09.03.2022 – my first encounter with privacy & security researchers in person
I was visiting a friend in Edinburgh, and did a short detour to meet with two researchers I admired and still do: Reuben Binns and Konrad Kollnig
after our conversation, a hot chocolate, and some brain juice – I realised user needs for privacy-preserving experiences sparked many many many user interface (UI) design questions
the more I explored online governance and consumer protection, the more I asked “WHAT DOES IT LOOK LIKE?”
let’s look for answers together
21.06.2022 – Yixin Zou publishes an experimental protocol on the open science framework website. She is finishing her PhD in Information at the University of Michigan.
the protocol aims to answer the following question: out of these 4 notifications (see image below for a simplified summary) which one encourages the most users to change their password in a controlled setting?

what makes this study more REAL and less “controlled” are the notifications based on REAL data breaches sourced from Have I Been Pwned data records
the 1386 participants actually HAVE to change their passwords as this could have real-life consequences on their personal information
hence, the study focuses on personal threat, NOT organisational threat (completely different game)
16.10.2024 – I am sitting on my sticky chair in Berlin, fangirling and asking Yixin a loooooot of questions about her research
Yixin is not in Michigan anymore
She sits in her office in Bochum, Germany, where she leads the Human-Centered Security and Privacy group at the Max Planck Institute for Security and Privacy
she rocks
Yixin deeply cares about consumer protection, and you can really feel it
While we talked about her study on data breach notification – our conversation slowly drifted toward research impact through online regulation
27.06.2019 – Yixin presents her research for the first time at the US Federal Trade Commission PrivacyCon, a yearly conference showcasing research related to consumer privacy and data security.
One path for privacy & security researchers to make their voices heard is conferences organised by consumer protection regulators.
The US Federal Trade Commission has been a role model for many consumer protection regulatory bodies around the world. Now, the French Data Protection Authority (CNIL) also hosts an annual conference, the CNIL Privacy Research Day.
What privacy researchers need to inform regulators about notifications protecting consumers online
Despite the rising interest in “privacy by design”, the conference programs have a blind spot: UI design expertise.
when I asked Yixin about the breach notification visual hierarchy (logo, colour, and alignment…), she acknowledged the emphasis on the logo could confuse the user and catch too much of their attention.
In truth, the breach notification’s main goal was to display a layered text and not to test different visual hierarchies or customer journeys.
and to be honest privacy & security researchers should not be the ones designing the notification UI
they should be the ones informing the notification design brief and looking beyond the notification or as Yixin puts it “help inform best practices for designing notification”
in practice, this means privacy & security research labs could work with design studios or employ UI designers, like the CNIL research team does
because in the end, the UI design is just one step of the consumer protection journey
As Yixin rightfully points out at the end of her study, notifications are useless
- if users do not trust the browser or the password managers
- if changing the password is not a user-friendly experience
- if the user does not care about the data linked to the password breach
- if the password manager engages in surveillance behaviour
- if the most vulnerable people, e.g. elderly people, are not concerned by the notification
Thank you Yixin for your time and showing that research is a collective and political endeavor
Yixin Zou breach notification study https://arxiv.org/abs/2405.15308
Yixin Zou (邹熠欣) research https://yixinzou.github.io/
Interesting study Yixin mentioned during our talk – “In Eighty Percent of the Cases, I Select the Password for Them”: Security and Privacy Challenges, Advice, and Opportunities at Cybercafes in Kenya (IEEE conference publication, IEEE Xplore)

Credit to the goat, Emilie Lor/@_kknomos for the slutty sea slug inspired from jojo