a picture is worth a thousand words: privacy-aware and ... · privacy-aware and intuitive...

A Picture is Worth a Thousand Words:Privacy-aware and Intuitive Relationship Establishment

in Online Social Networks

Delphine Christin, Tobias Freudenreich, Matthias HollickSecure Mobile Networking Lab

Technische Universität Darmstadt64293 Darmstadt, Germany

{firstname.lastname}@seemoo.tu-darmstadt.de

ABSTRACTIn current online social networks (OSNs) such as Facebook,a new connection request usually only includes the nameand photo of the requestor and possibly a list of mutual con-tacts. Given that the creation of a forged user profile is nottoo complicated, it is challenging to verify if the contact re-quest is indeed genuine or from a forged account. Acceptinga connection invitation from a forged profile might severelycompromise the user’s privacy, since the attacker gets accessto a wealth of personal information and social relationships.In this paper, we present a novel and intuitive paradigm forsecure establishment of friendship links in OSNs. We pro-pose an interaction scheme that utilizes cues from snapshotscaptured using omnipresent smartphones to match and thusverify links in OSNs. We present a proof of concept imple-mentation of our scheme using Android smartphones andembedding the same with Facebook. Finally, we show re-sults from a user study with 25 participants, which demon-strates the intuitive and secure nature of our solution.

Categories and Subject DescriptorsK.6.5 [Management of Computing and InformationSystems]: Security and Protection; H.1.2 [InformationSystems]: User/Machine Systems—Human factors

General TermsOnline Social Networks, Privacy, Context-based Interaction

1. INTRODUCTIONSocial networking and the inclusion of user-generated con-tent are among the latest success stories of the Internet.The social networking website Facebook nears 600 millionusers [13], who share diverse information including their at-tendance at upcoming events, up-to-date information abouttheir status, pictures, and more. However, these contentsmay reveal sensitive information about the users, e.g., theirfavorite leisure activities, travel plans, or opinions. Theirdisclosure may lead to severe consequences ranging fromdismissals [12] to safety threats [8]. On existing platforms,these data are protected against disclosure by access controlmechanisms, generally realized in the form of contact lists.Other members can be added to these lists by sending themcontact requests. The members can control what kind of con-tent is disclosed to which of their contact lists using privacypreferences. Once the request is accepted, both members

can mutually access information posted on each other’s pro-files depending on their respective privacy preferences and avirtual relationship is established.

It has been demonstrated that members of online communi-ties tend to accept contact requests obliviously [3]. This be-havior may be driven by the simple curiosity of the membersand their eagerness to augment their list of friends. More-over, a user can base his decision to accept a contact requestonly on limited information, making the entire process sus-ceptible to attacks. As depicted in Fig. 1, a Facebook friendrequest contains only the user name, the profile picture ofthe requester and, possibly, a list of mutual friends. Addi-tional information such as date of birth, past and currentaffiliations or active ‘networks’ might also be found in therequester’s profile. However, forgers may easily infer thesedata using multiple information sources (e.g., personal web-site or profiles in diverse online communities) to create fakeaccounts [3]. Based on this limited amount of informationavailable in the friend request, the recipient may be unableto distinguish real accounts from fake ones. As a result,users may be tricked to authorize attackers to access theirdata, endangering their privacy and possibly incurring se-vere social and safety consequences.

We counter the risk of accepting friend requests from forgedaccounts by a mechanism that reliably verifies the identityof members who want to establish a virtual relationship. In-stead of relying solely on virtual interaction, our approachcreates unforgeable identity proofs based on intuitive phys-ical interactions between the members. As the majority ofnew mobile phones come with embedded cameras, we baseour interaction on this sensing modality. Two users locatedin physical proximity take a picture of a common subject.The subject could be a self-portrait of the two users as il-lustrated in Fig. 2 or any unique mutually agreeable object,which the users can recall at a later stage. The pictures com-plemented by spatiotemporal information are then uploadedby each user individually. Before establishing virtual links,these pictures are compared to verify the existence of a priorphysical interaction between them and consequently, verify

Figure 1: Example of friend request in Facebook

Third International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Phone Use (IWSSI/SPMU)June 12, 2011, San Francisco, CA, USA

Figure 2: Example of common subject

their respective identities. In the scope of this paper, weassume that the users establish friendship links with peoplewhom they have met in person (e.g., at conferences, duringholidays, or at social events), which is a fairly widespreadscenario as shown in [6]. However, we will investigate ex-panding our scheme to include friend requests from virtualfriends with whom no physical encounter has taken place inour future work.

Our contributions are as follows. In Section 2, we analyzethe design space to identify interactions able to provide suf-ficient proofs of users’ identities and we discuss our designdecisions. We describe our concept in Section 3 and an-alyze its resilience against identified attacks in Section 4.We detail the implementation of our proof-of-concept usingAndroid phones and integrated in Facebook in Section 5.In Section 6, we evaluate the usability of our concept byperforming a user study and we discuss related work in Sec-tion 7. We conclude this paper in Section 8.

2. SYSTEM MODEL AND DESIGNWe assume that two members of an online community, Boband Carlos, who meet in person, want to establish a virtualrelationship to share pictures. These pictures contain sensi-tive, personal information and shall remain private to both.Hence, to protect his privacy, Bob must ensure that theaccount presented by the system as Carlos’ account is notforged, before authorizing the access to his pictures. Recip-rocally, Carlos must verify that Bob’s account is trustworthy.From this scenario, we can derive the need for a mechanismto verify the real identity of the users and to establish secureand trusted friendship links. To identify suitable interactionschemes supporting the verification of the user’s identity, weanalyze the design space and discuss our design decisions.

2.1 Design Space AnalysisThe design of the solution is guided by the following crite-ria: Reliability of the provided proofs of identity, privacyguarantee, and usability. Based on these criteria, we an-alyze the feasibility of the following selected classes of so-lutions: Cryptography-based solutions, text-based puzzles,visual contact as proof, and proofs based on physical prox-imity. The results of the analysis are summarized in Table 1.

Standard authentication protocols, e.g Kerberos [11], sup-port authentication and identity verification, but they mainlyprovide guarantees at machine-level and not user-level andmay appear obscure and complex for inexpert users. As thesolution to design must be easy to comprehend, we discardinteractions only based on cryptographic mechanisms.

Short messages containing puzzles (questions/answer) to ver-ify the identity of the users could be exchanged in a text-based solution integrated in the existing friend requests, as

Table 1: Summary of the design space analysisReliability Privacy Usability

Cryptography-based + ++ −−solutions

Text-based puzzles − ++ −Visual contacts ++ −− +

Physical proximity ++ ++ ++

the users can write personal messages. However, the puzzlesmust be carefully selected in order to prevent attackers frominferring the answers from publicly available sources of in-formation. This scheme might be perceived as cumbersomeby the users, as they need to adapt the questions to eachperson depending on the nature of their relationship.

Further, the establishment of each friendship link necessi-tates the resolution of two puzzles to ensure bidirectionalidentity verification. The security of this alternative is there-fore determined by the selection of hard-to-solve puzzles,which negatively impacts on the usability and reliability ifpuzzles cannot be solved. As a result, users might recourseto trivial puzzles, rendering the mechanism inefficient.

Instead of using text-based proofs, visual contacts betweenthe members via web cameras may be envisaged. Althoughthis alternative promises to provide reliable evidence of themembers’ identities, it requires both users to be online at thetime of verification. Also, the immediate privacy may be en-dangered in case of a forger that may be able to temporarilyestablish a connection or to access the video streams. Apreliminary mechanism may thus be introduced to providesufficient identity proofs before establishing the connectionwithout any privacy threat. However, this leads to the prob-lem of the identity verification once again.

Alternatively to a purely remote, virtual exchange of proofsof identity, physical interaction of members may also be ex-ploited. Such interaction requires physical proximity of theusers, which, on a first glance, makes it less flexible com-pared with remote mechanisms. However, this alternativetakes advantage of the fact that online social networks typi-cally mirror real social links that are commonly establishedby direct interaction. Also, the scheme intrinsically guar-antees the identity of both members, without endangeringtheir privacy. Exploiting user proximity may hence sup-port user-friendly interactions involving the users physicallyin the establishment of the relationships and increase theirconsciousness about disclosure issues, as detailed in [5].

2.2 Design DecisionsBased on the results of the above analysis, we have chosen toexploit physical proximity for securely establishing virtualrelationships. In particular, it promises reliable proofs ofidentity without threatening the privacy of the users, whileoffering interesting interaction schemes that allow to im-prove user awareness and to increase usability. The physicalproximity scheme also neutralizes remote attackers, since thephysical presence is required to establish the relationships.Furthermore, despite the virtual nature of OSNs, most ofthe social links are established after offline meetings [6]. Ourscheme consequently supports the establishment of most re-lationships. To not exclude people who never physically met,


our scheme may however be used in combination with exist-ing mechanisms, such as friend requests.

As intermediary in the establishment process, we propose touse smartphones because of their ubiquity and their embed-ded sensors, which provide a large design space for physi-cal interactions. Instead of using existing schemes, such asBluetooth pairing or scanning the surrounding GSM basestations and Wi-Fi access points, we propose to utilize sim-ple, yet intuitive interactions, where the users are physi-cally involved to increase their awareness about the authen-tication process [4]. Preferably, the user should be famil-iar with the actions required, to increase the acceptance ofthe scheme. Among the possible sensor-based interactions,we selected camera-based interactions, as people are usedto spontaneously take pictures of friends and relatives withtheir smartphones. Jointly taken pictures become the rep-resentation of the newly established relationships.

3. CONCEPT AND PROTOCOLConsidering the above discussions, we design an interactionmechanism and the corresponding protocol to establish se-cure and trusted relationships within online communities.

3.1 OverviewAssume that Bob and Carlos want to establish a friendshiplink. They initiate this relationship by taking a picture of acommon subject with their respective devices, e.g., a snap-shot of themselves or a common object. The pictures arestamped with time and location information. They are suc-cessively uploaded by Bob and Carlos to the server of theonline community and serve as key for the pairing. Theserver searches its image database for matching images ingiven time intervals and in given locations. Once a match isdetected, both Bob and Carlos are presented with the searchresults and the proposed pairing. They can then proceed toestablish the relationship by confirming the pairing.

3.2 ProtocolWithout loss of generality, we assume that Bob initiates thefirst step of the protocol illustrated in Fig. 3. Bob takesa picture PB of Carlos and himself with his smartphone(Fig. 2). Then, Carlos repeats the same step with his owndevice and obtains the picture PC including Bob and himself.Metadata including author’s ID, timestamp T and locationinformation L are generated and attached to the pictures PB

and PC automatically. The location information does notrequire being the exact coordinates of the users, but mustprovide insights about their proximity by scanning, e.g., cell-IDs, and Wi-Fi access points. The smartphone initiates thecommunication with the server; we assume a secure chan-nel is being established using the SSL/TLS protocol. Thefollowing communication between the server and the end de-vices are secured by the SSL/TLS protocol. Once the per-sonal end devices are authenticated, the obtained picturesPB{TB , LB} and PC{TC , LC} are successively uploaded onthe server. When Carlos’ picture is uploaded, a search pro-cess is triggered to retrieve the picture formerly uploadedby Bob. To reduce the computation overhead and execu-tion time, the search first exploits the metadata T and Lstored with the pictures. Pictures taken within a prede-fined time interval and physical range (or sharing the same

Sear

ch

Sele

ctio

n

Bob CarlosServer

{Authentication(IDB )}SSL

{PB {IDB, TB, LB}}SSL

{PC { IDC, TC, LC}SSL

{L{ IDB, IDx,…}}SSL

{IDB}SSL

Confirmation request{IDC} SSL

{Confirm. response}SSL

{Notification}SSL

{Authentication(IDC)}SSL

{Notification}SSL

PC { IDC, TC, CC}

PB { IDB, TB, CB}

Figure 3: Protocol for establishing secure andtrusted relationships

location-context) around the timestamp TC and location LC

of Carlos’ picture are selected. The time interval is selectedaccording to an estimation of the time necessary for bothusers to perform the different tasks, while the physical rangedepends on the expected precision of the selected localiza-tion scheme. The pictures resulting from this first searchiteration are then compared with Carlos’ picture in orderrecognize Bob’s picture among them. Pictures showing thegreatest amount of similarities with Carlos’ picture are se-lected. The search process is achieved when the list of theresulting IDs L{ID1,ID2,. . . } is securely transmitted anddisplayed on Carlos’ personal end device. Scrolling the list,Carlos recognizes and selects Bob’s identity IDB among theproposals. The selection of Carlos is then transmitted se-curely and triggers a confirmation request sent to Bob. Thisconfirmation request includes Carlos’ identity IDC . Bobverifies the data included in the confirmation request andhis confirmation terminates the protocol by mapping bothidentities together and establishing a trusted relationship.

Without modifying the functionality of the above protocol,Bob and Carlos could also take arbitrary pictures involvingthe same elements/features of their surroundings. We se-lected self-portraits because they are a representation of thesocial context of the relationship, which is virtually estab-lished, and may increase the users’ awareness.

4. SECURITY ANALYSISIn our scenario, the main objective of the attacker is to gainaccess to data posted by the members on the sharing plat-forms. This objective may be motivated by multiple rea-sons including, e.g., simple curiosity, or willingness to harmthe users. To reach this objective, our attacker may cre-ate forged accounts with Bob’s and Carlos’ identities andtempt to intervene in the process of establishing the rela-tionship in one or both directions. To determine how secureour approach is, we analyze the possible consequences of thedifferent attacks on the establishment of relationships.

The SSL protocol protects the data against manipulationduring the transmission between the smartphones and theserver. We further assume that state-of-the-art security


Figure 4: Examples of pictures (A, B, C, D) taken with our prototype

mechanisms protect the data stored on the server from ac-cess and manipulation by potential attackers. Attackers aretherefore unable to modify pictures stored on the server inorder to establish relationships with other users.

Attackers may conduct the equivalent of replay attacks bytaking similar pictures as Bob and Carlos without being no-ticed. In this case, the account of the attacker appears inthe list of IDs proposed to Carlos. If the attacker’s accountdiffers from Bob’s account, Carlos notices the difference(s)and does not select the attacker’s account. If the attackercreated a forged account, two accounts with Bob’s identityare contained in the list and Carlos can detect the multi-ple accounts. He can warn Bob of the existence of a secondaccount and ask for his assistance to identify his actual ac-count. If Bob is able to distinguish his account from theforged ones, the relationship between Bob and Carlos canbe completed. Otherwise Carlos can abort the protocol toprevent the attacker from establishing of a relationship withhim and therefore, protect his privacy.

Attackers may create a forged account of Carlos’ accountand take a similar picture as Bob and Carlos. When Bobuploads his picture, the attackers may jam the channel andthen, upload their own picture from the forged account.Thus, the forged account appears in the list of IDs proposedto Carlos, who may not distinguish it from the actual oneand select it. Yet, as Bob does not receive any confirma-tion request and notification, he notices that the procedureis erroneous and can inquire with Carlos. By introducinga delay between the establishment of the relationship andthe activation of data access authorization, and an optionalmechanism to revoke the established relationship, Carlos’privacy may not be endangered.

To summarize, our approach is resilient against the above at-tacks and enhances the privacy of members of OSNs, as onlypeople met in person are authorized to access their informa-tion. Members can easily verify the identity of the contactrequester and detect forged accounts, preventing them fromaccepting requests coming from forgers who aim to abusetheir personal information and violate their privacy.

5. IMPLEMENTATIONWe implemented our approach on Nexus One smartphonesrunning the Android 2.1 operating system1. Illustrated inFig. 5, the user interface is designed to be simple, user-friendly and easy to comprehend by untrained users. Theusers log in with their Facebook account and a new entry(including the user’s ID, last name, first name, and pic-ture from his Facebook profile) is created at the first lo-gin in the MySQL database running on our server. The

1A video demonstrating our prototype can be found at:http://www.seemoo.tu-darmstadt.de/iwssi

Table 2: Similarity results between each pair of pic-tures

Pictures A B C D

A 0 0,144 0,156 0,181B 0,144 0 0,149 0,119C 0,156 0,149 0 0,164D 0,181 0,119 0,164 0

database also stores the uploaded pictures serving in estab-lishing the friendship links. The search process is initiatedby the server, which consults the database to retrieve thesecond element of the pair of pictures. The pictures are firstselected according to their timestamps and their locationinformation, which must be included in the predeterminedtime interval and location range. Only after this first pro-cessing, the content of the picture is analyzed. The imageprocessing in our prototype is based on the NaiveSimilari-tyFinder application [14] comparing the pictures using spec-tral and spatial features. Higher precision algorithms usingmore complex operations or supporting face recognition mayhowever be envisaged to scale to large sets of images, buttheir design remains out of scope of this paper. Table 2presents the results of the comparison of each pair of pic-tures depicted in Fig. 4. To obtain these values, the picturesare first normalized and equally distributed squares are ex-tracted from the pictures. For each square, the average ofeach RGB value is calculated. The similarity between thetwo pictures is then calculated by summing the Euclideandistance of each pair of squares. The pairs of pictures show-ing the lowest values present therefore the highest similar-ities, as e.g., pictures B and D. Despite the simplicity ofthe image processing algorithm, the pair matching was al-ways successful during our experiments. Once the picturesare paired, the server a confirmation request including thepersonal information about the user.

2:12 PM3G

Trudy

Take Picture

Find Friend

2:12 PM3G

Bob

Delphine

Trudy

add

add

add

2:12 PM3G

Trudy

Bob Carlos

You are now friends !

Figure 5: Design of the user interfaces

6. EVALUATION OF USER STUDYWe performed a user study to compare our approach withthe existing friend requests used in Facebook and to evaluatehow potential users perceive the usability of our prototype.We submitted a questionnaire to 25 persons (7 female and 18


27%

55%

18%

05

10152025

longer equal shorter I do not knowA

bsol

ute

num

ber

of u

sers The proposed mechanism takes ...

longer equal shorter I do not know

Average

Average

Standard deviation

30% 40% 30%

05

10152025

more complex

equal less complex

I do not know

Abs

olut

e nu

mbe

r of

pa

rtic

ipan

ts

The proposed mechanism is ...

more complex equal less complex I do not know

Average

5% 5%

90%

05

10152025

less secure

equal more secure

I do not know

Abs

olut

e nu

mbe

r of

pa

rtic

ipan

ts

The proposed mechanism seems ...

less secure equal more secure I do not know

Average

94%

6%05

10152025

Yes No I do not know

Abs

olut

e nu

mbe

r of

parti

cipa

nts

Do you trust the proposed mechanism?


76% 24%

05

10152025


Abs

olut

e nu

mbe

r of

parti

cipa

nts

Is the proposed mechanism intuitive?

Yes No I do not knowFigure 6: Evaluation of the user study showing the number of users per answer as well as the average answerand its standard deviation

male) at the TU Darmstadt and conducted a practical test.The user study was divided into three parts: (1) personalinformation and background on OSNs, (2) a practical testto add a new friend in Facebook, and (3) a practical test toestablish a relationship using our prototype. The practicaltests were conducted using a supervisor-based approach toguide the participants where necessary.

6.1 Personal InformationOur participants are primarily researchers (80%) working in12 different research labs, mainly focusing on security. Theremaining participants are undergraduate students (12%)and employees (8%). The users were between 20 and 37years old, with an average age of 29. Due to their back-grounds, the participants are more familiar with OSNs thanthe average population. However, at the same time theyare more suspicious about security and trust aspects. More-over, 20% of our participants did not have any experiencewith OSNs. The repartition of memberships and the averagecorresponding amount of contacts for the remaining 80% isthe following: 64% of users have an account at Facebook(with 74 contacts in average), 28% at Xing (78 contacts),28% at StudiVZ (38 contacts), 16% at LinkedIn (21 con-tacts), and 12% at Wer-kennt-wen (65 contacts). StudiVZand Wer-kennt-wen are German OSNs.

6.2 Adding a new Friend in FacebookTo investigate the ambiguity of the current Facebook mem-ber selection process, we created a forged Facebook accountunder the name of Delphine Christin and we completed itwith information publicly available on her personal webpageincluding a profile picture and educational information. Wealso asked two coauthors of papers and her advisor to ac-cept friend requests initiated by the fake account to createa realistic shortlist of friends. For the duration of the study,we disabled her primary Facebook account.

We asked the participants to search for Delphine Christinand add her as a friend in Facebook. Then, they indicatedhow many accounts with her name were displayed in thesearch results. 24% answered with 4 and 5 accounts re-spectively and 8% indicated 2 accounts. Only 44% of theparticipants gave the correct answer of 3 (precisely) match-ing accounts. The search results actually included 5 pro-files with the user names: Delphine Christin (three times),Christine Delphine, Christine Volpi. We observe that the

majority of the participants did not notice the differences inthe results, and may thus be easily influenced by attackerscreating forged accounts using slightly modified user names.

We asked the participants to indicate how they identifiedthe actual account of Delphine Christin. Multi-selection ofanswers allowed, among the proposed answers, 96% selectedthe profile picture, 28% the network and 28% the list offriends. We observe that the profile picture is the foremostselection criterion. However, finding a profile picture fora forged account is relatively easy and our group of usersmay therefore become victim of requests coming from forgedaccounts using a real profile picture of the users.

We concluded this task by inquiring if the participants weresure to have selected the correct account. 76% of the partic-ipants claimed to be sure, while 20% claimed the contrary.The remaining 4% were doubtful. We then explained themthat the account they selected was a forged account createdespecially for the study purpose.

6.3 Adding a new friend using our PrototypeTo evaluate the usability of our prototype, the participantsnext tested our proposed method to establish a virtual rela-tionship with Delphine Christin, who acted as friend-to-be-established. In a supervised setting, each participant per-formed the respective steps required by the protocol withone of the smartphones, as described in details in Section 3.2.

The participants compared our approach with the defaultmechanism used in Facebook to search and add new friends,according to the following criteria: Duration of the process,complexity of the process, perceived security and trust. Therepartition of the answers is detailed in Fig. 6. In summary,the participants found that our approach:

• Takes an equal amount of time

• Is perceived to be trustworthy and more secure

• Is perceived to be intuitive and not more complex

Asked, if they would adopt our approach to add new friendsin online communities, 68% of the participants would pre-fer our approach, while 16% would prefer using the existingmechanism. The remaining of the participants (16%) were


indecisive. We finally offered the opportunity to the partic-ipants to add personal comments about our prototype. Themajority of comments was positive including “I like the ideaof interacting physically”, “I like it”, and “It’s cool”.

7. RELATED WORKWe propose a novel mechanism to establish trusted relation-ships between members of online communities. In the cur-rent state-of-the-art, these relationships are mainly initiatedby friendship requests exchanged within the social networks,as e.g., the friend requests in Facebook. However, the lat-ter mechanism does not provide any guarantee about thereal identity of the account owner and the members may beeasily tricked into befriending owners of forged accounts. Incomparison, our approach eliminates this risk, as the utiliza-tion of physical proximity in combination with its connectedcontext information provides a reliable and reciprocal veri-fication of the member’s identities.

Our approach shares features with the hardware-based ex-change of digital business cards, which often relies on physi-cal proximity. Such exchange carries information that mightbe used to establish virtual relationships. Specialized de-vices, such as Poken [1], exchange personal information abouttheir carriers when these enter in physical contact, whileBump [2] matches the accelerometer data of two smart-phones bumped together to initiate the data exchange. Incomparison, our approach does not require investment inspecial purpose hardware, or specific interactions, respec-tively. Moreover, these approaches only use physical interac-tions to initiate the information exchange protocol withoutproviding any verification mechanism. To provide a similarlevel of security, the members would need to verify manu-ally that the transmitted information was not forged, whichmay rapidly appear as burdensome to the users. To sum-marize, both mechanisms exploit physical proximity to ex-change personal information, but the notion of secure andtrusted establishment of relationship is not included.

Furthermore, our approach shares similarities with mecha-nisms to pair devices, such as presented in [7, 9, 10, 15].The core idea to use sensor-based information is common,but we explore a novel dimension, as the nature of the pairedsubjects differs. We pair members of online communities viaphysical interactions, whereas device paring focuses on thedevices themselves. Based on simple and intuitive interac-tions already adopted by the users, our approach proposesa novel angle to combat forgers in online communities andestablish secure relationships between their members.

8. CONCLUSIONSUsers of OSNs like to share personal details such as snap-shots with their acquaintances and friends. Yet the basis forsuch exchange, the identification of friends, can be hit-and-miss in the presence of forged profiles. We have proposed aninteraction scheme for reliably establishing friendship linksin social networks. Departing from the common goal of ut-most simplicity in user interface design, we designed theinteraction to be natural yet explicit, thus increasing userawareness. In particular, we propose to leverage cues fromsnapshots taken in physical proximity, to match and verifylinks in OSNs. A secure protocol facilitates the interactionbetween users’ and the OSN. We have implemented a proto-

type system and have performed a user study. The obtainedresults are encouraging; users consider our approach to bemore secure and trustworthy, while the perceived complexitystays the same with the existing schemes.

9. ACKNOWLEDGMENTSOur thanks go to A. Reinhardt and S. Kanhere, as well asA. Oberle and the participants of the user study. This workwas supported by CASED (www.cased.de).

10. REFERENCES[1] Poken. Online: http://www.poken.com.

[2] The Bump Application. Online: http://bu.mp.

[3] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. AllYour Contacts Are Belong to Us: Automated IdentityTheft Attacks on Social Networks. In Proc. of the 18thInternational World Wide Web Conference, 2009.

[4] M. K. Chong and H. Gellersen. Classification ofSpontaneous Device Association from a UsabilityPerspective. In Proc. of the 2nd InternationalWorkshop on Security and Privacy in SpontaneousInteraction and Mobile Device Use, 2010.

[5] D. Christin. Impenetrable Obscurity vs. InformedDecisions: Privacy Solutions for Participatory Sensing.In Proc. of the 8th IEEE International Conference onPervasive Computing and Communications, 2010.

[6] N. B. Ellison, C. Steinfield, and C. Lampe. TheBenefits of Facebook “Friends”: Social Capital andCollege Students’ Use of Online Social Network Sites.Journal of Computer-Mediated Communication,12(4):1143 –1168, 2007.

[7] M. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, andE. Uzun. Loud and Clear: Human-verifiableAuthentication based on Audio. In Proc. of the IEEEInternational Conference on Distributed ComputingSystems, 2006.

[8] R. Gross and A. Acquisti. Information Revelation andPrivacy in Online Social Networks. In Proc. of theACM Workshop on Privacy in the Electronic Society,2005.

[9] R. Mayrhofer and H. Gellersen. Shake well before Use:Authentication based on Accelerometer Data. In Proc.of the 5th International Conference on PervasiveComputing, 2007.

[10] J. M. McCune, A. Perrig, and M. K. Reiter.Seeing-Is-Believing: Using Camera Phones forHuman-Verifiable Authentication. In Proc. of theIEEE Symposium on Security and Privacy, 2005.

[11] B. Neuman and T. Ts’o. Kerberos: An AuthenticationService for Computer Networks. IEEECommunications Magazine, 32(9):33–38, 2002.

[12] B. Quinn. Virgin Sacks 13 over Facebook ‘Chav’Remarks. Online: http://www.guardian.co.uk.

[13] L. Rao. More Evidence That Facebook Is Nearing 600Million Users. Online: http://techcrunch.com.

[14] R. Santos. Java Image Processing Cookbook. On-line: http://www.lac.inpe.br/JIPCookbook/index.jsp.

[15] N. Saxena, J. Ekberg, K. Kostiainen, and N. Asokan.Secure Device Pairing based on a Visual Channel. InProc. of the IEEE Symposium on Security andPrivacy, 2006.


a picture is worth a thousand words: privacy-aware and ... · privacy-aware and intuitive...

Documents