1 FEMALE PRIVACY AND CLOUD SECURITY 1 Female Privacy and Cloud Security via Smartphones Jasmijn Kol, Dominik Terweh, Judith Weda Cyber-Crime Science Prof Dr Pieter Hartel, Prof Dr Marianne Junger , University of Twente
2 FEMALE PRIVACY AND CLOUD SECURITY 2 Abstract This research tries to determine whether or not an educational game could be a satisfying prevention method against the leakage of personal data from clouds. Due to recent leakage of celebrity nude photos, women are getting aware that they have insufficient knowledge about protecting their own privacy on phones and clouds. Through questionnaires and a serious game or task list, participants are examined on their cloud and phone skills. Participants using a list to complete tasks take a significant amount of more time to complete tasks compared to participants who use the game. Introduction Due to a recent leakage of celebrity nude photos, women are getting aware that they have insufficient knowledge about protecting their privacy on the Internet. This is a big problem, since many (young) women have private pictures on their phones. They often do not know that these pictures get stored, automatically, in huge databanks or clouds. Leakage of these images to the wrong people could have huge consequences for their future career and private life. Therefor, it is key to educate women on the dangers of cloud storage, prevention and security as best as possible, for their own protection. Literature study Harassment, cyber stalking and cyber-pornography are the most used crimes against women worldwide. (Agarwal, 2013) The second being the most relevant to this paper, since posting someone s private pictures online is a type of cyber-stalking. It is also stated by Agarwal, that Cyber stalking usually occurs with women, who are stalked by men, or children who are stalked by adult predators. [ ] It is believed that over 75% of the cyber-stalking victims are female. The motives behind cyber stalking have been divided into four reasons, namely, for sexual harassment, for obsession for love, for revenge and for ego and power trips. (2013, p.
3 FEMALE PRIVACY AND CLOUD SECURITY 3 2). It is supported by Halder and Jaishankar, that these crimes mostly seem to be in a sexual nature. They state that: In most cases male harassers attack the victim for sexual purposes like morphing, using the image for pornographic purposes, cyber stalking etc. [...] (2009, p. 12). In this new age females are at a higher risk of these crimes, especially when they act carelessly when sharing or storing sensitive information. Individuals may increase their chances of coming in contact with potential harassers by regularly using computer-mediated communications such as chat rooms or social networking sites to connect with others (Finn, 2004). These are all very basic services, used by practically everybody. Any individual that does not know how to protect him or herself could be a potential victim of cybercrimes. The Internet and easy sharing shows to be a threat to women around the globe especially those that are unaware of the dangers and consequences of sharing indiscriminately. The obvious danger associated with sexting is that the material can be easily and widely disseminated. Once the message or image is in cyberspace, the sender loses control over the material and cannot assume that it will remain private. (Katzman, 2010) It is easy to forget that once something has been placed on the Internet, on a cloud or otherwise, it is unlikely for it to ever be fully deleted. Therefore women have to be educated about the risks they take when they take pictures and store them. The goal of the research is to find ways to improve cloud- and phone safety awareness, in women. Finn claims that: Individuals must become savvy both online and offline; know how to take precautionary measures in cyberspace and how to seek recourse if their rights are violated. (Finn, Banach, 2000) Dashora introduces a list of things one can do to protect oneself from cyber crime. (2011) They are useful tips, but they might not reach people, as they are stated in a scholarly paper. Misra mostly talks about several remedies to help prevent cyber crime. The most important thing for this research is the introduction of raising awareness about cyber culture and it s drawbacks. (2011) The intention is to educate through a game, designed to help women secure their phone and data.
4 FEMALE PRIVACY AND CLOUD SECURITY 4 It has been shown that serious games are powerful learning tools, not limited to training but useful for a vast diversity of educational purposes. (Mouaheb, Fahli, Moussetad, Eljamili, 2012) Computer and videogames can be regarded as providing authentic, meaningful and powerful contexts for learning. [ ] Further, when contrasted with traditional views of education, games provide a learner-centred rather than teacher-centred approach to education. (Stapleton, 2004, p.5) The game should make the users more aware of the dangers of the Internet and make them better at securing their phone in comparison to their peers. This is a prevention method. It will not solve the problem of hackers trying to get personal data from women (or male users). However, helping women to secure their phones will, hopefully, prevent another leakage of personal photos from happening again. Method The study that will be performed is whether or not an educational game is a good way to teach women about how their phone security works and how to prevent big security leakages. There will be a test group and a control group. Both groups will fill out the same questionnaire. After the first questionnaire, the control group will do six tasks without the help of any medium. The test group will get an educational game, which will guide them through the same tasks. The game provides both an explanation and enjoyment while completing the tasks. What will be tested, is if participants have a better ability to find the things they need to do to protect their phone and why, with an educational game. In Appendix B, a description of this educational game, the intervention, will be provided. At the end of their session, the test subjects will fill out another questionnaire, to see if their skills and knowledge about phone and cloud security has improved. During the second part of the research (the completion of the tasks), both groups will be observed by one of the researchers. The observer will be present to assess the subject and their skill and skill
5 FEMALE PRIVACY AND CLOUD SECURITY 5 improvement, as well as their reactions to the game, if the subject is part of the test group. Which group a subject is part of will be randomly decided before their session begins. Both groups will consist of women only, as they are the main target group. The subject group will be a small, random sample of women between the ages of 18 and 30. This is the group that is most vulnerable to online cyber stalking attacks of a sexual nature. The observer will write down the time that each participant spends on each task, how much difficulty the participant had while completing each task (at a scale of 1 to 5), and if the task was completed or not. The tasks that the participants will need to complete are: 1. Check whether your system is up to date 2. Turn off add tracking. This prevents companies from using your browser data to give you personalized ads. 3. Turn off location tracking completely or for certain apps. 4. Access your cloud (icloud for iphone users, Google Drive for Android). 5. Turn off the automatic back-up function 6. Turn off the iphone keychain (iphone) or the function which codes your documents (Drive) There are two hypotheses in this research that need to be taken into account. First and foremost, one assumption is that the test group will give a better performance when it comes to the completion of the tasks. This means that they will either take less time in completing the tasks, they will complete more tasks, or they struggle less compared to the participants in the control group. The second hypothesis is that the test group will have a better understanding of how to secure their phone and why. This can be measured using the outcome of the second test. There should be a significantly larger improvement between the first and second test, compared to the control group, to support this hypothesis.
6 FEMALE PRIVACY AND CLOUD SECURITY 6 The independent variables are: age, study and the skill of the participant when it comes to their phone and its security. Age and study can be of influence. Knowledge can come with age or younger women might be better in securing their phones because of recent technological developments, instead. The study of the participant could be of importance since some studies have a higher regard for technology than others, which might influence the abilities of the participant. The last of these dependent variables is likely to have the most influence on the dependent variable. The dependent variable in this research is whether the subject can successfully secure their phone or not. The independent variables are measured using the questionnaires. The skill of the participant is measured based on the subject s own perception of their skills. Questions such as: Do you have an affinity for technology?, How well do you know your phone on a scale from 1 to 5? and Do you think that your phone is secured well? try to give a rough estimate of the participants skills about their phone usage. This estimate might have an influence on the participant s ability to secure their phone, which is why this is an independent variable. The dependent variable is measured by observing the participants while they complete the tasks. Results The results that are found will be discussed in this section of the document. There was a significant difference between the performances of the participants in the test group, compared to those in the control group. The observers classified the participant s abilities per task, by determining the amount of struggle that was seen in the participant (Figure 1+2). Figure 2: All over average times for the two groups needed to perform the tasks.
7 FEMALE PRIVACY AND CLOUD SECURITY number of people tasks little rather little okay a lot very much STRUGGELING Figure 1: the control group performs the tasks with observations number of people tasks little rather little okay a lot very much STRUGGELING Figure 2: the test group performs the tasks with observations From this figure, it is clear that people without the educational game, struggled more compared to those who could play the game. The differences are especially obvious for task 3 (Appendix C, TASK 3) and 5 (Appendix C, TASK 3). The test group had no issues at all in completing this task, while about half of the control group participants struggled on these same tasks. With task 2 both groups seemed to struggle. However, 70% of the participants of the control group struggled very much compared to 10% of the test group. Also 20% of the participants of the control group do not have any struggles at all, compared to 40% of the test participants. Therefor, based on the numbers, we can state that the test group performed better on average, compared to the control group.
8 FEMALE PRIVACY AND CLOUD SECURITY task no control group test group time in seconds Figure 1: the control group performs the tasks with observations (Appendix C, TIME) The time spent per task was also measured. The average time needed per task can be found in Figure 3. For the second task, the control group needed a lot more time then the test group. The same goes for task 5. For task 4, the test group needed more time then the control group, on average, which is slightly surprising. Conclusion and discussion Concluding from this research, it can be said that the interference of a game is a positive teaching method. This, because the game caused a better performance under the participants, compared to the participants who did not use the game. It appears that the women who participated had a better understanding of how to secure their phone once done with the tasks in the game. They also thought they would use some of the things learned in the game, in the future. This is a very positive observation. However, the amount of participators (20 total, 10/10) is not a big enough sample to draw this conclusion over a larger group of people. Not enough information has been gathered for this research to actually qualify as valid. For further research, more participants need to be found. Also the game is quite simple. It fulfilled its use during the research, but on a bigger scale, it would be better to have a somewhat more professional game.
9 FEMALE PRIVACY AND CLOUD SECURITY 9 References Agarwal, R. (2013) Cyber Crime Against Women and Regulations in India <http://www.tmu.ac.in/gallery/viewpointsdcip2013/pdf/track4/t-403.pdf> Dashora, K. (2011) Cyber Crime in Society: Problems and Preventions. Journal of Alternative Perspectives in the Social Sciences. 3 (1) Finn, Jerry A Survey of Online Harassment at a University Campus. Journal of Interpersonal Violence 19 ( 4 ): Finn, J. & Banach, M. (2000) Victimization online: The downside of seeking human services for women on the Internet. CyberPsychology & Behavior. Halder, D. & Jaishankar, K. (2009) Cyber Socializing and Victimization of Women, Temida, p Katzman, D.K. (2010) Sexting: Keeping Teens Safe in a Technologically Savvy World <http://www.cps.ca/documents/position/sexting> Misra, R. (2013) Cyber Crime Against Women <http://papers.ssrn.com/sol3/papers.cfm?abstract_id= > Mouaheb, H., Fahli, A., Moussetad & M., Eljamili, S. (2012) The Serious Game: What Educational Benefits?, Procedia Social and Behavioral Sciences, Vol.46, p
10 FEMALE PRIVACY AND CLOUD SECURITY 10 Stapleton, A.J. (2004) Serious Games: Serious Opportunities. Melbourne, VIC. Appendix A Checklist ethical permissibility of research. This version of the checklist is only to be used for proposed research conducted as part of the Cyber-crime Science Course. Items that are greyed-out should not be changed. If you would like to answer one of the greyed-out questions differently, you must complete the regular (full) checklist instead, which can be found on the web site of the ethical committee: General When answering the questions, it is advisable to consult the chapter on standardized research (see the protocol on the web site of the ethical committee) because the answers will be considered with this in mind. 1. Title of the project: Cloud and phone safety awareness 2. Principal researcher: Pieter Hartel 3. Researchers: Jasmijn Kol, Dominik Terweh, Judith Weda 4. Department responsible for the research: EWI/SCS 5. Location where research will be conducted: University of Twente 6. Short description of the project (about 100 words): The research will explore whether cloud and phone security can be improved by playing a simple game guiding female users through their phone and maximize their safety as well as teaching the users about the importance of cloud and phone security. 7. Expected duration of the project and research period: 3 weeks 8. Number of experimental subjects: EC member of the department: Roel Wieringa Questions about general requirements and conditions 1. Has this research or similar research by the department been previously submitted to the EC? Yes, No If yes, what was the number allocated to it by the EC? (See the Website of the Ethical Committee) 2. Under which category does the research fall with regard to the consideration of Medical / Not medical? Category D Category A Category B Category C Uncertain, explain why Explanatory notes: This is non-medical research with negligible risk, hence category D. 3. Are adult, competent subjects selected? Yes, indicate in which of the ways named in the general requirements and conditions this is so No, explain Uncertain, explain why Explanatory notes: Only females between the ages of 18 and 28 are selected to join this research
11 FEMALE PRIVACY AND CLOUD SECURITY Are the subjects completely free to participate in the research, and to withdraw from participation whenever they wish and for whatever reason? Yes No, explain why not Uncertain, explain why Explanatory notes: Subjects are completely free to deny participating in the research and are free to leave at any time during their session. 5. In the event that it may be necessary to screen experimental subjects in order to reduce the risks of adverse effects of the research: Will the subjects be screened? Screening is not necessary, explain why not Yes, explain how No, explain why not Uncertain, explain why Explanatory notes: The risk for subjects is nil, hence no screening is required. 6. Does the method used allow for the possibility of making an accidental diagnostic finding which the experimental subject should be informed about? (See general conditions.) No, the method does not allow for this possibility Yes, and the subject has given signed assent for the method to be used Yes, but the subject has not given signed assent for the method to be used Uncertain, explain why Explanatory notes: 7. Are subjects briefed before participation and do they sign an informed consent beforehand in accordance with the general conditions? Yes, attach the information brochure and the informed consent form to be signed No, explain why not Uncertain, explain why Explanatory notes: 8. Are the requirements with regard to anonymity and privacy satisfied as stipulated in 5.2.7? Yes No, explain why not Uncertain, explain why Explanatory notes: All researchers will complete and sign a PII form (as attached to this document) to state that they will treat all data according to of the protocol 9. If any deception should take place, does the procedure comply with the general terms and conditions (no deception regarding risks, accurate debriefing)? No deception takes place The deception which takes place complies fully with the conditions (explain) The deception which takes place does not comply with the conditions (explain) If deception does take place, attach the method of debriefing Explanatory notes: 10. Is it possible that after the recruitment of experimental subjects, a substantial number will withdraw from participating because, for one reason or another, the research is unpleasant? No Yes, that is possible Questions regarding specific types of standard research Answer the following questions based on the department to which the research belongs. 11. Does the research fall entirely within one of the descriptions of standard research as set out in the described standard research of the department? Yes, go to question 12 No, go to question 13
12 FEMALE PRIVACY AND CLOUD SECURITY 12 Uncertain, explain what about, and go to question 13 Explanatory notes: 12. Give a more detailed specification of the research. Provide all possible data that is relevant for an ethical consideration. I.e. is there any risk for stress for the subjects? If they self-select, explain how and consider any possible discomfort they may experience when taking part in the experiment. No deception will take place during the research. The game will be carefully designed as to not cause stress for the subject. Appendix B Description of the intervention The intervention was given to the test group, consisting of ten, randomly picked, female students between the ages of 18 and 30. The intervention was done by an educational game, or a playful guide. This would help the participants understand how to secure their devices as best as possible. The game will go through the following tasks: 1. Check whether your system is up to date 2. Turn off add tracking. This prevents companies from using your browser data to give you personalized ads. 3. Turn off location tracking completely or for certain apps. 4. Access your cloud (icloud for iphone users, Google Drive for Android). 5. Turn off the automatic back-up function 6. Turn off the iphone keychain (iphone) or the function which codes your documents (Drive) The tasks are explained by Jenny, a virtual personality that tells the users about the tasks and why these tasks are important to complete. Using screenshots from Android phones and iphones, the game guides the participant through all the steps that are necessary to take to complete each task. The participant can click through each task using the mouse button. Some screenshots of the intervention method can be found in Figure B1 and B2.
13 FEMALE PRIVACY AND CLOUD SECURITY 13 Figure B1: First question to be answered by the participant.
14 FEMALE PRIVACY AND CLOUD SECURITY 14 Figure B2: One of the tasks given to an iphone user. Appendix C Calculations for significance TASK 3: Calculations for the control group for the performance on task 3 For the test group the mean is 5 since there are only 5 in the sample. Since the mean of the test group is out of the boundaries of the 90% confidence interval we can say that the hypothesis that the game influences the performance of the players (in this case in task 3) is true with a probability of 90%.
15 FEMALE PRIVACY AND CLOUD SECURITY 15 TASK 5: Calculations for the control group for the performance on task 5 For the test group the mean is 5 since there are only 5 in the sample. Since the mean of the test group is out of the boundaries of the 95% confidence interval we can say that the hypothesis that the game influences the performance of the players (in this case in task 3) is true with a probability of 95%.
16 FEMALE PRIVACY AND CLOUD SECURITY 16 TIMES: Calculations for the control group for the testing times Calculations for the test group for the testing times Since the mean of the test group is out of the boundaries of the 85% confidence interval we can say that the hypothesis that the game influences the time of the tasks is true with a probability of 5%.