Lorrie Faith Cranor
"UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not."
Affiliations: I came to Carnegie Mellon University in 2003 after seven years at AT&T Labs-Research. I am a faculty member in the Institute for Software Research in the School of Computer Science and in the Engineering and Public Policy department in the College of Engineering. I am director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy masters program. I am also affiliated with the Ph.D. Program in Computation, Organizations and Society, CyLab, the Electrical & Computer Engineering Department, and the Human-Computer Interaction Institute. I am a member of the Electronic Frontier Foundation Board of Directors and the Future of Privacy Forum Advisory Board. In 2008 I co-founded a company, Wombat Security Technologies, to commercialize some of our anti-phishing research.
Consulting: I consult for companies and non-profits on privacy policies, P3P, usable privacy and security, and technology policy. I have also served as an expert witness in patent litigation and in privacy cases, and in cases challenging the constitutionality of Internet harmful-to-minors laws, including the ACLU's successful challenge to the 1998 Children's Online Protection Act. I currently do expert witness consulting through Harbor Labs.
Prospective graduate students and visiting students, please read this before you send me email!
The following is a list of selected publications arranged chronologically (and not always up to date). It represents about one third of my publication list. If you can't find what you are looking for here, see the publications section of my resume for a complete publications list sorted by publication type. Or see the CUPS website for a list of recent publications sorted by topic (this is what is usually most up to date). See also my ACM Digital Library author page or Google Scholar page.
P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.
P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012. [Extended version available as CyLab tech report]
S. Komanduri, R. Shay, G. Norcie, B. Ur, L.F. Cranor. AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. Forthcoming in I/S: A Journal of Law and Policy for the Information Society 2012.
J. Wiese, P.G. Kelley, L.F. Cranor, L. Dabbish, J.I. Hong and J. Zimmerman. Are You Close with Me? Are You Nearby? Investigating Social Groups, Closeness, and Willingness to Share. UbiComp 2011.
Y. Wang, S. Komanduri, P.G. Leon, G. Norcie, A. Acquisti, L.F. Cranor. I regretted the minute I pressed share: A Qualitative Study of Regrets on Facebook. SOUPS 2011.
Y. Wang, G. Norcie, L.F. Cranor. Who Is Concerned about What? A Study of American, Chinese and Indian Users' Privacy Concerns on Social Network Sites. 4th International Conference on Trust & Trustworthy Computing (TRUST 2011).
C. Bravo-Lillo, L.F. Cranor, J.S. Downs, S. Komanduri. Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy, 2011: 18-26.
C. Bravo-Lillo, L.F. Cranor, J.S. Downs, S. Komanduri, M. Sleeper. Improving Computer Security Dialogs. In Proceedings of 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT'2011), 2011, pp.18-35.
P. G. Kelley, R. Brewer, P. Mayer, L. F. Cranor, and N. Sadeh. An investigation into facebook friend grouping. In Proceedings of 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT'2011), 2011.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. CyLab Technical Report cmu-cylab-11-008, August 21, 2011.
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011. CHI 2011 Honorable Mention.
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.
Kelley, P.G., Benisch, M., Cranor, L.F., and Sadeh, N. When Are Users Comfortable Sharing Locations with Advertisers? CHI 2011.
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor. Exploring reactive access control. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.
Encountering Stronger Password Requirements: User Attitudes and Behaviors. Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor. SOUPS 2010.
P.G. Leon, L.F. Cranor, A.M. McDonald, and R. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens. WPES 2010.
A.M. McDonald and L.F. Cranor. Beliefs and Behaviors: Internet Users' Understanding of Behavioral Advertising. 38th Research Conference on Communication, Information and Internet Policy. October 2, 2010.
A.M. McDonald and L.F. Cranor. Americans' Attitudes About Internet Behavioral Advertising Practices. WPES 2010.
B. Meeder, J. Tam, P.G. Kelley, and L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Security and Privacy 2010 (W2SP 2010). May 20, 2010.
A.M. McDonald and L.F. Cranor. An Empirical Study of How People Perceive Online Behavioral Advertising. Carnegie Mellon CyLab Technical Report CMU-CyLab-09-015, November 10, 2009.
P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010 [originally published as Carnegie Mellon CyLab Technical Report CMU-CyLab-09-014, November 10, 2009].
M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010.
J. Downs, M. Holbrook, S. Sheng, and L. Cranor. Are Your Participants Gaming the System? Screening Mechanical Turk Workers. CHI 2010.
S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs. Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. CHI 2010.
J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009.
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.
L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.
The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. (with A. McDonald)
Can Phishing Be Foiled? Scientific American, December 2008.
Perspective: Semantic Data Management for the Home. Brandon Salmon, Steven W. Schlosser, Lorrie Faith Cranor, Gregory R. Ganger. 7th USENIX Conference on File and Storage Technologies (FAST'09). February 24-27, 2009, San Francisco, CA.
Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February, 2009, pp. 67-82. (with S. Spiekermann)
L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008.
P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293 (with S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury).
A User Study of Policy Creation in a Flexible Access-Control System. In CHI 2008: Conference on Human Factors in Computing Systems (with L. Bauer, R.W. Reeder, M.K. Reiter, and K. Vaniea).
Expandable Grids for Visualizing and Authoring Computer Security Policies. In CHI 2008: Conference on Human Factors in Computing Systems (with R.W. Reeder, L. Bauer, M.K. Reiter, K. Bacon, K. How, and H. Strong).
You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI 2008: Conference on Human Factors in Computing Systems (with S. Egelman and J. Hong).
Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81 (with P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, and J. Hong).
Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with L. Bauer, M. Reiter, and K. Vaniea).
Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, J. Hong, and E. Nunge).
Scrubbing Stubborn Data: An evaluation of counter-forensic privacy tools. IEEE Security & Privacy, September/October 2006, p. 16-25 (with M. Geiger).
Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Downs and M. Holbrook).
Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with C. Kuo and S. Romanosky).
User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction 13(2), June 2006, 135-178 (with P. Guduru and M. Arjula).
Book: Security and Usability: Designing Secure Systems That People Can Use (2005). Lorrie Faith Cranor and Simson Garfinkel, eds. (2005) Sebastopol, CA: O'Reilly & Associates, Inc.
Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, p.90-96. (with B. Kowitz).
An analysis of security vulnerabilities in the movie production and distribution process. (August-September 2004). Telecommunications Policy 28(7-8):619-644. (with S. Byers, E. Cronin, D. Korman, and P. McDaniel)
'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.
Book: Web Privacy with P3P (2002). Lorrie Faith Cranor. Sebastopol, CA: O'Reilly & Associates, Inc.
Can user agents accurately represent privacy notices? The 30th Research Conference on Communication, Information and Internet Policy (TPRC2002) 28-30 September, 2002 Alexandria, Virginia (with Joel Reidenberg).
The role of privacy advocates and data protection authorities in the design and deployment of the platform for privacy preferences. Proceedings of the 12th Conference on Computers, Freedom and Privacy, April 16-19, 2002, San Francisco, CA.
Voting After Florida: No Easy Answers. Ubiquity: An ACM IT Magazine and Forum. Issue 47 (February 13-19, 2001).
Ten years of computers, freedom, and privacy: a personal retrospective. Proceedings of the Tenth Conference on Computers, Freedom and Privacy: Challenging the Assumptions, April 4 - 7, 2000, Toronto, ON Canada, p. 11-15.
Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. (with P. Resnick).
Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences. Proceedings of the ACM Conference on Electronic Commerce (EC'99), 3-5 November 1999, Denver, Colorado, p. 1-8 (with M. Ackerman and J. Reagle).
Privacy Critics: UI Components to Safeguard Users' Privacy. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'99), short papers (v.2.), p. 258-259. (with M. Ackerman)
Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA (with R. Cytron).
Declared-Strategy Voting: An Instrument for Group Decision-Making. Washington University Dissertation. December 1996.