Ad-hoc Guesting: when exceptions are the rule
Brinda Dalal1, Les Nelson1, Diana Smetters1, Nathaniel Good1, Ame Elliot2
1Palo Alto Research Center, Inc., 3333 Coyote Hill Road, Palo Alto, CA 94304, {bdalal, smetters, nathaniel.good}@parc.com, lesnelson@acm.org
2IDEO, Palo Alto
Abstract
People’s work days are filled with exceptions to normal routine. These exceptions affect the security and privacy of their information access and sharing. In a recent ethnographic study of ten users in the Bay Area, we identify a number of key problems not well addressed by current data sharing technologies, and from them derive requirements for Ad-hoc Guesting, our term for minimal, readily available access control addressing situations not planned for in advance.
Information sharing and
persistent data access is increasingly critical to people’s work and
personal lives. Yet, corporate security policies rarely comprehend dynamic user
models and people’s informal and persistent practices around ad-hoc
sharing. This paper reports the results of a field study focusing on
people’s practices around access control, security and file sharing.
Our study sought to
understand three areas: under what circumstances do people or companies share
or restrict access to files, what tools or behavioral norms are being used to
do so, and how are people’s experiences, problems and needs changing in
regard to secure file sharing and access control, especially in the case of geographically
dispersed colleagues, clients, friends and family members?
We identified a number of
key problems users face in sharing data:
· Sharing with myself: users are their own most common sharing partner, effortfully moving data between their own machines, accounts and devices in order to ensure continued access.
· Transient data: users often need to hold data only briefly while transporting it from one place to another; that data may linger, be lost and forgotten.
· Transient access: users need to access data for only short periods of time – they intend only one-time access, or to make data available in certain situations.
· Oversharing: users grant more access than necessary when it is difficult to limit who has access to content or how much to share with others, or when pressed for time to extract information from larger data sets.
· Ad-hoc sharing: users often share content with groups of recipients they have not shared with before, and may not again.
· Impedance matching: users spend considerable time and effort tailoring content for sharing based on their understanding of recipient needs or the demands of the sharing mechanisms in use.
Based on these insights, we propose that the general nature of the problem faced by users is what we term ad-hoc guesting: users need to share data securely with unplanned sets of people with whom they have not previously shared, who may belong to another organization and thus cannot be “named” by traditional access control. These interactions are transitory and lightweight, often not worth the effort required to set up new sharing mechanisms or change administrative state.
Our research builds upon a
growing body of literature on file-sharing and access control. Previous studies
have focused on personal file sharing, specifically, in the domains of music
[3,4] or photographs [1,2],
or professional collaborations in corporations [6], where email is viewed as
the preponderant medium for file sharing [6,7].
Ahern et al. [1] investigated sharing preferences for personal photos over a mobile
phone photo sharing network, and discovered that access control mechanisms were
too coarse for many users’ needs. They found that end users often
overloaded access control mechanisms in order to get around usability issues,
such as making all their photos public to make it easier to share photos with
friends and family.
Whalen et al. [7] surveyed corporate users on document and access control practices, and found that end
users had complex policy needs that changed over time and were inadequately
addressed by current file sharing and access control mechanisms. Voida et al.
[6] created a taxonomy of current file sharing technologies and their
attributes. They also found that policies played an important role in
users’ privacy decisions, and that current tools were inadequate in
meeting people’s complex requirements; a finding supported by [8]. Both
of these studies considered subjects within a single organization, all of whom
had access to similar, established file sharing mechanisms (e.g. file servers, etc.). They did not, however, consider the effect that
these preexisting options had on the challenges users would face or the choices
they would make when sharing across organizational boundaries, or operating in
the absence of pre-existing shared infrastructure.
Email is routinely chosen as
the preferred means of sharing files even in the presence of other alternatives
[6,7]. The affordances of file-sharing through email are well-known [6,7]: for
instance, you can easily share multiple files with multiple people simply by
specifying recipients’ addresses. People try to avoid mis-sharing by
using the subject line of emails as a marker, or making explicit their requests
about the content of documents or what actions they expect from recipients.
However, email servers and clients typically enforce message size limits or restrict the types of files that can be sent. Moreover, the
file is only accessible to the people who received the email: if others wish to
access the file, one of the recipients must find and send on the original file.
Email also does not provide a means to revoke access to a file, or allow you to
view how the file is being accessed. In addition, email is difficult to use for
personal storage and versioning tasks. Multiple copies of similar documents can
crowd an inbox, and make searching for changes between documents more
difficult. Thus file sharing through email remains complex.
What this study adds to the
discussion is an exploration of what properties users need from content sharing
mechanisms largely in the absence of any a priori shared infrastructure. Based on interviews of users across various domains, we were
able to explore access control and sharing issues across different types of
organizations, such as those with stricter or more lax regulations and
compliance policies. We examined in some depth how file-sharing and access
controls were used, not used or circumvented in order to get work done. From
this analysis we identified key challenges faced by those using and choosing
among current file sharing technologies, including email, and derived a set of
design criteria we would expect a more effective “sharing system”
should meet.
We conducted ten 2-hour,
in-depth interviews with respondents in their homes, home offices, or in cafes
where people worked, in the spring of 2007. Interviews consisted of
semi-structured and open-ended questions about file sharing practices and
people’s perceptions around access control. Participants were also asked
to evaluate paper interface mock-ups relating to security and privacy (results
from that research have been addressed elsewhere and will not be covered in
this paper).
Participants were recruited
through an online site, and pre-screened using a survey followed by a telephone
call. Recruiting criteria included those who (a) used laptops and desktop
computers, (b) used two or more mobile devices (such as a cell phone and
personal digital assistant), (c) worked with colleagues who were not
co-located, and (d) traveled frequently or had been on an overseas business
trip within the last six months. We selected participants with file sharing and
access control challenges, such as having to work with multiple clients from
different organizations, or share data with geographically dispersed teams, or
those who needed access to confidential data. Altogether, we interviewed six
men and four women between 23 and 53 years of age, who worked in finance, health
care, travel and tourism, design, engineering (civil, electrical, and
software), and product management. The size of their companies ranged from 3 to
150,000 employees. Each interview was conducted by researcher pairs covering
backgrounds in anthropology, design, security, and computer engineering.
Respondents were asked to describe examples of their professional and personal practices around security, privacy and file
sharing. We encouraged them to add to a preliminary list of devices, file
types, content, social software applications, locations and other variables,
and to select any items that triggered thoughts about their practices. Each
interview was recorded and transcribed, then analyzed using a grounded theory
approach [5]. Data were clustered into emergent categories and cross-cutting
themes. Common themes, issues, dilemmas, and trade-offs that people made
between levels of security and their ability to complete tasks were identified.
Findings were discussed through three design sessions, and used to generate
technology requirements and proposed solutions.
Our study highlights
distinctions between personal and professional sharing; we identified a variety
of infrastructure and devices used, the types of content that people shared,
the ways in which items were shared or accessed, and where people were located
at the time that they shared documents with each other. 80% of respondents
shared files with overseas collaborators or clients in Europe and the
Asia-Pacific region, and 100% exchanged data with colleagues across the US.
When working from home, consultants and employees in mid-large corporations
often shared files through distributed corporate servers, and in three cases,
on protected FTP sites. Predominantly, the data shared in professional settings
revolved around project work: shared documents included technical
specifications, meeting minutes and action items, proposals, reports and in one
case, an analysis of soil samples. One of the primary affordances of using a
shared server within a company was the ability to reuse documents from one
project to another. Frequently, people described how they incorporated sections
of an old proposal or template into a new document, “[I] see if I can
borrow text from it and pull information into what I am doing.” At the
same time, people found it time-consuming to browse different versions of
documents to find the proposal they wished to reuse and resorted instead to
telephoning or emailing their colleagues to obtain the appropriate copy. As one
person explained, “Emails end up being the simplest way to do it, rather
than my looking around on their server”.
In contrast, people’s
personal file sharing practices focused on ways in which experiences could be shared with others. The content being
shared in this case—primarily multi-media—was relational in nature,
such as sharing photographs of events with family members who live overseas. We
also found a surprising number of people shared the same personal account. For
instance, relatives scattered across the US used a photo sharing account that
had a single login and password to ensure privacy. Another set of parents set
up a “family email account” and used email messages within the same
account to discuss homework with their children in the evening.
All respondents used email
to share files. 90% of subjects mentioned that they had multiple email accounts
(largely personal accounts) and 80% said that they used personal email accounts
for business.
80% of respondents, regardless of their demographics,
also used a wide variety of social software, including wikis, blogs, social
networking sites (including MySpace and Facebook), hosted services (such as
Yahoo! Briefcase), public websites for sharing images and multi-media files
(including Flickr, YouTube), and online forums and games.
Respondents drew a distinction between two kinds of file sharing: sharing with self, and sharing with others. File sharing with oneself serves an important function,
allowing people to synchronize their activities regardless of location (work,
traveling, or home), accessibility (i.e., whether people can access corporate
servers while traveling), or what devices are at hand (laptop at home, USB
drives or hosted services).
Sharing with oneself
addresses the need to maintain persistent access, regardless of the technical
or security constraints in one’s environment. For example, interviewees
who did not have a printer at home often uploaded files to Yahoo! Briefcase,
then downloaded and printed the files at their office. 80% of the respondents
used USB drives (rather than laptops) to download content at client sites,
especially when policies required that they contact IT administrators before
accessing electronic files.
Email is a convenient and
preferred mechanism for sharing files with oneself, especially for shorter term
tasks. Respondents who programmed at home in the evenings described how they
preferred to email snippets of code from work to their personal email accounts
instead of using CVS directories on corporate servers (which involved lengthy
login procedures), or when they wished to avoid having corporate IT install
security policies on their personal laptops.
Most respondents had multiple email accounts (some up
to 12 or 15) and used these accounts as a data management device. Different
types of content were filtered into different accounts - work, friends, dating
services, rental businesses, family photographs or spam. However, professional
and personal accounts bled into one another, opening avenues for significant
security lapses. When email or corporate servers were inaccessible, people
readily sent files to consultants using their personal email accounts. While this served a short term need, people
said they later ran into trouble trying to track source documents and different
versions across their accounts.
Users frequently handle what
we are calling “transient data”, or data useful for a single
instance or for a task conducted in short order. Transient data are often
placed in transient locations or on devices that serve people’s short
term needs, such as Yahoo! Briefcase, USB flash drives, FTP sites, or in
emails to oneself or others. The “throwaway nature” of temporary
storage and devices has constraints. For example, one individual remarked that
she had a shoebox full of USB drives. Other respondents reported having
anywhere between 2 and 15 active or inactive flash drives stored in their cars,
briefcases, at work, or at home. “Fobiquitous tracking” is
problematic for many: where does the information reside on my growing number of
USB storage fobs? Is this fob the most recent one? Sensitive data might
languish, unremembered, on such fobs forever.
Users dealt with such “throwaway data” at
different levels of granularity up to and including entire accounts or
identities. Respondents increasingly lacked the time to manage their accounts,
and tended to shed rather than sort, delete or destroy private data. One
individual said that she simply discarded old web accounts and opened new ones.
4.3. Transient Access
A number of individuals noted a need for transient access to data. Consultants, for example, were only supposed to have access to client data during the period of their contracts, or while working in a certain environment.
It can be difficult to go back and “fix” unwanted lingering access, as with another respondent: “But that pretty much is just a few phone calls, desperate phone calls saying ‘Delete from your servers, delete from your company, make sure it’s completely clean.’ You’re at the mercy of hoping they follow your request.”
4.4. Oversharing
Oversharing occurs in
situations where people share too much, or share inappropriate information with
others or themselves. For example, restrictive privacy policies compound the problem for
contractors who have limited access to corporate databases: “I have no
permissions to get into anything. Other subcontractors are in the same boat,
which shouldn’t be a problem except that people forget it, so
there’s a lot of assigning out...of staff, ‘Can you make sure you
send her a disk?’ So [the staff member sends me] files that I don’t
even really need....”
Time compounds the issue, and results in oversharing with
oneself. A healthcare consultant noted that when she visits a client site, she
lacks sufficient time to go through the client database in order to extract the
data she needs, and thus ends up downloading entire files (including social
security numbers) onto USB drives. She
remarked, “There are a lot of rules trying to get permission from state
agencies [to access confidential data]. A lot of data really is protected, so a
lot of times the only effective way for me to do the work really disturbs me.
Like I can’t get permissions, but I can dump huge amounts of data on
flash drives that I can then [in theory] lose.”
Our research found an increasing trend for companies to delegate access control to other companies. Rather than set up extranet sites for consultants or provide them with logins and passwords, companies now expect their consultants to provide a secure but provisional electronic site on which to store interim data or final reports.
People have varying degrees of perceived and actual
technical skills required to use systems, and consequently, there is a
disparity in the need for sharing. Often those with greater need faced the
burden of the extra work to obtain or share files. As one subject reported
about a newly installed web-based repository, “I think we have folks with
very limited technical comfort. So for that reason I always have to upload my
files [to the repo] and then email them around, so it’s sort of another
step rather than saving a step.”
A major concern among
respondents was preventing data sharing failures. The majority of our subjects
spent time anticipating their own and their recipients’ current state,
and changed their actions according to their knowledge of or assumptions about
state. People spent considerable time reformatting data for others, based on
two parameters. First, they anticipated the constraints of their own or a
recipient’s system (such as capacity or bandwidth), and secondly,
anticipated the recipient’s socio-technical knowledge regarding their
ability to receive data. A software engineer described the reasons why he
compressed photographs for his relatives, “A lot of my relatives are not
very techie, so I’ll just put photographs in an email attachment. I try
to compress them so they are small jpeg sizes and then all people have to do is
just click [on the images]”. Another respondent drew a similar
distinction, “when you’re trying to share with family or friends
the speed of the network really decides whether or not you can share five
photos or just one. If you have to
upload five photos individually to send them, that’s a real drag. So you need to resize all of them so
they fit onto a CD. It’s
just a big hassle.” Half of our interviewees expressed frustration in
sending or receiving large files. Some specifically mentioned their personal
accounts or corporate email could not handle files over 10MB. A design
consultant who provides audio-visual material to his clients was exasperated
by the effort it took to reformat content for them, “It’s
absolutely absurd in this networked economy that we can’t share [large]
files without going into some extreme effort.”
These examples show how the act of file sharing
induces impedance matching. In
other words, users are forced to decide between sharing modalities based on
whether the sharing mechanisms will work with a particular user (do they have
X? are they on Y?) or piece of content (is the file too big?), or what sharing
mechanisms work best with that user (can they be counted on to log onto a separate
system?). Equally importantly, how well can you gauge the accuracy of your
assumptions about another’s state, (can they even receive your files)? It
is clear that the onus of work currently resides on users rather than the
systems they use.
Our findings lead us to identify a common class of sharing problems we term ad-hoc guesting. Users in our study often shared data with new and unplanned sets of people, often without assurance that they would ever share with that group of people again. We find that they preferentially and almost overwhelmingly turned to email to do so, except when their impedance matching processes indicated that email was unlikely to be successful. This is in contrast to the interpretation of Voida et al. [6], who suggested that email was chosen only as a fallback alternative to other, preferred, forms of sharing. In this section, we define a set of design requirements for the problem of ad-hoc guesting.
5.1. Ad-hoc Guesting Design Criteria
We analyze
sharing interactions in terms of two roles, initiator and responder, and two
modes of sharing: sender-initiated sharing, where the user wants to provide
content to someone who does not have it; and the less common receiver-initiated
sharing, where a user requests content to which they currently have no access.[1]
1) No impedance matching: initiators should no longer need to be cognizant of the limitations of the system or of a specific recipient’s system.
   a) The system should work for all types and sizes of data, within physical limits (e.g. sending large files will be slower than sending small ones).
   b) Responders in particular should be required to have no more than minimal, readily available tools (e.g. email and a web browser).
2) Support ad-hoc sharing: encourage lightweight sharing interactions between arbitrary, highly dynamic groups.
   a) Use universal identifiers, such as email addresses; people should be able to share with anyone, inside or outside of their organization, with equal facility.
   b) Minimize setup effort, as users will not know upfront whether they will share with a particular group or use a specific mechanism enough times to make the effort worthwhile.
   c) Require no a priori preparation by responders -- they should not be required to install software, create an account, or register a profile before someone can initiate sharing with them.
3) No oversharing:
   a) Content shared only with intended recipients: it is not accessible to their friends or arbitrary strangers, or to the server on which the content is stored or its systems administrators.
   b) Transient access management: data can be made available for one-time or time-limited access, without requiring the user to go back and make it “unavailable” again.
4) Simple and self-contained:
   a) Interactions should be lightweight and familiar.
   b) One-step sharing: additional coordination, such as follow-up emails, should not be necessary; people should know that content is there waiting for them, or that it has been shared successfully.
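The following is an added illustration of criteria 2a, 3a and 3b in code; it is not part of the original paper or of any system it describes. It assumes a hypothetical share.example host, an illustrative HMAC-based stream construction standing in for a real AEAD, and that the grant token reaches the recipient at the named email address (how that address is proven is outside the model).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _keystream_xor(key, data):
    # Illustrative stdlib-only stream construction (HMAC-SHA256 run in counter
    # mode and XORed over the data). A deployment would use an AEAD such as
    # AES-GCM; this construction is an assumption of the example, not the paper's.
    stream = b"".join(
        hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Grant:
    item_id: str
    recipient: str      # the email address is the universal identifier (2a)
    expires_at: float   # every grant is time-limited, so nothing lingers (3b)
    one_time: bool      # optionally valid for exactly one fetch (3b)
    used: bool = False


class ShareServer:
    """Holds ciphertext and grant metadata only; it never receives the key (3a)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised
        self.blobs = {}             # item_id -> ciphertext
        self.grants = {}            # unguessable token -> Grant

    def store(self, ciphertext):
        item_id = secrets.token_urlsafe(16)
        self.blobs[item_id] = ciphertext
        return item_id

    def add_grant(self, item_id, recipient, ttl_seconds, one_time=False):
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(item_id, recipient.lower(),
                                   self.clock() + ttl_seconds, one_time)
        return token

    def fetch(self, token, recipient):
        # The recipient binding assumes the token was mailed to that address;
        # anyone else presenting it (a forwarded link, a stranger) is refused.
        g = self.grants.get(token)
        if g is None or g.recipient != recipient.lower():
            return None
        if self.clock() > g.expires_at or (g.one_time and g.used):
            del self.grants[token]  # lapsed grants drop out without user action
            return None
        g.used = True
        return self.blobs[g.item_id]


def share(server, plaintext, recipient, ttl_seconds, one_time=False):
    """Sender side: encrypt locally, upload ciphertext, hand out one link. The
    key travels in the URL fragment, which browsers do not send to the server."""
    key = secrets.token_bytes(32)
    item_id = server.store(_keystream_xor(key, plaintext))
    token = server.add_grant(item_id, recipient, ttl_seconds, one_time)
    return f"https://share.example/get?t={token}#k={key.hex()}"  # hypothetical host


def open_link(server, link, recipient):
    """Receiver side: nothing beyond an email address and a browser is assumed."""
    query, _, fragment = link.partition("#")
    token = query.split("t=", 1)[1]
    key = bytes.fromhex(fragment.split("k=", 1)[1])
    ciphertext = server.fetch(token, recipient)
    return None if ciphertext is None else _keystream_xor(key, ciphertext)
```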
In our small study, we found
that exceptions to stricter security policies are increasingly becoming the
rule. We have illustrated users’ practices, such as mundane breaches and
transient data sharing, in order to design pragmatic and lightweight
alternatives. We find that people regularly bypass secure access procedures by
using public web repositories, personal emails, and USB drives to transfer
information (insecurely). Indeed, many situations require temporary access to
data in order to complete a job or activity. Individuals spend considerable
time anticipating ways in which to ensure that others can access the data they
send them. Repeatedly, people are frustrated that systems and security policies
prevent them from sharing large files.
We have identified a common
problem and an interesting design opportunity for data sharing – that of ad-hoc
guesting. In future work, we will
explore the success of these potential designs based on the requirements
proposed in this paper.
1. Ahern, S., Eckles, D., Good, N. S., King, S., Naaman, M., and Nair, R. 2007. Over-exposed?: privacy patterns and considerations in online and mobile photo sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 357-366.
3. Brown, B., Sellen, A. J., and Geelhoed, E. 2001. Music sharing as a computer supported collaborative application. In Proceedings of the Seventh European Conference on Computer Supported Cooperative Work, 179-198.
5. Glaser, B. and Strauss, A. 1967. The discovery of grounded theory: Strategies for qualitative research. Aldine Publishing, New York.
6. Voida, S., Edwards, W., Newman, M. W., Grinter, R. E., and Ducheneaut, N. 2006. Share and share alike: exploring the user interface affordances of file sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 221-230.
8. Olson, J. S., Grudin, J. and Horvitz, E. 2005. A study of preferences for sharing and privacy. In CHI ’05 extended abstracts on Human Factors in Computing Systems, 1985-1988.
[1] The determination of who plays the initiator role may be due to social or organizational factors; e.g. a consultant delivering results to a client, or as a result of impedance matching, e.g. the more technically sophisticated party in an exchange doing the “heavy lifting” of initiating a transfer.