Internet | April 21, 2017

Scholar Spotlight: Jason Hong is Arming Smart Device Users with the Tools to Protect Themselves from Cyberattacks

Siebel Scholar Jason Hong (UC Berkeley, CS ’04) likes to play video games on his smartphone. But Hong isn’t your typical gamer: he’s an associate professor of computer science who studies cybersecurity at one of the largest university-based cybersecurity research and education centers in the U.S., Carnegie Mellon University’s CyLab.

So, a few years ago when a blackjack game Hong was playing on his smartphone asked for his location, he became wary. Why, he wondered, would the game need his location?

That question led Hong to launch a research project with his team at CyLab, called Computer Human Interaction: Mobility Privacy Security (CHIMPS). Hong and his group specialize in human computer interaction and they have studied user privacy and security issues for a decade. During the course of their investigation into gaming apps, they found that many of them—even the one that turns the phone into a flashlight—access sensitive data such as contact lists and location.

The team’s privacy analysis of a million Android apps eventually became the website privacygrade.org, which gained attention from the media and government regulators. Hong’s group plans to scale it up even more, by continuously updating apps and by deploying new kinds of privacy analyses. They’ve also developed an app called PrivacyProxy that will identify which apps on a device are sending information to a third party.

Hong’s research raised user awareness and led developers to create better interfaces for apps. Their work encompasses a wide array of cybersecurity issues, from building in safety when software is designed to making security settings easier for users.

Hong came to Carnegie Mellon in 2004, after completing his PhD at UC Berkeley, and has been an associate professor in the university’s Human Computer Interaction Institute since 2010. In 2008 Hong co-founded Wombat Security Technologies, which helps organizations protect themselves against phishing attacks.

Hong spoke with the Siebel Scholars program about his work.

Q: How did you first become interested in this work?  

It’s funny, when I was a little kid I wanted to be Superman, but I quickly realized I had no superpowers. Later in life when I got into computer science I found another way of protecting people, by coming up with solutions for privacy and security.

Q: What problem or challenge are you trying to solve?

In my specific area of work, I’m interested in how to make privacy and security usable for everyday people. For example, I’m looking at how to foster an ecosystem for smartphone privacy. I’m also working with a group of people to develop a privacy-sensitive infrastructure for Internet of Things, where nearly every object is embedded with sensing and wireless networking. More pragmatically, I’m also looking at techniques for simplifying privacy policies and terms and condition policies for everyday people.

I’m really interested in looking at how to make it so that other stakeholders can shoulder more of the burden of privacy, for example, software developers, third parties like the Federal Trade Commission or journalists, ad networks, as well as hardware manufacturers.

For example, most software developers we’ve interviewed and surveyed simply have no idea what to do with respect to privacy. So having better tools that only require a little bit of extra work on their part could have a lot of positive benefit. Hopefully, by the end of the day, an end user doesn’t have to make so many privacy decisions. When it’s up to the end user to know what’s up with the app, it’s really burdensome.

Q: What makes your research group unique?

Most of computer science focuses on the computer itself; for example, faster networking, better storage, longer battery life. My field of work is known as human-computer interaction, and it looks at people and computers together. My department is also a bit unusual, in that it has computer scientists sitting next to behavioral scientists and interaction designers.

In our social psychology work we look at how to encourage behavior change to promote secure practices. So for instance, I overheard two women chatting one day about a colleague who fell on the ice, broke his laptop and lost his data. One of the women then said, “I’m going to go back up my data right now.” So that made me think about what influences people to improve their behaviors. We were working with Facebook on some messaging encouraging people to check their security settings, and we added language that told them what percent of their friends had already done so. As predicted by theory, this small change did increase click thru rates and adoption of security settings.

Q: What are some specific projects your group is working on?

We have a project called Giotto, which is an open infrastructure for the Internet of Things, and another called UniAuth, which looks at what kinds of software are needed for our smartphones to manage all our authentication needs. Our group is also looking at social cybersecurity, or how to use social psychology to improve people’s awareness, motivation, and knowledge to use technology securely.

Q: What would you say is the biggest challenge you’re facing?

The biggest challenge with privacy and security is that it’s too easy to do the wrong thing, either intentionally or accidentally. Computer systems are designed to make everything easy to gather, store, and share data, and it takes extra steps (and knowledge) to add in privacy and security.

Q: Do you think there will ever be “an answer” to the cybersecurity problem? 

It’s like illiteracy, it’s not something that can ever be totally solved. Every year you have to keep working on it. There is never going to be a perfect solution for privacy and security. It’s just an ongoing effort.

Q: What do you find most rewarding about the work?

Working with really amazing undergraduate and graduate students. A former student of mine from several years ago visited me, and was showing some of the cool things he was doing at his company. He was even featured in Wired Magazine too! It was really great to know that I was a small part of his educational experiences, that I was lucky enough to help him just a little bit in his life.

Q: What do you think is the key to successful leadership/innovation/problem solving?

The most important thing I’ve learned about innovation is that it really takes a leap of imagination to envision a better world. Take the iPhone for example. All of the pieces and interactions already existed, but the core insight was to combine them in a new way to create a really compelling user experience.

It also takes a fair amount of courage to make this leap. It’s easy to stick with the garden path and just trudge along with what everyone else is already doing. You’ll get knocked down to the ground quite a bit when trying something new, but if you’re willing to keep getting up, if you’re willing to keep reaching for a better tomorrow, you just might be able to do it.

Q: What do you enjoy doing during your time away from work?

My two-year-old daughter is the highlight of my day. I’m really inspired by her and want to do what I can to help make the world a better place for her.

Posted by Jason Hong

Computer Science, UC Berkeley