Cloudy with a Chance of Misconceptions

Cloud Office suites (Google Docs, Microsoft Office 365) are widely used and introduce security and privacy risks to documents and sensitive user information. Users may not know how, where and by whom their documents are accessible and stored.

We surveyed 200 office users from the U.S. and German-speaking countries about their experiences and perceptions with cloud office software.


This website is based on our findings in an academic publication:

First page of the publications
Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites
Dominik Wermke, Nicolas Huaman, Christian Stransky, Niklas Busch, Yasemin Acar, and Sascha Fahl.
Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), August 12-14, 2020.
View PDF Resources Cite Conference Page

Timeline:
Last Updated: 2020-08-12

2020-08-11
Presentation during the “Applications and User Perceptions” session at SOUPS 2020 (Video, Slides (PDF))
2020-05-19
Publication accepted at the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020).
2019-08-15

Overview

Office solutions are a common staple on today's computing devices. They are so common, that you probably have no problems identifying one if not all of their app icons below:

Logos of cloud office applications including Office 365, Google Drive, iCloud.

Figure 1: Logos of common cloud office applications. Can you identify them all?

Recently, most major office providers shifted their local-only applications to online cloud platforms. The major selling points for these cloud office platforms might as well be their most concerning (security & privacy) weaknesses:

  • Easy sharing of documents
  • Cloud storage of data
  • High similarity in design and UI to previously prevalent offline office software

And while cloud-connected office software has perks such as ease of access and sharing, it also introduces new security and privacy challenges formerly not found in their offline equivalents.

Problem(s)

Even if you don't use cloud office software, you are not safe from having your information processed online. Cloud-based office software is now widely used by companies, governments, and even schools.

Especially concerning is the storage of cloud data, which relates back to access rights and data safety. For example, in 2019 a German data protection commissioner banned cloud office app from schools, due to collected telemetry and potential access by U.S. officials:

“What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools the privacy-compliant use is currently not possible.”
Hessian commissioner of Data Protection and Freedom of Information.

While this specific case was resolved by placing dedicated severs directly within Germany. It highlights nonetheless the changed playing field for security and privacy in the now cloud-connected office apps.

Approach

With our study, we wanted to investigate the following aspects of cloud office usage:

  • If and how users interact with cloud office applications
  • Users’ awareness, perception, and attitudes are about security and privacy in cloud office apps.
  • Users’ understandings and basic mental models are, regarding protection, security, and access of their cloud office data.

For this, we developed a survey consisting of 9 sections, containing quantitative and qualitative aspects. Our survey had two versions, one in English with an US-focus, and a German-speaking version which we pretested with native speakers and tested as pre-surveys with 29 participants.

Number of MTurkers and Crowdworkers.

Figure 2: We conducted surveys with 200 U.S. crowd workers on Amazon’s Mechanical Turk and 95 German-speaking crowd workers on ClickWorker.

We conducted our surveys in mid 2019 on Amazon's Mechanical Turk and ClickWorker, the equivalent for German-speaking countries. After removing dropouts and filtering low-quality answers, we arrived at 200 final participants, 105 from the MTurk and 95 from ClickWorker.

Survey Structure

We surveyed both the German-speaking participants from ClickWorker and the English-speaking participants from Amazon’s Mechanical Turk with an almost identical survey.

The surveys included 9 sections ranging from general cloud office questions to personal beliefs about the responsibilities of cloud office providers:

Structure of the surveys consisting of 9 sections.

Figure 3: Illustration of the survey flow for both German and English surveys. Splits in the flow include a localized version of the ‘Responsibility’ block for Germany and the U.S. and a split for generalized scenarios vs. personalized which were randomly assigned to participants.

The survey versions differed slightly due to localized answer options (e.g., localized names for government agencies) and changes to concepts that do not exist or have a different privacy implication in German-speaking countries (e.g., social security number).

Findings

Overall, online office usage is quite prevalent among our participants, which often use the Google Drive or Microsoft Office 365 suites. Although the German-speaking participants still prefer offline Microsoft office by a slight margin.

Unsurprisingly, our participants prefer to store their documents on the platform they edit them with, that being in the cloud for online apps and locally for offline office software.

Our participants agree on the benefits of cloud-office software: free access without installation and easy collaboration.

Them seem to be aware of some security implications of processing their documents in the cloud, and prefer their local system in terms of security against unauthorized access. Although some assumptions regarding cloud security seem to be somewhat less developed.

In case of unauthorized access of their documents, most of our participants would like the cloud providers to inform them via email of the breach.

Recommendations

Based on our findings, we offer recommendations for groups associated with cloud office suites:

  • For Office Users: A number of self-hosted alternatives to cloud office applications, such as Seafile or NextCloud, allow for most of the cloud conveniences while you retain full control of your data.

  • For Cloud Providers: Since our participants were somewhat unsure about who actually has access to their documents, we recommend changes to user interfaces and sharing policies that will improve their awareness.

    In case of unauthorized access, we recommend notifications via email, as most of our participants prefer their provider to inform them this way. Participants also identified encryption as their preferred security measure their cloud office suite should employ for improved security.

  • For Researchers: Our study predates the COVID-19 outbreak, which probably makes studies investigating changed usage patterns and attitudes due to the lockdown to a low hanging fruit for further research.

Resources

Feel free to use the resources below for teaching or research to your heart's content.

Publication Abstract

Cloud Office suites such as Google Docs or Microsoft Office 365 are widely used and introduce security and privacy risks to documents and sensitive user information. Users may not know how, where and by whom their documents are accessible and stored, and it is currently unclear how they understand and mitigate risks.

We conduct surveys with 200 cloud office users from the U.S. and Germany to investigate their experiences and behaviours with cloud office suites. We explore their security and privacy perceptions and expectations, as well as their intuitions for how cloud office suites should ideally handle security and privacy.

We find that our participants seem to be aware of basic general security implications, storage models, and access by others, although some of their threat models seem underdeveloped, often due to lacking technical knowledge. Our participants have strong opinions on how comfortable they are with the access of certain parties, but are somewhat unsure about who actually has access to their documents. Based on our findings, we distill recommendations for different groups associated with cloud office suites, which can help inform future standards, regulations, implementations, and configuration options.

Presentation

SOUPS 2020

Survey Questions

Full Questionnaire

Survey

The following survey is the English version of the survey, the German version followed the same structure with nearly identical questions. Differences in questions included localization changes, e.g., for country-specific agencies and institutions. Question numbers were not displayed to the participants and order of answer options was generally randomized.

[Consent Form with contact information.]

Please indicate, in the box below, that you are at least 18 years old, have read and understood this consent form, and you agree to participate in this online research study.

  • I am age 18 or older.
  • I have read this consent form or had it read to me.
  • I am comfortable using the English language to participate in this study.
  • I have used cloud office software before (e.g., Google Drive or Microsoft Office 365).
  • I agree to participate in this research and I want to continue with the study.

Office Demographics

For this survey, we are interested in your experience with and use of Cloud Office Suites and applications. Cloud Office Application or Online Office Application are software that can be used to create office documents in a web browser, without requiring the installation of a dedicated software. Examples for Cloud Office Suites are Google Docs/Sheets/Slides, Microsoft Office 365, and LibreOffice Online.

Q1.1: Which office suites have you used before?
(Please select all that apply)

  • Microsoft Office (Offline; Word, Excel, Powerpoint, …)
  • Microsoft Office 365 (Cloud-based; Word, Excel, Powerpoint, …)
  • LibreOffice (Offline; Writer, Calc, …)
  • LibreOffice Online (Cloud-based; Writer, Calc, …)
  • Google Drive (Cloud-based; Docs, Sheets, Slides, …)
  • Apple's iWork App (Offline; Pages, Numbers. Keynote…)
  • Apple's iWork Web (Cloud-based; Pages, Numbers. Keynote…)
  • OnlyOffice
  • Other (please specify): ______

Q1.2: Which office suites have you used this month?
(Please select all that apply)

  • Microsoft Office (Offline; Word, Excel, Powerpoint, …)
  • Microsoft Office 365 (Cloud-based; Word, Excel, Powerpoint, …)
  • LibreOffice (Offline; Writer, Calc, …)
  • LibreOffice Online (Cloud-based; Writer, Calc, …)
  • Google Drive (Cloud-based; Docs, Sheets, Slides, …)
  • Apple's iWork App (Offline; Pages, Numbers. Keynote…)
  • Apple's iWork Web (Cloud-based; Pages, Numbers. Keynote…)
  • OnlyOffice
  • Other (please specify): ______

Q1.3: Does your job involve using office applications on a regular basis?

  • Yes
  • No
  • I don't know
  • I'd prefer not to answer

Q1.4: Which types of documents do you process with office suites? For this question, please give answers both for your job and your personal life.
(Please select all that apply)

  • Text (Reports, Letters, etc.)
  • Spreadsheets (Numbers, Dates, etc.)
  • Presentations
  • Calendar and Appointments
  • Emails
  • Other (please specify): ______

Q1.5: How do you store your documents? For this question, please give answers for any documents you might store, including personal and work documents, including but not limited to documents that you edit with office applications.
(Please select all that apply)

  • Locally on my computer
  • My office suite saves them online automatically.
  • Dropbox
  • Google Drive
  • Network Share
  • Self-hosted cloud service
  • OneDrive
  • iCloud
  • Other (please specify): ______

Q1.6: Why do you use cloud office applications (compared to local office applications)?
(Please select all that apply)

  • Provided or required by work
  • Easy remote access (e.g., from multiple devices)
  • Ease of collaboration
  • No installation required
  • Built-in backup of documents
  • Free / cheap access
  • Other (please specify): ______

Document Safety

Q2.1: Where do you think your documents are more secure from any unauthorized access?
[Matrix question, the scale for answers is:]

  • More secure on my computer
  • Somewhat more secure on my computer
  • Equally secure
  • Somewhat more secure in the cloud
  • More secure in the cloud
  • I don't know

[The questions are:]

  • Word documents
  • Presentations
  • Spreadsheets
  • E-Mails
  • Calendar and Appointments

Q2.2: Why (if at all) do you think your documents may be more secure on your computer?
[Free text field]

Q2.3: Why (if at all) do you think your documents may be more secure in the cloud?
[Free text field]

Document Access

Q3.1: Who else besides yourself might be able to access the documents you edit in cloud office applications?
(Please select all that apply)

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Cybercriminals (e.g., hackers or organized crime)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • Other (please specify): ______

[The following 3 questions are matrix questions with the following options:]

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Cybercriminals (e.g., hackers or organized crime)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)

Q3.2: Where do you think the risk is higher that the following parties can obtain unauthorized access to your cloud office documents?

  • Higher risk on my computer
  • Somewhat higher risk on my computer
  • Equal risk
  • Somewhat higher risk in the cloud
  • Higher risk in the cloud
  • I don't know

Q3.3: Do you think that any of these parties have already accessed your documents?

  • Yes
  • No
  • I don't know

Q3.4: Please rate your level of (dis)comfort with the potential access of these parties to your cloud office documents.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Q3.5: Who do you think would inform you if an unauthorized party or person accessed you documents?
(Please select all that apply)

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • The news
  • Scientists
  • Nobody would inform me
  • Other (please specify): ______

Q3.6: Who do you think should be responsible for informing you if an unauthorized party or person accessed your documents?
(Please select all that apply)

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • The news
  • Scientists
  • Nobody would inform me
  • Other (please specify): ______

Q3.7: How would you like to be informed if an unauthorized party or person accessed your cloud office documents?
[Free text field]

Document Storage

Q4.1: Do you think that multiple copies of your cloud office documents exist?
These can be documents that are shared with others or private documents.

  • Yes
  • No
  • I don't know
  • I'd prefer not to answer

Q4.2: [only shown if Q4.1 = Yes] For which purpose do you think these copies might exist?
[Free text field]

Q4.3: [only shown if Q4.1 = Yes] In which geographic locations do you think your cloud office documents and copies of these are stored?
[Free text field]

Q4.4: [only shown if Q4.1 = Yes] Which of the copies do you think are actually removed if you delete a cloud office document?

  • All
  • Mine and my collaborators’
  • Only mine
  • Only my collaborators’
  • None
  • I don't know
  • I'd prefer not to answer
  • Other (please specify): ______

Q4.5: [only shown if Q4.1 = Yes and Q4.4 != All] Where or with whom do you think copies remain?
[Free text field]

Q4.6: [only shown if Q4.1 = Yes and Q4.4 != All] For which purpose do you think that the copies remain?
[Free text field]

Q4.7: Who do you think can delete your documents?
(Please select all that apply)

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Cybercriminals (e.g., hackers or organized crime)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • Other (please specify): ______

Q4.8: Who do you think is responsible for protecting your data?
(Please select all that apply)

  • People I share the documents with
  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Cybercriminals (e.g., hackers or organized crime)
  • Law enforcement or intelligence agencies (e.g., police, FBI or NSA)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • Myself
  • The US-Government
  • Other (please specify): ______

Responsibility

Q5.1: Please indicate your agreement with the following statements:
[5 point-likert scale from Strongly agree to Strongly disagree + I don't know option]

  • Cloud office providers should offer adequate protection for cloud office documents (e.g., by encryption and well implemented security practices)
  • I should have the right to demand a full overview of my data collected by cloud office providers.
  • Upon my request, cloud office providers should have to show what they do with my documents and who has or had access.
  • Cloud office providers must be able to modify or delete any data they have on private individuals.

Q5.2: Please indicate your (dis)comfort with the following statements:
[5 point-likert scale from Completely comfortable to Completely uncomfortable + I don't know option]

  • Cloud providers can store my documents on servers outside of the US without legal repercussions.
  • US regulations and laws still apply if the documents are stored on servers outside of the US.
  • US law enforcement can access my cloud documents without a court order.
  • US law enforcement can force me to give up my cloud office password.

Q5.3: Where do you think the risk is higher of somebody obtaining unauthorized access to your documents if they are either stored on a server in Germany or the US?
[5 point-likert scale from "Higher risk for server in Germany" to "Higher risk for server in the US" + I don't know option]

  • My employer
  • My internet provider
  • The cloud office provider (e.g., Google or Microsoft)
  • My browser vendor (e.g., Google or Mozilla)
  • My operating system manufacturer (e.g., Apple or Microsoft)
  • Cybercriminals (e.g., hackers or organized crime)
  • Third parties (e.g., online advertisers or plugin developers)
  • The manufacturer of my computer hardware (e.g., Intel, AMD, Apple, or Lenovo)
  • US government
  • German governments
  • Foreign government (neither US nor German)

Personal Perception

[Only scenario block A or B was randomly shown to the participants]

Scenario A - Personalized Scenario

[Question order was randomized]

Below are listed three different scenarios. How comfortable do you feel with each approach?

Q6.A.1: Your child is required by the school to use a cloud office suite for tasks. The processed documents include private information such as your child's name and grades.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Q6.A.2: Your general practitioner uses a cloud office suite to process patient data. The processed documents include private information such as your name, age, weight, diagnosis, and treatment plan.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Q6.A.3: Your financial advisor uses a cloud office suite to process client data. The processed documents include private information such as your name, SSN, and financial information.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Scenario B - Generalized Scenario

[Question order was randomized]

Below are listed three different scenarios. How comfortable do you feel with each approach?

Q6.B.1: A school requires children to use a cloud office suite for tasks. The processed documents include private information such as children names and grades.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Q6.B.2: A doctor’s office uses a cloud office suite to process patient data. The processed documents include private information such as name, age, weight, diagnosis, and treatment plans.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Q6.B.3: A financial advisor’s office uses a cloud office suite to process client data. The processed documents include private information such as name, SSN, and financial information.

  • Completely comfortable
  • Somewhat comfortable
  • Neither
  • Somewhat uncomfortable
  • Completely uncomfortable
  • I don't know

Data Protection

Q7.1: What do you think - what data does the cloud office application collect when you process documents with it?
[Free text field]

Q7.2: How do you think documents processed by cloud office applications are protected?
[Free text field]

GDPR

Q8.1: Do you know what the GDPR is?

  • A data protection regulation in EU law
  • A plugin for Google Drive
  • A cloud office provider
  • A counter terrorism act in US law
  • I don't know
  • I'd prefer not to answer

Q8.2: [Only shown if Q8.1 = A data protection regulation in EU law] What do you think does the GDPR protect?
[Free text field]

Demographics

[We administered demographic questions at the end of the questionnaire to prevent stereotype bias.]

Q9.1: How old are you? (in years, e.g. 42. Optional)
[Free text field]

Q9.2: As which gender do you identify?

  • Male
  • Female
  • [Free text field]
  • I'd prefer not to answer

Q9.3: Do you have formal education (Bachelor’s degree or higher) in computer science, information technology, or a related field?

  • Yes
  • No
  • I'd prefer not to answer

Q9.4: Have you held a job in computer science, information technology, or a related field?

  • Yes
  • No
  • I'd prefer not to answer

Q9.5: Do you have any feedback or additional comments for us? (completely optional)
[Free text field]

Downloads

Filename Type Copyright
conf-soups-wermke20.pdf Publication PDF USENIX Open Access
survey.md Questionnaire Markdown -
soups2020-video-short-wermke.mp4 Presentation Video CC BY 2.0
soups2020-slides-short-wermke.pdf Presentation Slides CC BY 2.0

Cite This Page

If you want to reference this page, feel free to cite our related publication “Cloudy with a Chance of Misconceptions”:

@inproceedings{conf/soups/wermke20,
	title = {Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites},
	author = {Dominik Wermke and
		Nicolas Huaman and
		Christian Stransky and
		Niklas Busch and
		Yasemin Acar and
		Sascha Fahl},
	booktitle = {Sixteenth Symposium on Usable Privacy and Security, SOUPS 2020, August 12-14, 2020},
	month = {Aug},
	year = {2020},
	url = {https://www.usenix.org/conference/soups2020/presentation/wermke},
}
Download .bib
Wermke et al. Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites." Proceedings of the Sixteenth Symposium on Usable Privacy and Security. 2020.
Download .txt
Wermke, D., Huaman, N., Stransky, C., Busch, N., Acar, Y., & Fahl, S. (2020, August). Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security.
Download .txt
%0 Conference Proceedings
%T Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites
%A Wermke, Dominik
%A Huaman, Nicolas
%A Stransky, Christian
%A Busch, Niklas
%A Acar, Yasemin
%A Fahl, Sascha
%B Proceedings of the Sixteenth Symposium on Usable Privacy and Security
%D 2020
Download .enw
TY  - CONF
T1  - Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites
A1	- Wermke, Dominik
A1	- Huaman, Nicolas
A1	- Stransky, Christian
A1	- Busch, Niklas
A1	- Acar, Yasemin
A1	- Fahl, Sascha
JO  - Proceedings of the Sixteenth Symposium on Usable Privacy and Security
Y1  - 2020
ER  -
Download .ris