Q&A with FTC Chief Technologist Lorrie Cranor

What it means to be a “Cyber Feminist,” the linguistics of scam emails, and having your identity stolen as a privacy researcher.

Lorrie Faith Cranor is the Chief Technologist at the US Federal Trade Commission, and a professor of computer science at Carnegie Mellon. Her recent work has focused on the intersection of human and software vulnerabilities, asking why people find it so hard to adopt programs that help protect online privacy, like plug-ins that make your browsing habits invisible, or email encryption.

Cranor also describes herself as a “cyber-feminist,” and is trailblazing the emerging field of cyber-quilting. We met up at DefCon, the annual hacker convention in Las Vegas, to discuss the linguistics of scam emails, making her own security blankets, and what happens when a privacy researcher’s ID gets stolen.

I recently read a post on Reddit by a “Fed” who was coming to DefCon for the first time, and unsure whether he should tell anyone he worked for the government. Have you experienced any of that tension here at the conference?

For us at the FTC there’s no tension. I think people view the FTC as an agency on the side of people who want more privacy and security, for the most part. We are completely open about being here with the government. We’re all wearing our DefCon FTC t-shirts [FYI: the shirt is comprised of a secret code and was designed by Cranor] so there’s no problem spotting us.

Part of the reason that we’re here at DefCon is to increase our outreach to the community of hackers and researchers who are likely to find [security issues] and give us a heads up.

Have you gotten any interesting tips or feedback after explaining what kind of information you’re looking for?

Yeah, we have. From the hallway conversations, but also some of the talks that I attended. We’re looking not only at specific companies, but also methods for investigation. At Black Hat [another computer security conference that took place early that week] I went to a fascinating talk about forensic linguistics by someone who was analyzing phone calls with scammers for the kind of linguistic cues you could use to identify a scammer.

Ooo! like what?

In this talk, they were focused on IRS scams and things like that. Some of the things that she mentioned were that scammers try to get you to agree with them. So they will make statements and end with “Ok?” or “Alright?” They say it in a way that you’re not going to say no. You’re going to say, “Yeah, alright.” And so if you hear a lot of that, that’s a tipoff. But there are some people who aren’t scammers, they just talk that way. So the next step is you ask them a question. If that’s the way they talk, they will answer your question, but if they’re a scammer, they will be evasive. This is how you can look at linguistic cues to detect IRS fraud scammers.

There are so many different government agencies involved in cyber-security, what exactly is the role of the FTC?

The FTC is a consumer protection agency and one of the areas we have been very interested in lately is protecting consumers online with respect to their data and their privacy. So when there are companies doing things with consumers’ data which is unfair or deceptive, we investigate.

For example, we investigate companies that make promises in their privacy polices about not sharing data, but it appears they actually are sharing data, or device manufacturers whose devices may be leaking data.

We also run something called identitytheft.gov, so people can report id theft cases, and on ftc.gov you can report spam, robocalls, and scams. Some of the larger things are when companies make promises in their privacy policies about not sharing data and then they’re sharing data. Or companies that have consumer devices, and it turns out they’re leaking data.

You’ve done a lot of research testing how consumers use (or don’t use) stuff like plug-ins that stop companies from collecting browsing data.

At Carnegie Mellon University, I run the Cylab Usable Privacy and Security Lab and my students and I have done a lot of work where we bring people into the lab, give them a security or privacy tool, and ask them to install and use it. For the most part, people have trouble. They’ll make all sorts of mistakes. Sometimes they can’t even get [the tool] installed or configured. Sometimes they think it’s working but it’s not, and that’s actually the most dangerous because if you can’t get it installed, at least you know you’re not protected. But if you think everything’s fine but it’s not on, then you’re blindly going around thinking you have privacy when you don’t.

I can see being paranoid about securing things like financial information and personal email, but how worried should I be about companies spying on my browsing history or shopping history?

There are some people who feel like [their browsing habits] are nobody else’s business. Once they track what shoes you’re interested in, then those shoes follow you around the internet; some people find that super annoying. Sometimes what you’re looking at buying is not shoes, but something you don’t necessarily want other people who walk by your computer screen to see ads for. A good example is a woman who is pregnant, not showing yet — her co-workers don’t yet know she’s pregnant — but she’s been shopping for maternity things at home. She starts getting ads for these things at work and people notice, It’s not that they won’t eventually find out, but she wants to have control of when she tells her boss that she’s going on maternity leave.

It’s also possible for companies that do tracking to piece together the different parts of your life and build these complex dossiers. Not only do they know what kind of shoes and clothes you like but they can infer your level of income, your demographics, maybe your sexual preferences, the kind of business you are in, all sorts of stuff. That data maybe used for marketing, but it also may be used as a profile that can be sold to your employer. It might be used to help decide whether to give you insurance or a loan. It might be used in a lawsuit.

Ok, my relative okay-ness with having my browsing habits tracked is definitely dissipating. What can I do about it?

You would get the most bang for your buck using a browser plugin such as Ghostery or Ad Block, or any number of others, and set it to block most of the 3rd party cookies. The problem is that then your shopping carts are going to stop working. So you’ll need to selectively unblock sites. Don’t turn off the blocking tool, but selectively unblock.

A lot of these things are super hard to secure. People say, What do you do? How do you protect yourself? And the short answer is: I don’t. I think making sure that your accounts have good passwords is probably the more important thing. But I myself have been a victim of ID theft in the past few months.

Whoa. What happened?

My cell phone stopped working and my husband’s cell phone stopped working on the same day. I called my carrier and eventually they figured out that somebody had gone into a phone store with a fake ID and said they wanted to upgrade my phones, but didn’t have them with them. They walked out with two brand new iPhones with my phone numbers, charged to my account. So my phone stopped working. I didn’t know that was even possible until it happened to me. I’ve talked to the phone carriers about it, and what they’re doing to prevent it.

What are some of the security measures you’re pushing them to implement?

Well, I think the phone companies need to do a better job of authenticating people before they give out a new SIM card or make any change to any account. I think for the most part, when it’s an in-person transaction, they rely on a drivers license and a store employee who’s not necessarily well-trained at spotting fake IDs to authenticate the person. I think that there’s a lot more that they can do to authenticate customers, whether it’s using one of these services where you scan the license and it goes and looks stuff up, or calling or texting the phone in question when someone requests an upgrade.

The complication is that sometimes customers really do lose their phones, or really do have their phones stolen, and they want to be able to walk into a store — wherever they are in the world — and get a new one. I’m not saying it’s easy for the phone companies to solve that problem, but I think it’s a solvable problem.

Presumably getting away from some of this stuff is part of the reason that you enjoy working with bolts of cloth. Quilting and sewing are such analog pastimes, is this sort of your version of lock-picking (the hacker hobby of choice)?

It is. I started quilting when I was in graduate school, and I was frustrated that my thesis felt like it would never be finished. I needed to do something with my hands where I could see progress, so I started making small quilts. Years later I was a professor and I got to take a sabbatical. So I went over to the art school and they gave me studio space, and I made art quilts.

The studio I was in was filed with new media artists. They were all doing stuff on a computer. And I came in with this sewing machine and set up five tables next to one another and put fabric all over them. They would come up to me and go, “How are you going to connect your computer to that sewing machine?” And I’d say, “I’m not.” And they’d go, “You can put a robotic arm on it!” And I’d say, “No, that’s not what I want to do.” At some point, I turned the sewing machine off and climbed up on the window seat, and for two weeks, sat up there and sewed with a needle and thread. It was just something I needed to do.

How about spinning your own yarn?

I didn’t do that. I did eventually come off the window seat and think about ways that I wanted to integrate computing into my art. So I actually used the computer for quilt design and wrote some programs to generate designs, but then I still cut an sewed the fabric with my hands. I designed a quilt called “security blanket” which visualized the 500 most frequent passwords stolen in the RockYou data breach. The quilt was going to be in a show, and I needed a dress to wear to the show, so I made a dress to match: the password dress.

A literal security blanket?

Yes!