SOUPS 2024 Call for Papers The Twentieth Symposium on Usable Privacy and Security (SOUPS 2024) will take place August 11-13, 2024, and will be co-located with the 33rd USENIX Security Symposium in Philadelphia, PA, USA. In cooperation with USENIX, the Advanced Computing Systems Association Important Dates All dates are at 23:59 AoE (Anywhere on Earth) time. These are firm deadlines; no extensions will be granted. Mandatory Paper Registration Deadline: Thursday, February 8, 2024 Paper Submission Deadline: Thursday, February 15, 2024 Early Rejection Notification: Thursday, March 21, 2024 Author Response Period: Thursday, April 18–Thursday, April 25, 2024 Paper Notifications: Monday, May 13, 2024 Camera Ready Deadline: Monday, June 10, 2024 Symposium Organizers General Co-Chairs Patrick Gage Kelley, Google Apu Kapadia, Indiana University Bloomington Technical Papers Co-Chairs Katharina Krombholz, CISPA Helmholtz Center for Information Security Mainack Mondal, IIT Kharagpur Technical Papers Committee Svetlana Abramova, University of Innsbruck Taslima Akter, University of California, Irvine Nalin Asanka Gamagedara Arachchilage, The University of Auckland Hala Assal, Carleton University Adam J. Aviv, The George Washington University Alexandru Bardas, University of Kansas Lujo Bauer, Carnegie Mellon University Eleanor Birrell, Pomona College Kevin Butler, University of Florida Joe Calandrino, Federal Trade Commission Sonia Chiasson, Carleton University Camille Cobb, University of Illinois Urbana–Champaign Lynne Coventry, Northumbria University Sauvik Das, Carnegie Mellon University Sascha Fahl, CISPA Helmholtz Center for Information Security Cori Faklaris, University of North Carolina at Charlotte Yuanyuan Feng, University of Vermont Carrie Gates, Bank of America Maximilian Golla, CISPA Helmholtz Center for Information Security Julie Haney, National Institute of Standards and Technology Jun Ho, Huh, Samsung Research Bailey Kacsmar, University of Alberta Hassan Khan, University of Guelph Doowon Kim, University of Tennessee Hyoungshick Kim, Sungkyunkwan University Bart Knijnenburg, Clemson University Maina Korir, University of Suffolk Heather Lipford, University of North Carolina at Charlotte Sana Maqsood, York University Karola Marky, Ruhr University Bochum Abigail Marsh, Macalester College Peter Mayer, University of Southern Denmark Michelle Mazurek, University of Maryland Susan E. McGregor, Data Science Institute and Columbia University Imani Munyaka, University of California, San Diego Alena Naiakshina, Ruhr University Bochum Simon Parkin, Delft University of Technology Irwin Reyes, Two Six Technologies Joshua Reynolds, New Mexico State University Scott Ruoti, University of Tennessee Florian Schaub, University of Michigan Kent Seamons, Brigham Young University Elizabeth Stobert, Carleton University Jose Such, King's College London and Universitat Politecnica de Valencia Zhibo (Eric) Sun, Drexel University Nida ul Habib Bajwa, Saarland University Kami Vaniea, University of Waterloo Emanuel von, Zezschwitz, Google Josephine Wolff, Tufts University Fletcher School Yaxing Yao, Virginia Tech Daniel Zappala, Brigham Young University Yixin Zou, Max Planck Institute for Security and Privacy Mary Ellen Zurko, MIT Lincoln Laboratory Invited Talks Chair Heather Lipford, University of North Carolina at Charlotte Lightning Talks and Demos Co-Chairs Taslima Akter, University of California Irvine Alexandru Bardas, University of Kansas Lightning Talks and Demos Junior Co-Chair Eva Gerlitz, Fraunhofer FKIE Karat Award Chair Emilee Rader, University of Wisconsin—Madison Posters Co-Chairs Kovila P.L. Coopamootoo, King's College London Joshua Reynolds, New Mexico State University Posters Junior Co-Chair Sophie Stephenson, University of Wisconsin—Madison Tutorials and Workshops Co-Chairs Kelsey Fulton, Colorado School of Mines Daniel Votipka, Tufts University Tutorials and Workshops Junior Co-Chair Sabrina Amft, CISPA Helmholtz Center for Information Security Mentoring Co-Chairs Sauvik Das, Carnegie Mellon University Sana Maqsood, York University Mentoring Junior Co-Chairs Nicholas Huaman, Leibniz University Hannover Tanusree Sharma, University of Illinois at Urbana–Champaign Publicity Co-Chairs Yaxing Yao, Virginia Tech Yixin Zou, Max Planck Institute Planck Institute Email List Chair Lorrie Faith Cranor, Carnegie Mellon University Accessibility Chair Liz Markel, USENIX Association USENIX Liaison Casey Henderson-Ross, USENIX Association Overview The 2024 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature: Technical papers, including replication papers and systematization of knowledge papers Workshops and tutorials A poster session Lightning talks Technical Papers We invite authors to submit previously unpublished papers describing research or experience in all areas of usable privacy and security. We welcome a variety of research methods, including both qualitative and quantitative approaches. Papers will be judged on their scientific quality, overall quality, and contribution to the field. Topics include, but are not limited to: Innovative security or privacy functionality and design Field studies of security or privacy technology Usability evaluations of new or existing security or privacy features Security testing of new or existing usability features Longitudinal studies of deployed security or privacy features Studies of administrators or developers and support for security and privacy Organizational policy or procurement decisions and their impact on security and privacy Lessons learned from the deployment and use of usable privacy and security features Foundational principles of usable security or privacy Ethical, psychological, sociological, or anthropological aspects of usable security and privacy Usable security and privacy implications/solutions for specific domains (e.g., IoT, medical, vulnerable populations) Replicating or extending important previously published studies and experiments Systematization of knowledge papers that integrate and systematize existing knowledge to provide new insight into a previously studied area Paper Registration: Technical papers must be registered by February 8, 2024. Registration is mandatory for all papers. Registering a paper in the submission system requires filling out all the fields of the online form that describe the submission, but does not require uploading a PDF of the paper. This information must describe the paper accurately, in sufficient detail to assign appropriate reviewers. Placeholder, incomplete, or inaccurate titles and abstracts may result in rejection without review. Paper Submission: Technical papers must be uploaded as PDFs by February 15, 2024 (but note the mandatory February 8 registration deadline above). All submissions must follow the guidelines described below. Submissions that violate any of the requirements below may be rejected without review. Contact the program chairs prior to submission at soups24chairs@usenix.org if you have any questions about these requirements. Format and Page Limits: Papers must use the SOUPS formatting template (available for MS Word or LaTeX) and be submitted as a PDF via the web submission system. Submissions must be no more than 12 pages (excluding acknowledgments, bibliography, and appendices). For the body of your paper, brevity is appreciated, as evidenced by the fact that many published papers in prior years have been well under this limit. Submissions may include as many additional pages as needed for references and for supplementary material in appendices. The paper should stand alone without the supplementary material. We encourage authors to use the appendices for content that is peripheral to the main contributions of the paper but that may interest some readers or that may facilitate replication. Note that members of the program committee are free to not read this material when reviewing the paper. Camera-ready versions of accepted papers have an official limit of 12 pages (excluding acknowledgments, bibliography, and appendices) and 20 pages total including references and appendices. The program committee chairs will grant any extension they determine reasonable to accommodate references and supplemental material. Paper Content: Papers need to describe the purpose and goals of the work, cite related work, show how the work effectively integrates usability or human factors with security or privacy, and clearly indicate the innovative aspects of the work or lessons learned as well as the contribution of the work to the field. The paper abstracts should contain a sentence summarizing the contribution to the field and literature. All submissions must clearly relate to the human aspects of security or privacy. Papers on security or privacy that do not address usability or human factors will not be considered. Likewise, papers on usability or human factors that do not address security or privacy will not be considered. The determination of whether a paper is within scope will be solely at the discretion of the program committee chairs. Your paper and research approach—including research instruments—should be inclusive and respectful. A variety of guidance exists on this topic. Please be sure to follow guidance on language use from the USENIX statement on racism and Black, African-American, and African Diaspora inclusion. Systematization of Knowledge Papers: We are soliciting Systematization of Knowledge (SoK) papers that integrate and systematize existing knowledge to provide new insight into a previously studied area of usable security or privacy. SoK papers should draw on prior work to put forth a new taxonomy, argument, or observation in an area in which substantial work has already been done. SoK papers should be more than a survey or summary of prior work in an area. SoK papers will be held to the same scientific and presentation standards as other technical papers. Please prefix the title of these papers with "SoK:" and check the SoK checkbox on the submission form to flag them for the review process. Replication Papers: In addition to original work, we are soliciting well-executed replication studies that meaningfully confirm, question, or clarify the result under consideration. Please prefix the title of these papers with the word "Replication:" for the review process. Replication papers should aim to replicate important/influential findings from the literature. They may not necessarily offer new or unexpected findings; papers confirming previous findings are also considered contributions. Replication of a result that has already been replicated many times is less valuable. Replication of an obscure study that originally had only minimal influence on the community is less valuable. Authors should clearly state why they conducted a replication study, describe the methodological differences precisely, and compare their findings with the results from the original study. Replication papers will be held to the same scientific standards as other technical papers. They should use currently accepted methodologies and technologies. Authors should not reuse outdated methods/technologies simply because they were used in the original paper. Replications may follow the same protocol as the original study, or may vary one or more key variables to see whether the result is extensible (e.g., re-running a study with a sample from a different population). Anonymous Submission: Reviewing is anonymous. No names or affiliations should appear on the title page or in the body of the paper, acknowledgments should be removed, and papers should avoid revealing the authors' identities in the text (e.g., don't name a specific organization's ethics review board or similar) or in the PDF metadata. Any references to the authors' own work should be made in the third person, as if it was work by someone else. Appendices and figures should also be de-identified (e.g., do not leave logos or contact info on study materials, and remove identifying URLs from screenshots). Please ensure all author names, affiliations, URLs, etc. have been removed; even minor mistakes may result in rejection without review. Contact the program chairs at soups24chairs@usenix.org if you have any questions. Overlap with Previous Papers: USENIX policy prohibits simultaneous submission of the same work to multiple venues, submission of previously published work, and plagiarism. SOUPS further prohibits the submission of substantially similar work to multiple venues. On the recommendation of a program chair, USENIX may take action against authors who have committed these practices. Any overlap between your submitted paper and other work either under submission, previously published, or submitted elsewhere before the SOUPS notification deadline must be documented in an explanatory note sent to the chairs. If a subsequent overlapping submission is made during the review process, the chairs should be notified. State precisely how the two works differ in their goals, share experiments or data sources, and offer unique contributions. If the other work is under submission elsewhere, the program committee may ask to review that work to evaluate the overlap. Please note that program committees frequently share information about papers under review and reviewers usually work on multiple conferences simultaneously. Technical reports, e.g., arXiv reports, are exempt from this rule. If in doubt, please contact the program chairs at soups24chairs@usenix.org for advice. Self-plagiarism includes verbatim or near-verbatim use of one's own published work without citing the original source, and is generally not acceptable. In some cases, it may be acceptable to include a brief portion of selected content from the introduction, background, related work, or methods of a closely related paper. In these cases, the original paper must be explicitly referenced and the overlap should be clear to the reader. The reused content must not be part of the main contributions of the paper and, where possible, rewriting the text is preferred. Papers with significant text reuse may be rejected because of too much overlap. If in doubt, please contact the program chairs at soups24chairs@usenix.org for advice. Appendices: Authors may attach to their paper supplementary appendices containing study materials (e.g., survey instruments, interview guides, etc.) that would not otherwise fit within the body of the paper. These appendices may also include any material that could assist reviewers with questions that fall outside the stated contribution of your paper on which your work is to be evaluated. Appendices can include links (e.g. to a working prototype or source code repository or data repository); please include full links (not shortened ones), and try to use long-term archives like osf.io or Dataverse for online appendices. Reviewers are not required to read any appendices, so your paper should be self contained without them. We note that in recent years, inclusion of study materials as appendices has become very common, and reviewers may choose to refer to appendices for clarification or confirmation. Accepted papers will be published online with their supplementary appendices included. Conflicts of Interest: The submission system will request information about conflicts of interest between the paper's authors and program committee (PC) members, including a brief explanation. It is the full responsibility of all authors of a paper to identify their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when one or more of the following conditions holds: The PC member shared an institutional affiliation with the author in the prior two years. The PC member was the advisor or advisee of the author at any time. The PC member has collaborated or published with the author in the prior two years. The PC member is serving as the sponsor or administrator of a grant that funds the author's research. The PC member is a close personal friend or relative of the author. We recognize that special circumstances may exist, such as deep personal animosity. If you have any questions or concerns, please contact the program chairs at soups24chairs@usenix.org. Ethical Research: User studies should follow the basic principles of ethical research, including beneficence (maximizing the benefits to an individual or to society while minimizing harm to the individual), minimal risk (appropriateness of the risk versus benefit ratio), voluntary consent, respect for privacy, and limited deception. Studies that rely on crowdworkers can incur additional ethical obligations, including but not limited to paying a fair wage. If images of participants are included in the paper, make sure that these images will not create potential risk for participants and that the informed consent covers potential publication of participant images. All papers, especially those with human subjects studies, are expected to discuss ethical considerations. Risks and benefits of the presented research should be weighed. Methodological decisions should be justified. Authors may be asked to provide additional explanations should questions arise during the review process. If your organization or institution requires formal clearance for research with human subjects, your paper may be rejected if clearance is not obtained. However, such clearance alone does not guarantee acceptance, and the program committee may reject a paper on ethical grounds. Early Rejections: Papers that receive substantially negative initial reviews will be rejected early. The authors of early-rejected papers, and only such papers, will receive a copy of their initial reviews. At this point, papers are no longer considered under submission (except if authors appeal). Authors who substantively disagree with the reviews can appeal to the program committee chairs. Authors' appeals must clearly and explicitly identify concrete disagreements with factual statements in the initial reviews. Appealing a submission that was rejected early will keep it under consideration, and it cannot be withdrawn or resubmitted elsewhere until the final notification of acceptance or rejection. Response: A response period will occur after the second round of reviews. Authors will be given a chance to see reviews, and they may provide a short response that will be considered in subsequent discussions. Due to time constraints, the response period is fairly short. Please ensure that you reserve enough time between April 18 and 25 for the response process. Late responses will not be accepted. Presentation: For accepted papers, we require at least one of the paper authors to attend the conference and present the work. However, in exceptional cases, authors of accepted papers may present remotely with permission from the PC Co-Chairs. If you have any questions, please contact the program chairs at soups24chairs@usenix.org. Credits * Overlap with Previous Papers policy adapted from USENIX Security 2021 * Conflict of Interest policy adapted from USENIX Security 2020 * Early Rejection policy adapted from IEEE Symposium on Security and Privacy 2017 * Replication papers description adapted from Elsevier Journal of Molecular and Cellular Cardiology * SoK papers description adapted from IEEE Symposium on Security and Privacy 2018