Usable Privacy: Lorrie Faith Cranor '89

by Xinyi Zhou '10

Dr. Lorrie Faith Cranor ’89 is an associate professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She directs the CyLab Usable Privacy and Security Laboratory and co-directs the MSIT Privacy-Engineering master’s program. She is a co-founder of Wombat Security Technologies, Inc., and she sits on the Board for the Electronic Frontier Foundation. After considering many qualified candidates, the Magnet Foundation Board selected Dr. Cranor for the Magnet Foundation's 2014 Distinguished Alumni Award. She will receive the award and will give a short talk at the Magnet Research Conference at Blair on the evening of February 27th, 2014.

What was it like to be part of the first Magnet class in 1989?

It was exciting to be part of the first Magnet class, but also a little scary. A lot of my friends in 8th grade thought I was crazy to go to this new magnet program at Blair high school. We got there and they had just finished renovating part of the building for us and it wasn’t entirely finished, and some of the equipment hadn’t arrived yet. The regular Blair students weren’t entirely sure what to make of us either: there were about 100 of us and we were all freshmen that first year. We quickly accepted that they were going to call us “maggots” and that was that. But we all started to make friends both within the Magnet and in the rest of the school. I think those of us in the first class had a sense of adventure and were excited to be part of something new. Not everything went completely smoothly the first year, but it all worked out.

What classes were particularly influential? What extracurriculars were you involved in?

I’m not sure that I was influenced so much by specific classes as I was by the whole program taken together. The Magnet program had such a strong emphasis on problem solving and research methods that is unusual for high school. Research & Experimentation was such a cool class, and that may have helped spark my interest in engineering. It was great to be exposed to mechanical drawing and power tools, and to apply these skills to making scientific instruments. And the classes were challenging. We learned how to think and how to study. Many of my college classmates told me that they had coasted through high school and were having to really work hard and study for the first time in college. But I felt like I had already learned how to handle challenging classes at Blair.

I did a lot of extracurricular activities. I played the flute and piccolo and was in the marching band and the pit orchestra. I was editor of Blair's Silver Quill literary magazine and also a founding editor of the Silver Quest Magnet magazine. We also had a Magnet club in ninth grade and I was president of that for a while. I was involved in student government and ran for the student representative to the Board of Education. I lost, but that freed up more time for another interest: the school newspaper. My senior year I was co-editor-in-chief of Silver Chips. That was an amazing experience, and by the end of that year I was almost ready to major in journalism instead of engineering in college.

What sparked your interest in, as you put it, usable privacy and security?

When I worked for AT&T Labs-Research I was involved for several years in a standards effort to develop a computer-readable language for privacy policies. The project focused on back-end interoperability, but I realized that without a good user interface for conveying privacy policy information to end users, the standard was not going to be very useful. So I convinced my boss to fund the development of a privacy policy tool for consumers and I started trying to figure out how to make the tool usable. I looked for research on usable privacy tools and couldn’t find much. There was a little bit published on usable security, but that research was scarce as well. It seemed to me this was an area with a lot of open research questions and not much research.

How would you explain your research focuses? How and why have they evolved over time?

I’ve always been fairly opportunistic about selecting research problems, and I have been influenced by opportunities to collaborate with people around me, and now by the interests of my graduate students. My dissertation was on electronic voting, back before it became a hot issue. Privacy was an interest of mine in grad school and I had the opportunity to get involved in a privacy standards effort at AT&T. And after a couple of years I transferred into the security research group and started collaborating with some really smart security folks. I was involved in a project to develop an anonymous publishing system, and another to analyze security vulnerabilities in movie distribution. Then after I started building privacy tools and realized how little research there was in usable privacy and security, I decided to make that my focus.

When I came to Carnegie Mellon, I had to apply for grant money. I applied for some privacy-related grants without success, and decided to try something more security-related. Phishing attacks were picking up and while there was research being done on how to detect phishing emails, there wasn’t much looking at understanding why people were falling for these attacks. So I assembled an interdisciplinary team and wrote a large grant proposal for an anti-phishing project, and it got funded. I also started working with some colleagues who had funding for a project on using smart phones to unlock doors. That project led to projects on access control user interfaces, and then to projects on privacy controls for location sharing, and designing privacy “nutrition labels.” As the US Federal Trade Commission has been exploring privacy issues, I have wanted to conduct policy relevant research too. We did a study on the usability of consumer privacy tools and the effectiveness of privacy self-regulatory programs. I got really interested in how to make passwords more usable and secure after CMU changed our password policy a few years ago. After a few lunch time discussions with some other faculty and a bunch of graduate students, we started a major research effort on passwords that has already resulted in several published papers and is still going strong.

What can we do personally to protect our digital privacy?

That’s a hard question to answer and I really wish I had a good answer for this one because I get asked this question all the time. The biggest thing I think people can do that is likely to make a difference is to think before providing information online. If you post to social networks, think about what you are posting and check your privacy settings to limit who can see what you are posting. If you are filling out a form online, don’t provide information that is not really needed and make sure you know who you are giving your information to. Avoid sweepstakes and offers that seem too good to be true. Beyond that, there are all sorts of privacy tools you might want to use to block trackers in your web browser, encrypt your email, and more. But they are not always that easy to use effectively.

You recently took a very interesting sabbatical as a fellow at the CMU STUDIO for Creative Inquiry, working on quilting projects that integrate your interests in technology, privacy and security. How did you get started in quilting? How did you decide to combine your interests in technology and art for your sabbatical?

I started quilting in grad school. I have always enjoyed art projects and I needed to do something where I could see tangible progress when I was frustrated with my dissertation research. Quilting was somewhat of a random choice. I knew how to sew and bought a book on quilting and started hand quilting small projects. I loved it, and when I graduated I bought a sewing machine and started making larger quilts. I haven’t had much time for quilting though, especially now with three kids and an academic career. When I had an opportunity to take a sabbatical I wanted to do something really different from what I normally do, but relocating my family for a year was going to be too complicated. I thought about things I might do here in Pittsburgh and decided to try to find a way to spend the year working on art, especially quilting. I had to write up a sabbatical proposal that would get approved by my university, so I figured it would be a good idea to tie quilting to my research somehow. So I said I would visualize privacy and security concepts through art. I didn’t quite know what that meant, but it sounded good and my proposal was approved. The folks at the STUDIO for Creative Inquiry were excited about hosting me and providing me with studio space for a year and I loved hanging out with them. I did manage to produce several pieces that combined quilting with privacy and security as well as some pieces that leveraged my computational skills. One of my favorite pieces is a quilt called “Security Blanket” that visualizes the 1000 most popular passwords stolen from a website. [The quilt won an honorable mention in the NSF International Science & Engineering Visualization Challenge.] I also made a password dress to go with it.

What's next for you as you return to research and teaching full-time?

I returned to full-time teaching last fall and also welcomed the first class of a new master’s program in privacy engineering that I co-direct. This is a new concept in master’s programs; there isn’t another program like it anywhere. And since I have never run a master’s program before, everything is new, and everything I am doing, I am doing for the first time and learning how. I taught a privacy course last fall that I’ve taught many times before, but it had been a couple of years. So much has changed in the privacy world in the past two years that I had to make major changes to the way I taught the course. On top of that we received a couple of new grants for large projects last fall, so there were new research projects to get started on. And then there are my 8 PhD students to supervise — they are terrific, but I meet with them all weekly and it takes a lot of time just to keep up with what everyone is doing. So last fall was really busy and I didn’t get much sleep.

You can meet Dr. Cranor and hear her speak to Magnet students at the Magnet Research Convention at Blair on February 27, 2014, starting at 6:30pm.

Dr. Cranor's Research

A few of Dr. Cranor's articles and publications:

    • Teaching Johnny Not to Fall for Phish (pdf)

    • Bridging the Gap in Computer Security Warnings: A Mental Model Approach (pdf)

    • Measuring Password Guessability for an Entire University (pdf)

    • Privacy engineering emerges as a hot new career (pdf)