Lorrie Faith Cranor

lorrie @ acm . org
http://lorrie.cranor.org/
412-268-7534 (W)

Education

Washington University, St. Louis, MO
Doctor of Science in Engineering and Policy, December 1996
Master of Science in Computer Science, December 1996
Master of Science in Technology and Human Affairs, May 1993
Bachelor of Science in Engineering and Public Policy, May 1992
Minors in Computer Science and Fine Arts

Employment

Associate Professor, 2008 - present
Carnegie Mellon University Institute for Software Research and Engineering and Public Policy Department (affiliated faculty member in the Human-Computer Interaction Institute and the Electrical and Computer Engineering Department), Pittsburgh, PA

Board Member and Co-Founder, 2008 - present
Wombat Security Technologies, Inc., (Chief Scientist 2008 - 2011) Pittsburgh, PA

Associate Research Professor, 2003 - 2008
Carnegie Mellon University School of Computer Science (appointments in Institute for Software Research and Engineering and Public Policy Department; affiliated faculty member in the Human-Computer Interaction Institute), Pittsburgh, PA

Adjunct Assistant Professor of Information Systems, 2003
New York University Stern School of Business

Principal Technical Staff Member, 2001 - 2003
AT&T Labs-Research, Florham Park, NJ

Senior Technical Staff Member, 1996 - 2001
AT&T Labs-Research, Florham Park, NJ

Lecturer and Manager of the Student Staff, 1993 - 96
Washington University Computer Science Department, St. Louis, MO

Research Assistant, 1992 - 93
Washington University Medical Library, Advanced Technology Group, St. Louis, MO

Freelance Writer, 1989 - 96
The St. Louis Post-Dispatch, the Gazette Newspapers, and other publications

Staff Member, Student Life, Washington University's semi-weekly student newspaper - served as Managing Editor, Production Manager, News Editor, Page Designer and Senior Staff Writer, 1989 - 92

Institute of Electrical and Electronics Engineers Intern, Summer 1992
Washington Internships for Students of Engineering, Washington, DC

Health and Environmental Sciences Intern, Summer 1991
American Petroleum Institute, Washington, DC

Teaching Experience

EPP Project / Policy Analysis III (19-451/88-222)
Spring 2009, Spring 2010, Spring 2011, Spring 2012
Carnegie Mellon University

Usable Privacy and Security (05-436/05-836/08-534/08-734)
Spring 2006, Spring 2007, Spring 2008, Fall 2009, Fall 2011
Carnegie Mellon University

Computers and Society (15-290/17-290/19-211)
Spring 2005, Spring 2006, Spring 2007
Carnegie Mellon University

Privacy Policy, Law, and Technology (8-533/8-733/19-608)
Spring 2004, Fall 2004, Fall 2005, Fall 2007, Fall 2008, Fall 2010
Carnegie Mellon University

Online Privacy (B20.3156)
Spring 2003
New York University Stern School of Business

Computer and Network Security (B20.3157)
Spring 2003
New York University Stern School of Business

Faculty member in the continuing legal education program of the Association of the Bar of the City of New York, 2002

Computers and Society (EP/CS 142)
Fall 1993, Spring 1996
Washington University

Introduction to Computing Tools (CS 100)
Fall 1994, Summer 1995
Washington University

Guest lecturer for courses at University of Pittsburgh, Johns Hopkins University, Yale University, Rutgers University, Columbia University, Princeton University, George Washington University, the University of Michigan School of Information, and Fordham University School of Law

Professional Activities

Conference Committees

Editorial Boards

Advisory Committees and Boards

Standards Activities

Professional Societies

University Service

Other Professional Activities and Affiliations

Honors

Publications

Refereed Journal Publications

Michael Benisch, Patrick Gage Kelley, Norman Sadeh, and Lorrie Faith Cranor. Capturing Location-Privacy Preferences: Quantifying Accuracy and User-Burden Tradeoffs. Journal of Personal and Ubiquitous Computing. 15, 7 (October 2011), 679-674.

Guang Xiang, Jason Hong, Carolyn Rose, and Lorrie Faith Cranor. CANTINA+: A Feature-Rich Machine Learning Framework for Detecting Phishing Web Sites. ACM Trans. Inf. Syst. Secur. 14, 2 (Sep. 2011), 1-28.

Location-Sharing Technologies: Privacy Risks and Controls. I/S: A Journal of Law and Policy for the Information Society. To appear 2010. (with J. Tsai, P. Kelley, and N. Sadeh)

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems Research. 2(2), June 2010. (with J. Tsai, S. Egelman, and A. Acquisti)

Teaching Johnny Not to Fall for Phish. ACM Transactions on Internet Technology. To appear 2010. (with P. Kumaraguru, S. Sheng, A. Acquisti, and J. Hong)

Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February, 2009, pp. 67-82. (with S. Spiekermann)

The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. (with A. McDonald) [Paper originally presented at TPRC 2008, Sept 26-28, 2008, Arlington, VA.]

P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293 (with S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury).

Understanding and capturing people's privacy policies in a mobile social networking application. Personal and Ubiquitous Computing, 2008.

How Technology Drives Vehicular Privacy. I/S: A Journal of Law and Policy for the Information Society, 2(3), Fall 2006, 981-1015 (with A. McDonald).

An Evaluation of the Effectiveness of US Financial Privacy Legislation Through the Analysis of Privacy Policies. I/S: A Journal of Law and Policy for the Information Society, 2(3), Fall 2006, 943-979 (with X. Sheng).

User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction 13(2), June 2006, 135-178 (with P. Guduru and M. Arjula).

The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 1, Winter 2006, pp. 149-183 (with S. Egelman).

An analysis of security vulnerabilities in the movie production and distribution process. (August-September 2004). Telecommunications Policy 28(7-8):619-644. (with S. Byers, E. Cronin, D. Kormann, and P. McDaniel)

The Architecture of Robust Publishing Systems. (November 2001). ACM Transactions on Internet Technology 1(2):199-230. (with M. Waldman and A. Rubin).

Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. (with P. Resnick).

Refereed Magazine Publications

Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri, Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy, March/April 2011, 18-26.

Simson L. Garfinkel and Lorrie Faith Cranor. Institutional Review Boards and Your Research. Communications of the ACM, June 2010, 38-40.

Matthew Geiger and Lorrie Faith Cranor. Scrubbing Stubborn Data: An evaluation of counter-forensic privacy tools. IEEE Security & Privacy, September/October 2006, 16-25.

Lorrie Faith Cranor. What Do They "Indicate"?: Evaluating security and privacy indicators. ACM Interactions, May/June 2006, 45-47.

P3P: Making Privacy Policies More Useful. IEEE Security and Privacy. November/December 2003. p.50-55.

The Platform for Privacy Preferences. Communications of the ACM. Vol. 42, No. 2 (Feb. 1999), p. 48-55. (with J. Reagle)

Spam! Communications of the ACM. Vol. 41, No. 8 (Aug. 1998), Pages 74-83. (with B. LaMacchia)

What do they "Indicate"?: evaluating security and privacy indicators. ACM Interactions, May/June 2006, p. 45-57.

Books

Security and Usability: Designing Secure Systems That People Can Use (2005). Lorrie Faith Cranor and Simson Garfinkel, eds. Sebastopol, CA: O'Reilly & Associates, Inc.

Rethinking Rights and Regulations: Institutional Responses to New Communications Technologies (2003). Lorrie Faith Cranor and Steven S. Wildman, eds. MIT Press.

Web Privacy with P3P (2002). Lorrie Faith Cranor. Sebastopol, CA: O'Reilly & Associates, Inc.

Communications Policy and Information Technology: Promises, Problems, Prospects. (2002). Lorrie Faith Cranor and Shane Mitchell Greenstein, eds. MIT Press.

Book Chapters

Lorrie Faith Cranor, Jason Hong, Ponnurangam Kumaraguru, and Alessandro Acquisti. Empirical Evaluations of Embedded Training for Anti-Phishing User Education. In Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, Second Edition, CRC Press (2010).

Platform for Privacy Preferences Project (P3P). In Hossein Bidgoli, ed. Handbook of Information Security. John Wiley & Sons, 2005.

'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. In Clare-Marie Karat, Jan O. Blom, and John Karat, eds. Designing Personalized User Experiences in eCommerce. Kluwer Academic Publishers, 2004. [Extended version of WPES '03 paper.]

In search of the perfect voting technology: no easy answers. (2002). In Dimitris Gritzalis, ed. Secure Electronic Voting. Boston: Kluwer Academic Publishers, 2002.

P3P: The Platform for Privacy Preferences Project. (2001). In Simson Garfinkel with Gene Spafford. Web Security, Privacy & Commerce, 2nd Edition. Sebastopol, CA: O'Reilly & Associates, Inc., p. 699-707.

Publius. (2001). In Andy Oram, ed. Peer-to-Peer: Harnessing the Power of Disruptive Technologies. Sebastopol, CA: O'Reilly & Associates, Inc., p.145-158 (with M. Waldman and A. Rubin).

Trust. (2001). In Andy Oram, ed. Peer-to-Peer: Harnessing the Power of Disruptive Technologies. Sebastopol, CA: O'Reilly & Associates, Inc., p.242-270 (with M. Waldman and A. Rubin).

Beyond Concern: Understanding Net Users' Attitudes About Online Privacy. (2000). In Ingo Vogelsang and Benjamin M. Compaine, eds. The Internet Upheaval: Raising Questions, Seeking Answers in Communications Policy. Cambridge, Massachusetts: The MIT Press, p. 47-70 (with M. Ackerman and J. Reagle). [First published as AT&T Labs-Research Technical Report TR 99.4.3, 14 April 1999. Presented at the Telecommunications Policy Research Conference. Alexandria, VA, September 25-27, 1999.]

Privacy Tools. (August 2000). In Helmut Baumler, Ed., E-Privacy: Datenschutz im Internet. Braunschweig/Wiesbaden: Vieweg & Sohn Verlagsgesellschaft, p.107-119.

Designing a Social Protocol: Lessons Learned from the Platform for Privacy Preferences. In Jeffrey K. MacKie-Mason and David Waterman, eds., Telephony, the Internet, and the Media. Mahwah: Lawrence Erlbaum Associates, 1998. [Paper presented at the Telecommunications Policy Research Conference, Alexandria, VA, September 27-29 1997. (with J. Reagle)]

Conference and Workshop Papers

Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. In CHI 2012: Conference on Human Factors in Computing Systems, May 2012.

Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter. Tag, you can see it! Using tags for access control in photo sharing. In CHI 2012: Conference on Human Factors in Computing Systems, May 2012.

Manya Sleeper, Divya Sharma, and Lorrie Faith Cranor. I know where you live: analyzing privacy protection in public databases. Workshop on Privacy in the Electronic Society (WPES 2011). Chicago, IL, October 17, 2011, 165-170.

Jason Wiese, Patrick Gage Kelley, Lorrie Faith Cranor, Laura Dabbish, Jason I. Hong, and John Zimmerman. Are you close with me? Are you nearby?: Investigating social groups, closeness, and willingness to share. 13th international Conference on Ubiquitous Computing (UbiComp '11). Beijing, China, September 17 - 21, 2011, 197-206.

Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, and Manya Sleeper. Improving computer security dialogs. 13th IFIP TC 13 international Conference on Human-Computer interaction (INTERACT). Lisbon, Portugal, September 05 - 09, 2011, 18-35.

Patrick Gage Kelley, Robin Brewer, Yael Mayer, Lorrie Faith Cranor, and Norman Sadeh, An investigation into facebook friend grouping. 13th IFIP TC 13 international Conference on Human-Computer interaction (INTERACT). Lisbon, Portugal, September 05 - 09, 2011, 216-233.

Yang Wang, Gregory Norcie, Saranga Komanduri, Pedro Giovanni Leon, Lorrie Faith Cranor, and Alessandro Acquisti. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. SOUPS 2011. Pittsburgh, PA, July 20-22, 2011.

Yang Wang, Gregory Norcie, and Lorrie Faith Cranor. Who is concerned about what? A study of American, Chinese and Indian users' privacy concerns on social network sites. 4th international Conference on Trust and Trustworthy Computing, Pittsburgh, PA, June 22 - 24, 2011, 146-153.

Fatih Kursat Ozenc, Lorrie Faith Cranor, Jim Morris. Adapt A Ride: Understanding the Dynamics of Commuting Preferences through An Experience Design Framework, DPPI 2011, Milano Italy, June 22-25, 2011.

Timothy Vidas, Nicolas Christin, Lorrie Cranor. Curbing Android Permission Creep. Web 2.0 Security & Privacy 2011. Oakland, CA, May 26, 2011.

Patrick Gage Kelley, Michael Benisch, Lorrie Faith Cranor, and Norman Sadeh. When are users comfortable sharing locations with advertisers? CHI 2011. Vancouver, BC, Canada, May 07 - 12, 2011, 2449-2452.

Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea, More than skin deep: measuring effects of the underlying model on access-control system usability. CHI 2011. Vancouver, BC, Canada, May 07 - 12, 2011, 2065-2074.

Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hasan Takabi, Lujo Bauer, and Lorrie Faith Cranor. Exploring reactive access control. CHI 2011. Vancouver, BC, Canada, May 07 - 12, 2011, 2085-2094.

R. Balebako, P.G. Leon, H. Almuhimedi, P.G. Kelley, J. Mugan, A. Acquisti, L.F. Cranor, and N. Sadeh. Nudging Users Towards Privacy on Mobile Devices. The 2nd International Workshop on Persuasion, Influence, Nudge & Coercion through mobile devices, May 8, 2011, Vancouver, Canada (at CHI2011).

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. Of passwords and people: measuring the effect of password-composition policies. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011. CHI 2011 Honorable Mention.

Hanan Hibshi, Tim Vidas, and Lorrie Faith Cranor. Usability of Forensics Tools: A User Study. IT Security Incident Management and IT Forensics (IMF), 10-12, May 2011.

P. Leon, L. Cranor, A. McDonald, and M. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens. Workshop on Privacy in the Electronic Society (WPES 2010). Chicago, IL, October 4, 2010.

A. McDonald, and L. Cranor. Americans' Attitudes about Internet Behavioral Advertising Practices. Workshop on Privacy in the Electronic Society (WPES 2010). Chicago, IL, October 4, 2010.

B. Meeder, J. Tam, P.G. Kelley, and L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Security and Privacy 2010 (W2SP 2010). May 20, 2010.

Eran Toch, Justin Cranshaw, Paul Hankes Drielsma, Janice Y. Tsai, Patrick Gage Kelley, Lorrie Faith Cranor, Jason Hong, and Norman Sadeh. Empirical Models of Privacy in Location Sharing. Ubicomp 2010. Copenhagen, Denmark, Sept 26-29, 2010.

Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010. Atlanta, GA, April 10-15, 2010. (with P.G. Kelley, L.J. Cesca, J. Bresee)

Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010. Atlanta, GA, April 10-15, 2010. (with M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, G.R. Ganger, and M.K. Reiter)

Are Your Participants Gaming the System? Screening Mechanical Turk Workers. CHI 2010. Atlanta, GA, April 10-15, 2010. (with J. Downs, M. Holbrook, S. Sheng)

Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. CHI 2010. Atlanta, GA, April 10-15, 2010. (with S. Sheng, M. Holbrook, P. Kumaraguru, and J. Downs)

Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009. Montreal Canada, August 10-14, 2009. (with J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri)

A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009.

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009. [Originally published as CyLab Technical Report: cmu-cylab-09-002, March 2009.]

S. Sheng, B. Wardman, G. Warner, L. Cranor, J. Hong, and C. Zhang. An Empirical Analysis of Phishing Blacklists. CEAS 2009.

P. Kumaraguru, L. Cranor, and L. Mather. Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users. CEAS 2009.

P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.

S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.

J. Tsai, P. Kelley, P. Drielsma, L. Cranor, J. Hong, and N. Sadeh. Who's Viewed You? The Impact of Feedback in a Mobile-location System. CHI 2009.

L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.

Perspective: Semantic Data Management for the Home. Brandon Salmon, Steven W. Schlosser, Lorrie Faith Cranor, Gregory R. Ganger. 7th USENIX Conference on File and Storage Technologies (FAST'09). February 24-27, 2009, San Francisco, CA.

A Survey to Guide Group Key Protocol Development. Annual Computer Security Applications Conference (ACSAC) 2008, December 8-12, 2008, Anaheim, CA (with A. Studer, C. Johns, J. Kase, K. O'Meara).

Lessons from a real world evaluation of anti-phishing training. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA (with P. Kumaraguru, S. Sheng, A. Acquisti, and J. Hong).

A User Study of the Expandable Grid Applied to P3P Policy Visualization. Workshop on Privacy in the Electronic Society (WPES 2008). Oct. 2008 (with R.W. Reeder, P.G. Kelley, A.M. McDonald)

A User Study of Policy Creation in a Flexible Access-Control System. In CHI 2008: Conference on Human Factors in Computing Systems (with L. Bauer, R.W. Reeder, M.K. Reiter, and K. Vaniea).

Expandable Grids for Visualizing and Authoring Computer Security Policies. In CHI 2008: Conference on Human Factors in Computing Systems (with R.W. Reeder, L. Bauer, M.K.Reiter, K. Bacon, K. How, and H. Strong).

You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI 2008: Conference on Human Factors in Computing Systems (with S. Egelman and J. Hong).

Behavioral Response to Phishing Risk. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 37-44 (with J. Downs and M. Holbrook).

Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81 (with P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, and J. Hong).

Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with L. Bauer, M. Reiter, and K. Vaniea).

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, 18-20 July 2007, Pittsburgh, PA (with S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, J. Hong, and E. Nunge).

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Paper presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA (with J. Tsai, S. Egelman, and A. Acquisti).

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In Proceedings of the 16th International World Wide Web Conference (WWW2007), Banff, Alberta, Canada, May 8-12, 2007, p.639-648 (with Y. Zhang and J. Hong).

Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April - May 3, 2007, p. 905-914 (with P. Kumaraguru, Y. Rhee, A. Acquisti, J. Hong, and E. Nunge).

Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28th February - 2nd March, 2007 (with Y. Zhang, S. Egelman and J. Hong).

User Controllable Security and Privacy for Pervasive Computing. In Proceedings of HotMobile 2007: The 8th IEEE Workshop on Mobile Computing Systems and Applications, Tucson, Arizona, February 26-27, 2007 (with J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, J. Hong, B. McLaren, M. Reiter, and N. Sadeh).

Trust modeling for online transactions: A phishing scenario. In Proceedings of Privacy, Security, Trust 2006, October 30 - November 1, 2006, Toronto, Ontario, Canada (with P. Kumaraguru and A. Acquisti).

Privacy Patterns for Online Interactions. Pattern Languages of Programming Conference (PLoP 2006), October 21-23, 2006, Portland, Oregon (with S. Romanosky, A. Acquisti, J. Hong, and B. Friedman).

An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. In Proceedings of the Eighth International Conference on Electronic Commerce, August 14-16, 2006, Fredericton, New Brunswick, Canada (with S. Egelman and A. Chowdhury).

Vicarious infringement creates a privacy ceiling. In Proceedings of the ACM Workshop on Digital Rights Management, Alexandria, Virginia, October 30 - 30, 2006 (with J. Tsai and S. Craver).

Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Downs and M. Holbrook).

Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with C. Kuo and S. Romanosky).

Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA (with J. Gideon, S. Egelman, and A. Acquisti).

Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, p.90-96. (with B. Kowitz).

Privacy in India: Attitudes and Awareness. In Proceedings of the 2005 Workshop on Privacy Enhancing Technologies (PET2005), 30 May - 1 June 2005, Dubrovnik, Croatia (with P. Kumaraguru).

Searching for Privacy: Design and Implementation of a P3P-Enabled Search Engine. In Proceedings of the 2004 Workshop on Privacy Enhancing Technologies (PET2004), 26-28 May, 2004, Toronto, Canada (with S. Byers, D. Kormann, and P. McDaniel).

Exposing digital content piracy: approaches, issues and experiences. Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers, 2004, pp. 377-381, 7-10 Nov. 2004 (with S. Byers, E. Cronin, D. Kormann, and P. McDaniel).

'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.

Analysis of Security Vulnerabilities in the Movie Production and Distribution Process. Proceedings of the 2003 ACM Workshop on Digital Rights Management, October 27, 2003, Washington, DC. (with S. Byers, E. Cronin, D. Kormann, and P. McDaniel)

Automated Analysis of P3P-Enabled Web Sites. In Proceedings of the Fifth International Conference on Electronic Commerce (ICEC2003). Pittsburgh, PA, October 1-3, 2003, p. 326-338. (with S. Byers and D. Kormann)

Designing a Privacy Preference Specification Interface: A Case Study. CHI 2003 Workshop on Human-Computer Interaction and Security Systems, Ft. Lauderdale, Florida, April 6, 2003.

Use of a P3P User Agent by Early Adopters. Proceedings of the ACM Workshop on Privacy in the Electronic Society, November 21, 2002, Washington, DC (with M. Arjula and P. Guduru).

Can user agents accurately represent privacy notices? The 30th Research Conference on Communication, Information and Internet Policy (TPRC2002) 28-30 September, 2002 Alexandria, Virginia (with Joel Reidenberg).

The role of privacy advocates and data protection authorities in the design and deployment of the platform for privacy preferences. Proceedings of the 12th Conference on Computers, Freedom and Privacy, April 16-19, 2002, San Francisco, CA.

Publius, A robust, tamper-evident and censorship-resistant web publishing system. Proceedings of the 9th USENIX Security Symposium, August, 2000 (with M. Waldman and A. Rubin).

Ten years of computers, freedom, and privacy: a personal retrospective. Proceedings of the Tenth Conference on Computers, Freedom and Privacy: Challenging the Assumptions, April 4 - 7, 2000, Toronto, ON Canada, p. 11-15.

Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences. Proceedings of the ACM Conference on Electronic Commerce (EC'99), 3-5 November 1999, Denver, Colorado, p. 1-8 (with M. Ackerman and J. Reagle).

Agents of Choice: Tools that Facilitate Notice and Choice about Web Site Data Practices. Proceedings of the 21st International Conference on Privacy and Personal Data Protection, 13-15 September 1999, Hong Kong SAR, China, p. 19-25.

Privacy Critics: UI Components to Safeguard Users' Privacy. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'99), short papers (v.2.), p. 258-259. (with M. Ackerman)

Influencing Software Usage. Proceedings of the Telecommunications Policy Research Conference. Alexandria, VA, October 3-5, 1998. (with R. Wright)

Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA (with R. Cytron).

Towards an Information-Neutral Voting Scheme That Does Not Leave Too Much to Chance. Paper presented at the Midwest Political Science Association Annual Meeting, April 18-20, 1996 (with R. Cytron).

Magazine and Newsletter Articles

Lorrie Faith Cranor. Can Users Control Online Behavioral Advertising Effectively? IEEE Security & Privacy. March/April 2012 (vol. 10 no. 2) pp. 93-96.

Lorrie Faith Cranor. Security for Humans. The Innovator, Volume 4, Issue 1, February 2011.

Can Phishing Be Foiled? Scientific American, December 2008.

Giving Notice: Why Privacy Policies and Security Breach Notifications Aren't Enough. IEEE Communications Magazine. August 2005. p. 18-19.

Guest Editors' Introduction: Secure or Usable? IEEE Security and Privacy. September/October 2004. p. 16-18 (with S. Garfinkel).

A Webmaster's Guide to Troubleshooting P3P. O'Reilly Network. November 2002.

Help! IE6 is blocking my cookies! O'Reilly Network. October 2002.

Why P3P is a Good Privacy Tool for Consumers and Companies. GigaLaw.com. (April 2002) (with Rigo Wenning). [Reprinted in Electronic Banking Law and Commerce Report Vol. 7, No. 2 (June 2002), p. 13-15.]

The P3P Protocol Standardizes Online Privacy Statements. e-commerce Law & Strategy. January 2002, p.1, 8-9.

Voting After Florida: No Easy Answers. Ubiquity: An ACM IT Magazine and Forum. Issue 47 (February 13-19, 2001).

Internet voting for public officials: introduction. Communications of the ACM. Vol. 44, No. 1 (Jan. 2001), p. 69-71 (with L. Hoffman).

Privacy Critics: Safeguarding Users' Personal Data. WebTechniques (September 1999) p. 67-70. (with M. Ackerman)

Introduction to CACM special section: Internet Privacy. Communications of the ACM. Vol. 42, No. 2 (Feb. 1999), p. 28-31.

Bias and Responsibility in 'Neutral' Social Protocols, Computers & Society, September 1998, p. 17-19. Originally presented at the DIMACS workshop on Design for Values: Ethical, Social and Political Dimensions of Information Technology, Princeton, NJ, 28 February 1998.

Internet Privacy: A Public Concern. netWorker: The Craft of Network Computing Vol. 2, No. 3 (June/July 1998), p. 13-18.

After Accolade: time for new laws? IEEE Software. November 1992. p. 100-101.

Technical Specifications

The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Group Note, 13 November 2006 (R. Wenning and M. Schunter, eds).

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation 16 April 2002 (with M. Langheinrich, M. Marchiori, M. Presler-Marshall, and J. Reagle).

A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C Working Draft 15 April 2002 (with M. Langheinrich and M. Marchiori).

P3P Guiding Principles. W3C Note, 21 July 1998 (editor)

P3P Vocabulary Working Group Grammatical Model and Data Design Model. W3C Working Draft, October 14, 1997. (editor)

Other Publications

Teaching Usable Privacy and Security: A Guide for Instructors. 2007 (with J. Hong and M. Reiter).

2006 Privacy Policy Trends Report. CyLab Privacy Interest Group. January 31, 2007 (with A. McDonald, S. Egelman, and S. Sheng).

The Role of Privacy Enhancing Technologies. In Considering Consumer Privacy: A Resource for Policymakers and Practitioners. Center for Democracy and Technology, edited by Paula J. Bruening, March 2003.

Election Automation. In The Administration and Cost of Elections (ACE) Electronic Publication. A joint endeavor of the International Institute for Democracy and Electoral Assistance, the United Nations Department of Economic and Social Affairs, and the International Foundation for Election Systems. Version 0, October 1998.

Technology Inventory: A Catalog of Tools that Support Parents' Ability to Choose Online Content Appropriate for their Children. Prepared for the Internet Online Summit: Focus on Children, December 1997. Revised for America Links Up, September 1998. (with P. Resnick and D. Gallo)

The Role of Technology in Self-Regulatory Privacy Regimes. In Privacy and Self Regulation in the Information Age. U.S. Department of Commerce, National Telecommunications and Infrastructure Administration. June 1997. p. 185-191.

Declared-Strategy Voting: An Instrument for Group Decision-Making. Washington University Dissertation. December 1996.

Design and Implementation of a Security-Conscious Electronic Polling System. Washington University Computer Science Technical Report WUCS-96-02. January 23, 1996 (with R. Cytron).

Can Declared Strategy Voting be an Effective Instrument for Group Decision-Making? Washington University Computer Science Technical Report WUCS-95-04. February 8, 1995.

Is ENOF Enough? Design and Evaluation of an Electronic Newspaper of the Future. Washington University Masters Thesis. May 1993.

Selected Presentations

Dinner Keynote: Designing Secure Systems That People Can Use. 2011 Pittsburgh CIO Executive Summit, May 24, 2011.

Invited talk: Standardizing Privacy Notices: Privacy Taxonomy, Privacy Nutrition Labels, and Computer-Readable Policies. University of California Berkeley Center for Law and Technology, 4th Annual Privacy Lecture, Berkeley, California, February 17, 2011.

Keynote: Usable Privacy and Security Research and Education, 2nd Annual Workshop on Integrating Usability and Accessibility in Information Assurance Education, Bowie, Maryland, August 3, 2010.

Keynote: Building a Better Privacy Policy, IEEE International Symposium on Policies for Distributed Systems and Networks, Fairfax, VA, July 21-23, 2010.

Keynote: Users do the darndest things: True stories from the CyLab Usable Privacy and Security Laboratory, Financial Cryptography and Data Security '10, Tenerife, Canary Islands, Spain, January 25-28, 2010.

Keynote: Users do the darndest things: True stories from the CyLab Usable Privacy and Security Laboratory, 2009 Annual Computer Security Applications Conference, Honolulu, Hawaii, December 7-11, 2009.

Keynote: Teaching Johnny Not to Fall for Phish. 6th Conference on Email and Anti-Spam. Mountain View, CA, July 18, 2009.

Invited talk: The Human in the Loop. Information Security Best Practices 2009, Philadelphia, PA, January 29-30, 2009.

Keynote: You've Been Warned: Why Nobody Pays Any Attention to Computer Security Warnings (And How We Might Change That). Computer Science 2008: student research conference, Cambridge, UK, December 15, 2008.

Invited talk: Teaching Johnny Not to Fall for Phish. University College London Centre for Security and Crime Science, London, UK, December 16, 2008.

Invited talk: Visualization and Semantics to Support Fast and Accurate Policy Authoring, NSF Workshop on Assurable and Usable Security Configuration, Fairfax, VA, 11-12 August 2008.

Invited talk: Leveraging the 'teachable moment': APWG/CMU phishing education landing page program, APWG eCrime Researchers Summit, Atlanta, GA, October 14-16, 2008.

Invited talk: A Framework for Reasoning About the Human in the Loop, Google, Mountain View, CA, September 5, 2008.

Invited talk: Online shoppers will pay more for privacy: results from empirical research, IAPP Privacy Summit, Washington, DC, March 25-28, 2008.

Invited talk: Supporting Trust Decisions Research at Carnegie Mellon, 2007 Anti-Phishing Working Group General Members Meeting, Pittsburgh, PA, 2-3 October 2007.

Invited talk: Usable Storage Security, 2007 SNIA Storage Security Summit, Pittsburgh, PA, 31 May 2007.

Invited talk: Inexplicable Indicators and Puzzling Pop-ups: Security Software From an End User Perspective, Pennsylvania State University College of Information Sciences and Technology, 30 March 2007.

Invited talk: Phinding Phish: How accurate are today's toolbars? What hope for training users? 2006 Anti-Phishing Working Group General Meeting, Orlando, Florida, 14-15 November 2006.

Keynote: Inexplicable Indicators and Puzzling Pop-ups: Security Software From an End User Perspective, Eighth International Conference on Information and Communications Security (ICICS '06), Raleigh, North Carolina, 4-7 December 2006.

Invited Talk: Hey, That's Personal!, 10th International Conference on User Modeling (UM'05), Edinburgh, Scotland, UK, 24-29 July 2005.

Invited Talk: Scrubbing Stubborn Data, 2nd SNIA Security Summit, Pittsburgh, PA, 1-2 June 2005.

Keynote: Towards Usable Web Privacy and Security, The 14th International World Wide Web Conference (WWW2005), Chiba, Japan, 10-14 May 2005.

Invited Talk: Technical Trends in Privacy, MITRE Privacy Technical Exchange Meeting, McLean, VA, 19 April 2005.

Invited Talk: Making Privacy Visible: The Privacy Bird P3P User Agent and Beyond, Intel Research Seattle, 13 April 2005.

Invited Talk: User Interfaces for Privacy: Design and Evaluation of the AT&T Privacy Bird P3P User Agent, University of Michigan Socio-Technical Infrastructure for Electronic Transactions (STIET) Research Seminar, 10 March 2005.

Commentator: Cyberspace Law and E-Commerce Law, Where IP Meets IT: Technology and the Law Symposium, University of Pittsburgh School of Law, 18 March 2005.

Keynote: Usable Privacy and Security, Intel Corporation Forum: Usable Privacy When Privacy is Ubiquitous, Hillsboro, OR, 2 March 2005.

Invited Talk: Usable Privacy and Security Research at CMU. IBM Watson Research, Hawthorne, New York, February 9, 2005.

Panelist: Electronic Voting. NSF/Harvard Symposium on Voting and Vote Counting. Boston, April 13, 2004.

Tutorial: Machine Readable Privacy Policies and P3P. International Association of Privacy Professionals Fourth Annual Privacy and Data Security Summit, Washington, DC, February 18, 2004.

Invited Talk: User Interfaces for Privacy: Design and Evaluation of the AT&T Privacy Bird P3P User Agent. IBM Watson Research, Hawthorne, New York, March 28, 2003.

Tutorial: P3P Introduction and Practical Solutions. International Association of Privacy Professionals Third Annual Privacy and Data Security Summit, Washington, DC, February 26-28, 2003.

Keynote: How Your Dog Can Publish Your Secrets Anonymously and Why There's Probably Nothing You Can Do About It. Fifth International Workshop on the Web and Databases (WebDB 2002), Madison, Wisconsin, June 6, 2002.

Invited Talk: P3P and Privacy Bird. Workshop on the Relationship between Privacy and Security, Pittsburgh, PA, May 29-30, 2002.

Invited Talk: Developing Online Privacy Standards: A View From the Trenches. New York University Stern School of Business Information Systems Research Seminar, New York, October 11, 2001.

Invited Talk: Online Privacy: Promise or Peril? 2001 USENIX Annual Technical Conference, Boston, MA, 25-30 June 2001.

Invited Talk: Online Privacy: What are People So Concerned About and What is Being Done About It? University of Virginia Department of Computer Science "Top Gun" Distinguished Lecture Series, Charlottesville, Virginia, January 24, 2001.

Keynote: Online Data Privacy Trends. Association of Corporate Travel Executives (ACTE) Executive Forum, New York, NY, January 16, 2001.

Invited Talk: Online Privacy: What are People So Concerned About and What is Being Done About It? Princeton ACM/IEEE Computer Society meeting, Princeton, NJ, December 14, 2000.

Invited Talk: Overview of Online Privacy-Enhancing Technologies; panel moderator: Implications for Fair Information Practice Principles. NTIA Online Technologies Workshop and Technology Fair, Washington, DC, September 19, 2000.

Testimony before the Commission on Online Child Protection (COPA), Richmond, VA, June 20, 2000

Tutorial: Internet Privacy and P3P, Ninth International World Wide Web Conference (WWW9), Amsterdam, May 15, 2000.

Invited Talk: Online Privacy: What are People So Concerned About and What is Being Done About it?, North Carolina State University, March 24, 2000.

Invited Talk: Privacy Implications of Online Data Collection, DIMACS Workshop: Data Processing on the Web: A Look into the Future, Piscataway, NJ, 6-7 March 2000.

Invited Talk: Many Lessons Later: The Platform for Privacy Preferences and What We've Learned About Designing Social Protocols, Rensselaer Polytechnic Institute, Troy, NY, 11 November 1999.

Minding your own business: The Platform for Privacy Preferences Project and Privacy Minder, 1999 USENIX Annual Technical Conference, FREENIX Track, Monterey, CA, 10 June 1999.

Invited Talk: Tracks on the web and a grammar for personal privacy, Individual Privacy and Information Policy: A Policy and Research Issues Conference, Rutgers University, New Brunswick, NJ, 14 April 1999.

Invited Talk: Privacy and Commerce, Raymond Walters College Community Conversations series on Privacy in America, Cincinnati, OH, 9 February 1999.

Invited Talk: The Platform for Privacy Preferences Project, Internet Developer/Technology Group, San Jose, CA, 15 October 1998.

Invited Talk: Electronic voting: theory and practice, Royal Melbourne Institute of Technology, Melbourne, Australia, 20 April 1998.

Invited Talk: The Platform for Privacy Preferences Project: Facilitating Individual Control Over Personal Information Flow Online, Human Computer Interaction Consortium Workshop, Winter Park, Colorado, 6 March 1998.

Invited Talks: The Platform for Privacy Preferences Project and Unsolicited Commercial Email, IBM Watson Research, Hawthorne, New York, 16 December 1997.

Invited Talk: The Technology Tool Kit, Internet Online Summit: Focus on Children, Washington, DC, 2 December 1997.

Invited Talk: Making the Internet Safe, Fun, and Profitable, International Symposium of Computing Technology (EI@TEC97), Torreon, Coahuila, Mexico, 17 October 1997.

Invited Talk: User Empowerment Techniques to Address Online Privacy Concerns, DIMACS Workshop on Massive Data Sets in Telecommunications, Piscataway, NJ, 14 October 1997.

Invited Talk: The Future of Privacy, DIMACS Research and Education Institute '97, Piscataway, NJ, 3 August 1997.

Panelist: Internet Privacy, A Briefing by the Advisory Committee of the Congressional Internet Caucus, Washington, DC, 18 April 1997.

Invited Talk: Making it Safe, Fun, and Profitable to do Business on the Internet, Sonya Kovalevsky Day 97, Montgomery College Mathematics Department, Rockville, MD, 18 April 1997.

Invited Talk: Electronic Voting: Representative Democracy in the Information Age, Webster University Department of Philosophy, St. Louis, MO, 17 September 1996.

Hobbies and Community Activities

Allegheny County, PA elections poll worker, 2004 - present

Tenor saxophone player, Chatham Community Band, 1996-2003

Member, Garden State Quilters Guild 1997-2003; board member 1999-2001

My quilts have won awards in local and national contests; one of my quilts appears in the book Tumbling Blocks: New Quilts from an Old Favorite, edited by Barbara Smith (American Quilter's Society 2002) and was part of a traveling museum exhibition.