Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites

Cloud Office suites such as Google Docs or Microsoft Office 365 are widely used and introduce security and privacy risks to documents and sensitive user information. Users may not know how, where and by whom their documents are accessible and stored, and it is currently unclear how they understand and mitigate risks. We conduct surveys with 200 cloud office users from the U.S. and Germany to investigate their experiences and behaviours with cloud office suites. We explore their security and privacy perceptions and expectations, as well as their intuitions for how cloud office suites should ideally handle security and privacy. We find that our participants seem to be aware of basic general security implications, storage models, and access by others, although some of their threat models seem underdeveloped, often due to lacking technical knowledge. Our participants have strong opinions on how comfortable they are with the access of certain parties, but are somewhat unsure about who actually has access to their documents. Based on our findings, we distill recommendations for different groups associated with cloud office suites, which can help inform future standards, regulations, implementations, and configuration options.

[1]  Frank Teuteberg,et al.  The role of trust and risk perceptions in cloud archiving — Results from an empirical study , 2014 .

[2]  Srdjan Capkun,et al.  Home is safer than the cloud!: privacy concerns for consumer cloud storage , 2011, SOUPS.

[3]  Marten van Dijk,et al.  On the Impossibility of Cryptography Alone for Privacy-Preserving Cloud Computing , 2010, HotSec.

[4]  Steve Whittaker,et al.  Cloudy forecast: an exploration of the factors underlying shared repository use , 2014, CHI.

[5]  Chris Kanich,et al.  "I Saw Images I Didn't Even Know I Had": Understanding User Perceptions of Cloud Storage Privacy , 2015, CHI.

[6]  K. Charmaz,et al.  Constructing Grounded Theory , 2014 .

[7]  Chris Kanich,et al.  Forgotten But Not Gone: Identifying the Need for Longitudinal Data Management in Cloud Storage , 2018, CHI.

[8]  Xin Tan,et al.  User acceptance of SaaS-based collaboration tools: a case of Google Docs , 2015, J. Enterp. Inf. Manag..

[9]  Ibrahim Arpaci,et al.  Effects of security and privacy concerns on educational use of cloud services , 2015, Comput. Hum. Behav..

[10]  Mexhid Ferati,et al.  User awareness of existing privacy and security risks when storing data in the cloud , 2015 .

[11]  Jose M. Such,et al.  "I feel stupid I can't delete...": A Study of Users' Cloud Deletion Practices and Coping Strategies , 2017, SOUPS.

[12]  M. Couper,et al.  METHODS FOR TESTING AND EVALUATING SURVEY QUESTIONS , 2004 .

[13]  John C. Tang,et al.  That syncing feeling: early user experiences with the cloud , 2012, DIS '12.

[14]  Philip D. Waggoner,et al.  The shape of and solutions to the MTurk quality crisis , 2018, Political Science Research and Methods.

[15]  Klaus Krippendorff,et al.  Content Analysis: An Introduction to Its Methodology , 1980 .

[16]  D. Dittrich,et al.  The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research , 2012 .

[17]  Roger Clarke,et al.  Privacy and consumer risks in cloud computing , 2010, Comput. Law Secur. Rev..

[18]  Elissa M. Redmiles,et al.  How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior , 2016, CCS.

[19]  A. Strauss,et al.  Grounded Theory in Practice , 1997 .

[20]  Moira C. Norrie,et al.  MUBox: Multi-User Aware Personal Cloud Storage , 2015, CHI.

[21]  P. V. Marsden,et al.  Handbook of Survey Research , 1985 .

[22]  N. C. Schaeffer,et al.  The Science of Asking Questions , 2003 .

[23]  A. Strauss,et al.  Grounded theory , 2017 .

[24]  Lilian Adkinson-Orellana,et al.  Privacy for Google Docs : Implementing a Transparent Encryption Layer , 2010 .

[25]  A. Acquisti,et al.  Reputation as a sufficient condition for data quality on Amazon Mechanical Turk , 2013, Behavior Research Methods.

[26]  David R. Anderson,et al.  Understanding AIC and BIC in Model Selection , 2004 .

[27]  Fabio Vitali,et al.  Content cloaking: preserving privacy with Google Docs and other web applications , 2010, SAC '10.

[28]  Nestori Syynimaa,et al.  Is My Office 365 GDPR Compliant? - Security Issues in Authentication and Administration , 2018, ICEIS.

[29]  Jeanna Neefe Matthews,et al.  The good, the bad and the ugly of consumer cloud storage , 2010, OPSR.

[30]  Eric Johnson Lost in the Cloud: Cloud Storage, Privacy, and Suggestions for Protecting Users' Data , 2017 .