CyLab mentioned in the media


Libert found Facebook and Google trackers on porn sites
New York Times

A new study conducted by CyLab’s Tim Libert and other researchers has scanned 22,484 pornography sites and found them riddled with trackers from major technology companies such as Facebook and Google. 93% of these websites sent data to an average of seven third-party domains, and only 17% of them have privacy policies. Facebook and Google denied that they used information collected by their trackers on pornography websites for creating marketing profiles, but it is unclear why they are collecting data from those websites.


CMU creates center to fight online disinformation
Pittsburgh Business Times

Carnegie Mellon has created a new center to study how disinformation is spread online and how to counter its effects. The center also aims to grow a connected community of researchers working in the field and educate journalists and policymakers. It will be directed by Kathleen Carley of the Institute for Software Research and co-directed by EPP/CyLab’s Douglas Sicker and David Banks, head of Philosophy in Dietrich College.

Cranor on FaceApp security and privacy

CyLab Director Lorrie Cranor spoke with TIME about security and privacy of the recent FaceApp Challenge, which has led to photos being shared on social media of people as the older version of themselves. Using the app, people upload a photo and use different filters to make themselves look twenty or more years older. Several celebrities have used the app and posted their photos, spurring the app’s popularity. However, the challenge has also led to privacy concerns due to the photo access. “You’re giving a blank check to the company. A lot of people think that a privacy policy gives them protection but it usually doesn’t,” Cranor says. “Anytime you provide your image you never know what is going to happen with it.”

Cranor on Sony’s robot dog Aibo

CyLab Director Lorrie Cranor was interviewed by CNET about Sony’s robot dog Aibo and the product’s access to users’ personal data. Aibo is equipped with artificial intelligence, sensors, microphones, and cameras to help it interact with people and collect information about users. According to Sony’s privacy policy, it may share “non-personal” and hashed/de-identified data with third parties. However, Cranor says this data can still be used as identifiers. “[Sony collects] IP addresses and unique device identifiers but they don't treat this as personal information,” she said. “This is information that could be used to identify people, but they're not treating it as personal information. That's a little concerning.”

Cranor discusses CyLab and cybersecurity with PBT
Pittsburgh Business Times

In an interview with Pittsburgh Business Times, CyLab Director Lorrie Cranor discussed security and privacy of Internet of Things (IoT) devices. “There is a growing number of IoT devices that are everywhere in the home environment, but also in businesses and in cities,” said Cranor. “The problem is that a lot of them are fairly low cost devices and not enough effort has been put into making sure that they are actually secured.” Aside from IoT devices, CyLab has also been involved in privacy policies, artificial intelligence, and anti-phishing research. Several CyLab outreach projects, including an online program that teaches middle and high school students cybersecurity skills, also encourage people to consider careers in cybersecurity.

Panat, Goyal, and Hong discuss cybersecurity with PBT
Pittsburgh Business Times

CyLab’s Rahul Panat, Vipul Goyal, and Jason Hong were recently quoted by Pittsburgh Business Times about the cybersecurity projects they are working on. Believing that blockchain can help secure the energy grid, Panat and Goyal are planning to create a complete prototype of the eight-node blockchain system. They said that combining high temperature sensor networks with blockchain technology could help the energy grid decentralize, thereby making it harder for criminals to hack machines without being detected. Meanwhile, Hong is designing an IoT Hub prototype, a system that would manage the security of all IoT devices in a home or business. He is also working on strategies people can use to identify the specific locations of smart devices in a room.

Acquisti in WSJ on GDPR
Wall Street Journal

Europe’s new privacy law, the General Data Protection Regulation (GDPR), appears to benefit Google and Facebook for now. These big players have gained more money from advertisers and they can ask for consent directly from a larger pool of individuals. However, CyLab’s Alessandro Acquisti says it is too early to tell whether the GDPR will favor Facebook and Google or weaken their businesses in the end. “We should be extremely cautious about distinguishing between short-term effects and long-term effects,” he says. “Until we see how cases will be litigated and their outcomes, and until we do empirical studies about downstream impacts, there is no way to resolve these opposing claims.”


Acquisti’s new paper questions the benefits of behavioral advertising

Many online advertisers believe that ads shown based on users’ browsing activities will yield more profit. However, CyLab’s Alessandro Acquisti and researchers from other institutions have questioned this idea. In their new paper, “Online Tracking and Publishers’ Revenues: An Empirical Analysis,” the researchers have suggested that online publishers only make 4% more revenue from those targeted ads compared to contextual, non-targeted ads.

Cranor expresses concerns about tools that monitor children online
The Wall Street Journal

To keep their children away from trouble online, many parents use monitoring tools such as Bark to track their texts, emails, and social media posts. While Bark claims that it preserves a level of privacy for children, it does ask for the passwords to their social media accounts. Bark argues that the risk of children encountering problematic things online is much higher than the risk of their data being hacked. However, CyLab Director Lorrie Cranor thinks otherwise. “I’m always nervous about any service provider that wants my password. That’s fundamentally insecure,” said Cranor. As a parent of three teenagers, she does not use any monitoring or control tools. “I’m sure they look at things I’d prefer them not to, but my instinct tells me most things aren’t extremely terrible,” she added.

Cranor comments on British spy agency proposal to access encrypted messages
The Washington Post

Along with fellow researchers, human rights groups, and large tech companies, CyLab Director Lorrie Cranor has signed an open letter to Britain’s Government Communications Headquarters (GCHQ) to condemn their proposal that would allow law enforcement to spy on encrypted messages. Government access to encryption has been a controversial topic for years; while law enforcement believes it is a vital tool against criminals, privacy advocates and tech companies argue that it poses threats to cybersecurity and personal privacy. “All the proposals that I’ve seen for how to address this raise a lot of concerns about giving law enforcement too-broad access and opening that backdoor to bad actors and all sorts of other issues,” said Cranor. “It’s a case where it’s hard to have your cake and eat it, too.”

Acquisti explains why people don’t fight for their privacy
The New York Times

Although most people claim to treasure privacy, they continue to expose themselves online without taking any action to protect their information. This paradox may seem bizarre, but CyLab’s Alessandro Acquisti points out that people’s conflicting impulses are actually quite rational. To fully understand our vulnerabilities and protect our privacy, we have to spend lots of time and effort, including changing how we search, purchase, and connect with others. “There’s a sense that the fight to protect your data is unwinnable,” says Acquisti. “You’d have to learn about other tools, it’s costly in time, and it might not even help, because your data is already out there.”

Acquisti quoted on controversial facial recognition technology
The New York Times

Facial recognition has stimulated countless debates over the past two decades due to the privacy concerns it brings and its potential for gender and racial biases. Nevertheless, experts noted that this technology is constantly growing. “There are still technical limitations on it, but the computational power keeps growing, and the databases keep growing, and the algorithms keep improving,” said CyLab’s Alessandro Acquisti in The New York Times.

Acquisti quoted on the value publishers get from behavior advertising
The Wall Street Journal

Behavioral advertising, a technique that collects information about people’s browsing activity typically through cookies, has a dominant position in digital advertising nowadays. Its externalities such as harm to privacy were often justified because of their supposedly huge value to publishers. However, researchers at CMU and other universities suggest publishers only get about 4% more revenue for an ad impression that has a cookie enabled than for one that doesn’t. The online ad ecosystem is complex and opaque, said CyLab’s Alessandro Acquisti. It is “hard to understand how much value each participant in the ecosystem is adding to the process, and whether the fees different intermediaries receive are commensurate to their value added,” he said.

Carley receives honorary doctorate from University of Zurich
Institute for Software Research

CyLab/EPP’s Kathleen Carley has been awarded an honorary doctorate by the University of Zurich, Switzerland. Carley was awarded the honorary degree for “pioneering contributions to our understanding of social systems by means of computational methods. Through the development of new methods to study social networks, she shaped the development of data science and computational social science and provided important stimuli for the study of digital societies.”


CMU aims to develop privacy and security systems for Internet of Things
Pittsburgh Business Times

CyLab has recently announced its funded projects for the Secure and Private Internet of Things (IoT) Initiative. According to CyLab/ECE’s Vyas Sekar, the initiative aims to address security and privacy risks associated with IoT “before it’s too late.” From four sponsors, CyLab will receive more than $3 million for the next three to five years.

Rajkumar comments on Tesla’s future plans
The Associated Press

ECE’s Raj Rajkumar was recently quoted by The Associated Press in an article concerning Elon Musk’s plan to start converting Tesla’s electric cars into self-driving vehicles for 2020. Rajkumar called Musk’s plan a “pipe dream” and said that he is “overpromising, which is typical.” Following his announcement, Musk has also been accused of shirking public safety, and Rajkumar agrees, stating, “People will die.”

Christin says dark-web ecosystem undented by law enforcement efforts

Despite having brought down multiple marketplaces for illicit goods and drugs over the past several years, law enforcement officials across the world are still struggling to contain the emergence of new dark-web markets to replace them. “History has taught us that this ecosystem is very, very resilient,” says CyLab’s Nicolas Christin. “It's part of a cycle, and we’re in the chaotic part of the cycle. We’ll have to see how it recovers. But if I were a betting person I would put more money on it recovering than on it dramatically changing.” International law enforcement has made major improvements in coordination and methodology, but according to Christin, their efforts don’t “seem to have dented the ecosystem in a major way.”

Donahue elevated to University Professors
CMU News

ChemE/EPP’s Neil Donahue was among the Carnegie Mellon faculty recently elevated to the rank of University Professor, the highest distinction a faculty member can achieve. Donahue was nominated and recommended by now-fellow University Professors. Donahue said, “This is a huge honor.”

Bossa Nova improves robots using HawXeye tech

Walmart has expanded its use of CMU startup Bossa Nova’s shelf-stocking robots from 50 to 350 stores nationwide. After purchasing HawXeye, another CMU spinoff developed in CMU’s Biometrics lab, Bossa Nova further improved the product identification of the robots. The upgraded robots are capable of identifying all stock keeping units and any exceptions over a span of two minutes.

Cranor quoted on the future of privacy
SC Magazine

CyLab Director Lorrie Cranor was quoted in a recent article discussing the future of privacy, specifically how much access companies can have to personal information and how long they can retain it. Cranor believes that privacy is a combination of technology and policy and that, in the future, “New technology can be used to set and enforce access controls, store data in encrypted form and to de-identify data.”


Cranor named Andrew Carnegie Fellow

CyLab Director Lorrie Cranor has been named to the 2019 Class of Andrew Carnegie Fellows by the Carnegie Corporation of New York. As one of 32 distinguished scholars and writers selected, Cranor will have the opportunity to pursue a research sabbatical that will allow her to take her research on security and usability to the next level.

Cranor speaks at WiCyS Conference

CyLab Director Lorrie Cranor was among a collection of prominent names in cybersecurity speaking before over 1,300 attendees at last month’s Women in Cybersecurity (WiCyS) Conference. The conference provided opportunities for networking and encouraged continued growth in the number of women represented in cybersecurity, which has risen from 11% of the workforce five years ago to 20% today.

Brumley on Nielsen’s departure and cybersecurity
The Washington Post

In an article from The Washington Post, cybersecurity experts in government, academia, and the private sector discussed the implications and consequences of Kirstjen Nielsen’s ouster from the Department of Homeland Security. A majority of people believe her departure will hurt the DHS’s security mission due to her experience in cybersecurity and government policy, while others say the mission wasn’t doing well under her leadership. “Nielsen’s departure is another sad indication that the government lacks the will to make real cybersecurity and safety improvements,” said ECE’s David Brumley.

Sarjoun Skaff named one of 10 transforming retail industry
Business Insider

Bossa Nova Robotics co-founder and CTO Sarjoun Skaff was recently named one of Business Insider’s 10 people transforming the retail industry. The startup works with Carnegie Mellon’s biometrics lab to produce machines that work in retail store aisles, taking inventory and noting out-of-stock products. The company is currently working with Walmart to implement the machines in stores. “I admit to being naive when we first started this,” Skaff said. “As we started to build them, we started to realize the scope, the magnitude of the challenge is enormous.”

Savvides comments on improvements in facial recognition AI

CyLab/ECE’s Biometrics Center Director Marios Savvides recently commented for a piece on the growing prevalence of AI-powered facial recognition software. “We live in a time where AI can surpass the human brain's capability,” he said. Savvides and his group are working to further improve the accuracy of facial recognition software, particularly in cases where the face is partially obstructed.

Walmart to add Bossa Nova robots to workforce

Walmart has announced the company will add thousands of robots to its workforce, taking lower-level responsibilities such as scrubbing floors, scanning boxes, and checking inventory. As retailers aim to cut costs and increase efficiency, the introduction of robotic workers has been imminent. Forbes featured the move, and explained that according to a study by Carnegie Mellon startup Bossa Nova Robotics, the manufacturer behind the worker robots, 99 percent of the top retailers surveyed reported some kind of inventory problem, while 76 said that using robots in stores would improve employee productivity.

Bossa Nova Robotics and the future of retail technology

A TechCrunch article interviewed Bossa Nova Robotics CTO and co-founder Sarjoun Skaff about the company’s starring role in Walmart’s new initiative to introduce robots into its workforce. Created in 2005 by Carnegie Mellon Ph.D. students, Bossa Nova develops robots designed to make sense of the “black box” of inventory in the store. While some people fear robots replacing human jobs, Skaff argues that the robots will help their jobs, not take them. “Our robot doesn’t have arms right now, so it’s not replacing the manual labor of restocking a shelf,” he says. “It’s displacing the tedious task of looking for problems, which is really mind-numbing.…As soon as we can tell you where the problems are, you can spend your time fixing them, restocking the shelves and spending more time with shoppers.”

Leaders in cybersecurity gather at CMU for WiCyS Conference

More than 1,200 women, including many College of Engineering faculty and alumnae, gathered from March 28-30 for Carnegie Mellon’s Women in Cybersecurity (WiCyS) Conference. INI Director Dena Haritos Tsamitis, CyLab Director Lorrie Cranor, and ECE’s Giulia Fanti and Limin Jia were all featured as prominent leaders advocating for an expanded workforce through support for women in cybersecurity. A panel discussing how women in tech groups can spark culture shifts in companies included INI alumna Saralee Kunlong, a senior software engineer at Yellow Pages; INI alumna Divya Ashok, senior director of product management at Salesforce; and Era Vuksani, a graduate student studying information security.

Cranor on password security and social network privacy
Random but Memorable

CyLab Director Lorrie Cranor was a special guest on an episode of the podcast “Random but Memorable.” She spoke about her research on the human side of security, privacy, and passwords, and discussed the changes in password standards and management over the last several years, conceding that while there have been changes in standards, there still hasn’t been much change. While password managers and generators are becoming more common, there are still people who resist them. “We hear all sorts of reasons. People who just don’t know about them….there’s a lot of misinformation, there’s a lot of confusion,” Cranor said. She also spoke about informed consent for data privacy in social media companies.

Sekar on automated visitor security systems

ECE/CyLab’s Vyas Sekar was interviewed by NBC News about the safety and privacy of automated visitor security systems, which are replacing receptionists and security guards in businesses, schools, hotels, and hospitals. An IBM X-Force Red study revealed that five different systems are vulnerable in previously unknown places, making not only individuals’ information susceptible, but also company information if connected to a wider network. “An attacker always looks for the weakest link, so if they find one of these systems that collects personal data and is network-connected, it’s like a goldmine for them,” Sekar said. “If these systems are not secured and a company does not have the right security practices in place, then that’s a big security risk.”

Hong discusses spam in Reader’s Digest
Reader’s Digest

Spam emails are an inevitable part of communicating online, and yet many of us are still unsure of exactly how they work against us. As CyLab’s Jason Hong notes in Reader’s Digest, different types of spam emails lead to different user consequences. To combat this, Hong warns us to be wary of emails that have urgent tasks and recommends that we use different passwords for each of our accounts. Spam can be a problem, but knowing what to expect and how to deal with it is half the battle.


Savvides on AI and facial recognition

CyLab/ECE’s Marios Savvides spoke with CNET in an article about how AI has helped to drastically improve facial recognition. While there are privacy and bias concerns, facial recognition is now being used more widely, at airports, in home security systems, and on cruises, with a 99.7 percent accuracy for the most cutting-edge systems. However, even deep learning neural networks can make mistakes. Savvides, director of the CyLab Biometrics Center, separates some of the data to make things clearer for the neural net. His team can reconstruct faces even in conditions that aren’t optimal. “We live in a time where AI can surpass the human brain’s capability,” he says.

Parno quoted in PopSci on end-to-end encryption
Popular Science

Mark Zuckerberg’s recent announcement regarding end-to-end encryption and the future of Facebook’s messaging services has stirred up quite a bit of chatter within the tech communities. While encryption is essential to privacy, leading experts in the field point out that there are both pros and cons. One proponent of encryption is ECE’s Bryan Parno, who emphasizes that it is essentially impossible to break. “To the best of our knowledge, as cryptographers, the amount of time it would take to decrypt those messages without knowing the key is hideously large,” Parno told Popular Science.

Cranor quoted in NEXTPittsburgh on WiCyS

CyLab Director Lorrie Cranor spoke with NEXTPittsburgh about the 2019 Women in Cybersecurity (WiCyS) conference. From March 28-30, Carnegie Mellon hosted the conference, which aimed to support and connect young women in this critical field that is only 14 percent women in the U.S. (and 11 percent worldwide). “A lot of our important critical systems are not as secure as we would like them to be,” said Cranor, who is one of the keynote speakers of the conference. “If half your population is not considering this as a viable career path, then you’re really cutting into the pool of available workers.”

Acquisti quoted on possible impacts of stricter data privacy rules
The Wall Street Journal

CyLab’s Alessandro Acquisti was quoted in a WSJ article about how big tech companies like Facebook and Google handle customers’ personal information and what stricter privacy rules could do to these companies. Some say that stricter rules will benefit big companies that have more resources at their disposal, but others say that stricter rules will undercut big companies’ advertising and weaken their advantage over smaller companies. Acquisti says, “Both are reasonable claims. But it is far too early to tell which will turn out to be true.”