Lorrie Faith Cranor

lorrie.cranor.org


"UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not."

--Dr. Seuss, from The Lorax

Research: My current research focuses on usable privacy and security. I also do work on privacy enhancing technologies, as well as Internet policy issues. I am working on applications of the Platform for Privacy Preferences (P3P), anti-phishing, and privacy and security policy management, among other things. I chaired the P3P Specification working group and designed the Privacy Bird P3P user agent. I completed a book on P3P in 2002 and co-edited a book on Security and Usability in 2005. I have also done research on electronic voting and a novel voting procedure called declared-strategy voting.

Affiliations: I came to Carnegie Mellon University in December 2003 after seven years at AT&T Labs-Research. I am a faculty member in the Institute for Software Research in the School of Computer Science and in the Engineering and Public Policy department in the College of Engineering. I am director of the CMU Usable Privacy and Security Laboratory (CUPS). I am also affiliated with the Ph.D. Program in Computation, Organizations and Society, Cylab, and the Human-Computer Interaction Institute. I am a member of the Electronic Frontier Foundation Board of Directors. I recently co-founded a start-up company, Wombat Security Technologies, to commercialize some of our anti-phishing research.

Consulting: I consult for large and small companies and non-profits on privacy policies, P3P, usable privacy and security, and technology policy. I have also served as an expert witness in patent litigation and in a number of cases challenging the constitutionality of Internet harmful-to-minors laws, including the ACLU's successful challenge to the 1998 Children's Online Protection Act.

Personal: I spend most of my free time with my husband (Chuck), son (Shane), and daughters (Maya and Nina). Sometimes I find time to design and create quilts.

Highlights

Teaching

Fall 2008

Previous semesters

Students

Current PhD Students
Serge Egelman, COS (advisor)
Patrick Kelley, COS (co-advisor)
Ponnurangam Kumaraguru, COS (advisor)
Aleecia McDonald, EPP (advisor)
Steve Sheng, EPP (advisor)
Janice Tsai, EPP (advisor)
Kami Vaniea, CSD (advisor)
Elaine Newton, EPP (committee member)
Brandon Salmon, ECE (committee member)
Graduated CMU PhD Students
Rob Reeder, CSD PhD 2008 (advisor)
Cynthia Kuo, EPP PhD 2008 (committee member)
Other Past Students
Eric Toan, MSISTM 2007 (project second reader); Christian Ratterman, MHCI 2005 (project advisor); Charles Yiu, MHCI 2005 (project advisor); Shannon O'Brien, MHCI 2005 (project advisor); Alex Eiser, MHCI 2006 (project advisor); Matthew Geiger, MSPPM 2006 (project advisor); Braden Kowitz, MHCI 2005 (project advisor); Ryan Mahon, MSISTM 2005 (thesis advisor); Pei-Chao Weng, MSIN 2004 (thesis advisor); Kenneth Chu, MSIN 2005 (thesis advisor); Patrick Feng, PhD 2002 Rensselaer Polytechnic Institute (committee member)

Research

I am currently doing research in the following areas: P3P and computer-readable privacy policies, supporting trust decisions (emphasis on anti-phishing), privacy and usability in pervasive computing environments, usable access control with smart phones, usable anonymity tools.

For more information about current research projects, see the current projects list on the CUPS web site.

Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution process, and other topics.

Interests and Activities

ACM
I am a member of USACM, the ACM US public policy committee. I previously served on the ACM Publications board and on the advisory board for Crossroads, The ACM Student Magazine, a publication I was editor-in-chief of for two years while in graduate school.
Art
When I have time, I enjoy dabbling in art and photography. I took up patchwork and hand quilting while in graduate school. After I graduated I bought a sewing machine and started machine quilting. Click here for photos of some of my creations: Photographs, Paintings and Drawings, Art to Wear, Quilts.
Music
I played the flute and piccolo in high school, but decided I needed a louder instrument when I joined the Pep Band in college. So I learned how to play alto sax, and later switched to tenor sax. When I lived in New Jersey I played in the Chatham Community Band.
Social Informatics
I am interested in the impacts of computers on society, and attempts to control these impacts through technology and legislation. This is sometimes referred to as social informatics. The Computers, Freedom and Privacy conference is a great place to learn about these issues. A related area of interest is value-sensitive design.
Washington University
I attended Washington University in St. Louis from 1989 to 1996. One of my favorite WU activities was the Pep Band. I was also involved in graduate student government, serving as coordinator of the Association of Graduate Engineering Students and the 1995-96 graduate student representative to the board of trustees. My degrees are from the Engineering and Policy and Computer Science departments.
Yoga
I started practicing yoga the first time I was pregnant and have been doing it on and off ever since. I currently take yoga classes on campus at CMU.

Selected Publications

See the publications section of my resume for a more complete publications list. See also a list of essays I have written.

Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. To appear in IEEE Transactions on Software Engineering.

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Lessons from a real world evaluation of anti-phishing training. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA.

R.W. Reeder, P.G. Kelley, A.M. McDonald, and L.F. Cranor. A User Study of the Expandable Grid Applied to P3P Policy Visualization. Workshop on Privacy in the Electronic Society (WPES 2008). Oct. 2008.

A Framework for Reasoning About the Human in the Loop. Carnegie Mellon CyLab Technical Report CMU-CyLab-08-001, January 2008.

Behavioral Response to Phishing Risk. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 37-44 (with J. Downs and M. Holbrook).

Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81 (with P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, and J. Hong).

Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with L. Bauer, M. Reiter, and K. Vaniea).

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, J. Hong, and E. Nunge).

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Paper presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA (with J. Tsai, S. Egelman, and A. Acquisti).

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In Proceedings of the 16th International World Wide Web Conference (WWW2007), Banff, Alberta, Canada, May 8-12, 2007, p.639-648 (with Y. Zhang and J. Hong).

Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April - May 3, 2007, p. 905-914 (with P. Kumaraguru, Y. Rhee, A. Acquisti, J. Hong, and E. Nunge).

Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28th February - 2nd March, 2007 (with Y. Zhang, S. Egelman and J. Hong).

An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. In Proceedings of the Eighth International Conference on Electronic Commerce, August 14-16, 2006, Fredericton, New Brunswick, Canada (with S. Egelman and A. Chowdhury).

Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Downs and M. Holbrook).

Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with C. Kuo and S. Romanosky).

Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Gideon, S. Egelman, and A. Acquisti).

What do they "indicate?": evaluating security and privacy indicators. interactions, May/June 2006, p. 45-57.

The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 1, Winter 2006, pp. 149-183 (with S. Egelman).

User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction 13(2), June 2006 (with P. Guduru and M. Arjula).

Counter-Forensic Privacy Tools: A Forensic Evaluation. ISRI Technical Report. CMU-ISRI-05-119 (with M. Geiger).

Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA. (with B. Kowitz).

Privacy in India: Attitudes and Awareness. In Proceedings of the 2005 Workshop on Privacy Enhancing Technologies (PET2005), 30 May - 1 June 2005, Dubrovnik, Croatia (with P. Kumaraguru).

Analysis of Security Vulnerabilities in the Movie Production and Distribution Process. Proceedings of the 2003 ACM Workshop on Digital Rights Management, October 27, 2003, Washington, DC. (with S. Byers, E. Cronin, D. Kormann, and P. McDaniel)

'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.

Automated Analysis of P3P-Enabled Web Sites. In Proceedings of the Fifth International Conference on Electronic Commerce (ICEC2003). Pittsburgh, PA, October 1-3, 2003. (with S. Byers and D. Kormann)

Use of a P3P User Agent by Early Adopters. Proceedings of the ACM Workshop on Privacy in the Electronic Society, November 21, 2002, Washington, DC (with M. Arjula and P. Guduru).

A Webmaster's Guide to Troubleshooting P3P. O'Reilly Network. November 2002.

Help! IE6 is blocking my cookies! O'Reilly Network. October 2002.

Can user agents accurately represent privacy notices? TPRC 2002 (September 2002) (with Joel Reidenberg).

Web Privacy with P3P (2002). Lorrie Faith Cranor. Sebastopol, CA: O'Reilly & Associates, Inc.

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation. 16 April 2002. (with M. Langheinrich, M. Marchiori, M. Presler-Marshall, and J. Reagle).

The Architecture of Robust Publishing Systems. (November 2001). ACM Transactions on Internet Technology 1(2):199-230. (with M. Waldman and A. Rubin).

Voting After Florida: No Easy Answers. Ubiquity: An ACM IT Magazine and Forum. Issue 47 (February 13-19, 2001).

Beyond Concern: Understanding Net Users' Attitudes About Online Privacy. (2000). In Ingo Vogelsang and Benjamin M. Compaine, eds. The Internet Upheaval: Raising Questions, Seeking Answers in Communications Policy. Cambridge, Massachusetts: The MIT Press, p. 47-70 (with M. Ackerman and J. Reagle). [First published as AT&T Labs-Research Technical Report TR 99.4.3, 14 April 1999. Presented at the Telecommunications Policy Research Conference. Alexandria, VA, September 25-27, 1999.]

Publius, A robust, tamper-evident and censorship-resistant web publishing system. Proceedings of the 9th USENIX Security Symposium, August, 2000 (with M. Waldman and A. Rubin).

Privacy Tools. (August 2000). In Helmut Baumler, Ed., E-Privacy: Datenschutz im Internet. Braunschweig/Wiesbaden: Vieweg & Sohn Verlagsgesellschaft, p.107-119. [Revised version available online.]

Ten years of computers, freedom, and privacy: a personal retrospective. Proceedings of the Tenth Conference on Computers, Freedom and Privacy: Challenging the Assumptions, April 4 - 7, 2000, Toronto, ON Canada, p. 11-15.

Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. (with P. Resnick).

Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences. Proceedings of the ACM Conference on Electronic Commerce (EC'99), 3-5 November 1999, Denver, Colorado, p. 1-8 (with M. Ackerman and J. Reagle).

Influencing Software Usage. Proceedings of the Telecommunications Policy Research Conference. Alexandria, VA, October 3-5, 1998. (with R. Wright)

Bias and Responsibility in 'Neutral' Social Protocols, Computers & Society, September 1998, p. 17-19. Originally presented at the DIMACS workshop on Design for Values: Ethical, Social and Political Dimensions of Information Technology, Princeton, NJ, 28 February 1998.

Spam! Communications of the ACM. Vol. 41, No. 8 (Aug. 1998), Pages 74-83. (with B. LaMacchia)

Designing a Social Protocol: Lessons Learned from the Platform for Privacy Preferences. In Jeffrey K. MacKie-Mason and David Waterman, eds., Telephony, the Internet, and the Media. Mahwah: Lawrence Erlbaum Associates, 1998. [Paper presented at the Telecommunications Policy Research Conference, Alexandria, VA, September 27-29 1997. (with J. Reagle)]

Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA (with R. Cytron).

Declared-Strategy Voting: An Instrument for Group Decision-Making. Washington University Dissertation. December 1996.