Evaluating the Usability of Usage Controls in Electronic Collaboration
July 25, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p85Brustoloni.pdf
Electronic collaboration can greatly increase productivity, but there is a risk of liability for information misuse. The current best practice is to use NDAs, but this can be cumbersome, and many potential collaborations just never happen.
The researchers propose that Usage Controls (i.e. Digital Rights Management) may make collaboration easier and more productive and may even remove the need for explicit NDAs. The problem is that existing software-based DRM systems aren’t very reliable. To overcome many of these shortcomings they have developed a Linux Security Module called UCLinux. This paper examines the system and its interfaces.
TPMs (Trusted Platform Modules) are standardized and increasingly common in commercial computers. Each component in the boot sequence measures the integrity of the next component and extends the result into a TPM PCR (platform configuration register). The computer can verify itself to a remote computer by signing a challenge nonce and PCR values. UCLinux is driven by the UCFS (Usage Control File System). The UCFS is in an encrypted filesystem with a secret key based on the PCR value, thus ensuring it will only load on an unmodified system.
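The measure-and-extend chain and the PCR-bound key described above can be modelled in a few lines. This is an added example, not code from the paper or from UCLinux: the extend rule is the TPM 1.2 SHA-1 form, while the component names, the device secret and the HMAC-based key derivation are constructed stand-ins for what a real TPM does internally when it seals a key to PCR values.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, as in TPM 1.2 PCRs


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain: list[bytes]) -> bytes:
    """Fold every boot component, in order, into one PCR starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def derive_key(device_secret: bytes, pcr: bytes) -> bytes:
    """Assumed model of a PCR-bound key; a real TPM seals the key internally."""
    return hmac.new(device_secret, b"ucfs-key" + pcr, hashlib.sha256).digest()


def key_check(key: bytes) -> bytes:
    """Value stored with the volume so a wrong key is detected before use."""
    return hmac.new(key, b"ucfs-key-check", hashlib.sha256).digest()


def unlock(device_secret: bytes, chain: list[bytes], stored_check: bytes):
    """Return the volume key if the booted chain matches, else None."""
    key = derive_key(device_secret, measured_boot(chain))
    return key if hmac.compare_digest(key_check(key), stored_check) else None


# Constructed sample boot chain and secret (placeholders, not real images).
GOOD_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel+uclinux-lsm-v1"]
SECRET = b"constructed-device-secret"
STORED_CHECK = key_check(derive_key(SECRET, measured_boot(GOOD_CHAIN)))

if __name__ == "__main__":
    tampered = GOOD_CHAIN[:2] + [b"kernel-without-lsm"]
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]
    print("unmodified:", unlock(SECRET, GOOD_CHAIN, STORED_CHECK) is not None)
    print("tampered:  ", unlock(SECRET, tampered, STORED_CHECK) is not None)
    print("reordered: ", unlock(SECRET, reordered, STORED_CHECK) is not None)
```

Because each extend hashes the previous PCR value, a change to any component, or to the order in which components load, yields a different final PCR and therefore a different key.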
They also designed a UI in which policies could be set when creating a file and in which the user would be prompted to accept usage restrictions when acquiring or opening a file. They conducted a user study in which users role-played as an engineer making a design decision based on usage-controlled files retrieved from the Web. In the first scenario there were no usage controls; in the second they were included. There were seven documents available, four with acceptable usage policies and three without. The study included ten participants. For documents with acceptable policies there was no difference in document downloads between sessions. For the documents with usage controls there was a notable reduction in downloaded documents in the session including usage controls. In general the users found the system usable.