Sanchari Das

Sanchari Das, Dhiman Goswami, Michelle Melo et al.

As digital systems increasingly rely on pervasive data collection and inference, educating future designers and researchers about Usable Privacy has become a critical need for HCI. However, privacy education in higher education is often fragmented, theory-heavy, or detached from real-world applications. Thus, in this paper, we present the design, implementation, and evaluation of a 15-week graduate-level course on Usable Privacy that addresses this through active, practice-oriented pedagogy. The course integrates use cases, structured role playing, case-based discussions, guest lectures, and a multi-phase research project to support students in reasoning about privacy from multiple stakeholder perspectives. Grounded in contemporary privacy research and the Modern Privacy framework, the curriculum emphasizes both conceptual understanding and applied research skills. We report findings from two course offerings in consecutive years (2024-2025) using a mixed-methods evaluation that combines quantitative teaching evaluations with qualitative analysis of student reflections and instructor observations. Results indicate increased student engagement, improved ability to articulate trade-offs in privacy design, and stronger connections between theory and practice. To support adoption and replication, we also release detailed assignment descriptions and grading rubrics. This work contributes an empirically informed model for teaching Usable Privacy in HCI education and offers actionable guidance for educators seeking to integrate privacy into their curricula.

Dhiman Goswami, Al Nahian Bin Emran, Md Hasan Ullah Sadi et al.

Online propaganda detection pipelines expose measurable privacy risks at multiple stages including data collection, feature extraction, and model inference. We conduct a structured analysis of $162$ peer-reviewed studies and formalize the problem using the Propaganda Risk Online Mitigation and Privacy-preserving Tactics (PROMPT) framework. PROMPT models risks $R$ and mitigation strategies $S$ through a mapping $M: R\to S$ guided by a utility function $α\cdot \mathrm{PrivacyGain}(s_j) - β\cdot \mathrm{PerfLoss}(s_j) - γ\cdot \mathrm{Cost}(s_j)$, with tunable $(α,β,γ)$ enabling stakeholders to balance privacy, accuracy, and deployment costs. To assess practical adoption, we introduce a compliance score that quantifies the alignment of existing methods with GDPR, CCPA etc. requirements. Our evaluation shows that many widely used pipelines remain non-compliant, particularly in metadata handling and user-level aggregation. We further present empirical fine-tuning experiments on transformer-based encoders and decoders under synthetic perturbation, demonstrating a monotonic privacy-utility trade-off: with $q = 0.05$ performance decreased by 1-2% F$_1$, while at $q = 0.20$ the reduction reached 13-14%. These results establish quantitative baselines for privacy costs in propaganda detection. Our contributions include a formal risk-to-defense mapping, a compliance-oriented auditing metric, and experimental evidence of privacy-performance trade-offs, providing a technical foundation for building regulation-compliant and privacy-aware detection systems.

Pooja Krishan, Rohan Mohapatra, Sanchari Das et al.

The emergence of deep learning models has revolutionized various industries over the last decade, leading to a surge in connected devices and infrastructures. However, these models can be tricked into making incorrect predictions with high confidence, leading to disastrous failures and security concerns. To this end, we explore the impact of adversarial attacks on multivariate time-series forecasting and investigate methods to counter them. Specifically, we employ untargeted white-box attacks, namely the Fast Gradient Sign Method (FGSM) and the Basic Iterative Method (BIM), to poison the inputs to the training process, effectively misleading the model. We also illustrate the subtle modifications to the inputs after the attack, which makes detecting the attack using the naked eye quite difficult. Having demonstrated the feasibility of these attacks, we develop robust models through adversarial training and model hardening. We are among the first to showcase the transferability of these attacks and defenses by extrapolating our work from the benchmark electricity data to a larger, 10-year real-world data used for predicting the time-to-failure of hard disks. Our experimental results confirm that the attacks and defenses achieve the desired security thresholds, leading to a 72.41% and 94.81% decrease in RMSE for the electricity and hard disk datasets respectively after implementing the adversarial defenses.

Supriya Khadka, Sanchari Das

Authentication in financial systems remains a uniquely high-stakes security challenge, where even marginal increases in false acceptance can result in catastrophic monetary loss. Existing deployments of adaptive authentication, which combine biometrics, behavioral signals, and contextual risk scoring, remain conceptually fragmented and often prioritize regulatory compliance over explicit economic and adversarial risk modeling. To address this structural imbalance, in this paper we introduce a formal Risk-Cost Model (RCM) for adaptive authentication in financial systems. The RCM provides a principled mathematical foundation that integrates three essential components: (i) cost-sensitive risk functions that explicitly capture fraud loss, opportunity cost, and tail risk through Conditional Value-at-Risk (CVaR); (ii) sequential decision-making mechanisms that adapt to adversarial probing and distributional drift; and (iii) quantifiable privacy and regulatory constraints embedded directly within the optimization objective. By reframing authentication as a constrained dynamic risk-cost optimization problem, the RCM moves beyond static classification and compliance-driven design toward systems that are economically grounded, tail-risk aware, and resilient under adversarial uncertainty.

Supriya Khadka, Sanchari Das

Advancements in augmented reality (AR) technologies offer immense potential for mobile experiences. However, most commercial and educational AR systems assume a baseline of predictable user behavior and stationary interaction. Preschoolers and children in early childhood education, specifically ages 3 to 8, are naturally erratic, physically dynamic, and prone to rapid locomotion, making them the ultimate stress test for mobile spatial computing. Through a focused analysis of recent literature on physical activity and spatial learning in AR for preschoolers, this paper identifies points of friction in current mobile deployments. We highlight recurring failures in camera tracking during dynamic movement, physical safety hazards caused by screen-induced distraction, spatial crowding around physical markers, and the privacy risks of continuous environmental surveillance. To address these challenges, we propose AnchorPlay AR, a conceptual prototype for a privacy-preserving, audio-first spatial application. By explicitly separating locomotion from visual tracking, AnchorPlay AR uses audio cues to safely guide movement and reserves visual augmentation for stationary moments, offering a safer framework for preschoolers in constant motion.

Gaurav Shinde, Rohan Mohapatra, Pooja Krishan et al.

Lithium-ion batteries (Li-ion) have revolutionized energy storage technology, becoming integral to our daily lives by powering a diverse range of devices and applications. Their high energy density, fast power response, recyclability, and mobility advantages have made them the preferred choice for numerous sectors. This paper explores the seamless integration of Prognostics and Health Management within batteries, presenting a multidisciplinary approach that enhances the reliability, safety, and performance of these powerhouses. Remaining useful life (RUL), a critical concept in prognostics, is examined in depth, emphasizing its role in predicting component failure before it occurs. The paper reviews various RUL prediction methods, from traditional models to cutting-edge data-driven techniques. Furthermore, it highlights the paradigm shift toward deep learning architectures within the field of Li-ion battery health prognostics, elucidating the pivotal role of deep learning in addressing battery system complexities. Practical applications of PHM across industries are also explored, offering readers insights into real-world implementations.This paper serves as a comprehensive guide, catering to both researchers and practitioners in the field of Li-ion battery PHM.

Supriya Khadka, Sanchari Das

In decentralized web applications, users face an inherent conflict between public verifiability and personal privacy. To participate in regulated on-chain services, users must currently disclose sensitive identity documents to centralized intermediaries, permanently linking real-world identities to public transaction histories. This binary choice between total privacy loss or total exclusion strips users of agency and exposes them to persistent surveillance. In this work, we introduce a Selective Disclosure Framework designed to restore user sovereignty by decoupling eligibility verification from identity revelation. We present ZK-Compliance, a prototype that leverages browser-based zero-knowledge proofs to shift the interaction model, enabling users to prove specific attributes (e.g., "I am over 18") locally without revealing the underlying data. We implement a user-governed Grant, Verify, Revoke lifecycle that transforms the user's mental model of compliance from a permanent data handover into a dynamic, revocable authorization session. Our evaluation shows that client-side proof generation takes under 200ms, enabling a seamless interactive experience on commodity hardware. This work provides early evidence that regulatory compliance need not come at the cost of user privacy or autonomy.

Shaghayegh Hosseinpour, Sanchari Das

Smishing, or SMS-based phishing, poses an increasing threat to mobile users by mimicking legitimate communications through culturally adapted, concise, and deceptive messages, which can result in the loss of sensitive data or financial resources. In such, we present a multi-channel smishing detection model that combines country-specific semantic tagging, structural pattern tagging, character-level stylistic cues, and contextual phrase embeddings. We curated and relabeled over 84,000 messages across five datasets, including 24,086 smishing samples. Our unified architecture achieves 97.89% accuracy, an F1 score of 0.963, and an AUC of 99.73%, outperforming single-stream models by capturing diverse linguistic and structural cues. This work demonstrates the effectiveness of multi-signal learning in robust and region-aware phishing.

Andrick Adhikari, Sanchari Das, Rinku Dewri

Natural Language Processing (NLP) is an essential subset of artificial intelligence. It has become effective in several domains, such as healthcare, finance, and media, to identify perceptions, opinions, and misuse, among others. Privacy is no exception, and initiatives have been taken to address the challenges of usable privacy notifications to users with the help of NLP. To this aid, we conduct a literature review by analyzing 109 papers at the intersection of NLP and privacy policies. First, we provide a brief introduction to privacy policies and discuss various facets of associated problems, which necessitate the application of NLP to elevate the current state of privacy notices and disclosures to users. Subsequently, we a) provide an overview of the implementation and effectiveness of NLP approaches for better privacy policy communication; b) identify the methodologies that can be further enhanced to provide robust privacy policies; and c) identify the gaps in the current state-of-the-art research. Our systematic analysis reveals that several research papers focus on annotating and classifying privacy texts for analysis but need to adequately dwell on other aspects of NLP applications, such as summarization. More specifically, ample research opportunities exist in this domain, covering aspects such as corpus generation, summarization vectors, contextualized word embedding, identification of privacy-relevant statement categories, fine-grained classification, and domain-specific model tuning.

Callie Monroe, Faiza Tazi, Sanchari Das

Governments, Healthcare, and Private Organizations in the global scale have been using digital tracking to keep COVID-19 outbreaks under control. Although this method could limit pandemic contagion, it raises significant concerns about user privacy. Known as ~"Contact Tracing Apps", these mobile applications are facilitated by Cellphone Service Providers (CSPs), who enable the spatial and temporal real-time user tracking. Accordingly, it might be speculated that CSPs collect information violating the privacy policies such as GDPR, CCPA, and others. To further clarify, we conducted an in-depth analysis comparing privacy legislations with the real-world practices adapted by CSPs. We found that three of the regulations (GDPR, COPPA, and CCPA) analyzed defined mobile location data as private information, and two (T-Mobile US, Boost Mobile) of the five CSPs that were analyzed did not comply with the COPPA regulation. Our results are crucial in view of the threat these violations represent, especially when it comes to children's data. As such proper security and privacy auditing is necessary to curtail such violations. We conclude by providing actionable recommendations to address concerns and provide privacy-preserving monitoring of the COVID-19 spread through the contact tracing applications.

Sanchari Das, Robert S. Gutzwiller, Rod D. Roscoe et al.

Computer security and user privacy are critical issues and concerns in the digital era due to both increasing users and threats to their data. Separate issues arise between generic cybersecurity guidance (i.e., protect all user data from malicious threats) and the individualistic approach of privacy (i.e., specific to users and dependent on user needs and risk perceptions). Research has shown that several security- and privacy-focused vulnerabilities are technological (e.g., software bugs (Streiff, Kenny, Das, Leeth, & Camp, 2018), insecure authentication (Das, Wang, Tingle, & Camp, 2019)), or behavioral (e.g., sharing passwords (Das, Dingman, & Camp, 2018); and compliance (Das, Dev, & Srinivasan, 2018) (Dev, Das, Rashidi, & Camp, 2019)). This panel proposal addresses a third category of sociotechnical vulnerabilities that can and sometimes do arise from non-inclusive design of security and privacy. In this panel, we will address users' needs and desires for privacy. The panel will engage in in-depth discussions about value-sensitive design while focusing on potentially vulnerable populations, such as older adults, teens, persons with disabilities, and others who are not typically emphasized in general security and privacy concerns. Human factors have a stake in and ability to facilitate improvements in these areas.

Sanchari Das, Andrew Kim, Sayar Karmakar

Due to the outbreak of COVID-19, users are increasingly turning to online services. An increase in social media usage has also been observed, leading to the suspicion that this has also raised cyberbullying. In this initial work, we explore the possibility of an increase in cyberbullying incidents due to the pandemic and high social media usage. To evaluate this trend, we collected 454,046 cyberbullying-related public tweets posted between January 1st, 2020 -- June 7th, 2020. We summarize the tweets containing multiple keywords into their daily counts. Our analysis showed the existence of at most one statistically significant changepoint for most of these keywords, which were primarily located around the end of March. Almost all these changepoint time-locations can be attributed to COVID-19, which substantiates our initial hypothesis of an increase in cyberbullying through analysis of discussions over Twitter.

Swapna Joshi, Kostas Stavrianakis, Sanchari Das

Geriatric depression is a common mental health condition affecting majority of older adults in the US. As per Attention Restoration Theory (ART), participation in outdoor activities is known to reduce depression and provide restorative benefits. However, many older adults, who suffer from depression, especially those who receive care in organizational settings, have less access to sensory experiences of the outdoor natural environment. This is often due to their physical or cognitive limitations and from lack of organizational resources to support outdoor activities. To address this, we plan to study how technology can bring the restorative benefits of outdoors to the indoor environments through augmented spatial natural soundscapes. Thus, we propose an interview and observation-based study at an assisted living facility to evaluate how augmented soundscapes substitute for outdoor restorative, social, and experiential benefits. We aim to integrate these findings into a minimally intrusive and intuitive design of an interactive augmented soundscape, for indoor organizational care settings.

Reyhan Duezguen, Peter Mayer, Sanchari Das et al.

Immersive technologies, including augmented and virtual reality (AR & VR) devices, have enhanced digital communication along with a considerable increase in digital threats. Thus, authentication becomes critical in AR & VR technology, particularly in shared spaces. In this paper, we propose applying the ZeTA protocol that allows secure authentication even in shared spaces for the AR & VR context. We explain how it can be used with the available interaction methods provided by Head-Mounted Displays. In future work, our research goal is to evaluate different designs of ZeTA (e.g., interaction modes) concerning their usability and users' risk perception regarding their security - while using a cross-cultural approach.

Ploy Unchit, Sanchari Das, Andrew Kim et al.

Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Behnood Momenzadeh, Shakthidhar Gopavaram, Sanchari Das et al.

In the age of ubiquitous technologies, security- and privacy-focused choices have turned out to be a significant concern for individuals and organizations. Risks of such pervasive technologies are extensive and often misaligned with user risk perception, thus failing to help users in taking privacy-aware decisions. Researchers usually try to find solutions for coherently extending trust into our often inscrutable electronic networked environment. To enable security- and privacy-focused decision-making, we mainly focused on the realm of the mobile marketplace, examining how risk indicators can help people choose more secure and privacy-preserving apps. We performed a naturalistic experiment with N=60 participants, where we asked them to select applications on Android tablets with accurate real-time marketplace data. We found that, in aggregate, app selections changed to be more risk-averse in the presence of user risk-perception-aligned visual indicators. Our study design and research propose practical and usable interactions that enable more informed, risk-aware comparisons for individuals during app selections. We include an explicit argument for the role of human decision-making during app selection, beyond the current trend of using machine learning to automate privacy preferences after selection during run-time.

Sanchari Das, Bingxing Wang, L. Jean Camp

Traditional single-factor authentication possesses several critical security vulnerabilities due to single-point failure feature. Multi-factor authentication (MFA), intends to enhance security by providing additional verification steps. However, in practical deployment, users often experience dissatisfaction while using MFA, which leads to non-adoption. In order to understand the current design and usability issues with MFA, we analyze aggregated user generated comments (N = 12,500) about application-based MFA tools from major distributors, such as, Amazon, Google Play, Apple App Store, and others. While some users acknowledge the security benefits of MFA, majority of them still faced problems with initial configuration, system design understanding, limited device compatibility, and risk trade-offs leading to non-adoption of MFA. Based on these results, we provide actionable recommendations in technological design, initial training, and risk communication to improve the adoption and user experience of MFA.

Sanchari Das, Bingxing Wang, Zachary Tingle et al.

Security vulnerabilities of traditional single factor authentication has become a major concern for security practitioners and researchers. To mitigate single point failures, new and technologically advanced Multi-Factor Authentication (MFA) tools have been developed as security solutions. However, the usability and adoption of such tools have raised concerns. An obvious solution can be viewed as conducting user studies to create more user-friendly MFA tools. To learn more, we performed a systematic literature review of recently published academic papers (N = 623) that primarily focused on MFA technologies. While majority of these papers (m = 300) proposed new MFA tools, only 9.1% of papers performed any user evaluation research. Our meta-analysis of user focused studies (n = 57) showed that researchers found lower adoption rate to be inevitable for MFAs, while avoidance was pervasive among mandatory use. Furthermore, we noted several reporting and methodological discrepancies in the user focused studies. We identified trends in participant recruitment that is indicative of demographic biases.

Sanchari Das, Andrew Kim, Zachary Tingle et al.

Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses legitimate risks to businesses, government agencies, and all users due to sensitive data breaches, subsequent financial and productivity losses, and social and personal inconvenience. Often, these attacks use social engineering techniques to deceive end-users, indicating the importance of user-focused studies to help prevent future attacks. We provide a detailed overview of phishing research that has focused on users by conducting a systematic literature review of peer-reviewed academic papers published in ACM Digital Library. Although published work on phishing appears in this data set as early as 2004, we found that of the total number of papers on phishing (N = 367) only 13.9% (n = 51) focus on users by employing user study methodologies such as interviews, surveys, and in-lab studies. Even within this small subset of papers, we note a striking lack of attention to reporting important information about methods and participants (e.g., the number and nature of participants), along with crucial recruitment biases in some of the research.