End-users have become accustomed to the ease with which cloud-based systems allow them to exchange messages, pictures, and other files with colleagues, friends, and family. This convenience, however, typically comes at the expense of disclosing this (often highly personal) information to the service provider in the process. Furthermore, users have little control over which third parties - e.g., storage providers, unauthorized friends, hackers, advertisement companies, and governmental agencies - access their data. Several studies have identified security and privacy as the biggest concerns for companies when adopting cloud-based solutions, but not much is known about end-users' attitudes and practices. Given the large amount of personal information that users often disclose on such platforms, detractors claim that users care little or not at all about their privacy. To disprove such beliefs, we conducted an extensive cross-cultural study. Our results show that consumers have strong privacy concerns, trust local storage more than the cloud when storing sensitive data, and are only partially aware of the risks they face in the cloud. Based on this initial study, we identify the need for novel, user-centered security mechanisms to help non-technical users protect the information they share in the cloud.

A number of systems have been proposed to limit the service providers’ access to this information, yet these systems typically require trusted servers, are platform-specific (e.g., work for Facebook only), or fail to hide that confidential communication is taking place. In this thesis, we present a novel system that enables users to share data over any web-based cloud storage platform, while both protecting the confidentiality of the communicated data and hiding the fact that the exchanged data is confidential.
We provide a proof-of-concept implementation of our system in the form of a publicly available Firefox plugin, and demonstrate the viability of our approach through a performance evaluation.

To bootstrap secure communications in systems like the one we propose, current solutions leave it as an exercise for the user to manually verify key material (e.g., public key fingerprints) through offline channels with potentially hundreds of online contacts. Instead, in our system, we take advantage of users’ encounters and verify keys automatically through a secure, direct connection between users' mobile devices. The usability of the device pairing protocol used to establish the secure connection is crucial, as overly complex mechanisms might prompt users to choose a lower security level, or lead them to abandon security altogether. To this end, we conducted a comparative usability study of existing device pairing methods. Unlike previous work, our study places pairing tasks in specific real-life situations. Our results disprove the commonly held belief that users always choose the easiest method. Instead, users prefer different methods in different situations, depending on their time constraints, relationship to the interacting partner, social conventions appropriate for the place, and perceived security needs and guarantees.