CyLab researchers to present at USENIX PEPR 2026

CyLab Security and Privacy Institute researchers are set to present three papers and lead one activity at the 2026 USENIX Conference on Privacy Engineering Practice and Respect (PEPR '26).

The conference will take place in Santa Clara, CA on June 1st and 2nd, bringing together privacy practitioners and researchers who are focused on designing and building products and systems with privacy and respect for their users and the societies in which they operate.

In addition to the CyLab research being presented at the conference, the CMU Privacy Engineering Program is hosting an alumni dinner on June 2nd. Alumni who would like to attend should contact one of the Privacy Engineering program directors for further details and to RSVP.

PEPR was co-founded in 2019 by CyLab Director Lorrie Cranor and CyLab alumnus Lea Kissner because there were no conferences where privacy engineering practitioners could talk about their experiences and learn from each other and from privacy researchers.

Below, we’ve compiled a list of presentations led by CyLab Security and Privacy Institute researchers at this year’s event.

Papers

User (Non-)Compliance with Age Verification: Evidence from a Deceptive Web Experiment

Authors: Yanzi Lin, Cheng Zhang, Madelyne Xiao, Lorrie Faith Cranor, and Sarah Scheffler; Carnegie Mellon University

Presenter: Lorrie Faith Cranor

Abstract: Twenty-five U.S. states have laws requiring some websites to perform "strong" age verification to ensure that visitors to sites containing "material harmful to minors" are over-age – and more states are considering similar laws. Under these laws, self-attesting one's age by checking a box is insufficient. Users must verify their age by using IDs, AI facial analysis, or other "commercially reasonable" options. However, users may find these approaches to age verification privacy-invasive, insecure, or inconvenient, and some users may even turn away from a website entirely if prompted with one of these methods. Our team at Carnegie Mellon University ran a 1,635-participant experiment to find out what users do when they encounter various age verification options and followed up with a survey to probe their reasoning. We'll talk about our study methods, our findings, and what policy makers and organizations that are required to age verify can learn from our results.

Designing for Civic Trust: An Infrastructure to Help Long Beach Residents Manage Their CCPA Rights

Authors: Omar Moncayo, City of Long Beach; Norman Sadeh, Carnegie Mellon University; and Gwen Shaffer, California State University, Long Beach

Presenters: Omar Moncayo, Norman Sadeh, and Gwen Shaffer

Abstract: Cities increasingly rely on digital technologies to manage transportation, utilities, public services, and other urban functions. These technologies, operated by both municipal agencies and private vendors, collect and process data about people in many everyday contexts. Despite existing privacy regulations, residents often lack practical ways to understand these data practices or exercise applicable rights, and cities face challenges translating policy into scalable, operational solutions.

This presentation describes ongoing work to deploy a Smart City Privacy Infrastructure in partnership with the City of Long Beach. The effort builds on California’s consumer privacy framework and leverages CMU’s IoT Privacy Infrastructure to support greater transparency and accountability across a broad ecosystem of smart city technologies, including mechanisms that allow people to rely on authorized agents, as envisioned under CCPA, to help manage privacy interactions at scale. We discuss the motivation for this work, the architectural approach used to support heterogeneous systems, and the practical challenges encountered when working with individual city departments and external vendors. The talk highlights progress to date, including onboarding technologies spanning transportation, mobility services, utilities, and other urban deployments, as well as the launch of a city-facing assistant application to help people discover and understand data collection in their environment. We conclude by discussing lessons learned, remaining challenges, and opportunities for broader adoption.

Envisioning and Mitigating Privacy Risks for Consumer-Facing AI Product Concepts through Human-AI Teaming

Authors: Hao-Ping Lee, Carnegie Mellon University; Yu-Ju Yang, University of Illinois Urbana-Champaign; Matthew Bilik, University of Washington; Isadora Krsek, Thomas Serban von Davier, Kyzyl Monteiro, Jason Lin, Shivani Agarwal, Jodi Forlizzi, and Sauvik Das, Carnegie Mellon University

Presenter: Hao-Ping (Hank) Lee

Abstract: AI creates and exacerbates privacy risks, yet product teams often lack the expertise to spot and mitigate issues early—leaving privacy experts to translate principles and correct late-stage choices. What if teams could draft a solid privacy "first draft" before involving experts? We present Privy, a human-AI teaming tool powered by generative AI (GenAI) that enhances non-privacy-expert practitioners' privacy awareness during AI product ideation. Privy helps teams surface likely privacy risks and propose concrete mitigations, producing high-quality intake artifacts so experts can focus on product-specific, high-impact decisions. We grounded Privy's design in a formative study with 11 practitioners and evaluated it with 24 additional practitioners; 13 independent privacy experts rated the resulting privacy assessments high quality, with relevant risks and appropriate mitigations. Practitioners found Privy useful and usable, reporting improved awareness, motivation, and ability in doing privacy work. We conclude with design roles for integrating GenAI into privacy workflows.

Activities

Privacy Story Time: Explaining Privacy Concepts to Four-year-olds (and Their Parents)

Tuesday, 10:20 am–10:50 am

Researcher: Lorrie Faith Cranor

Description: Join us during the morning break for a reading and discussion by Lorrie Faith Cranor of her new picture book, "Privacy, Please!" Lorrie will explain why she wrote this book, her sources of inspiration and information, and how she went about explaining privacy concepts to young children. She will discuss how she defines privacy for this audience and how she gives children the vocabulary to ask for privacy and examples of how they can achieve it, despite the need for adult supervision. She’ll talk about boundaries and discuss how privacy can help children calm down and recharge, be creative, keep their bodies safe, and more. Finally, she’ll talk about what she has learned from her discussions about privacy with children and caregivers and lessons for privacy engineers. (Signed books will be available for $12 after the talk.)