Carnegie Mellon University
College of Engineering  ›  Engineering and Public Policy  ›  People  ›  Faculty  ›  Lorrie Faith Cranor

Lorrie Faith Cranor

Lorrie Faith Cranor

FORE Systems University Professor
Engineering & Public Policy, and School of Computer Science
Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab Usable Privacy and Security Laboratory
Co-director, MSIT-Privacy Engineering Masters Program

Address
CyLab Usable Privacy and Security Laboratory
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213

Bio

  • Professor, Carnegie Mellon, 2014-present
  • Chief Technologist, US Federal Trade Commission, 2016
  • Associate Professor, Carnegie Mellon, 2008-2014
  • Associate Research Professor, Carnegie Mellon 2003-2008
  • Adjunct Assistant Professor of Information Systems, New York University Stern School of Business, 2003
  • Principal Technical Staff Member, AT&T Labs-Research 2001-2003
  • Senior Technical Staff Member, AT&T Labs-Research 1996-2001

Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems University Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the Privacy Engineering masters program. She was founding co-director of the Collaboratory Against Hate: Research and Action Center at Carnegie Mellon and the University of Pittsburgh. In 2016 she served as Chief Technologist at the US Federal Trade Commission, working in the office of Chairwoman Ramirez. She is also a co-founder of Wombat Security Technologies, Inc, a security awareness training company that was acquired by Proofpoint. She has authored over 200 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also co-founded the Conference on Privacy Engineering Practice and Respect (PEPR). She chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards and working groups, including the Electronic Frontier Foundation Board of Directors, the Computing Research Association Board of Directors, the Aspen Institute Cybersecurity Group, and on the editorial boards of several journals. In 2003 she was honored as one of the top 100 innovators 35 or younger by Technology Review magazine. More recently she was elected to the ACM CHI Academy, named an ACM Fellow for her contributions to usable privacy and security research and education, named an IEEE Fellow for her contributions to privacy engineering, and named a AAAS Fellow. She is also a 2019 Andrew Carnegie Fellow and has received an Alumni Achievement Award from the McKelvey School of Engineering at Washington University in St. Louis, the 2022 Carnegie Mellon University Distinguished Professor of Engineering Award, the 2018 ACM CHI Social Impact Award, the 2018 International Association of Privacy Professionals Privacy Leadership Award, and (with colleagues) the 2018 IEEE Cybersecurity Award for Practice and 2019 Carnegie Mellon University Allen Newell Award for Research Excellence. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. She holds a doctorate in Engineering and Policy from Washington University in St. Louis. In 2012-13 she spent her sabbatical as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she where she worked on fiber arts projects, including a quilted visualization of bad passwords, Security Blanket, that was featured in Science Magazine as well as a bad passwords dress that she frequently wears when talking about her research. She plays soccer, walks to work, sews her own dresses with pockets, and tries not to embarrass her three teenage/young adult children. Her pandemic pet is a bass flute.

Education

  • B.S. (Engineering and Public Policy) 1992, Washington University in St. Louis
  • M.S. (Technology and Human Affairs) 1993, Washington University in St. Louis
  • M.S. (Computer Science) 1996, Washington University in St. Louis M
  • D.Sc. (Engineering and Policy) 1996, Washington University in St. Louis

Research

My research focuses on usable privacy and security. My current projects fall into several overlapping areas: privacy decision making (including applications of P3P), user-controllable security and privacy (including location-sharing privacy and file access control in the home), and usable cyber trust indicators, and and usable and secure passwords. Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution proces, and other topics.

Publications

Selected Publications

  1. Andrea Gallardo, Chris Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Cranor. Speculative Privacy Concerns About AR Glasses Data Collection. Proceedings on Privacy Enhancing Technologies 2023(4).
  2. Jessica Colnago, Lorrie Cranor, and Alessandro Acquisti. Is There a Reverse Privacy Paradox? An Exporatory Analysis of Gaps Between Privacy Perspectives and Priavcy-Seeking Behaviors. Proceedings on Privacy Enhancing Technologoes, 2023(1).
  3. Elijah Robert Bouma-Sims, Megan Li, Yanzi Lin, Adia Sakura-Lemessy, Alexandra Nisenoff, Ellie Young, Eleanor Birrell, Lorrie Faith Cranor, and Hana Habib. 2023. A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile. CHI 2023. Article 163, 1–36. https://doi.org/10.1145/3544548.3580725
  4. Jane Im, Ruiyi Wang, Weikun Lyu, Nick Cook, Hana Habib, Lorrie Faith Cranor, Nikola Banovic, and Florian Schaub. 2023. Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising. CHI 2023. Article 661, 1–33. https://doi.org/10.1145/3544548.358077
  5. Hana Habib, Megan Li, Ellie Young, and Lorrie Cranor. 2022. "Okay, whatever": An Evaluation of Cookie Consent Interfaces. In CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 621, 1–27. https://doi.org/10.1145/3491102.3501985Tianshi Li, Kayla Reiman, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I. Hong. 2022. Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels. In CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 588, 1–24. https://doi.org/10.1145/3491102.3502012
  6. Hana Habib, Sarah Pearman, Ellie Young, Ishika Saxena, Robert Zhang, and Lorrie FaIth Cranor. 2022. Identifying User Needs for Advertising Controls on Facebook. Proc. ACM Hum.-Comput. Interact. 6, CSCW1, Article 59 (April 2022), 42 pages. DOI:https://doi.org/10.1145/3512906
  7. Hana Habib, Yixin Zou, Yaxing Yao, Alessandro Acquisti, Lorrie Cranor, Joel Reidenberg, Norman Sadeh, and Florian Schaub. 2021. Toggles, Dollar Signs, and Triangles: How to (In)Effectively Convey Privacy Choices with Icons and Link Texts. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI '21). Association for Computing Machinery, New York, NY, USA, Article 63, 1–25. https://dl.acm.org/doi/10.1145/3411764.3445387
  8. Peter Story, Daniel Smullen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. Awareness, adoption, and misconceptions of web privacy tools. Proceedings on Privacy Enhancing Technologies, 2021 (3) 308-333. DOI 10.2478/popets-2021-0049.
  9. Shikun Zhang, Yuanyuan Feng, Lujo Bauer, Lorrie Faith Cranor, Anupam Das, and Norman Sadeh. "Did you know this camera tracks your mood?": Understanding privacy expectations and preferences in the age of video analytics. Proceedings on Privacy Enhancing Technologies, 2021 (2) 282-304. DOI 10.2478/popets-2021-0028.
  10. Hana Habib, Sarah Pearman, Jiamin Wang, Yixin Zou, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. "It’s a scavenger hunt": Usability of Websites' Opt-Out and Data Deletion Choices. CHI 2020. https://dl.acm.org/doi/abs/10.1145/3313831.3376511
  11. Jessica Colnago, Yuanyuan Feng, Tharangini Palanivel, Sarah Pearman, Megan Ung, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. Informing the Design of a Personalized Privacy Assistant for the Internet of Things. CHI 2020. https://dl.acm.org/doi/abs/10.1145/3313831.3376389
  12. Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites. SOUPS 2019. https://www.usenix.org/conference/soups2019/presentation/habib
  13. Pardis Emami-Naeini, Henry Dixon, Yuvraj Agarwal, and Lorrie Faith Cranor. 2019. Exploring How Privacy and Security Factor into IoT Device Purchase Behavior. In CHI Conference on Human Factors in Computing Systems USA, Paper 534, 12 pages. https://dl.acm.org/citation.cfm?id=3300764
  14. Pardis Emami-Naeini, Martin Degeling, Lujo Bauer, Richard Chow, Lorrie Cranor, Mohammad Reza Haghighat, and Heather Patterson. The Influence of Friends and Experts on Privacy Decision Making in IoT Scenarios. The 21st ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW '18), Nov 2018. https://dl.acm.org/citation.cfm?id=3274317
  15. Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. User Behaviors and Attitudes Under Password Expiration Policies. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 13-20.  https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf
  16. Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 159-175. https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-prying.pdf

     

  17. Joshua Tan, Lujo Bauer, Joe Bonneau, Lorrie Cranor, Jeremy Thomas, and Blase Ur. Can unicorns help users compare crypto key fingerprints? CHI 2017, Denver, CO, May 6-11, 2017. https://dl.acm.org/citation.cfm?id=3025733

  18. Maggie Oates, Yama Ahmadullah, Abigail Marsh, Chelse Swoopes, Shikun Zhang, Rebecca Balebako, and Lorrie Cranor. Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration. Proceedings on Privacy Enhancing Technologies, 2018 (4):5–32. [Best student paper award] https://petsymposium.org/2018/files/papers/issue4/popets-2018-0029.pdf

  19. Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas Christin. 2018. “It's not actually that horrible”: Exploring Adoption of Two-Factor Authentication at a University. CHI 2018, Montreal, QC Canada, April 21-26, 2018. https://dl.acm.org/citation.cfm?id=3174030

  20. Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget. Let’s go in for a closer look: Observing passwords in their natural habitat. 24th ACM Conference on Computer and Communications Security (CCS’17). 2017.  https://dl.acm.org/citation.cfm?id=3133956.3133973

  21. Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. 2017. Design and Evaluation of a Data-Driven Password Meter. CHI 2017. http://dl.acm.org/citation.cfm?id=3026050&CFID=931599301

  22. W. Melicher, B. Ur, S. Segreti, S. Komanduri, L. Bauer, N. Christin, L. Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. USENIX Security, August 10-12, 2016, Austin, TX. https://www.ece.cmu.edu/~lbauer/papers/2016/usenixsec2016-neural-passwords.pdf

  23. B. Ur, J. Bees, S. Segreti, L. Bauer, N. Christin, and L. F. Cranor. CHI'16. Do users' perceptions of password security match reality? http://www.ece.cmu.edu/~lbauer/papers/2016/chi2016-pwd-perceptions.pdf

  24. F. Schaub, R. Balebako, A. Durity, and L. Cranor. A Design Space for Effective Privacy Notices. SOUPS 2015. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

  25. R. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W. Melicher, S. Segreti, and B. Ur. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015. http://cups.cs.cmu.edu/rshay/pubs/Feedback.pdf

  26. Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. USEC 2015, February 8, 2015. http://www.internetsociety.org/doc/biometric-authentication-iphone-and-android-usability-perceptions-and-influences-adoption

  27. F. Schaub, R. Balebako, A. Durity, and L. Cranor. Designing Effective Privacy Notices. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/schaub

  28. B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, and L. Cranor. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/ur

  29. Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. USENIX Security 2014. August 20-22, 2014, San Diego, CA, pp. 591-606. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/komanduri

  30. L. Cranor, A. Durity, A. Marsh, and B. Ur. Parents' and Teens' Perspectives on Privacy in a Technology-Filled World. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/cranor

  31. C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, M. Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/bravo-lillo

  32. Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable? In CHI 2014: Conference on Human Factors in Computing Systems, April 2014. ACM.  http://lorrie.cranor.org/pubs/longpass-chi2014.pdf

  33. Y. Wang, P. Leon, A. Acquisti, L.F. Cranor, A. Forget, N. Sadeh. A Field Trial of Privacy Nudges for Facebook. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI2014).  http://yangwang.syr.edu/papers/CHI2014.pdf

  34. M.L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, P.G. Kelley, R. Shay, and B. Ur. Measuring Password Guessability for an Entire University. ACM CCS 2013.  https://www.cylab.cmu.edu/research/techreports/2013/tr_cylab13013.html

  35. C. Bravo-Lillo, L.F. Cranor, J. Downs, S. Komanduri, R.W. Reeder, S. Schechter, and M. Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a6_Bravo-Lillo.pdf

  36. P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a7_Leon.pdf

  37. B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L.F. Cranor. How does your password measure up? The effect of strength meters on password creation. USENIX Security 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/usenix2012-meters.pdf

  38. P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/chi2012-tags.pdf

  39. L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012.  http://www.jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF