CyLab researchers win Test of Time Award at USEC 2025

A team featuring CyLab researchers was honored with the Test of Time Award at the 2025 Symposium on Usable Security and Privacy (USEC 2025).

Held in San Diego on February 24, USEC 2025 served as an international forum for research and discussion in the area of human factors in security and privacy.

The research team, featuring Patrick Gage Kelley (Ph.D.’12), CyLab alumnus; Lorrie Cranor, CyLab director; and Norman Sadeh, co-director of Carnegie Mellon University’s Privacy Engineering Program, received the Test of Time Award for its landmark 2012 paper A Conundrum of Permissions: Installing Applications on an Android Smartphone.

The USEC Test of Time Award recognizes papers published at least 10 years prior that have had a lasting impact on the field of usable security and privacy. Kelley, who served as lead writer on the paper, accepted the award at USEC 2025 on behalf of his colleagues, and also presented the keynote address at the symposium, where he discussed the evolution of privacy labels and their ongoing impact on transparency.

 “It’s a great feeling to know that this work that we started when I was a Ph.D. student has actually lasted,” said Kelley. “It has been around and it has led to ongoing privacy research, which is a reflection of evolving social and societal norms.”

The research, which was conducted when iPhones and app stores were still nascent technologies, focused on understanding people's privacy preferences and the effectiveness of privacy settings, particularly in the context of location sharing and social media. The research team wanted to better understand the discrepancy between user awareness and the actual permissions that users granted to apps when they downloaded them from app stores in the early days of smartphones.

 “At the time, there was no way of  controlling the permissions granted to an app once you had downloaded it,” said Sadeh. “And many people did not realize what they were granting when they were downloading apps.”

“A Conundrum of Permissions” and other papers on mobile app privacy written by these co-authors more than a decade ago have had a wide-ranging impact on industry practices, including the adoption of privacy labels by iOS and Android. These studies also led to the implementation of a permission dashboard on smartphones, and the introduction of increasingly expressive privacy controls and of nudges to prompt users to review their settings — features that are now ubiquitous in the contemporary mobile device ecosystem.

More recently, Cranor and Sadeh have conducted research with their students and colleagues examining the usability of mobile app privacy labels that are now in the app stores.

“Our research has uncovered a wide range of usability problems and has resulted in proposals for new label designs and tools to make it easier for mobile app developers to create accurate labels,” said Cranor. “We’re hoping that lessons from our studies will also make their way into industry practice.”

Kelley, who now works as a security, privacy, and anti-abuse researcher at Google, says that the implementation of app labels has led to new research on transparency, accuracy, and user understanding of privacy labels.

“A lot of the work I’m currently doing focuses on individuals with increased digital risk profiles, such as people who work on political campaigns in the United States, and YouTube creators,” said Kelley. “Another thing I have been thinking about a lot are AI systems and their privacy implications. Are we making these AI systems safe enough, and how do we even know what constitutes ‘safe enough’ in this space?”