C I R C L E

The CISPA x LUMS Research Partnership on Internet For Everyone

About CIRCLE

Bridging the Digital Divide through Interdisciplinary Research.

Despite widespread Internet use, many are still excluded from digital resources. Moreover, the Internet often mirrors physical world inequalities, leaving certain groups marginalized and vulnerable. CIRCLE aims to address this societal challenge by making the Internet more accessible to marginalized groups. CIRCLE adopts an interdisciplinary approach, centering humans in all research.

People

The core team behind our efforts.

Directors of CIRCLE

Professors

Dr. Katharina Krombholz

Tenured Faculty @ CISPA, Adjunct Faculty @ LUMS

Dr. Mobin Javed

Associate Professor @ LUMS

Dr. Muhammad Hamad Alizai

Associate Professor @ LUMS

Dr. Naveed Anwar Bhatti

Assistant Professor @ LUMS

Dr. Maryam Mustafa

Associate Professor @ LUMS

Dr. Rebekka Burkholz

Tenured Faculty @ CISPA

Dr. Sven Bugiel

Tenured Faculty @ CISPA

Dr. Wouter Lueks

Tenure-Track Faculty @ CISPA

Dr. Nida ul Habib Bajwa

Faculty @ Saarland University

PhD Students

Sumair Ijaz Hashmi

PhD Student @ CISPA, Saarland University

Taha

PhD Student @ CISPA, Saarland University

Niklas George

PhD Student @ Saarland University

Stefan Kenst

PhD Student @ Saarland University

Muhammad Tahir

PhD Student @ LUMS

Current Students

  • Yahya Khwaja, LUMS
  • Eman Nabeel, LUMS
  • Sujo Punar, Prep Phase Computer Science @ Saarland University
  • Shirin Rehman, LUMS

Alumni

Our alumni remain part of the CIRCLE family as collaborators, mentors, and friends.

  • Dr. Lea Gröber, Postdoc @ UC Berkeley
  • Shafay Kashif, MS Information Technology @ University of Auckland
  • Afaq Ashraf, Prep Phase Computer Science @ Saarland University
  • Rimsha Sarfaraz, Prep Phase Computer Science @ Saarland University
  • Waleed Arshad, MS Computer Science @ University of Wisconsin-Madison
  • Shanza, MMath Computer Science @ University of Waterloo

Publications

Our peer-reviewed papers have been published in top-tier venues in Security, Privacy, and Human-Computer Interaction.

See Me If You Can: A Multi-Layer Protocol for Bystander Privacy with Consent-Based Restoration

Yahya Khawaja*, Shirin Rehman*, Alexander Ponticello, Divyanshu Bhardwaj, Katharina Krombholz, Naveed Anwar Bhatti, Muhammad Hamad Alizai. (* denotes joint authorship)

ACM CHI 2026 · 2026

Smart Glasses · Bystander Privacy · Consent
Abstract

The growing popularity of wearable camera glasses raises pressing concerns about bystanders being recorded without their consent. Most existing privacy-enhancing technologies (PETs) rely on opt-out models that place the burden of privacy protection on bystanders. We conducted a qualitative study on wearers' and bystanders' perceptions of opt-in, privacy-by-default approaches for camera glasses. To enable this study, we designed and evaluated an opt-in privacy-by-default protocol. We then conducted semi-structured interviews with camera glass wearers and bystanders (N = 18) to examine their perceptions of the protocol. Our findings show that bystanders viewed the opt-in protocol as essential and advocated for even stronger anonymization. Wearers appreciated the protocol's safeguards but found it visually limiting, expressing desire for a context-dependent version that can be enabled in relevant scenarios. Our findings highlight the need for context-aware PETs that provide effective mechanisms for consent negotiation.

Now You See Me, Now You Don't: Consent-Driven Privacy for Smart Glasses

Yahya Khawaja, Eman Nabeel, Sana Humayun, Eruj Javed, Katharina Krombholz, Muhammad Hamad Alizai, Naveed Anwar Bhatti.

IEEE PerCom 2026 · 2026

Smart Glasses · Consent · Privacy
Abstract

Smart glasses pose significant privacy challenges by capturing bystanders without notice or consent. Existing solutions often rely on permanent obfuscation, shift responsibility to bystanders, or offload sensitive data to the cloud, risking unauthorized access and denying meaningful control. We present a novel three-tier architecture for privacy-preserving smart glasses that enforces blurring at the point of capture, supports synthetic face replacement, and enables consent-based decryption of visual data. We implement SITARA, a working prototype on Raspberry Pi-based hardware, and demonstrate on-device blurring and secure consent mediation. Our evaluation shows that SITARA operates efficiently while achieving reliable bystander anonymization; furthermore, its synthetic replacement delivers perceptual quality competitive with state-of-the-art baselines, all without exposing raw video or undermining usability.

Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges

Sumair Ijaz Hashmi*, Shafay Kashif*, Lea Gröber, Katharina Krombholz, Mobin Javed. (* denotes joint authorship)

NDSS 2026 · 2026

Cloud Security · Configuration · Privacy
Abstract

Misconfigurations in cloud services remain a leading cause of security and privacy incidents, often stemming from the complexity of configuring cloud platforms. To better understand these challenges, we analyzed approximately 251,900 security- and privacy-related Stack Overflow posts spanning from 2008 to 2024. Using topic modeling and qualitative analysis, we systematically mapped cloud use cases to their associated security and privacy configuration challenges, revealing a comprehensive landscape of the hurdles cloud operators faced. We identified both technical and human-centric issues, including problems related to insufficient documentation and the lack of context-aware tooling tailored to operators' environments. Notably, authentication and access control challenges appeared in all identified use cases, cutting across nearly every stage of cloud deployment, integration, and maintenance. Our findings underscore the need for usable, tailored, and context-sensitive support tools and resources to help developers securely configure cloud services.

Understanding the Security Advice Mechanisms of Low Socioeconomic Pakistanis

Sumair Ijaz Hashmi*, Rimsha Sarfaraz*, Lea Gröber, Mobin Javed, Katharina Krombholz. (* denotes joint authorship)

🏆 Honorable Mention at ACM CHI 2025 · 2025

Security Advice · Intermediation
Abstract

Low socioeconomic populations face severe security challenges while being unable to access traditional written advice resources. We present the first study to explore the security advice landscape of low socioeconomic people in Pakistan. With 20 semi-structured interviews, we uncover how they learn and share security advice and what factors enable or limit their advice sharing. Our findings highlight that they heavily rely on community advice and intermediation to establish and maintain security-related practices (such as passwords). We uncover how shifting social environments shape advice dissemination, e.g., across different workplaces. Participants leverage their social structures to protect each other against threats that exploit their financial vulnerability and lack of digital literacy.

“I chose to fight, be brave, and to deal with it”: Threat Experiences and Security Practices of Pakistani Content Creators

Lea Gröber, Waleed Arshad, Angelica Goetzen, Elissa M Redmiles, Maryam Mustafa, Katharina Krombholz.

USENIX Security 2024 · 2024

Threat Landscape · Content Creators
Abstract

Content creators are exposed to elevated risks compared to the general Internet user. This study explores the threat landscape that creators in Pakistan are exposed to, how they protect themselves, and which support structures they rely on. We conducted a semi-structured interview study with 23 creators from diverse backgrounds who create content on various topics. Our data suggests that online threats frequently spill over into the offline world, especially for gender minorities. Creating content on sensitive topics like politics, religion, and human rights is associated with elevated risks. We find that defensive mechanisms and external support structures are non-existent, lacking, or inadequately adjusted to the sociocultural context of Pakistan.

Pakistani Teens and Privacy - How Gender Disparities, Religion and Family Values Impact the Privacy Design Space

Maryam Mustafa, Abdul Moeed Asad, Shehrbano Hassan, Urooj Haider, Zainab Durrani, and Katharina Krombholz.

CCS 2023 · 2023

Privacy · Gender · Teenagers
Abstract

The understanding of how teenagers perceive, manage and perform privacy is less well-understood in spaces outside of Western, educated, industrialised, rich and democratic countries. To fill this gap we interviewed 30 teens to investigate the privacy perceptions, practices, and experienced digital harms of young people in Pakistan, a particularly interesting context as privacy in this context is not seen as an individual right or performed within an individualistic framework but instead is influenced by a combination of factors including social norms, family dynamics and religious beliefs. Based on our findings, we developed four personas to systematize the needs and values of this specific population and then conducted focus groups with co-design activities to further explore privacy conflicts. Among other things that confirm and extend existing theories on teens' privacy practices and perceptions, our findings suggest that young women are disproportionately impacted by privacy violations and the harms extend beyond themselves to include their families.

Training Users to Recognize Persuasion Techniques in Vishing Calls

Sumair Ijaz Hashmi*, Niklas George*, Eimaan Saqib, Fatima Ali, Nawaal Siddique, Shafay Kashif, Shahzaib Ali, Nida Ul Habib Bajwa, Mobin Javed. (* denotes joint authorship)

Extended Abstracts of ACM CHI 2023 · 2023

Social Engineering · Psychological Training · Vishing Simulation
Abstract

Voice-based phishing attacks, in which a scammer uses social engineering techniques over a phone call to convince victims to divulge sensitive information, cause losses of several million dollars. We present a pilot study of a novel intervention that trains users to recognize phishing calls by identifying the persuasion principles used by the scammer. The training is implemented via a WhatsApp chatbot that includes example audio recordings and exercises of scam calls, and how the scammer employs the principle of authority in order to persuade the victim. 50 students from a university participated in the persuasion principles training. We then conducted a simulated vishing call a few days later to test how well the participants recognize the call compared to a control group (also 50 students) that was only given a general awareness training, and was not specifically trained to recognize authority via chatbot exercises. We also conducted interviews with participants from both the groups to understand the perceived usefulness of the training.

“Stalking is immoral but not illegal”: Understanding Security, Cyber Crimes and Threats in Pakistan

Afaq Ashraf*, - Taha*, Nida ul Habib Bajwa, Cornelius J. König, Mobin Javed, Maryam Mustafa. (* denotes joint authorship)

🏆 IAPP SOUPS Privacy Award @ SOUPS 2023 · 2023

Threat Landscape · Cyber Crimes · Young Adults
Abstract

We explore the experiences, understandings and perceptions of cyber-threats and crimes amongst young adults in Pakistan, focusing on their mechanisms for protecting themselves, for reporting cyber threats and for managing their digital identities. Relying on data from a qualitative study with 34 participants in combination with a repertory grid analysis with 18 participants, we map users' mental models and constructs of cyber crimes and threats, their understanding of digital vulnerabilities, their own personal boundaries and their moral compasses on what constitutes an invasion of privacy of other users in a country where there is little legal legislation governing cyberspace and cyber crimes. Our findings highlight the importance of platform adaptation to accommodate the unique context of countries with limited legal mandates and reporting outlets, the ways in which digital vulnerabilities impact diverse populations, and how security and privacy design can be more inclusive.


News

CIRCLE highlights & announcements.

May 7, 2026

Our paper "Mapping the Cloud" got published at NDSS 2026 (Core Rank: A*)! 🚀

May 7, 2026

IEEE PerCom 2026: "Now You See Me, Now You Don't" published by Bachelors students from LUMS 🚀

Jul 4, 2025

Our awesome PhD Student Lea Gröber successfully defended her thesis and graduated with the highest grade 🚀!

Open Positions

Positions are currently closed.

We currently do not have any open positions.

Institutions

This project is a collaborative effort by two partnering institutions: LUMS and CISPA.

Lahore University of Management Sciences

The Lahore University of Management Sciences (LUMS) is Pakistan’s leading research intensive university, excelling in teaching and driven by a philosophy of ‘Learning Without Borders’. LUMS provides an integrated curriculum uniting disciplines to focus on solving the grand challenges of South Asia and beyond. LUMS aspires to achieve excellence and national and international leadership through unparalleled teaching and research, holistic undergraduate education, and civic engagement to serve the critical needs of society.

CISPA Helmholtz Center for Information Security

The CISPA Helmholtz Center for Information Security is a German national Big Science institution within the Helmholtz Association. CISPA researchers explore all aspects of information security. They address the pressing global challenges in cybersecurity, data protection and trustworthy artificial intelligence. Conducting modern foundational research as well as innovative application-oriented research, they work to protect the digital space and improve industrial applications and products. CISPA promotes scientific talent, supports promising founders, and trains experts and executives for business and industry. In this way, it carries its research findings into society and strengthens Germany’s as well as Europe’s competitiveness.

Both institutions have previously collaborated on an EU-funded Erasmus+ project: RECYPHER: Rethinking cybersecurity in Pakistan – Human factors' essential role