
Lorrie Faith Cranor
Professor, Carnegie Mellon University
Pittsburgh, PA
Lorrie Faith Cranor has authored over 150 research papers on online privacy, usable security, and other topics.
Media Appearances
You'll No Longer Need to Set a Password With New Microsoft Accounts
CNET online
2025-05-02
Lorrie Cranor (CyLab) supports the security benefits of passkeys over passwords but cautions that "usability" remains a concern—especially when users lose or upgrade devices or share accounts. She emphasized that companies must "support users who run into problems" by offering reliable fallback options.
Visit this store for a free iris scan to ‘prove’ you’re human, not AI
The Washington Post online
2025-05-02
On launch day for World ID, a digital identity system backed by iris scans, people enrolled by having their eyes scanned to prove they’re human amid growing concerns over AI impersonation and privacy. “Now I have features from the scan of my iris encrypted and stored on my phone, but if somebody else gets access to my phone or if a robot takes over my phone, does that mean that they can demonstrate that they’re human or maybe even me?” said Lorrie Cranor (CyLab), who is skeptical of the product.
Thieves took their iPhones. Apple won’t give their digital lives back.
Washington Post online
2025-04-20
iPhone theft victims are taking Apple to court to reclaim their personal data. “I find it odd that Apple is fighting this without explaining their rationale,” said Lorrie Cranor (CyLab).
New password guidelines: What to know
WBUR online
2024-12-03
“Some people are concerned about them because they say, ‘What if my password manager gets hacked?’ Or every now and then you'll read a news report that a big password manager has had a security problem.
“The reality is that that doesn't happen very often. And when it does happen, usually you're informed right away. And so, as a result of these occasional breaches, there hasn't been a lot of damage, relatively speaking.”
Annoying Password Rules Actually Make Us Less Secure
The Wall Street Journal online
2023-03-11
Does your company network or a frequently visited website force you to come up with a new password because it has declared your old one is past its expiration date?
How to tell if a gadget is secure? Look for this new government seal.
The Washington Post online
2023-07-19
Professor Lorrie Cranor of Carnegie Mellon University, whose research includes ways to make better security and privacy disclosures to users, said she hopes the final standard doesn’t gloss over privacy.
Mandatory password updates are passe
The Washington Post online
2022-08-18
“Most people, if they know they're going to have to change their password on a regular basis, they will pick a relatively weaker password and use a pattern for how they change it,” Lorrie Cranor, director of CyLab Security and Privacy Institute at Carnegie Mellon University, told me. And weaker passwords that are easy to predict are catnip for malicious hackers.
Google Settings Still Confusing After $85 Million Lawsuit Over How Confusing They Were
Gizmodo online
2022-10-05
“There’s a lot of fine print when you pause location history. Most people aren’t going to read it, and even if you do, it is confusing,” says Lorrie Cranor, a professor at Carnegie Mellon University whose research includes privacy settings and interfaces. “I’m a privacy expert and I still find it difficult to understand exactly what is getting turned off.”
Personalities of Pittsburgh: Lorrie Cranor is securing privacy in the digital age
Pittsburgh Business Times online
2022-09-30
Lorrie Cranor has dedicated her career to cybersecurity and protecting personal information.
Accomplishments
Distinguished Professor of Engineering Award
2022
Carnegie Mellon University College of Engineering
Alumni Achievement Award
2019
McKelvey School of Engineering, Washington University in St. Louis
AAAS Fellow
2020
Allen Newell Award for Research Excellence
2019
Carnegie Mellon University School of Computer Science
Andrew Carnegie Fellow
2019
Education
Washington University in St. Louis
B.S.
Engineering and Public Policy
1992
Washington University in St. Louis
D.Sc.
Engineering and Policy
1996
Washington University in St. Louis
M.S.
Technology and Human Affairs
1993
Washington University in St. Louis
M.S.
Computer Science
1996
Affiliations
- The Future of Privacy Forum Advisory Board
- Deep Lab: Founding member
- Wombat Security Technologies: Co-founder
Patents
User-controllable learning of policies
US8423483B2
2010-02-11
Various embodiments are directed to a computer implemented method for updating a policy that is enforced by a computer program. In one embodiment, a computer communicates, to a user, data regarding one or more decisions made by the program over a period of time according to a policy. Each decision is made on the particular policy in force at the time the decision is made. Policy data for the policy is stored in a machine readable format.
Articles
Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising
CHI '23: Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, 2023
Tech companies that rely on ads for business argue that users have control over their data via ad privacy settings. However, these ad settings are often hidden. This work aims to inform the design of findable ad controls and study their impact on users’ behavior and sentiment. We iteratively designed ad control interfaces that varied in the setting’s (1) entry point (within ads, at the feed’s top) and (2) level of actionability, with high actionability directly surfacing links to specific advertisement settings, and low actionability pointing to general settings pages (which is reminiscent of companies’ current approach to ad controls).
Understanding iOS Privacy Nutrition Labels: An Exploratory Large-Scale Analysis of App Store Data
CHI EA '22: Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems, 2022
Since December 2020, the Apple App Store has required all developers to create a privacy label when submitting new apps or app updates. However, there has not been a comprehensive study on how developers responded to this requirement. We present the first measurement study of Apple privacy nutrition labels to understand how apps on the U.S. App Store create and update privacy labels.
“Okay, whatever”: An Evaluation of Cookie Consent Interfaces
CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, 2022
Many websites have added cookie consent interfaces to meet regulatory consent requirements. While prior work has demonstrated that they often use dark patterns — design techniques that lead users to less privacy-protective options — other usability aspects of these interfaces have been less explored. This study contributes a comprehensive, two-stage usability assessment of cookie consent interfaces. We first inspected 191 consent interfaces against five dark pattern heuristics and identified design choices that may impact usability. We then conducted a 1,109-participant online between-subjects experiment exploring the usability impact of seven design parameters.
Identifying User Needs for Advertising Controls on Facebook
Proceedings of the ACM on Human-Computer Interaction, 2022
We conducted an online survey and remote usability study to explore user needs related to advertising controls on Facebook and determine how well existing controls align with these needs. Our survey results highlight a range of user objectives related to controlling Facebook ads, including being able to select what ad topics are shown or what personal information is used in ad targeting.
Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels
CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, 2022
Apple announced the introduction of app privacy details to their App Store in December 2020, marking the first ever real-world, large-scale deployment of the privacy nutrition label concept, which had been introduced by researchers over a decade earlier. The Apple labels are created by app developers, who self-report their app’s data practices. In this paper, we present the first study examining the usability and understandability of Apple’s privacy nutrition label creation process from the developer’s perspective.