We developed classifiers to predict privacy labels based on the text of privacy policies. Our study suggests that our technique achieves an F1 score of over 98%. We then proceeded to analyze a little over 350,000 apps in the iOS app store. Results suggest that discrepancies are quite common. In particular we find that nearly 30% of mobile apps seem to have privacy labels that disclose practices not disclosed in their privacy policies. In our view, while it is easy to blame app developers/publishers, app stores, as the more sophisticated and powerful actors, also bear some responsibility and should do a better job helping app publishers create more accurate privacy labels and policies. This includes in particular creating stricter standards for third party libraries, which, based on our earlier research, are often the source of inaccuracies.

‍

Askahth Jain, David Rodriguez, Jose del Alamo, and Norman Sadeh, "ATLAS: Automatically Detecting Discrepancies between Privacy Policies and Privacy Labels", 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Amsterdam, June 2023.

Aerin Zhang, "Undertanding People's Diverse Privacy Attitudes: Notification, Control and Regulatory Implications", Language Technologies Institute PhD Program, School of Computer Science, Carnegie Mellon University. March 17, 2023

‍

Back in 2013, we reported on research that showed how privacy labels could help app store users make better informed decisions. Our paper was published at CHI. In December 2020 Apple introduced privacy labels in its app store, crediting our earlier research for influencing their decision. Six months later the Google Play Store followed with its privacy (or "safety") labels. A year ago, we published a study at PoPETS, showing that unfortunately in their current form iOS privacy labels fall short. In a new paper published at USEC this month, we estimate to what extent iOS privacy labels (in their current form) answer those privacy questions people actually care about. Our study suggests that the answer might be "less than 50% of the time." Follow the link below to read our USEC2023 paper "Do Privacy Labels Answer People's Privacy Questions"".

‍

Just gave a keynote at the 1st International Workshop on "Privacy Algorithms in Systems."  My talk focused on "Privacy in the Age of AI and the Internet of Things".

Here's a CyLab press release summarizing the result of a study conducted with my PhD student, Aerin Zhang,  Yuanyuan Feng, Yaxing Yao and Lorrie Cranor on the usability of iOS Privacy Labels in their current form.

This research was presented at PoPETS 2022 earlier this month.

The full article is available here

This research is taking place under the umbrella of our Usable Privacy Policy Project

Helping Mobile App Developers Create Accurate Privacy Labels. by Jack Gardner, Akshath Jain, Yuanyuan Feng, Kayla Reiman, Zhi Lin and Norman Sadeh. In this work we discuss the design and evaluation of a tool to help iOS developers generate privacy labels. The tool combines static code analysis to identify likely data collection and use practices with interactive functionality designed to prompt developers to elucidate analysis results and carefully reflect on their applications’ data practices. We conducted semi-structured interviews with iOS developers as they used an initial version of the tool. We discuss how these results motivated us to develop an enhanced software tool, Privacy Label Wiz, that more closely resembles interactions developers reported to be most useful in our semi-structured interviews. We present findings from our interviews and the enhanced tool motivated by our study. We also outline future directions for software tools to better assist developers communicating their mobile app’s data practices to different audiences.

Honored to see our work on Livehoods, mining public social media data to understand the dynamics of cities, selected for the test of time award at AAAI's 16th International Conference on Web and Social Media.

Here's CMU's School of Computer Science press release.

Stop the Spread: A Contextual Integrity Perspective on the Appropriateness of COVID-19 Vaccination Certificates

Shikun Zhang, Yan Shvartzshnaider, Yuanyuan Feng, Helen Nissenbaum, and Norman Sadeh

‍

We present an empirical study exploring how privacy influences the acceptance of vaccination certificate (VC) deployments across different realistic usage scenarios. The study employed the privacy framework of Contextual Integrity, which has been shown to be particularly effective to capture people's privacy expectations across different contexts. We use a vignette methodology, where we selectively manipulate salient contextual parameters understood to potentially impact people's attitudes towards VCs. We surveyed 890 participants from a demographically-stratified sample of the US population to gauge the acceptance and overall attitudes towards possible VC deployments to enforce vaccination mandates and the different information flows VCs might entail. Analysis of results collected at part of this study are used to derive general normative observations about different possible VC practices and to provide guidance for the possible VC deployments in different contexts.

Here's a video of Aerin's presentation

Gave a keynote at Cyburgh 2022 on "Privacy as a New Tech Sector".

Panelist at Privacy Symposium in Venice.

My talk focused on "Making Privacy Humanly Tractable".

Justin Cranshaw, "Depicting Places in Information Systems: Closing the Gap Between Representation and Experience", PhD Dissertation, School of Computer Science technical report CMU-ISR-22-106, May 2022.

Interviewed by Pulitzer-winner Kathleen Gallagher as she launches her "Midwest Moxie' podcast, which features interviews with entrepreneurs.

My ICISSP keynote focused on "Why Usability Has Become Privacy's Biggest Challenge and What We Can Do About It".

See below for a copy of my slides.

Our paper about people’s perceptions of advanced video analytics has been selected to receive the prestigious Future of Privacy Forum’s annual Privacy Papers for Policymakers Award.

The paper titled “‘Did you know this camera tracks your mood? Understanding Privacy Expectations and Preferences in the Age of Video Analytics,” was originally published and presented at the 2021 Privacy Enhancing Technologies Symposium.

Click on the link below for the CyLab/S3D press release.

‍

Reflections on the limitations and strengths of human and artificial intelligence and how our work in user-oriented security and privacy aims to develop practical solutions where both forms of intelligence are deployed to best complement one another. The presentation builds on our anti-phishing work, including work at Wombat Security Technologies, as well as research at CMU in the context of the Usable Privacy Policy Project and the Personalized Privacy Assistant Project.

In response to increased demand from industry, we launched a new certificate program in privacy engineering earlier this Fall semester. The program is remote but involves live lectures and interactions with our faculty as well as both individual and group exercises. The program is delivered over 4 consecutive weekends. We will be running 4 cohorts per year.

Survey of the students who completed the program indicate they all felt they learned a ton and really enjoyed the live interactions and group exercises.

Following our 2013 proposing the adoption of mobile app privacy labels, both Apple (Fall 2020) and Google (Spring 2021) have now announced the introduction of such labels in their app stores - see our 2013 CHI article with Patrick Gage Kelley and Lorrie Cranor here.

It appears however that in the form in which they have been introduced, these labels are not fully delivering on their promises - with anecdotal evidence suggesting that both developers and end-users struggle to fully understand what these labels mean and how to use them. As part of this project, we will be conducting an in-depth study of the usability of current iOS mobile app privacy labels (joint work with my PhD student, Aerin Zhang, and with Lorrie Cranor) and will also be developing tools to help mobile app developers create more accurate privacy labels.

D. Smullen, "Informing the Design and Refinement of Privacy and Security Controls", Ph.D. Thesis, Software Engineering PhD Program, Technical Report CMU-ISR-21-111, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA. September 2021.

A few quotes related to our work on a privacy infrastructure for the Internet of Things. Our infrastructure is now hosting descriptions of about 150,000 IoT data collection systems and devices.

Abhilasha Ravichander presents our research at the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing (ACL/IJCNLP). Here's the abstract:

Privacy plays a crucial role in preserving democratic ideals and personal autonomy. The dominant legal approach to privacy in many jurisdictions is the “Notice and Choice” paradigm, where privacy policies are the primary instrument used to convey information to users. However, privacy policies are long and complex documents that are difficult for users to read and comprehend. We discuss how language technologies can play an important role in addressing this information gap, reporting on initial progress towards helping three specific categories of stakeholders take advantage of digital privacy policies: consumers, enterprises, and regulators. Our goal is to provide a roadmap for the development and use of language technologies to empower users to reclaim control over their privacy, limit privacy harms, and rally research efforts from the community towards addressing an issue with large social impact. We highlight many remaining opportunities to develop language technologies that are more precise or nuanced in the way in which they use the text of privacy policies.

S Zhang, Y Feng, L Bauer, LF Cranor, A Das, and N Sadeh, “Did you know this camera tracks your mood?”: Understanding Privacy Expectations and Preferences in the Age of Video Analytics Proceedings on Privacy Enhancing Technologies, 2, 1, Apr 2021.

Cameras are everywhere, and are increasingly coupled with video analytics software that can identify our face, track our mood, recognize what we are doing, and more. We present the results of a 10-day in-situ study designed to understand how people feel aboutt hese capabilities, looking both at the extent to which they expect to encounter them as part of their everyday activities and at how comfortable they are with the presence of such technologies across a range of realistics cenarios. Results indicate that while some widespread deployments are expected by many (e.g., surveillance in public spaces), others are not, with some making people feel particularly uncomfortable. Our results further show that individuals’ privacy preferences and expectations are complicated and vary with a number of factors such as the purpose for which footage is captured and analyzed, the particular venue where it is captured, and whom it is shared with. Finally, we discuss the implications of people’s rich and diverse preferences on opt-in or opt-out rights for the collection and use (including sharing) of data associated with these video analytics scenarios as mandated by regulations. Because of the user burden associated with the large number of privacy decisions people could be faced with, we discuss how new types of privacy assistants could possibly be configured to help people manage these decisions.

‍

People hold a myriad of misconceptions about the tools meant to help them protect their privacy and security. Here is a recent CyLab article on research that was presented by Peter Story at this week’s Privacy Enhancing Technologies Symposium.

Peter Story, Daniel Smullen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub, Awareness, Adoption, and Misconceptions of Web Privacy Tools. Proceedings on Privacy Enhancing Technologies Symposium (PoPETS 2021), 3, Jul 2021

‍

Presentation of our research by my PhD student, Daniel Smullen, at PoPETS2021:

"Browser users encounter a broad array of potentially intrusive practices: from behavioral profiling, to crypto-mining, fingerprinting, and more. We study people’s perception, awareness, understanding, and preferences to opt out of those practices..."

‍

P. Story, "Design and Evaluation of Security and Privacy Nudges: From Protection Motivation Theory to Implementation Intentions", CMU-ISR-21-107, School of Computer Science, Carnegie Mellon University. August 2021.

Y Feng, Y Yao, N Sadeh, "A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things." Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, May 2021.

“Notice and choice” is the predominant approach for data privacy protection today. There is considerable user-centered research on providing effective privacy notices but not enough guidance on designing privacy choices. Recent data privacy regulations worldwide established new requirements for privacy choices, but system practitioners struggle to implement legally compliant privacy choices that also provide users meaningful privacy control. We construct a design space for privacy choices based on a user-centered analysis of how people exercise privacy choices in real-world systems. This work contributes a conceptual framework that considers privacy choice as a user-centered process as well as a taxonomy for practitioners to design meaningful privacy choices in their systems. We also present a use case of how we leverage the design space to finalize the design decisions for a real-world privacy choice platform, the Internet of Things (IoT) Assistant, to provide meaningful privacy control in the IoT.

‍

Adoption of our recommended logo and text for CCPA's opt-out, following work where our group considered and systematically evaluated a number possible designs. This research will also be presented at CHI'2021 in May.

Hana Habib, Yixin Zou, Yaxing Yao, Alessandro Acquisti, Lorrie Cranor, Joel Reidenberg, Norman Sadeh, Florian Schaub, "Toggles, dollar signs, and triangles: How to (in) effectively convey privacy choices with icons and link texts" to appear in Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems.

‍

Just released new version of our IoT Privacy Infrastructure and IoT Assistant app. The infrastructure enables people to publicize the presence of IoT data collection processes at different locations and the IoT Assistant app enables people to discover them. Check it out!

The California Office of the Attorney General (“Cal AG”) just announced they would rely on icons and text we designed and evaluated for the new California Consumer Privacy Act (CCPA). Here’s the CyLab’s press release summarizing the work we conducted to inform and refine the design. And here’s the official March 2021 press release from the Cal AG acknowledging our contribution.

The launch of our IoT Privacy Infrastructure and our IoT Assistant App is garnering media coverage. Here are a few recent articles:

CNET article "This app lets you see IoT devices around you and what data they’re taking"

Gizmodo article, "This App Tells You When Nearby Smart Devices Are Snooping on You" where a journalist plays with our IoT Assistant app in Manhattan.

Other articles in Engadget, BoingBoing, Vice, etc.

November 2020 The Decision Sciences Institute announced that our 1998 article on Modeling Supply Chain Dynamics: A Multiagent Approach is one of the 15 most cited papers in the 50 year history of its Decision Sciences Journal. This was joint work with my former PhD student Jay Swaminathan and my colleague Steve Smith At the time, people were relying on monolithic models that failed to capture the effects of information exchange policies or the competitive nature of the market places in which supply chain entities operate. The icons and accompanying text can be downloaded from the Cal AGs site.

November 2020: Just announced two new options in our privacy engineering program Both options are designed for working professionals interested in getting privacy engineering training without having to leave their existing jobs.

Here's the CyLab press release

Presenting our work on the Design of a Privacy Infrastructure for the Internet of Things at 2020 USENIX Privacy Engineering Practice and Respect Conference (PEPR’20).

August 2020 Peter Story presents our work on From Intent to Actions: Nudging Users Towards Secure Mobile Payments at the 2020 Symposium on Usable Privacy and Security.

Our group presents three articles at the annual Federal Trade Commission’s Privacy Con conference

• -Zhang, Feng, Das, Bauer, Cranor and Sadeh, Understanding People’s Privacy Attitudes Towards Video Analytics

• Habib, Zou, Jannu, Sridhar, Swoopes, Acquisti, Cranor, Sadeh, Schaub, An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites

• Habib, Pearman, Wang, Zou, Acquisti, Cranor, Sadeh, Schaub, ‘It’s a Scavenger Hunt’: Usability of Websites’ Opt-Out and Data Deletion Choices

Here's a CyLab press release.

July 2020“ Daniel Smullen presents our work on The Best of Both Worlds: Mitigating Accuracy and User Burden in Capturing People’s Mobile App Privacy Preferences the 20th Privacy Enhancing Technologies Symposium. Here’s the CyLab press release

Apple iOS14 introduces mobile app privacy nutrition labels similar to those proposed in the CHI’2013 “Privacy as Part of the App Decision Making Process” paper I co-authored with Patrick Gage Kelley and Lorrie Cranor – Apple informed us a little before the announcement…

Our paper on “Evaluating How Global Privacy Principles Answer Consumers’ Questions About Mobile App Privacy“ (Joel R. Reidenberg, Norman Sadeh, Thomas Norton, and Abhilasha Ravichander) will be discussed by Kevin Moriarty (FTC) at the 2020 Privacy Law Scholar Conference

Online Privacy+Security Forum panel on IoT Privacy in the Age of CCPA and GDPR with Achim Klabunde (Advisor to the European Data Protection Supervisor) and Gabriela Zanfir-Fortuna (Senior Policy Counsel, Future of Privacy Forum)

Habib, Pearman, Wang, Zou, Acquisti, Cranor, Sadeh, Schaub, ‘It’s a Scavenger Hunt’: Usability of Websites’ Opt-Out and Data Deletion Choices

-Habib, Zou, Jannu, Sridhar, Swoopes, Acquisti, Cranor, Sadeh, Schaub, An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites

Vinay Kumar and Roger Iyengar remotely present our paper on , Finding a Choice in a Haystack: Automatic Extraction of Opt-Out Statements from Privacy Policy Text at the 2020 Web Conference. Concurrently, we are releasing our "Opt-Out Easy" browser extension, which enables people to quickly access opt-out links otherwise buried deep in the text of privacy policies. We rely on machine learning to automatically identify and classify opt-out choices with precision and recall above 90%. The extension is available in the Chrome Store and the Firefox Store. Here's a CyLab press release on this work ("What If Opting Out of Data Collection Were Easy?"). Detailed instructions on how to install and use the extension are available here.

Here's the paper citation:

Vinayshekhar Bannihatti Kumar, Roger Iyengar, Namita Nisal, Yuanyuan Feng, Hana Habib, Peter Story, Sushain Cherivirala, Margaret Hagan, Lorrie Faith Cranor, Shomir Wilson, Florian Schaub, Norman Sadeh, "Finding a Choice in a Haystack: Automatic Extraction of Opt-Out Statements from Privacy Policy Text", WWW ’20, Apr 2020 [pdf]

‍

Zhang, Feng, Das, Bauer, Cranor and Sadeh, Understanding People’s Privacy Attitudes Towards Video Analytics

We are launching a Privacy Infrastructure for the Internet of Things.

The Infrastructure includes a portal, where owners of IoT devices and systems as well as volunteer contributors can publicize the presence of IoT resources, the data they collect and more generally their data practices, including any privacy choices they make available to people. The infrastructure also features an IoT Assistant mobile app (available in both the iOS store and Google Play Store), which people can use to discover nearly IoT resources, their data practices as well as any available privacy options (e.g., opt-in, opt-out, deletion, access, etc.). Check out short videos about the IoT Privacy Infrastructure and our IoT Assistant app.

Check out also the CyLab press release on the infrastructure and the project's website, where you can access research articles and additional videos.

Our Societal Computing PhD program releases new faculty highlight videos

January 28, 2020: Come and join us as we celebrate Privacy Day at CMU

July 2019: PoPETS 2019 article detailing how we analyzed over 1 million Android apps for potential privacy compliance issues presented in Stockholm. See also CyLab press release discussing our MAPS mobile app privacy compliance tool.

June 2019: Honored to receive $100k award from Mozilla for our work on personalized privacy assistants.

(Image Credit: Wallpaper Access)

May 2019: What if Computers Understood Privacy Policies? A Look at Advances in Natural Language Processing through the Lens of Privacy

May 2019: Presenting our Privacy Infrastructure for IoT and our work on Personalized Privacy Assistant at IAPP Global Privacy Summit in DC.

April 2019: Quoted in recent Gizmodo piece on privacy risks associated with the widespread adoption of smart speakers

March 2019: Co-organizing AAAI Spring Symposium on Privacy-Enhancing AI and Language Technologies (PAL2019) at Stanford.

March 2019: CyLab article discusses our work on technology to automatically read privacy policies

March 2019: Panelist, Cybersecurity Commercialization Founders and Funders Workshop Schwarz Center for Entrepreneurship, Tepper School of Business, Carnegie Mellon University

Feb 1, 2019 : Co-Organizing Privacy Day Celebration at CMU

Feb 1, 2019: Op-ed in the Hill: Congress: Make Privacy the Rule – Not the Exception

November 29, 2018: Wombat Security Technologies: How We Got to a $225M Exit by Phishing our Customers, TiE Pittsburgh keynote, Schwartz Center for Entrepreneurship, Carnegie Mellon University

November 2018 Nice article in Trends about me (here’s the Google Translation from Dutch into English)

October 24, 2018: Panelist, Debating Ethics: Dignity and Respect in Data-Driven Life, 40th International Conference of Data Protection and Privacy Commissioners, European Parliament, Brussels. A CyLab Q&A, following the panel can be found here . You can watch a video of my initial remarks here or watch the full panel here , or you can read the conference report

August 2018: Awarded new $1.2M NSF grant for collaboration with Serge Egelman and Helen Nissenbaum to inform the development of privacy controls in mobile and IoT using contextual integrity

June 2018: Keynote at NSF Workshop on Security Assured Cyberinfrastructure in Pennsylvania (SAC-PA2), Pittsburgh, PA, June 2018

May 2018: Expert Address at Hong Kong University, “Artificial Intelligence, the Internet of Things and Privacy: Are We Doomed?”

May 15, 2018: Honored to receive the 2018 Pittsburgh Venture Capital Association (PVCA) Outstanding Entrepreneur award together with Joe Ferrara. PVCA’s awards recognize “remarkable entrepreneurs…for their extraordinary contributions to innovation and the region’s entrepreneurial vitality”. Here’s a list of earlier honorees

Article at the Annual Privacy Forum in Barcelona:

Schiffner, Berendt et al. Towards a Roadmap for Privacy Technologies and the General Data Protection Regulation: A transatlantic initiative

Article at the Annual Privacy Forum in Barcelona:

Story, Zimmeck, Sadeh, Which Apps have Privacy Policies?

April 2018: Interviewed on local KDKA TV news channel about Facebook and the Cambridge Analytica fiasco‍

Image: Inc.Magazine

April 2018: Quoted in Wired article discussing the limitations of app permissions, including the way in which permission bundling forces users to make impossible decisions – as shown in our research.

March 29, 2018: Panelist at IAPP’s Inaugural Privacy Engineering Section Forum IAPP Global Summit, Washington DC. I’m on the panel titled: “The Regulators View: Engineering Mitigation Efforts”.

March 1, 2018: After an amazing 10 years, Wombat Security Technologies, the CMU spinoff I co-founded with Jason Hong and Lorrie Cranor to commercialize results of our research on combating phishing attacks was acquired by Proofpoint for $225M. Here is the CMU press release. The original Proofpoint press release is here. This is also covered in news articles abroad (e.g., here’s a French article in Le Monde Informatique).

March 1, 2018: Check out article and video on our technology to automatically interpret statements found in privacy policies. The article is based on the new release of our explore.usableprivacy.org website. Here’s also an article in Fast Company/Co-Design

Feb. 28, 2018: Our research group presents two papers and several posters at the FTC’s annual Privacy Conference. I’ll be presenting our work on privacy assistants to help users keep up with the broad deployment of cameras and computer vision algorithms – see our article here

Jan 26, 2018: Announcing the release of new interactive website showcasing machine-generated annotations of a little over 7,000 privacy policies

Jan 26, 2018: Co-Organizing Privacy Day Celebration at CMU. See also CyLab announcement here.

November 2017: Wombat Security Technologies ranked 135th fastest growing company in North America in Deloitte’s 2017 Technology Fast 500. See Wombat’s press release including other recent accomplishments.

October 2017: Panelist at 3 Rivers Venture Fair (Pittsburgh) – Panel on Cybersecurity

October 2017: Wombat Security Technologies is clear leader for 4th consecutive year in Gartner’s 2017 Magic Quadrant in Security Awareness Computer-Based Training

October 2017: Panelist at Privacy + Security Forum (Washington, DC) – Panel titled “From Big Data, to Machine Learning, to AI“

August 2017: Our 2017 SOUPS article on Privacy Preferences and Expectations in an IoT World discussed on the CyLab website

June 2017: Best paper award at ACM MMSys Conference for our article on A Scalable and Privacy-Aware IoT Service for Live Video Analytics

July 2017: Anupam Das presents our article on Assisting Users in a World Full of Cameras: A Privacy-aware Infrastructure for Computer Vision Applications at workshop on the Bright and Dark Sides of Computer Vision: Challenges and Opportunities for Privacy and Security IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW)

March 2017: IoT Security and Privacy: What Can We Learn from the Mobile App Stores? Expert address at Hong Kong University

May 2017: Invited Speaker at FTC Technology and Consumer Protection Workshop (ConPro’17) in San Jose (co-located with 38th IEEE Symposium on Security & Privacy Conference)

May 2017: MIT Technology Review article on our Privacy Assistant work – Personal AI Privacy Watchdog Could Help you Regain Control of Your Data

May 2017: I am the recipient of a Google faculty research award for my work on a privacy infrastructure for the Internet of Things.

April 2017: Our mobile app privacy compliance work featured on CyLab website

February 2017: What If Computers Understood Privacy Policies? And, What If They Knew What We Care About? is the title of my Cylab Distinguished Seminar on February 20. Here’s a link to the video

February 2017: Christian Science Monitor mentions our research

February 2017: Just released first version of our Privacy Assistant in the Google Play store. For the time being, it’s only available for rooted Android phones. Hoping that over time we can make it available to everyone. The launch is also getting some nice press coverage, including The Verge, PC Magazine and the Boston Globe

January 2017: As lead PI of our Usable Privacy Policy Project Frontier project, participated in panel on Conceiving and Running Center-Scale Frontier Projects at NSF’s Secure and Trustworthy Cyberspace (SaTC) Principal Investigators’ Meeting

January 2017: Sebastian Zimmeck to present our paper on Automated Analysis of Privacy Requirements for Mobile Apps at the FTC’s PrivacyCon conference

January 2017: Project by Amanda Holt, Thomas Koike and Roykrong Sukkerd to help the visually impaired identify phishing emails. See also CyLab article here featured on CyLab webpage. The project was conducted in my Information Security and Privacy class this past Fall semester

January 2017: Co-organizing Privacy Day at CMU with Lorrie Cranor

November 2016: Wombat Security Technologies ranked 144th fastest growing company in North America in Deloitte’s 2016 Technology Fast 500 and also fastest growing company in Pennsylvania for second year in a row

November 2016: CMU press release on our mobile app compliance tool and our work with the California AG

November 2016: I’ll be giving the opening keynote at the AAAI Fall Symposium on Privacy and Language Technologies DC. Our Usable Privacy Policy Project will also be presenting four papers at the Symposium.

October 2016: Gartner Group positions Wombat Security Technologies as Leader in its magic quadrant for cybersecurity training for 3rd consecutive year

October 2016: The California AG’s Office has been piloting our Mobile App Privacy Compliance tool for the past several months. See recent press release from the Cal AG’s Office This is research funded under our Usable Privacy Policy Project and our Personalized Privacy Assistant project

October 2016: FTC Chairwoman Ramirez mentions our privacy assistant for the Internet of Things in interview with MIT Technology Review

September 2016: Our privacy work is featured in CIO Magazine

August 2016: Recent coverage in Ed Tech article focusing on security and privacy in IoT

August 2016: FTC Chairwoman Edith Ramirez mentions our Personalized Privacy Assistant project in her keynote address at the Technology Policy Institute Aspen Forum

July 2016: Our Personalized Privacy Assistant is featured on CMU’s home page and also in Tech Crunch, Science Daily, Quartz, TribLive, Campus Technology, etc.

June 2016: Our Usable Privacy Policy Project’s newsletter is now available

June 2016: Expert address at Hong Kong University on Privacy in the Age of IoT: New Technologies to Help Users and Regulators

June 2016: Our article on Personalized Privacy Assistants for Mobile App Permissions, “Follow My Recommendations: A Personalized Assistant for Mobile App Permissions” received the IAPP SOUPS Privacy Award

June 2016: Kiplinger publishes an article on our Explore.UsablePrivacy.Org website

May 2016: Three articles on our research have been accepted for presentation at the 12th USENIX Symposium on Usable Privacy and Security (SOUPS 2016)

• Follow My Recommendations: A Personalized Assistant for Mobile App Permissions
  Bin Liu, Mads Schaarup Andersen, Florian Schaub, Hazim Almuhimedi, Shikun (Aerin) Zhang, Norman Sadeh, Yuvraj Agarwal, and Alessandro Acquisti, Carnegie Mellon University

• How Short Is Too Short? Studying Privacy Notice Design for Wearables
  Joshua Gluck, Florian Schaub, Amy Friedman, Hana Habib, Norman Sadeh, Lorrie Faith Cranor, and Yuvraj Agarwal, Carnegie Mellon University
• Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online
  Ashwini Rao, Florian Schaub, Norman Sadeh, and Alessandro Acquisti, Carnegie Mellon University; Ruogu Kang, Facebook

April 2016: Our WWW2016 article titled “Crowdsourcing Annotations of Websites’ Privacy Policies: Can It Really Work?“ was nominated for the best paper award

March 11, 2016: We have released a new website showcasing a corpus of 23,000 privacy policy annotations. The site features color-coded navigation functionality that enables users to interactively explore privacy practice statements for nearly 200 different websites. This is research conducted under our Usable Privacy Policy project. See CyLab press release and also articles in Consumerist and LifeHacker

January 28, 2016: Hosting Ed Felten, US Deputy Chief Technology Officer (White House), as part of 2016 Privacy Day event at CMU – more details available here.

January 14, 2016: Three papers on our research to be presented at the first FTC Privacy Conference – PrivacyCon – here’s also an IAPP summary of the event highlighting our presentations:

• To Deny, or Not to Deny: A Personalized Privacy Assistant for Mobile App Permissions
• Towards Usable Privacy Policies: Semi-Automatically Extracting Data Practices from Websites’ Privacy Policies
• Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online

November 2015: Notice and Choice for IoT: Why We Need Personalized Privacy Assistants UC Irvine, Informatics Seminar speaker. See also our project’s website

November 2015: Wombat Security Technologies ranked 104th fastest growing company in North America in Deloitte’s 2015 Technology Fast 500 – and the fastest growing company in Pennsylvania

October 2015: Wombat Security Technologies named a clear leader in 2015 Gartner Magic Quadrant for Security Awareness Computer-Based Training Vendors

October 2015: Awarded a DARPA Brandeis grant to work on personalized privacy assistants for the Internet of Things and Big Data – work in collaboration with Alessandro Acquisti, Lujo Bauer, Lorrie Cranor and Anupam Datta at CMU and teams at UC Irvine and Honeywell.

September 2015: I’m the lucky recipient of a Summer 2015 Google Research Award for my work on learning people’s mobile app privacy preferences

September 2015: National Science Foundation grant on personalized privacy assistants for smartphone apps with a particular focus on user behavior – work in collaboration with Yuvraj Agarwal and Lorrie Cranor.

July 2015: Giving closing keynote at 2nd annual workshop on Privacy Personas and Segmentation at SOUPS 2015

July 2015: Invited to present our research findings to FTC Commissioner Julie Brill and her staff

July 2015: Our research in privacy and our master’s program in privacy engineering are featured in The Link

July 2015: Invited to present our privacy work at event organized by the Future of Privacy Forum

July 2015: We have been selected to lead the development of novel privacy technologies for Google’s new Web of Things initiative – see CMU press release and a few other articles in the press (e.g., Pittsburgh Post Gazette , Campus Technology)

May 2015: Jose M. del Alamo and I are co-chair of the 2015 International Workshop on Privacy Engineering (IWPE’15) (collocated with the 36th IEEE Symposium on Security and Privacy)

March 2015: Nice article in the Wall Street Journal on our mobile app privacy research. The full study will be presented at CHI’2015 next month. Here’s also the CMU press release. Around 50 news articles have been published in the past few days (including articles in the US, UK, Germany, France, India, Brazil, China, Vietnam, Netherlands and more). Here is the one in Wired and here’s a cool blog post in futurity that also talks about our work on personalized privacy assistants. See also project website here

January 28, 2015: FTC Commissioner Julie Brin will join us to celebrate Privacy Day at CMU – I will be participating in the panel on Privacy Research and Public Policy (here are also some photos and here’s a video the panel)

January 14, 2015: Sharing our experience at Wombat Security Technologies on “SBIR Success Panel“ at 2015 Government Cybersecurity SBIR Workshop in DC.

January 2015: My PhD student, Bin Liu, is awarded a Yahoo! InMind fellowship for work to develop a personalized privacy assistant for the InMind Project

December 2014: Our paper on on Mobile App Privacy Nudging has been accepted for publication at CHI2015 – H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck, L. Cranor and Y. Agrawal, Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging

November 2014: An app developed over the summer at Microsoft by my PhD student, Justin Cranshaw, is featured on CMU’s homepage. The Microsoft Garage “Journeys & Notes” app connects people with similar commutes. Congrats Justin!

October 2014: Our Ubicomp2012 and SOUPS 2014 work on modeling user privacy preferences is the basis for a cool new website grading mobile apps based on their privacy practices:

-J. Lin, B. Liu, N. Sadeh, and J.I. Hong, Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings , 2014 – SOUPS 2014

-J. Lin, S. Amini, J. Hong, N. Sadeh, J. Lindqvist, J. Zhang, Expectation and Purpose: Understanding Users’ Mental Models of Mobile App Privacy through Crowdsourcing – Ubicomp2012

October 2014

August 2014: Partnering with Eric Nyberg and Alan Black to offer a new mobile app development course exploring applications of IBM Watson’s cognitive technology. (See also CMU Students Get to Work, Play with Computer Jeopardy! Champion Watson in Pittsburgh Tribune or IBM’s Watson is Going to College in Venture Beat)

August 2014:

F. Liu, R. Ramanath, N. Sadeh, and N.A. Smith, A Step Towards Usable Privacy Policy: Automatic Alignment of Privacy Statements in Proc. of the 25th International Conference on Computational Linguistics, Dublin, August 2014.

July 2014

July 2014:

• Co-organizing SOUPS 2014 workshop on Privacy Personas and Segmentation

• Jialiu Lin presents: J. Lin, B. Liu, N. Sadeh, and J.I. Hong, Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings , 2014 ACM Symposium on Usable Security and Privacy (SOUPS 2014), July 2014.

One of our two posters also wins the best poster award

July 2014

June 2014: Rohan Ramanath presents Unsupervised Alignment of Privacy Policies Using Hidden Markov Models in Proc. of the Annual Meeting of the Association for Computational Linguistics (ACL’14), Baltimore, MD, June 2014

June 2014: Co-organizing workshop on the Future of Privacy Notice and Choice at CMU

May 2014: Mobile App Privacy: How Bad Is It & What Can We Do About It?

April 2014: WWW2014: Bin Liu presents our paper on Reconciling Mobile App Privacy and Usability on Smartphones: Could User Privacy Profiles Help?

April 2014: Justin Cranshaw successfully presents his dissertation proposal

April 2014: two papers at CHI2014 in Toronto

• Cranshaw, K. Luther, P.G. Kelley, N. Sadeh, The Curated City: Capturing Individual City Guides Through Social Curation , In Proceedings of the 32nd annual SIGCHI Conference on Human Factors in Computing Systems, CHI2014. April 2014
• Y. Wang, P.G. Leon, A. Acquisti, L.F. Cranor, A. Forget, and N. Sadeh, A Field Trial of Privacy Nudges for Facebook , In Proceedings of the 32nd annual SIGCHI Conference on Human Factors in Computing Systems, CHI2014. April 2014

February 2014: Our Livehoods project listed among top 10 emerging technologies at Davos World Economic Forum

February 2014: Mobile & Pervasive Computing Services Project Fair: 16 projects from my Mobile & Pervasive Computing Services course compete for top prize.

Jan 2014: Co-hosting White House Chief Privacy Officer, Nicole Wong, at CMU as part of Data Privacy Day – see also event webpage and an article in the Pittsburgh Post Gazette, a video of the keynote , and some photos

December 2013: A settlement has now been reached – see the FTC consent order

December 2013: Our WWW2014 article on Reconciling Mobile App Privacy and Usability on Smartphones: Could User Privacy Profiles Help? is now available as a Tech Report (CMU-CS-13-128/CMU-ISR-13-114)

November 2013

October 2013

October 2013

September 2013: Shomir Wilson presents our joint paper on Privacy Manipulation and Acclimation in a Location Sharing Application at Ubicomp2013 in Zurich.

September 2013

August 2013

August 2013: CMU press release about our new NSF Frontier project on Usable Privacy Policies and nice articles in the Pittsburgh Post Gazette and the Pittsburgh Business Times

August 2013:
B. Fu, J. Lin, Lei Li, C. Faloutsos, J. Hong, N. Sadeh. Why People Hate Your App – Making Sense of User Feedback in a Mobile App Store

August 2013: See NSF’s press release

July 2013: The Mobile Commerce Lab receives $180,000 research gift from Google under its “Privacy and Security Focused Program” for our work on “Smart privacy profiles for mobile apps”.

July 2013

May 2013

May 2013:

• P. Gage Kelley, L. Cranor, N. Sadeh, Privacy as Part of the App Decision-Making Process
• Sleeper, Manya, Justin Cranshaw, Patrick Gage Kelley, Blase Ur, Alessandro Acquisti, Lorrie Cranor, Norman Sadeh. I read my Twitter the next morning and was astonished: A conversational perspective on Twitter regrets

May 2013

April 2013

March/April 2013: Our article on the shortage of privacy engineers is featured in IEEE Security and Privacy

Feb. 2013: CSCW2013 presentation by Hazim Almuhimedi of our joint paper Tweets Are Forever: A Large-Scale Quantitative Analysis of Deleted Tweets

Feb. 2013: Our group was just awarded a Google app engine grant for our work on Livehoods and our Twitter nudging research. Thank you, Google!

January 28, 2013

January 2013: CMU press release on our Mobile App Privacy work: Did Your Smartphone Flashlight Rat You Out? Crowdsourcing Privacy Concerns of Mobile Apps . A nice piece in The Red Tape Chronicles and one in the Pittsburgh Tribune Review

October 2012

October 2012

October 2012

September 2012: Ubicomp2012 presentation of our paper on Expectation and Purpose: Understanding Users’ Mental Models of Mobile App Privacy through Crowdsourcing (authors: J. Lin, S. Amini, J. Hong, N. Sadeh, J. Lindqvist, J. Zhang)

September 2012: Patrick Gage Kelley (COS PhD student) defends his dissertation on Designing Privacy Notices Supporting User Understanding and Control (Thesis Committee: Lorrie Cranor, Norman Sadeh, Alessandro Acquisti and Sunny Consolvo)

CMU press release and a nice article in the Pittsburgh Post Gazette presenting new Privacy Engineering Masters Program

August 2012: Jialiu Lin (CSD PhD student) presents her thesis proposal on Understanding and Capturing People’s Mobile App Privacy Preferences (Thesis Committee: Jason Hong, Norman Sadeh, Mahadev Satyanarayanan, Sunny Consolvo)

June 11, 2012

June 2012

June 2012: See also our livehoods website.

May 2012

May 2012

May 2012

May 2012: – e.g., see Pittsburgh Post Gazette article , CMU press release, CMU homepage , WTAE interview , Wall Street Journal blog and media coverage abroad (e.g. Heise Online , Wired.it and Haaretz)

April 2012: See also MIT review article , Fast Company article or Wired’s blog

March 2012

March 2012: User-Controllable Privacy: An Oxymoron? – Slides downloadable below

February 21, 2012: Further speculation about the implications of the US Supreme Court’s ruling in US v Jones, including some comments I made on 3rd party doctrine here. See also Wall Street Journal article on FBI turns off thousands of GPS devices after Court ruling

January 23, 2012 – US Supreme Court unanimously agrees with our view that placing a GPS device under someone’s vehicle constitutes a search & that doing so without a warrant violated the defendent’s privacy. At the same time, they do not address more fundamental issues relating to expectations of privacy – See Supreme Court’s Opinion here and CDT’s statement here.

January 2012

December 2011: See also our USEC2012 article on A Conundrum of Permissions: Installing Applications on an Android Smartphone

November 2011

November 2011: See also interview in CMU’s Piper

October 2011

October – November 2011: . See also ComputerWorld article and CMU home page coverage

September 2011

July 2011

July 2011

June 2011

June 2011

May 2011

April 2011

March 2011

March 2011 – Michael Benisch (COS PhD student) defends his dissertation on Using Expressiveness to Improve the Efficiency of Social and Economic Mechanisms (Thesis Committee: Norman Sadeh, Tuomas Sandholm, Geoff Gordon, Craig Boutilier)

January 2011

January 2011 - See Pittsburgh Post Gazette article

October 2010

October 2010

September 2010 – Using mock phishing attacks to train people to protect themselves from real attacks

September 2010

September 2010

July 2010

July 2010

June 2010

May 2010 – Pittsburgh Post-Gazette Startup Zipano sells privacy software to control who can find you

May 2010

May 2010

May 2010

March 2010

March 2010

February 2010

February 2010 – The New York Times

Nov. 2009

November 2009

August 2009

June 2009

May 2009

April 2009

April 2009

March 2009

March 2009

March 2009

March 2009

April 2009

March 2009

February 2009 - See also CMU homepage article

February 2009

December 2008

Fall 2008

August 2008 –Keynote, SAP Annual North American Academic Symposium, Palo Alto.

July 2008

June 2008

June 2008 – Workshop on Opportunistic RF Localization for Next Generation Wireless Devices, Worcester Polytechnic Institute

May 2008: Expert Address, Hong Kong University, May 2008

June 2007

April 2007

October 2006 – MyCampus project featured in mobile commerce article in Pittsburgh Post Gazette

August 2006 – “Mobile and Pervasive Commerce: The New Frontier”, opening keynote, 8th International Conference on Electronic Commerce (ICEC-06), Fredericton, Canada.

*June 2006 – “Ambient Intelligence: The MyCampus Experience”, keynote speaker, 14th IT21 Conference (Theme: “U-Society”), Seoul, Korea, June 2006 – see Korea IT Times article

May 2006 -“MyCampus: Research Overview”, guest speaker, NTT DoCoMo, Yokosuka Research Park, Japan, May 2006

April 2006 – CMieux wins Exhibition Supply Chain Trading Competition event at CS50