Carnegie Mellon University
School of Computer Science  ›  Software and Societal Systems  ›  News  ›  2021  ›  Misconceptions plague security and privacy tools

Collage of Peter Story and Norman Sadeh

July 15, 2021

Misconceptions plague security and privacy tools

By Daniel Tkacik

As ransomware attacks continue to rise, tools to help protect our security and privacy are becoming more and more important. But if you think surfing the web via private browsing mode, virtual private networks (VPNs), or Tor Browser protects you from security threats, you’re wrong, but you’re also not alone.

According to a new studyOpens in new window out of Carnegie Mellon University CyLab, people hold a myriad of misconceptions about the security and privacy tools out there meant to help protect our privacy and online security. The study was presented at this week’s Privacy Enhancing Technologies SymposiumOpens in new window.

“There are certainly some people who know everything about these tools and can answer questions about them correctly, but that’s far from the norm,” says CyLab’s Peter Story, a Ph.D. student in the Institute for Software Research (ISR) and the lead author of the study.

The researchers conducted a survey of 500 demographically representative U.S. participants to measure their use of and perceptions of five web browsing-related tools: private browsing, VPNs, Tor Browser, Ad blockers, and antivirus software. Participants were asked how effective each tool would be in a variety of scenarios, such as preventing hackers from gaining access to their device, or preventing law enforcement from seeing the websites they visit.

For all but one scenario—whether different tools would prevent friends or family with physical access to your device from seeing the websites you visit in your browser history—participants answered more than half of the assessment questions incorrectly.

“People know some things about what these tools can do, but they often assume incorrectly that the tools can do other things as well,” says Norman Sadeh, a professor in the ISR and the study’s principal investigator. “People who are more familiar with these tools may be more likely to answer a question about them—either correctly or incorrectly—than recognize they are unsure.”

People know some things about what these tools can do, but they often assume incorrectly that the tools can do other things as well.

For example, one participant said that private browsing can be very effective at preventing their employer from seeing the browsing they do on the employer’s network. But this is false.

“Private browsing does not keep your history,” the participant explained.

This is true, Story says, but when you’re connected to someone else’s network, the administrator can see which websites you are talking to by nature of the company or organization being in control of it. Private browsing does nothing to shield that from your employer. However, Story says, using a VPN or Tor Browser can prevent your employer from seeing what websites you visit.

Perhaps the most concerning misconception participants had is that they often conflated privacy protections of tools with security protections.

“Some participants suggested that private browsing, VPNs, and Tor Browser would also protect them from security threats,” Story says. “This misconception might lead risky behavior.”

Given the vast array of misconceptions—as well as the feeling of resignation of many participants who felt that there was nothing they could really do to protect themselves—the researchers suggest some recommendations for designing “nudging” interventions. “Nudging” interventions might be used to promote security and privacy tools and to help people use them effectively.

“We think interventions should warn people not to assume tools do more than they actually do,” says Story. “It seems especially important to remind people that privacy-focused tools like private browsing do not provide security protections, such as against malware.”

The researchers also suggest reassuring users of the efficacy of the tools, emphasizing the lack of effectiveness of other tools and practices in preventing certain threats, and of course, interventions should debunk common misconceptions.

Paper reference

Awareness, Adoption, and Misconceptions of Web Privacy Tools

  • Peter Story, Carnegie Mellon University
  • Daniel Smullen, Carnegie Mellon University
  • Yaxing Yao, Carnegie Mellon University
  • Alessandro Acquisti, Carnegie Mellon University
  • Lorrie Cranor, Carnegie Mellon University
  • Norman Sadeh, Carnegie Mellon University
  • Florian Schaub, University of Michigan