Lorrie Faith Cranor's Home Page

Lorrie Faith Cranor

lorrie.cranor.org

"UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not."

--Dr. Seuss, from The Lorax

Research: My research focuses on usable privacy and security. My current projects fall into several overlapping areas: privacy decision making (including applications of P3P), user-controllable security and privacy (including location-sharing privacy and file access control in the home), and usable cyber trust indicators, and and usable and secure passwords. Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution proces, and other topics.

Affiliations: I came to Carnegie Mellon University in 2003 after seven years at AT&T Labs-Research. I am a faculty member in the Institute for Software Research in the School of Computer Science and in the Engineering and Public Policy department in the College of Engineering. I am director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy masters program. I am also affiliated with the Ph.D. Program in Computation, Organizations and Society, Cylab,the Electrical & Computer Engineering Department, and the Human-Computer Interaction Institute. I am a member of the Electronic Frontier Foundation Board of Directors and the The Future of Privacy Forum Advisory Board. In 2008 I co-founded a company, Wombat Security Technologies, to commercialize some of our anti-phishing research.

Consulting: I consult for companies and non-profits on privacy policies, P3P, usable privacy and security, and technology policy. I have also served as an expert witness in patent litigation and in privacy cases, and in cases challenging the constitutionality of Internet harmful-to-minors laws, including the ACLU's successful challenge to the 1998 Children's Online Protection Act. I currently do expert witness consulting through Harbor Labs.

Personal: I spend most of my free time with my husband (Chuck), son (Shane), and daughters (Maya and Nina). I walk to work, practice yoga, take lots of photos, and design and create quilts.

See also, my bio, resume, press clippings, blog, and everything else....

Prospective graduate students and visiting students, please read this before you send me email!

Highlights

My guide to Facebook's privacy options published in the WSJ
New paper reflecting on the P3P experience: Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice -- see also related blog post

During my sabbatical for the 2012-13 academic year I will be a fellow at the Carnegie Mellon STUDIO for Creative Inquiry - you can read more on my blog
We published two new user studies on online behavioral advertising on April 2: Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising and What Do Online Behavioral Advertising Disclosures Communicate to Users?
My thoughts on defaults and do not track
Column in March/April 2012 IEEE Security & Privacy: Can Users Control Online Behavioral Advertising Effectively?
Lots of news at the end of February 2012 on P3P privacy standard, IE cookie circumvention, and White House privacy announcement. Long interview with me on ReadWrite: Part 1 and Part 2
Our report: Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising

Our report: AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements
My review of IE9 privacy features
Our report on using P3P to misrepresent website privacy policies
CMU Usable Privacy and Security Doctoral Training Program
Symposium On Usable Privacy and Security (SOUPS) 2012 will be held in Washington, DC July 11-13, 2012
My Security and Usability book (co-edited with Simson Garfinkel) discusses how to design secure systems that people can use
I helped the CMU Graduate Student Assembly establish a New Mothers' Room that provides a private place for new mothers to pump breast milk.

Teaching

Previous semesters

5-899 / 08-534 / 08-734: Usable Privacy and Security (FA11, FA09, SP08, SP07, SP06)
8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology (FA10,FA08, FA07, FA05, FA04, SP04)
15-290 / 17-290 / 19-211: Special Topics: Computers and Society (SP07, SP06, SP05)
EPP Undergraduate Project (SP09 Carrying Capacity, SP10 Privacy, SP11 Green Printing, SP12 Emergency Messaging with Social Media)
COS PhD seminar (SP06, FA05, SP05, FA04)
08-709 Privacy Technology (MSIT eBusiness Program) (SP12, SP11, SP10, SP09, SP08, SP07, SP06)
ISR Seminar Series

Students

Current PhD Students: Rebecca Balebako, EPP
Cristian Bravo Lillo, EPP
Patrick Kelley, COS (Co-advisor: Norman Sadeh)
Saranga Komanduri, COS
Pedro Leon, EPP
Rich Shay, COS
Manya Sleeper, COS
Blase Ur, COS
Kami Vaniea, CSD
Graduated PhD Students (advisor): Serge Egelman, COS PhD 2009
Ponnurangam Kumaraguru, COS PhD 2009
Aleecia McDonald, EPP
Rob Reeder, CSD PhD 2008
Steve Sheng, EPP PhD 2009
Janice Tsai, EPP PhD 2009
Graduated PhD Students (committee member): Varun Dutt, EPP PhD 2011
Patrick Feng, PhD 2002 Rensselaer Polytechnic Institute
Cynthia Kuo, EPP PhD 2008
Elaine Newton, EPP PhD 2009
Kursat Ozenc, Design PhD 2011
Brandon Salmon, ECE PhD 2009
Karen Tang, HCII PhD 2010

Selected Publications

The following is a list of selected publications arranged chronologically (and not always up to date). It represents about one third of my publication list. If you can't find what you are looking for here, see the publications section of my resume for a complete publications list sorted by publication type. Or see the CUPS website for a list of recent publications sorted by topic (this is what is usually most up to date). See also my ACM Digital Library author page or Google Scholar page.

P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.

P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012. [Extended version available as CyLab tech report]

S. Komanduri, R. Shay, G. Norcie, B. Ur, L.F. Cranor. AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. Forthcoming in I/S: A Journal of Law and Policy for the Information Society 2012.

J. Wiese, P.G. Kelley, L.F. Cranor, L. Dabbish, J.I. Hong and J. Zimmerman. Are You Close with Me? Are You Nearby? Investigating Social Groups, Closeness, and Willingness to Share UbiComp 2011.

Y. Wang, S. Komanduri, P.G. Leon, G. Norcie, A. Acquisti, L.F. Cranor. I regretted the minute I pressed share: A Qualitative Study of Regrets on Facebook. SOUPS 2011.

Y. Wang, G. Norcie, L.F. Cranor. Who Is Concerned about What? A Study of American, Chinese and Indian Users Privacy Concerns on Social Network Sites. 4th International Conference on Trust & Trustworthy Computing (TRUST 2011).

C. Bravo-Lillo, L.F. Cranor, J.S. Downs, S. Komanuri. Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy, 2011: 18-26.

C. Bravo-Lillo, L.F. Cranor, J.S. Downs, S. Komanduri, M. Sleeper. Improving Computer Security Dialogs. In Proceedings of 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT'2011), 2011, pp.18-35.

P. G. Kelley, R. Brewer, P. Mayer, L. F. Cranor, and N. Sadeh. An investigation into facebook friend grouping. In Proceedings of 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT'2011), 2011.

Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. CyLab Technical Report cmu-cylab-11-008, August 21, 2011.

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011. CHI 2011 Honorable Mention.

Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

Kelley, P.G., Benisch, M., Cranor, L.F., and Sadeh, N. When Are Users Comfortable Sharing Locations with Advertisers? CHI 2011.

Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor. Exploring reactive access control. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

Encountering Stronger Password Requirements: User Attitudes and Behaviors. Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor. SOUPS 2010.

P.G. Leon, L.F. Cranor, A.M. McDonald, and R. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens WPES 2010.

A.M. McDonald and L.F. Cranor. Beliefs and Behaviors: Internet Users' Understanding of Behavioral Advertising. 38th Research Conference on Communication, Information and Internet Policy. October 2, 2010.

A.M. McDonald and L.F. Cranor. Americans' Attitudes About Internet Behavioral Advertising Practices. WPES 2010.

B. Meeder, J. Tam, P.G. Kelley, and L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Security and Privacy 2010 (W2SP 2010). May 20, 2010.

A.M. McDonald and L.F. Cranor. An Empirical Study of How People Perceive Online Behavioral Advertising. Carnegie Mellon CyLab Technical Report CMU-CyLab-09-015, November 10, 2009.

P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010 [originally published as Carnegie Mellon CyLab Technical Report CMU-CyLab-09-014, November 10, 2009].

M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010.

J. Downs, M. Holbrook, S. Sheng, and L. Cranor. Are Your Participants Gaming the System? Screening Mechanical Turk Workers. CHI 2010.

S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs. Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. CHI 2010.

J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009.

A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Techonologies Symposium 2009.

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-Word Evaluation of Anti-Phishing Training. SOUPS 2009.

P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009

S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.

L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.

The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. (with A. McDonald)

Can Phishing Be Foiled?. Scientific American, December 2008.

Perspective: Semantic Data Management for the Home. Brandon Salmon, Steven W. Schlosser, Lorrie Faith Cranor, Gregory R. Ganger. 7th USENIX Conference on File and Storage Technologies (FAST'09). February 24-27, 2009, San Francisco, CA.

Engineering Privacy. IEEE Transactions on Software Engineering. Vo. 35, No. 1, January/February, 2009, pp. 67-82. (with S. Spiekermann)

L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008.

P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293 (with S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury).

A User Study of Policy Creation in a Flexible Access-Control System. In CHI 2008: Conference on Human Factors in Computing Systems (with L. Bauer, R.W. Reeder, M.K. Reiter, and K. Vaniea).

Expandable Grids for Visualizing and Authoring Computer Security Policies. In CHI 2008: Conference on Human Factors in Computing Systems (with R.W. Reeder, L. Bauer, M.K.Reiter, K. Bacon, K. How, and H. Strong).

You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI 2008: Conference on Human Factors in Computing Systems (with S. Egelman and J. Hong).

Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81 (with P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, and J. Hong).

Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with L. Bauer, M. Reiter, and K. Vaniea).

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, J. Hong, and E. Nunge).

Scrubbing Stubborn Data: An evaluation of counter-forensic privacy tools. IEEE Security & Privacy, September/October 2006, p. 16-25 (with M. Geiger).

Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Downs and M. Holbrook).

Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with C. Kuo and S. Romanosky).

User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction 13(2) , June 2006, 135-178 (with P. Guduru and M. Arjula).

Book: Security and Usability: Designing Secure Systems That People Can Use (2005). Lorrie Faith Cranor and Simson Garfinkel, eds. (2005) Sebastopol, CA: O'Reilly & Associates, Inc.

Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, p.90-96. (with B. Kowitz).

An analysis of security vulnerabilities in the movie production and distribution process. (August-September 2004). Telecommunications Policy 28(7-8):619-644. (with S. Byers, E. Cronin, D. Korman, and P. McDaniel)

'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.

Book: Web Privacy with P3P (2002). Lorrie Faith Cranor. Sebastopol, CA: O'Reilly & Associates, Inc.

Can user agents accurately represent privacy notices?. The 30th Research Conference on Communication, Information and Internet Policy (TPRC2002) 28-30 September, 2002 Alexandria, Virginia (with Joel Reidenberg).

The role of privacy advocates and data protection authorities in the design and deployment of the platform for privacy preferences. Proceedings of the 12th Conference on Computers, Freedom and Privacy, April 16-19, 2002, San Francisco, CA.

The Architecture of Robust Publishing Systems. (November 2001). ACM Transactions on Internet Technology 1(2):199-230. (with M. Waldman and A. Rubin).

Voting After Florida: No Easy Answers. Ubiquity: An ACM IT Magazine and Forum. Issue 47 (February 13-19, 2001).

Ten years of computers, freedom, and privacy: a personal retrospective. Proceedings of the Tenth Conference on Computers, Freedom and Privacy: Challenging the Assumptions, April 4 - 7, 2000, Toronto, ON Canada, p. 11-15.

Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. (with P. Resnick).

Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences. Proceedings of the ACM Conference on Electronic Commerce (EC'99), 3-5 November 1999, Denver, Colorado, p. 1-8 (with M. Ackerman and J. Reagle).

Privacy Critics: UI Components to Safeguard Users' Privacy. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'99), short papers (v.2.), p. 258-259. (with M. Ackerman)

Spam! Communications of the ACM. Vol. 41, No. 8 (Aug. 1998), Pages 74- 83. (with B. LaMacchia)

Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA (with R. Cytron).

Declared-Strategy Voting: An Instrument for Group Decision-Making. Washington University Dissertation. December 1996.