My current work focuses on understanding the impact of existing software engineering practices on end-user privacy, as well as proposing solutions that implement the privacy by design (PbD) principles and other best practices. To achieve these goals, I employ multi-disciplinary methods, spanning from technical analysis of software artifacts to semi-structured interviews with privacy professionals.
I am always happy to chat and grab a coffee. The best way to reach me is to connect with me on LinkedIn or email me at nsamarin [at] berkeley.edu. Please allow me some time to get back to you.
The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app’s developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only categorical information). However, a significant percentage of apps collected information that was not disclosed, including identifiers (55 apps, 80%), geolocation data (21 apps, 30%), and sensory data (18 apps, 26%) among other categories. We discuss improvements to the CCPA that could help app developers comply with "right to know" requests and other related regulations.
@article{samarin2023lessons,title={Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)},author={Samarin, Nikita and Kothari, Shayna and Siyed, Zaina and Bjorkman, Oscar and Yuan, Reena and Wijesekera, Primal and Alomar, Noura and Fischer, Jordan and Hoofnagle, Chris and Egelman, Serge},journal={Proceedings on Privacy Enhancing Technologies (PoPETS)},volume={3},pages={103--121},year={2023},doi={10.56553/popets-2023-0072},}
Empirical Measurement of Systemic 2FA Usability
Joshua Reynolds , Nikita Samarin, Joseph Barnes , and 4 more authors
Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs and records kept at two public universities, we quantify the at-scale impact on organizations and their employees during a mandatory 2FA implementation. We show the multiplicative effects of device remembrance, fragmented login services, and authentication timeouts on user burden. We find that user burden does not deviate far from other compliance and risk management time requirements already common to large organizations. We investigate the cause of more than one in twenty 2FA ceremonies being aborted or failing, and the variance in user experience across users. We hope our analysis will empower more organizations to protect themselves with 2FA.
@inproceedings{reynolds2020empirical,title={Empirical Measurement of Systemic 2FA Usability},author={Reynolds, Joshua and Samarin, Nikita and Barnes, Joseph and Judd, Taylor and Mason, Joshua and Bailey, Michael and Egelman, Serge},booktitle={USENIX Security Symposium},pages={127--143},year={2020},doi={10.5555/3489212.3489220},}
Opinions expressed by me are solely my own and do not express the views or opinions of my employer.
