Lorrie Faith Cranor

Professor, Carnegie Mellon University

  • Pittsburgh PA

Lorrie Faith Cranor has authored over 150 research papers on online privacy, usable security, and other topics.

Contact

Carnegie Mellon University

Biography

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering master's program. In 2016 she served as Chief Technologist at the US Federal Trade Commission, working in the office of Chairwoman Ramirez. She is also a co-founder of Wombat Security Technologies, Inc., a security awareness training company. She has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In her younger days she was honored as one of the top 100 innovators 35 or younger by Technology Review magazine. More recently she was named an ACM Fellow for her contributions to usable privacy and security research and education, and an IEEE Fellow for her contributions to privacy engineering. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. She holds a doctorate in Engineering and Policy from Washington University in St. Louis. In 2012-13 she spent her sabbatical as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University, where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.

Areas of Expertise

Engineering and Policy
Privacy
Cybersecurity and Privacy
Computer Science
Usable Security

Media Appearances

You'll No Longer Need to Set a Password With New Microsoft Accounts

CNET  online

2025-05-02

Lorrie Cranor (CyLab) supports the security benefits of passkeys over passwords but cautions that "usability" remains a concern—especially when users lose or upgrade devices or share accounts. She emphasized that companies must "support users who run into problems" by offering reliable fallback options.

Visit this store for a free iris scan to ‘prove’ you’re human, not AI

The Washington Post  online

2025-05-02

On launch day for World ID, a digital identity system backed by iris scans, people enrolled by having their eyes scanned to prove they’re human amid growing concerns over AI impersonation and privacy. “Now I have features from the scan of my iris encrypted and stored on my phone, but if somebody else gets access to my phone or if a robot takes over my phone, does that mean that they can demonstrate that they’re human or maybe even me?" said Lorrie Cranor (CyLab) who is skeptical of the product.

Thieves took their iPhones. Apple won’t give their digital lives back.

Washington Post  online

2025-04-20

iPhone theft victims are taking Apple to court to reclaim their personal data. “I find it odd that Apple is fighting this without explaining their rationale," said Lorrie Cranor (CyLab).

Industry Expertise

Writing and Editing
Education/Learning
Security
Research

Accomplishments

Distinguished Professor of Engineering Award

2022

Carnegie Mellon University College of Engineering

Alumni Achievement Award

2019

McKelvey School of Engineering, Washington University in St. Louis

AAAS Fellow

2020

Education

Washington University in St. Louis

B.S.

Engineering and Public Policy

1992

Washington University in St. Louis

D.Sc.

Engineering and Policy

1996

Washington University in St. Louis

M.S.

Technology and Human Affairs

1993

Affiliations

  • The Future of Privacy Forum Advisory Board
  • Deep Lab: Founding member
  • Wombat Security Technologies: Co-founder

Patents

User-controllable learning of policies

US8423483B2

2010-02-11

Various embodiments are directed to a computer implemented method for updating a policy that is enforced by a computer program. In one embodiment, a computer communicates, to a user, data regarding one or more decisions made by the program over a period of time according to a policy. Each decision is made on the particular policy in force at the time the decision is made. Policy data for the policy is stored in a machine readable format.

Articles

Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising

CHI '23: Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems

2023

Tech companies that rely on ads for business argue that users have control over their data via ad privacy settings. However, these ad settings are often hidden. This work aims to inform the design of findable ad controls and study their impact on users’ behavior and sentiment. We iteratively designed ad control interfaces that varied in the setting’s (1) entry point (within ads, at the feed’s top) and (2) level of actionability, with high actionability directly surfacing links to specific advertisement settings, and low actionability pointing to general settings pages (which is reminiscent of companies’ current approach to ad controls).

Understanding iOS Privacy Nutrition Labels: An Exploratory Large-Scale Analysis of App Store Data

CHI EA '22: Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems

2022

Since December 2020, the Apple App Store has required all developers to create a privacy label when submitting new apps or app updates. However, there has not been a comprehensive study on how developers responded to this requirement. We present the first measurement study of Apple privacy nutrition labels to understand how apps on the U.S. App Store create and update privacy labels.

“Okay, whatever”: An Evaluation of Cookie Consent Interfaces

CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems

2022

Many websites have added cookie consent interfaces to meet regulatory consent requirements. While prior work has demonstrated that they often use dark patterns — design techniques that lead users to less privacy-protective options — other usability aspects of these interfaces have been less explored. This study contributes a comprehensive, two-stage usability assessment of cookie consent interfaces. We first inspected 191 consent interfaces against five dark pattern heuristics and identified design choices that may impact usability. We then conducted a 1,109-participant online between-subjects experiment exploring the usability impact of seven design parameters.
