CUPS - CyLab Usable Privacy and Security Laboratory - Carnegie Mellon University, 5000 Forbes Ave., Pittsburgh, PA 15213

Privacy decision making

While most people claim to be very concerned about their privacy, they do not consistently take actions to protect it. Web retailers detail their information practices in their privacy policies, but most of the time this information remains invisible to consumers. Our research focuses on understanding how individuals make privacy-related decisions, finding ways to make privacy information more usable to consumers, and using soft-paternalism to provide privacy nudges. CUPS researchers developed a "nutrition label" for privacy and a search engine for bank privacy policies. We are also studying user attitudes about privacy on social networks, privacy for mobile apps, and as the usability and effectiveness of online tracking opt-out tools. Our Personalized Privacy Assistant Project aims to develop intelligent agents capable of learning the privacy preferences of their users over time, semi-automatically configuring many settings, and making many privacy decisions on their behalf. Our Usable Privacy Policy Project is developing approaches to extracting information from natural-language privacy policies and displaying that information in useful ways for users.

Shikun Zhang, Lily Klucinec, Kyerra Norton, Norman Sadeh, and Lorrie Faith Cranor. Exploring Expandable-Grid Designs to Make iOS App Privacy Labels More Usable. Twentieth Symposium on Usable Privacy and Security (SOUPS 2024).

Xiaoxin Shen, Eman Alashwali, and Lorrie Cranor. What do Privacy Advertisements Communicate to Consumers? Proceedings on Privacy Enhancing Technologies, 2024 (4) 466-502. DOI https://doi.org/10.56553/popets-2024-0126

Soha Jiwani, Rachna Sasheendran, Adhishree Abhyankar, Elijah Bouma-Sims, and Lorrie Cranor. Crumbling Cookie Categories: Deconstructing Common Cookie Categories to Create Categories that People Understand. Proceedings on Privacy Enhancing Technologies, 2024 (3) 561-588. DOI https://doi.org/10.56553/popets-2024-0093

Yanzi Lin, Jaideep Juneja, Eleanor Birrell, Lorrie Faith Cranor. Data Safety vs. App Privacy: Comparing the Usability of Android and iOS Privacy Labels. Proceedings on Privacy Enhancing Technologies, 2024 (2) 182-210. DOI https://doi.org/10.56553/popets-2024-0047

Elijah Bouma-Sims, Sanjnah Ananda Kumar, Lorrie Faith Cranor. Exploring the Privacy Experiences of Closeted Users of Online Dating Services in the US. Proceedings on Privacy Enhancing Technologies, 2024 (2) 160-181. DOI https://doi.org/10.56553/popets-2024-0046

Claire C Chen, Dillon Shu, Hamsini Ravishankar, Xinran Li, Yuvraj Agarwal, and Lorrie Faith Cranor. 2024. Is a Trustmark and QR Code Enough? The Effect of IoT Security and Privacy Label Information Complexity on Consumer Comprehension and Behavior. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 832, 1–32. https://doi.org/10.1145/3613904.3642011

Tianshi Li, Lorrie Faith Cranor, Yuvraj Agarwal, and Jason I. Hong. 2024. Matcha: An IDE Plugin for Creating Accurate Privacy Nutrition Labels. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 8, 1, Article 33 (March 2024), 38 pages. https://doi.org/10.1145/3643544 [sofware download]

Pardis Emami-Naeini, Janarth Dheenadhayalan, Yuvraj Agarwal, and Lorrie Faith Cranor. 2023. Are consumers willing to pay for security and privacy of IoT devices? In Proceedings of the 32nd USENIX Conference on Security Symposium (SEC '23). USENIX Association, USA, Article 85, 1505–1522.

Andrea Gallardo, Chris Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Cranor. Speculative Privacy Concerns About AR Glasses Data Collection. Proceedings on Privacy Enhancing Technologies 2023(4).

Jessica Colnago, Lorrie Cranor, and Alessandro Acquisti. Is There a Reverse Privacy Paradox? An Exporatory Analysis of Gaps Between Privacy Perspectives and Priavcy-Seeking Behaviors. Proceedings on Privacy Enhancing Technologoes, 2023(1).

Elijah Robert Bouma-Sims, Megan Li, Yanzi Lin, Adia Sakura-Lemessy, Alexandra Nisenoff, Ellie Young, Eleanor Birrell, Lorrie Faith Cranor, and Hana Habib. 2023. A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile. CHI 2023. Article 163, 1–36. https://doi.org/10.1145/3544548.3580725

Jane Im, Ruiyi Wang, Weikun Lyu, Nick Cook, Hana Habib, Lorrie Faith Cranor, Nikola Banovic, and Florian Schaub. 2023. Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising. CHI 2023. Article 661, 1–33. https://doi.org/10.1145/3544548.3580773

Hana Habib and Lorrie Faith Cranor. Evaluating the Usability of Privacy Choice Mechanisms. SOUPS 2022.

Jessica Colnago, Lorrie Faith Cranor, Alessandro Acquisti, and Kate Hazel Jain. Is it a concern or a preference? An investigation into the ability of privacy scales to capture and distinguish granular privacy constructs. SOUPS 2022.

Tianshi Li, Kayla Reiman, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I. Hong. 2022. Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 588, 1–24. https://doi.org/10.1145/3491102.3502012

Yucheng Li, Deyuan Chen, Tianshi Li, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I. Hong. 2022. Understanding iOS Privacy Nutrition Labels: An Exploratory Large-Scale Analysis of App Store Data. In CHI Conference on Human Factors in Computing Systems Extended Abstracts (CHI EA '22). Association for Computing Machinery, New York, NY, USA, Article 356, 1–7. https://doi.org/10.1145/3491101.3519739

Hana Habib, Megan Li, Ellie Young, and Lorrie Cranor. 2022. "Okay, whatever": An Evaluation of Cookie Consent Interfaces. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 621, 1–27. https://doi.org/10.1145/3491102.3501985

Hana Habib, Sarah Pearman, Ellie Young, Ishika Saxena, Robert Zhang, and Lorrie FaIth Cranor. 2022. Identifying User Needs for Advertising Controls on Facebook. Proc. ACM Hum.-Comput. Interact. 6, CSCW1, Article 59 (April 2022), 42 pages. https://doi.org/10.1145/3512906

Shikun Zhang, Yuanyuan Feng, Yaxing Yao, Lorrie Faith Cranor, and Norman Sadeh. How Usable Are iOS App Privacy Labels? Proceedings on Privacy Enhancing Technologies 2022(4).

Sarah Pearman, Ellie Young, and Lorrie Faith Cranor. User-friendly yet rarely read: A case study on the redesign of an online HIPAA authorization. Proceedings on Privacy Enhancing Technologies 2022(3):558-581.

Peter Story, Daniel Smullen, Rex Chen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. Increasing adoption of Tor browser using informational and planning nudges. Proceedings on Privacy Enhancing Technologies 2022(2):152-183.

Hana Habib, Yixin Zou, Yaxing Yao, Alessandro Acquisti, Lorrie Cranor, Joel Reidenberg, Norman Sadeh, and Florian Schaub. 2021. Toggles, Dollar Signs, and Triangles: How to (In)Effectively Convey Privacy Choices with Icons and Link Texts. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI '21). Association for Computing Machinery, New York, NY, USA, Article 63, 1–25.

H. Habib, S. Pearman, J. Wang, Y. Xou, A. Acquisti, L.F. Cranor, N. Sadeh, F. Schaub. "It's a scavenger hunt": Usability of Websites' Opt-Out and Data Deletion Choices. CHI 2020.

J. Colnago, Y. Feng, T. Palanivel, S. Pearman, M. Ung, A. Acquisti, L.F. Cranor, N. Sadeh. Informing the Design of a Personalized Privacy Assistant for the Internet of Things. CHI 2020.

Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites. SOUPS 2019.

Pardis Emami-Naeini, Henry Dixon, Yuvraj Agarwal, and Lorrie Faith Cranor. 2019. Exploring How Privacy and Security Factor into IoT Device Purchase Behavior. CHI 2019.

Cynthia E Schairer, Cynthia Cheung, Caryn Kseniya Rubanovich, Mildred Cho, Lorrie Faith Cranor, Cinnamon S Bloss. Disposition toward privacy and information disclosure in the context of emerging health technologies. Journal of the American Medical Informatics Association, Volume 26, Issue 7, July 2019, Pages 610–619.

Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 159-175.

A. Acquisti, I. Adjerid, R. Balebako, L. Brandimarte, L.F. Cranor, S. Komanduri, P.G. Leon, N. Sadeh, F. Schaub, M. Sleeper, Y. Wang, S. Wilson. Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online. ACM Computing Surveys (CSUR) 50(3), article no. 44, August 2017.

Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Cranor, and Norman Sadeh. Privacy Expectations and Preferences in an IoT World. SOUPS 2017, Santa Clara, CA, July 12-14, 2017.

L.F. Cranor, P.G. Leon, and Blase Ur. A Large-Scale Evaluation of U.S. Financial Institutions’ Standardized Privacy Notices. ACM Transactions on the Web. August 2016 Article No.: 17.

F. Schaub, R. Balebako, A. Durity, and L. Cranor. A Design Space for Effective Privacy Notices. SOUPS 2015.

Balebako, R., Schaub, F., Adjerid, I., Acquisti, A., Cranor, L. The Impact of Timing on the Salience of Smartphone App Privacy Notices. 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), 2015, ACM.

H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck, L. F. Cranor, Y. Agarwal. Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging. CHI2015.

A. Rao, F. Schaub, N. Sadeh. What do they know about me? Contents and Concerns of Online Behavioral Profiles. PASSAT ’14. December 2014. J. R. Reidenberg, T. D. Breaux, L. F. Cranor, B. French, A. Grannis, J. T. Graves, F. Liu, A. M. McDonald, T. B. Norton, R. Ramanath, N. C. Russell, N. Sadeh, F. Schaub. Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding. 42nd Research Conference on Communication, Information and Internet Policy (TPRC ’14). September 2014.

L. Cranor, A. Durity, A. Marsh, and B. Ur. Parents' and Teens' Perspectives on Privacy in a Technology-Filled World. SOUPS 2014.

Y. Wang, P. Leon, A. Acquisti, L.F. Cranor, A. Forget, N. Sadeh. A Field Trial of Privacy Nudges for Facebook. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI2014). [teaser video]

Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason Hong, Lorrie Faith Cranor. The Privacy and Security Behaviors of Smartphone App Developers. Workshop on Usable Security (USEC 2014). San Diego, CA, February 23, 2014.

Rebecca Balebako, Rich Shay, and Lorrie Faith Cranor. Is Your Inseam a Biometric? A Case Study on the Role of Usability Studies in Developing Public Policy. Workshop on Usable Security (USEC 2014). San Diego, CA, February 23, 2014.

L.F. Cranor, C. Hoke, P. Leon, A. Au. Are They Worth Reading? An In-Depth Analysis of Online Advertising Companies’ Privacy Policies TPRC 2014.

Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, Blase Ur. The Post Anachronism: The Temporal Dimension of Facebook Privacy. Workshop on Privacy in the Electronic Society. Berlin, Germany. November 2013.

R. Balebako, R. Shay, and L.F. Cranor. Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories. CMU CyLab Technical Report CMU-CyLab-13-011.

P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.

R. Balebako, J. Jung, W. Lu, L.F. Cranor, and C. Nguyen. "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.

B. Ur and Y. Wang. A Cross-Cultural Framework for Protecting User Privacy in Online Social Media. In WWW Workshop on Privacy and Security in Online Social Media (PSOSM ’13), Rio de Janeiro, Brazil, 2013.

Y. Wang, P. Leon, L. Cranor, A. Acquisti, X. chen, and K. Scott. Privacy Nudges for Social Media: An Exploratory Facebook Study. In WWW Workshop on Privacy and Security in Online Social Media (PSOSM ’13), Rio de Janeiro, Brazil, 2013.

L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur. Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices. WEIS 2013.

P.G. Kelley, L.F. Cranor, and N. Sadeh. Privacy as Part of the App Decision-Making Process. CHI 2013.

M. Sleeper, J. Cranshaw, P.G. Kelley, B. Ur, A. Acquisti, L.F. Cranor, N. Sadeh. "I read my Twitter the next morning and was astonished": A conversational perspective on Twitter regrets. CHI 2013.

F. Stutzman, R. Gross, A. Acquisti. Silent Listeners: The Evolution of Privacy and Disclosure on Facebook. Journal of Privacy and Confidentiality: Vol. 4: Iss. 2, Article 2.

M. Sleeper, R. Balebako, S. Das, A.L. McConahy, J. Wiese, and L.F. Cranor. The Post that Wasn’t: Exploring Self-Censorship on Facebook. CSCW 2013, February 2013.

L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012. [See also related blog post]

B. Ur, P.G. Leon, L.F. Cranor, R. Shay, and Y. Wang. Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising, Technical Report CMU-CyLab-12-007, April 2, 2012. SOUPS 2012.

B. Ur, M. Sleeper, L.F. Cranor. {Privacy, Privacidad, Приватност} Policies in Social Media: Providing Translated Privacy Notice. PSOSM 2012.

R. Balebako, P.G. Leon, R. Shay, B. Ur, L.F. Cranor. Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising. W2SP 2012.

P.G. Leon, J. Cranshaw, L.F. Cranor, J. Graves, M. Hastak, B. Ur. What Do Online Behavioral Advertising Disclosures Communicate to Users?, Technical Report CMU-CyLab-12-008, April 2, 2012. WPES 2012.

L.F. Cranor. Can Users Control Online Behavioral Advertising Effectively? IEEE Security & Privacy. March/April 2012 (vol. 10 no. 2) pp. 93-96.

P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012. [Extended version available as CyLab tech report]

P.G. Kelley, S. Consolvo, L.F. Cranor, J. Jung, N. Sadeh, D. Wetherall. A Conundrum of Permissions: Installing Applications on an Android Smartphone. Workshop on Usable Security. March 2, 2012, Bonaire.

B. Ur and Y. Wang. Online Social Networks in a Post-Soviet State: How Hungarians Protect and Share on Facebook. iConference 2012.

P.G. Kelley, R. Brewer, Y. Mayer, L.F. Cranor, and N. Sadeh, An investigation into Facebook friend grouping. 13th IFIP TC 13 international Conference on Human-Computer interaction (INTERACT). Lisbon, Portugal, September 5-9, 2011, 216-233.

S. Komanduri, R. Shay, G. Norcie, B. Ur, L.F. Cranor. AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. In I/S: A Journal of Law and Policy for the Information Society, 7:3 2011. [I/S]

J. Wiese, P.G. Kelley, L.F. Cranor, L. Dabbish, J.I. Hong and J. Zimmerman. Are You Close with Me? Are You Nearby? Investigating Social Groups, Closeness, and Willingness to Share UbiComp 2011.

Y. Wang, S. Komanduri, P.G. Leon, G. Norcie, A. Acquisti, L.F. Cranor. I regretted the minute I pressed share: A Qualitative Study of Regrets on Facebook. SOUPS 2011.

Y. Wang, G. Norcie, L.F. Cranor. Who Is Concerned about What? A Study of American, Chinese and Indian Users Privacy Concerns on Social Network Sites. 4th International Conference on Trust & Trustworthy Computing (TRUST 2011).

R. Balebako, P.G. Leon, H. Almuhimedi, P.G. Kelley, J. Mugan, A. Acquisti, L.F. Cranor, and N. Sadeh. Nudging Users Towards Privacy on Mobile Devices. The 2nd International Workshop on Persuasion, Influence, Nudge & Coercion through mobile devices, May 8, 2011, Vancouver, Canada (at CHI2011).

A. McDonald and L. Cranor. A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies. CyLab Technical Report, January 31, 2011.

P.G. Leon, L.F. Cranor, A.M. McDonald, and R. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens WPES 2010.

A.M. McDonald and L.F. Cranor. Beliefs and Behaviors: Internet Users' Understanding of Behavioral Advertising. 38th Research Conference on Communication, Information and Internet Policy. October 2, 2010.

A.M. McDonald and L.F. Cranor. Americans' Attitudes About Internet Behavioral Advertising Practices. WPES 2010.

B. Meeder, J. Tam, P.G. Kelley, and L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Security and Privacy 2010 (W2SP 2010). May 20, 2010.

A.M. McDonald and L.F. Cranor. An Empirical Study of How People Perceive Online Behavioral Advertising. Carnegie Mellon CyLab Technical Report CMU-CyLab-09-015, November 10, 2009.

P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI2010. [Originally published as Carnegie Mellon CyLab Technical Report CMU-CyLab-09-014, November 10, 2009.]

J.Y. Tsai. The Impact of Salient Privacy Information on Decision-Making, PhD Thesis, Engineering & Public Policy Department, Carnegie Mellon University, Pittsburgh, PA, August 2009.

A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009.

P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009

S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems.

A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. [Paper originally presented at TPRC 2008, Sept 26-28, 2008, Arlington, VA.]

L. Cranor, L., Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293.

J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems Research, published online February 2010. Winner of the Information Systems Research/Association for Information Systems' Best Published Paper Award 2012. [Paper first presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA.]

S. Egelman, L. Cranor, and A. Chowdhury. An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. Proceedings of the Eighth International Conference on Electronic Commerce August 14-16, 2006, Fredericton, New Brunswick, Canada.

J. Gideon, S. Egelman, L. Cranor, and A. Acquisti. Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

L. Cranor, P. Guduru, and M. Arjula. User Interfaces for Privacy Agents. ACM Transactions on Computer-Human Interaction, June 2006, pp 135-178.

P. Kumaraguru and L. Cranor. Privacy Indexes: A Survey of Westin's Studies. ISRI Technical Report. CMU-ISRI-05-138, 2005.

P. Kumaraguru and L. Cranor. Privacy in India: Attitudes and Awareness. In Proceedings of the 2005 Workshop on Privacy Enhancing Technologies (PET2005), 30 May - 1 June 2005, Dubrovnik, Croatia.

L. Cranor. Web Privacy with P3P (2002). Sebastopol, CA: O'Reilly & Associates, Inc.

Privacy policy