Q&A with Dr. Hassan Khan

Posted on Monday, November 14th, 2022

The extent to which we rely on our phones means that phone security is crucial.

Dr. Hassan Khan joined the School of Computer Science at the University of Guelph as an assistant professor in 2018, after completing his PhD and postdoctoral work at the University of Waterloo. We had the opportunity to speak to him about his work in computer security and human-computer interaction.

Could you tell us a bit about your research focus? 

My research lies at the intersection of Computer Security and Human Computer Interaction. Security engineers build secure systems, but these systems often do not provide the desired effect as they are not very usable. A textbook example is that of passwords, where you can force users to create very complex passwords in the name of security, but users will resist those – for example by writing them on sticky notes. My research focuses on the human side of things to: (i) show that existing security controls do not work as intended; and (ii) understand why security controls do not work from the perspective of end users. 

Your work focuses on Artificial Intelligence-based security solutions. Can you explain how you use Artificial Intelligence to create and improve computer security?

One line of research that I have focused on is the evaluation of the security of Artificial Intelligence-based solutions for end users. Behavioural biometrics have been proposed as an alternative and more usable authentication mechanism. The underlying idea is that our smartphones can learn our behaviour – such as how we speak, how we swipe or type, or how we walk – and then use this to authenticate us or detect device misuse by non-owners with over 99 per cent accuracy. However, my research has demonstrated that such systems are quite easy to bypass due to the overlapping behaviours of the general population. By using our algorithms, an attacker can bypass state-of-the-art voice, gait, touch or keystroke behaviour-based authentication systems effortlessly.
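To make the "overlapping behaviours" point concrete, here is an added example, written for this page and not Dr. Khan's code, algorithm or data. It implements a scaled-Manhattan keystroke-dynamics verifier (a standard detector in the keystroke-dynamics literature): the owner enrols by typing a passphrase a few times, a template of per-feature means and standard deviations is built, and a new typing is accepted if its total standardized deviation stays under a threshold. All timing samples, the passphrase length of five key transitions, the threshold and the per-feature variance floor are constructed assumptions for illustration; real acceptance rates depend on real population data.

```python
"""Toy scaled-Manhattan keystroke-dynamics verifier.

Added example (not Dr. Khan's code or data). Each sample is a vector of
inter-key latencies in milliseconds for the five key transitions of one
fixed passphrase. Every sample below is constructed for illustration.
"""
from statistics import mean, median, pstdev

# Constructed enrolment samples: the device owner typing the passphrase 5 times.
OWNER_ENROLMENT = [
    [120, 180, 95, 210, 140],
    [125, 175, 100, 205, 150],
    [118, 185, 92, 215, 138],
    [130, 170, 98, 200, 145],
    [122, 182, 96, 208, 142],
]

# Constructed single samples from eight other people typing the same passphrase,
# standing in for "the general population".
POPULATION = {
    "A": [126, 181, 98, 210, 146],
    "B": [119, 174, 94, 203, 140],
    "C": [128, 183, 99, 212, 147],
    "D": [140, 200, 110, 230, 160],
    "E": [90, 140, 70, 170, 110],
    "F": [123, 190, 96, 200, 143],
    "G": [115, 170, 90, 198, 135],
    "H": [132, 186, 101, 214, 150],
}

# Assumed decision threshold on the total |z| over the 5 features, i.e. an
# average deviation of 1.5 standard deviations per feature. It is chosen so
# that every enrolment sample is accepted (zero false rejects on the owner's
# own data), which is how such thresholds are commonly tuned.
ACCEPT_THRESHOLD = 7.5
MIN_STD_MS = 1.0  # assumed floor so a zero-variance feature cannot dominate


def enrol(samples):
    """Build the template: (mean, population std) for each timing feature."""
    return [(mean(col), max(pstdev(col), MIN_STD_MS)) for col in zip(*samples)]


def distance(template, sample):
    """Scaled Manhattan distance: sum over features of |x - mu| / sigma."""
    return sum(abs(x - mu) / sigma for x, (mu, sigma) in zip(sample, template))


def verify(template, sample):
    """Accept the typing when it lies close enough to the owner's template."""
    return distance(template, sample) <= ACCEPT_THRESHOLD


def zero_effort_accept_rate(template, population):
    """Fraction (and names) of other people accepted without imitating anyone."""
    accepted = [name for name, s in population.items() if verify(template, s)]
    return len(accepted) / len(population), accepted


def population_median_sample(population):
    """The 'typical typist': per-feature median over the population samples."""
    return [median(col) for col in zip(*population.values())]


if __name__ == "__main__":
    template = enrol(OWNER_ENROLMENT)
    print("owner samples accepted:", all(verify(template, s) for s in OWNER_ENROLMENT))
    print("very fast typist accepted:", verify(template, [60, 90, 50, 100, 70]))
    rate, names = zero_effort_accept_rate(template, POPULATION)
    print(f"zero-effort impostors accepted: {rate:.0%} {names}")
    typical = population_median_sample(POPULATION)
    print("population-median typist accepted:", verify(template, typical),
          f"(distance {distance(template, typical):.2f})")
```

On the constructed data the owner's own typings all pass and an obviously different typist is rejected, yet half of the other people are accepted without trying, and a sample built from the population medians is accepted comfortably. That is the shape of the problem the answer describes: once the threshold is loose enough to tolerate the owner's natural variation, anyone whose behaviour falls in the densely populated middle of the distribution falls inside it too, and an attacker who can steer their behaviour toward that middle (or toward the victim's measured cues) does not need to be a precise mimic. A headline accuracy figure measured against a fixed test set says nothing about this acceptance region.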

Some of your research involves human subjects. Can you explain how you bring them into your research?

My research often involves human subjects. For the behaviour-based authentication systems, we have recruited human participants to mount attacks. For instance, in our previous work, we have designed a smartphone-to-smartphone augmented reality-based attack system. The idea is that if the attackers want to mimic or behave like another person (“victim”) in terms of how the victim interacts with their device, they could use our augmented reality application for it. The attacker would use an application to collect the victim’s behaviour (such as by offering them the use of their phone or making them visit the victim’s website) and then use the augmented reality application to overlay the collected behavioural cues on the victim’s smartphone without requiring them to install anything on the victim’s device. Human subjects were used for this research both as attackers and victims during controlled experiments.

What is a recent research project/initiative that you are especially excited about?

I would say the most exciting work that I have ever done was our recent work on measuring the state of privacy in the electronics repair industry. Electronics repair and service providers offer a range of services to computing device owners across North America – from software installation to hardware repair. Device owners obtain these services and leave their device along with their access credentials at the mercy of technicians, which leads to privacy concerns for owners' personal data. We conducted a comprehensive four-part study to measure the state of privacy in the electronics repair industry. We conducted a study of 18 service providers and uncovered that most service providers do not have any privacy policy or controls to safeguard device owners' personal data from snooping by technicians. We dropped off rigged devices for repair at 16 service providers and collected data on widespread privacy violations by their technicians, including snooping on personal data, copying data off the device, and removing tracks of snooping activities. We then conducted an online survey of over 100 individuals to collect data on customers' experiences when getting devices repaired. Lastly, we invited 30 of our survey participants for interviews to establish a deeper understanding of their experiences and identify potential solutions to curtail privacy violations by technicians.

Another recent work that would be of interest to the public is our research on the conflict between security and privacy in the context of Enterprise Security Software. Employees are often required to use Enterprise Security Software (ESS) on corporate and personal devices. ESS products collect users' activity data including users' location, applications used and websites visited – operating from employees' devices to the cloud. To the best of our knowledge, the privacy implications of this data collection have yet to be explored. We conducted an online survey of over 250 individuals and semi-structured interviews with 22 ESS users to understand their privacy perceptions, the challenges they face when using ESS and the ways they try to overcome those challenges. The most important finding is that while many participants reported receiving no information about what data their ESS collected, those who received some information often underestimated what was collected. Employees reported a lack of communication about various data collection aspects including: the entities with access to the data and the scope of the data collected. We used the interviews to uncover several sources of misconceptions among the participants. Our findings show that while employees understand the need for data collection for security, the lack of communication and ambiguous data collection practices result in the erosion of employees' trust in the ESS and their employers.

Are you currently looking for undergraduate, graduate, or postdoctoral students?

Yes, I am looking for undergraduate and graduate students.

Dr. Hassan Khan is an Assistant Professor in the School of Computer Science.
