Security and Human Behaviour 2010 – Session 1: Deception

I recently attended the 2010 Security and Human Behaviour workshop, organised by Ross Anderson, Bruce Schneier and Alessandro Acquisti.

For the workshop’s official notes (by Ross), visit the Computer Laboratory, University of Cambridge blog. In the following posts I’ll capture my own notes from the workshop.

Session 1 – Deception

Deception:

  • on a small scale is called fraud.
  • on a large scale is called propaganda.

Jeff Hancock (Cornell) kicked off the presentations by identifying trends in deception:

  1. Recordability of online data
  2. Search algorithms – hence easier retrieval of data
  3. Universal cues of lying/deception
  4. Nature of language in deception:
    1. Truthful language
    2. Deceptive language, which uses less first person singular (“I”). If we put all deceptive language in a “deceptive” bin of words, we can identify the lie itself, as well as truthful words/statements surrounding the lie. Psychological distancing of the actor occurs on the lie itself.

Frank Stajano (Cambridge) quoted research his group did on the psychology of scam victims. This led to BBC3’s “The Real Hustle” series (80 episodes). Factors in scams were:

  • Consistency
  • Commitment
  • Kindness
  • Distraction

Frank’s research also demonstrates the “Good Samaritan” value of people (and how it can get you in trouble if you’re not careful). Frank mentioned Robert Cialdini’s book on consistency and commitment and how these inform influence, and an Office of Fair Trading report by Stephen Lea et al.

Peter Robinson (Cambridge) was on next. His interests are in Human-Computer Interaction (HCI). He made the point that if we judge computers with the same criteria we use for humans, computers are autistic, since they provide no non-verbal cues. He presented research on decoding facial/bodily movements to understand the feelings/posture of an individual on a particular topic.

Pam Briggs (Northumbria) was on next. She described the prototype of a biometric daemon (inspired by the daemons of Philip Pullman’s books) that might make humans make better security decisions. The premise is that it’s easier to develop a personal relationship with your daemon and then use the daemon’s lack of comfort or outright outrage when something is not quite right, rather than making fully informed and conscious security & privacy decisions yourself.

Pam also mentioned that many UK schools are now authenticating their students with fingerprints to grant kids access to school meals, which I found appalling.

Mark Frank (SUNY at Buffalo) was on next. He studies deception by people’s facial expressions. Some of the questions he is looking into are:

  • Can we detect liars?
  • Can we detect them in a natural environment?
  • Can we detect them from their facial expressions?

Mark brought the predominant USA-style approach to safety & security and introduced the familiar notions of “good vs bad guys”, “terrorism”, “airports” and “police” (presumably as the benevolent protector of society).

Mark mentioned SPOT – Screening Passengers by Observation Techniques – which is a behavioural flagging programme using facial expression analysis going on in the USA. The Privacy Impact Assessment published by the TSA on the programme can be found at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_spot.pdf

Martin Taylor was up next. He’s a magician and hypnotist, but he’ll be the first to tell you he doesn’t use hypnotism. He explained that factors like social compliance are the basis of the illusion constructed in a “hypnosis” situation. Many people are forced to do stuff they wouldn’t normally do, because of peer pressure, perception of expectations and such factors. Who needs hypnotism when you’ve got:

  • Suggestion – talking about something makes people more aware of it, even if it’s just something completely regular. E.g. talking about your pulse rate in a convincing fashion, inducing doubt, citing bogus expert knowledge etc. will make people believe there might actually be something wrong with their heart rate.
    Martin mentioned Derren Brown and Uri Geller as examples of other psychological illusionists.
  • Peer pressure – We tend to follow others; group behaviour overwhelms personal choice, etc.
  • Obedience – When someone of authority (bogus or not) commands us to do something, we tend to do it because of the social conditioning we’ve received from parents, school, our jobs etc.

Joe Navarro (now retired FBI agent) was mentioned as a prime example of someone who can read non-verbal behavioural cues to excel at his job.

The question “when do we have the right to deceive?” came up, especially in the context of necessary deception versus an oppressive authority. In that context deception is one of the few methods to maintain one’s safety and privacy.

Martin also explained that building rapport is very important for social control (or hypnotism, call it what you like), and said the elements of rapport are:

  • Similarity
  • Empathy
  • Liking

Session 2 of the workshop to follow…
