Lorrie Cranor is Associate Research Professor of Computer Science and Engineering & Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS). Dr. Cranor is also Chief Scientist of Wombat Security Technologies, Inc. She has authored over 80 research papers on online privacy, phishing and semantic attacks, spam, electronic voting, anonymous publishing, usable access control, and other topics.
posted by Richard Power
CyLab Chronicles: Let's talk about the NSF IGERT grant to support the Carnegie Mellon Usable Privacy and Security Doctoral Training Program. What is the significance of this grant? What kinds of career path will such a PhD. launch your students into? What professional focuses would be enhanced by such a degree? Where will the impact of individuals with this degree be felt?
Lorrie Cranor: This grant provides resources for a program that allows Carnegie Mellon University PhD students to do a PhD in a traditional area with a concentration on usable privacy and security. We have a core required course on usable privacy and security, and are using this grant to support the development of several new courses in related research areas such as behavioral economics of privacy, and biometrics. The grant also provides funding for PhD fellowships and for equipment for our usability lab. Carnegie Mellon University has been one of the leading universities doing usable security research as well as privacy research. This grant allows us to take our programs a step further and achieve a critical mass of students and faculty working in these areas. I expect students in our program will follow a variety of career paths. Most will probably pursue research careers in industry or academia. In some cases their focus will be in traditional areas (for example, network security), but their training in usability will give them a big advantage when addressing human factors issues in their work. In other cases I expect they will continue on to do interdisciplinary research right at the intersection of usability, security, and privacy. We're hearing from companies that they recognize a need for improving the usability of secure systems, and they want to hire people who have been trained to work in this area.
CyLab Chronicles: Your team will be presenting four papers at ACM Conference on Human Factors in Computing Systems (CHI 2010). One of them relates your team's research into "Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach." What problems are you tackling in this effort? What solutions have you come up with? What is the potential impact of this research? What is its current status?
Cranor: Privacy notices are notoriously difficult to read and understand, and they aren't really that useful to consumers. We have been working on developing a standardized tabular format for privacy policies, similar to nutrition labels, that makes it easy for people to compare the policies of two companies side-by-side before making a purchase. We can generate these privacy nutrition labels automatically for web sites that have computer-readable privacy policies published in the standard P3P format. We've developed a search engine (http://privacyfinder.org/) that annotates search results with privacy meters that you can click on to display privacy nutrition labels. We've tested this approach with users and found that standardized privacy notices allow users to find information in privacy policies more quickly and accurately than they can with the typical text policies on web sites today. We're working on further refinements to our approach based on the results of our studies. We've also gotten involved with industry group efforts to develop standard privacy icons. The Future of Privacy Forum is working on a behavioral advertising icon, and Mozilla has just started an effort to develop standard privacy icons to display in web browsers. This is an area that seems to be getting a lot of interest right now from regulators as well, especially the US Federal Trade Commission.
[NOTE: Here are the other three papers the CUPS team will be presenting at CHI 2010: Access Control for Home Data Sharing: Attitudes, Needs and Practices, authored by M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Are Your Participants Gaming the System? Screening Mechanical Turk Workers, authored by J. Downs, M. Holbrook, S. Sheng, and L. Cranor. Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions, authored by S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs]
CyLab Chronicles: SOUPS is six years old. Let's talk about its evolution. How has it grown over the years, how has it developed? What role has it come to play in the field of cyber privacy and security research? What would you like to tell us about SOUPS 2010?
Cranor: We started with about 75 attendees in 2005 and now have double that. We also get more paper and poster submissions now. But more important than the numbers, I think SOUPS has helped contribute to the growing awareness that usable security is important. DHS just issued their Roadmap for Cybersecurity Research, which lists usable security as one of the 11 hard problems in information security that belong on the national R&D agenda. The National Academy of Sciences is currently preparing a report on usable security, sponsored by NSF and NIST. And traditional security as well as human-computer interaction conferences are increasingly listing usable security in their call for papers. We created SOUPS, in part, because it was hard to publish usable security papers in traditional venues. The good news is that now we can publish usable security papers in a variety of places. But SOUPS remains an important venue for bringing together researchers in this area. Our experiment with holding SOUPS on the Google corporate campus in 2009 worked very, and for 2010 we're excited to bring SOUPS to the Microsoft campus in Redmond, WA. Having large numbers of participants from local companies on hand for discussions with our academic participants has been quite beneficial.
CyLab Chronicles: Last year, you and two other CyLab researchers, Jason Hong and Norman Sadeh spun off Wombat Security Technologies from CUPS research. Give us an update on Wombat. What's new? What are its latest offerings? What can you tell us about future plans?
Cranor: Wombat has been growing and there has been a lot of interest in our products. Our Anti-Phishing Phil training game has been licensed by companies, universities, and government agencies around the world, including the US Department of State and US Department of Energy. We've developed some translations of Phil into other languages and we'll soon offer trial versions on our website in a few languages. This month we expect to roll out our latest training game, Anti-Phishing Phyllis, which focussed on identifying Phishing emails.
CyLab Chronicles: Where are we in the search for Usable Privacy and Security? What progress is being made? What are the near-term challenges and opportunities? What are the long-term goals? How has the concept of usability impacted our approaches to privacy and security in general?
Cranor: I think we're finally making progress on making people in the security field aware of the need for usability. And there has been quite a bit of interesting research that is starting to impact real systems. But we have a long way to go. There is no magic formula for how to make security usable, and we have a lot of really challenging problems. In the near term, I think there are a lot of ongoing usable security research projects where a researcher is focussed on a very narrow problem and trying to make progress. But long term we want to not just solve individual problems, but come up with approaches that are going to help us solve whole classes of problems. But the fact that people are starting to ask questions about usability and companies are starting to invest in usable security has been a really big step forward.
Some Relevant Links:
See all CyLab Chronicles articles