from the /r/androiddev forum on Reddit. We started with bottom-up open coding on the sampled posts to develop a typology of discussions about personal data use and conducted follow-up analyses to understand what types of posts elicited in-depth discussions on privacy issues or mentioned risky data practices. Our results show that Android developers rarely discussed privacy concerns when talking about a specific app design or implementation problems, but often had active discussions around privacy when stimulated by certain external events representing new privacy-enhancing restrictions from the Android operating system, app store policies, or privacy laws. Developers often felt these restrictions could cause considerable cost yet fail to generate any compelling benefit for themselves. Given these results, we present a set of suggestions for Android OS and the app store to design more effective methods to enhance privacy, and for developer forums (e.g., /r/androiddev) to encourage more in-depth privacy discussions and nudge developers to think more about privacy.
2020 | Diana Li et al. | Privacy and Security | CSCW

I'm All Eyes and Ears: Exploring Effective Locators for Privacy Awareness in IoT Scenarios
With the proliferation of IoT devices, there are growing concerns about being sensed or monitored by these devices unawares, especially in places perceived as private. We explore the design space of IoT locators to help people physically find nearby IoT devices. We first conducted a survey to understand people's willingness, current practices, and challenges in finding IoT devices. Our survey findings motivated us to design and implement low-cost locators (visual, auditory, and contextualized pictures) to help people find nearby devices. Through an iterative design process and two rounds of experiments, we found that these locators greatly reduced people's search time over a baseline of no locators. Many participants found the visual and auditory locators enjoyable. Some participants also appropriated the use of our system for other purposes, e.g., to learn about new IoT devices, instead of for privacy awareness.
2020 | Yunpeng Song et al. | Xi'an Jiaotong University | Privacy by Design & User Control; IoT Device Privacy | CHI

Normal and Easy: Account Sharing Practices in the Workplace
Work is being digitized across all sectors, and digital account sharing has become common in the workplace. In this paper, we conduct a qualitative and quantitative study of digital account sharing practices in the workplace. Across two surveys, we examine the sharing process at work, probing what accounts people share, how and why they share those accounts, and identifying the major challenges people face in sharing accounts. Our results demonstrate that account sharing in the modern workplace serves as a norm rather than a simple workaround; centralizing collaborative activity and reducing boundary management effort are key motivations for sharing. But people still struggle with a lack of activity accountability and awareness, conflicts over simultaneous access, difficulties controlling access, and collaborative password use. Our work provides insights into the current difficulties people face in workplace collaboration with online account sharing, as a result of inappropriate designs that still assume a single-user model for accounts. We highlight opportunities for CSCW and HCI researchers and designers to better support sharing by multiple people in a more usable and secure way.
2019 | Yunpeng Song et al. | Workplaces | CSCW

Evolving the Ecosystem of Personal Behavioral Data
Every day, people generate lots of personal data. Driven by the increasing use of online services and widespread adoption of smartphones (owned by 68% of U.S. residents; Anderson, 2015), personal data take many forms, including communications (e.g., e-mail, SMS, Facebook), plans and coordination (e.g., calendars, TripIt, to-do lists), entertainment consumption (e.g., YouTube, Spotify, Netflix), finances (e.g., banking, Amazon, eBay), activities (e.g., steps, runs, check-ins), and even health care (e.g., doctor visits, medications, heart rate). Collectively, these data provide a highly detailed description of an individual. Personal data afford the opportunity for many new kinds of applications that might improve people’s lives through deep personalization, tools to manage personal well-being, and services that support identity construction. However, developers currently encounter challenges working with personal data due to its fragmentation across services. This article evaluates the landscape of personal data, including the systemic forces that created current fragmented collections of data and the process required for integrating data from across services into an application. It details challenges the fragmented ecosystem imposes. Finally, it contributes Phenom, an experimental system that addresses these challenges, making it easier to develop applications that access personal data and providing users with greater control over how their data are used.
2018 | Jason Wiese et al. | University of Utah | Privacy by Design & User Control; Context-Aware Computing | CHI

Panel: Voice Assistants, UX Design and Research
In this panel, we discuss the challenges that are faced by HCI practitioners and researchers as they study how voice assistants (VA) are used on a daily basis. Voice has become a widespread and commercially viable interaction mechanism with the introduction of VAs such as Amazon's Alexa, Apple's Siri, the Google Assistant, and Microsoft's Cortana. Despite their prevalence, the design of VAs and their embeddedness with other personal technologies and daily routines have yet to be studied in detail. Making use of a roundtable, we will discuss these issues by providing a number of VA use scenarios that panel members will discuss. Some of the issues that researchers will discuss in this panel include: (1) obtaining VA data & privacy concerns around the processing and storage of user data; (2) the personalization of VAs and the user value derived from this interaction; and (3) the relevant UX work that reflects on the design of VAs?
2018 | Jofish Kaye et al. | Mozilla | Voice User Interface (VUI) Design; Intelligent Voice Assistants (Alexa, Siri, etc.) | CHI

Breaking! A Typology of Security and Privacy News and How It’s Shared
News coverage of security and privacy (S&P) events is pervasive and may affect the salience of S&P threats to the public. To better understand this coverage and its effects, we asked: What types of S&P news come into people’s awareness? How do people hear about and share this news? Over two years, we recruited 1999 participants to fill out a survey on emergent S&P news events. We identified four types of S&P news: financial data breaches, corporate personal data breaches, high sensitivity systems breaches, and politicized / activist cybersecurity. These event types strongly correlated with how people shared S&P news, e.g., financial data breaches were shared most (42%), while politicized / activist cybersecurity events were shared least (21%). Furthermore, participants’ age, gender and security behavioral intention strongly correlated with how they heard about and shared S&P news, e.g., males more often felt a personal responsibility to share, and older people were less likely to hear about S&P news through conversation.
2018 | Sauvik Das et al. | Georgia Institute of Technology | Privacy Perception & Decision-Making; Social Platform Design & User Behavior | CHI