People of ACM - Lorrie Faith Cranor

April 19, 2016

How did you initially become interested in the areas of usable privacy and security?

When I worked for AT&T Labs-Research in the 1990s I worked on the Platform for Privacy Preferences (P3P) standard being developed at the World Wide Web Consortium. After several years of working on P3P it became clear to me that besides standardizing the protocol and privacy vocabulary, it was important that we have usable tools for end users that implement the standard. Nobody was talking about how to build these tools for users, so I decided to take this on and convinced my boss to fund the development of the "Privacy Bird" P3P plug-in. I talked to my friends in the HCI group and started reading up on how to make usable privacy and security tools. There was very little on this topic in the research literature at the time and it seemed like an area where there was a real need.

When I came to CMU I decided to focus my research efforts on usable privacy and security. I started the CUPS Lab, but I also wanted to expand the community doing research in this area outside of CMU. I started the Symposium On Usable Privacy and Security (SOUPS) in 2005 and have been pleased to see it grow into a great annual event.

In many areas of computing, developers incorporate usability considerations into the earliest stages of design. Why do you believe this has traditionally not been the case in the privacy and security realms?

Traditionally the people who work on security and privacy have little or no expertise in usability, and usability folks have little security expertise. In both industry and academia they have sat in different departments. In addition, for a long time I don't think the security industry even viewed usability as important, and certainly not something worth investing in. Thankfully, that is changing. We're starting to see a lot of cross-fertilization between these communities, and companies are now willing to invest in usable security.

Can you discuss the recent technological advances that will allow passwords to be both more secure and easier to remember?

Passwords are old technology, and fundamentally I think there are limitations to both their security and memorability. But since it doesn't seem they will be fully replaced in the near future, we need to make the best of the situation. At CMU we've been doing research in this area for several years now, with a focus on how to improve password policies.

Password security is improved through better security practices on the server, slow hash functions, limiting the number of attempts users can make to log in, and good password policies. Using a second factor also enhances the security.

To make passwords easier to remember we need companies to implement sensible password policies that force users to create passwords that are long and unpredictable, but do not require regular password changes. Forced password changes every 60 or 90 days are completely counterproductive because people pick weaker passwords to start with and change them in very predictable ways. Password managers are another approach that allows users to have strong and unique passwords that they don't actually have to remember.

Based on your research and your leadership at CUPS, what might be some key areas you will focus on as Chief Technologist for the FTC?

Consumer protection related to privacy and security are areas near and dear to me, and I am looking forward to contributing to the work the FTC is doing in these areas. I hope to be able to use my expertise related to usability evaluation of privacy and security tools in the process. I will also be looking at new technologies that are being rolled out and trying to help the FTC get ahead in its understanding of the implications for consumer privacy. Finally, I'm very interested in finding ways to better bridge the gap between academic researchers and policymakers.


Lorrie Faith Cranor recently assumed the role of Chief Technologist at the Federal Trade Commission (FTC), which works for consumers to prevent fraudulent, deceptive and unfair business practices. A recognized leader in the usable privacy and security field, she is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University (CMU). At CMU, she is the director of the CyLab Usable Privacy and Security Laboratory (CUPS) and the co-director of the MSIT-Privacy Engineering Masters Program.

Cranor has authored more than 150 papers and published four books, including Security and Usability, which she co-edited. She was named an ACM Fellow in 2014. She is also a member of USACM, the US Public Policy Council of ACM.