Lorrie Faith Cranor
lorrie.cranor.org
"UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not."
Affiliations: I came to Carnegie Mellon University in 2003 after seven years at AT&T Labs-Research. I am a faculty member in the Institute for Software Research in the School of Computer Science and in the Engineering and Public Policy department in the College of Engineering. I am director of the CyLab Usable Privacy and Security Laboratory (CUPS). I am also affiliated with the Ph.D. Program in Computation, Organizations and Society, CyLab, the Electrical & Computer Engineering Department, and the Human-Computer Interaction Institute. I am a member of the Electronic Frontier Foundation Board of Directors, the Future of Privacy Forum Advisory Board, and of the USACM Council. In 2008 I co-founded a company, Wombat Security Technologies, to commercialize some of our anti-phishing research.

Consulting: I consult for companies and non-profits on privacy policies, P3P, usable privacy and security, and technology policy. I have also served as an expert witness in patent litigation and in cases challenging the constitutionality of Internet harmful-to-minors laws, including the ACLU's successful challenge to the 1998 Children's Online Protection Act.

Personal: I spend most of my free time with my husband (Chuck), son (Shane), and daughters (Maya and Nina). I walk to work, practice yoga, take lots of photos, and design and create quilts.

See also my bio, resume, press clippings, and everything else....

Prospective graduate students and visiting students, please read this before you send me email!

Highlights
Teaching
Spring 2010
Previous semesters
Students
Selected Publications

The following is a list of selected publications arranged chronologically. It represents about one third of my publication list. If you can't find what you are looking for here, see the publications section of my resume for a complete publications list sorted by publication type. Or see the CUPS website for a list of recent publications sorted by topic. See also my ACM Digital Library author page.

P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010 [originally published as Carnegie Mellon CyLab Technical Report CMU-CyLab-09-014, November 10, 2009].
M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010.
J. Downs, M. Holbrook, S. Sheng, and L. Cranor. Are Your Participants Gaming the System? Screening Mechanical Turk Workers. CHI 2010.
S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs. Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. CHI 2010.
J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009.
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.
L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.
The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. (with A. McDonald)
Can Phishing Be Foiled? Scientific American, December 2008.
Perspective: Semantic Data Management for the Home. Brandon Salmon, Steven W. Schlosser, Lorrie Faith Cranor, Gregory R. Ganger. 7th USENIX Conference on File and Storage Technologies (FAST'09). February 24-27, 2009, San Francisco, CA.
Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February, 2009, pp. 67-82. (with S. Spiekermann)
L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008.
P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293 (with S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury).
A User Study of Policy Creation in a Flexible Access-Control System. In CHI 2008: Conference on Human Factors in Computing Systems (with L. Bauer, R.W. Reeder, M.K. Reiter, and K. Vaniea).
Expandable Grids for Visualizing and Authoring Computer Security Policies. In CHI 2008: Conference on Human Factors in Computing Systems (with R.W. Reeder, L. Bauer, M.K. Reiter, K. Bacon, K. How, and H. Strong).
You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI 2008: Conference on Human Factors in Computing Systems (with S. Egelman and J. Hong).
Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81 (with P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, and J. Hong).
Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with L. Bauer, M. Reiter, and K. Vaniea).
Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, J. Hong, and E. Nunge).
Scrubbing Stubborn Data: An evaluation of counter-forensic privacy tools. IEEE Security & Privacy, September/October 2006, p. 16-25 (with M. Geiger).
Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Downs and M. Holbrook).
Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with C. Kuo and S. Romanosky).
User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction 13(2), June 2006, 135-178 (with P. Guduru and M. Arjula).
Book: Security and Usability: Designing Secure Systems That People Can Use (2005). Lorrie Faith Cranor and Simson Garfinkel, eds. (2005) Sebastopol, CA: O'Reilly & Associates, Inc.
Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, p. 90-96. (with B. Kowitz).
An analysis of security vulnerabilities in the movie production and distribution process. (August-September 2004). Telecommunications Policy 28(7-8):619-644. (with S. Byers, E. Cronin, D. Korman, and P. McDaniel)
'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.
Book: Web Privacy with P3P (2002). Lorrie Faith Cranor. Sebastopol, CA: O'Reilly & Associates, Inc.
Can user agents accurately represent privacy notices? The 30th Research Conference on Communication, Information and Internet Policy (TPRC2002) 28-30 September, 2002 Alexandria, Virginia (with Joel Reidenberg).
The role of privacy advocates and data protection authorities in the design and deployment of the platform for privacy preferences. Proceedings of the 12th Conference on Computers, Freedom and Privacy, April 16-19, 2002, San Francisco, CA.
The Architecture of Robust Publishing Systems. (November 2001). ACM Transactions on Internet Technology 1(2):199-230. (with M. Waldman and A. Rubin).
Voting After Florida: No Easy Answers. Ubiquity: An ACM IT Magazine and Forum. Issue 47 (February 13-19, 2001).
Ten years of computers, freedom, and privacy: a personal retrospective. Proceedings of the Tenth Conference on Computers, Freedom and Privacy: Challenging the Assumptions, April 4-7, 2000, Toronto, ON Canada, p. 11-15.
Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. (with P. Resnick).
Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences. Proceedings of the ACM Conference on Electronic Commerce (EC'99), 3-5 November 1999, Denver, Colorado, p. 1-8 (with M. Ackerman and J. Reagle).
Privacy Critics: UI Components to Safeguard Users' Privacy. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'99), short papers (v.2.), p. 258-259. (with M. Ackerman)
Spam! Communications of the ACM. Vol. 41, No. 8 (Aug. 1998), Pages 74-83. (with B. LaMacchia)
Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA (with R. Cytron).
Declared-Strategy Voting: An Instrument for Group Decision-Making. Washington University Dissertation. December 1996.