Privacy Engineering at CMU and Privacy Decision Making with Dr. Lorrie Cranor

Dr. Lorrie Cranor began her career in privacy 25 years ago and has been a professor at Carnegie Mellon University in the School of Computer Science for 19 years. Today, she serves as director and professor for the CMU privacy engineering program.

In this episode, Dr. Cranor discusses how she started her career in privacy and then eventually moved into academics. She talks about the history of the CMU privacy engineering program, what the program entails as a student, and the career opportunities available to graduates.

Dr. Cranor's area of research focuses on the usability of privacy and privacy decision making. She discusses several recent studies looking at how real world users understand and navigate cookie consent popups and design best practices for companies. She also explains privacy labels and how developers building applications on iOS and Android can do a better job creating these labels.

We also discuss the future of privacy education and technologies, touching on the responsibilities of companies and privacy-enhancing technologies like differential privacy.

Topics:

• How did you get interested in security and privacy and start working in this field?
• What’s the history of CMU’s Privacy Engineering Program? How did it start?
• Which department is the program part of?
• If I’m taking the Master’s degree program, what does that consist of?
• What’s the typical undergraduate background of someone taking the Master’s degree program?
• Do graduates typically end up working as privacy engineers and what sort of companies do they end up at?
• What’s the difference between the Master’s program and the certificate program?
• How has engagement with the privacy program changed over the past decade?
• Should privacy education be part of a standard software engineering undergraduate program?
• How would you describe your areas of privacy research and the types of problems you’re interested in studying?
• What have you discovered about how individuals make privacy-related decisions?
• How can companies go beyond the bare minimum in terms of communicating privacy choices to their users?
• Privacy choices are notoriously difficult to navigate and understand, what does your research help teach us about improving the usability of UX for privacy controls?
• How can you test privacy choice? Does the collection of test data potentially violate someone’s privacy?
• What is a privacy nutrition label and what problems is it meant to address?
• Starting in 2020, Apple started using this concept by requiring that all apps in the Apple app store include a privacy label. Labels are self-generated by the app developer. How good is the resulting privacy label if the developer lacks privacy training and education?
• What are the common mistakes developers are making with creating these privacy labels?
• What advice do you have for developers so that they can create an accurate privacy label?
• Cookie consent overlays and popups are now very common. What event led to the introduction of these consent dialogs for consumers?
• What problems have you discovered with the usability of cookie consent screens?
• Do we need privacy regulations like GDPR to be more prescriptive in terms of how you meet their requirements, which could include usability guidelines for something like cookie consent?
• Thoughts on the future of privacy engineering?
• What are your predictions about privacy education and awareness over the next 5-10 years?

Resources:

• CMU's Privacy Program
• Dr. Cranor's Research

Related episode:

• Data Protocol’s Privacy Engineering Certificate Course with Jake Ward

‍