Proximity displays for access control

Managing access to shared digital information, such as photographs and documents. is difficult for end users who are accumulating an increasingly large and diverse collection of data that they want to share with others. Current policy-management solutions require a user to proactively seek out and open a separate policy-management interface when she wants to review or change her access-control policy. However, end users treat access control as a secondary task, and rarely visit a website for the primary task of managing security. Historically, security administrators and auditors were available to check for access-control issues on behalf of users, but in the age of Facebook and Flickr people are responsible for their own content. Users need a way to review their access-control policies that fits into their normal workflows. This thesis proposes the use of proximity information displays — small interface components spatially located near the data elements (or near a representation of data, e.g., file name in a file manager or thumbnail photo in a photo album) that contain information about who currently has access or who could access the data. These displays are intended to help users become more aware of how their data has been used in the past and how the data could be used in the future. We present empirical studies that test the hypothesis: Users of a system that includes proximity information displays of access control-information will implement policies that result in grant/deny actions that better match their preferences than will users of a system where access-control information is available only on a secondary interface.The focus of this thesis is understanding the impact of proximity displays on people's permission-modification behavior. The displays were conceptualized based on interviews with end users and security administrators, which highlighted the need for increased end-user awareness of their policies. Focus groups showed that people liked the idea of showing permission information in proximity to data. Finally, several evaluation studies were conducted in the lab and online using a photo-sharing website. Participants who saw proximity displays that were more comprehensive and could be glanced at easily were better able to identify access-control policy errors. Participants who saw displays that were overly coarse-grained, on the sidebar, or showed information about who had previously viewed the photos, showed no improvement over those who saw permission settings only on a secondary interface. Our studies suggest that proximity displays for access control can help significantly the majority of users who do not normally check their access-control policies.