Aleecia M. McDonald
aleecia at aleecia dotcom
Director of Privacy
Center for Internet & Society
Stanford Law School

I research topics in Internet privacy and security. I work to contribute to a more coherent picture of how, why, and when people make choices about protecting themselves online, and what that means to them. My interests span users' mental models of online interaction, study of and creation of usable tools to support online decision making, and how people learn about and reason about online trust issues. In addition to technical tools, I focus on technically informed policy approaches in standards bodies, regulatory agencies, and legislation in the United States and European Union nations.

Education

Carnegie Mellon University Engineering & Public Policy Ph.D., September, 2010. Thesis: Footprints Near the Surf: Individual Privacy Decisions in Online Contexts. Committee members: Lorrie Faith Cranor (chair), Alessandro Acquisti, Deirdre K. Mulligan, Jon M. Peha.

Carnegie Mellon University H. John Heinz School of Public Policy and Management. M.S. in Public Policy and Management with a concentration in Internet Policy, May, 2006.

Carnegie Mellon University B.A., Professional Writing, 1993.

Employment

Stanford University Center for Internet & Society, Director of Privacy, staff position, 12/12 – present
Conduct privacy research. Directed three summer students (2013) in research regarding privacy access and correction rights, the "right to be forgotten" in the US and EU, and a quantitative analysis of the Chilling Effects database regarding the de-linking of copyrighted information. Created a hands-on privacy workshop speaker series covering Mozilla's Lightbeam, Tor, GPG, HTTPSEverywhere, and speakers on corporate and government surveillance. Created the Cookie Clearinghouse. Successfully applied for the first-ever NSF funding for CIS, as part of a multi-university Frontier award. Proposed projects for cy pres funding In re Google Referrer Header Privacy Litigation (preliminary approval; pending).

Stanford University Center for Internet & Society, Resident Fellow, half-time staff position, 11/11 – 11/12
Under the direction of M. Ryan Calo, performed research regarding mobile privacy policies. Led efforts to standardize what it would take to comply with an Internet user's request not to be tracked online.

Mozilla Corporation, Senior Privacy Researcher, contract and part-time employment, 3/11 – 11/12
First hire into Mozilla's privacy team in the legal department. Worked with engineering to publish internal and external documents regarding Do Not Track implementations. Conducted research on privacy preferences for Mozilla Test Pilot users.

Carnegie Mellon University, Research Assistant, staff position, 5/06 – 8/06
Under the direction of Professor Jon M. Peha, managed a group of three students to investigate spyware traffic on the Carnegie Mellon network. Determined schedule and priorities for students. Used Snort on Red Hat with custom anonymization tools to ensure privacy. Responsible for IRB (Institutional Review Board) interactions. Performed data analysis in mySQL, SAS, and R.

Center for Democracy & Technology, Summer Intern, 5/05 – 7/05
Authored two internal papers on RFID (Radio Frequency Identification) including research on security issues and privacy. Participated in events on layered privacy notices, Real ID, and the PATRIOT Act. Edited written comments to the Federal Election Committee. Attended FEC and Senate Intelligence Committee hearings.

Prior Writing Experience

A decade of experience working for software startups. Specialized in single-source cross-platform documentation, ranging from online help to API manuals. Wrote and edited thousands of pages; as team lead, was responsible for scheduling and mentoring new hires; advocated for usability testing and customer contact to meet reader's needs.

Professional Service

Member of EPIC's Advisory Board (2014) [press release].

Member of Center for Democracy & Technology's Academic Advisory Board (2014).

Cookie Clearinghouse, Director (June 2013-present). The Cookie Clearinghouse provides information for users to make choices about online privacy. The Cookie Clearinghouse publishes free-to-use information for web browsers, users, and others [statement from Mozilla].

World Wide Web Consortium (W3C), Tracking Protection Working Group, co-chair, 8/11– 11/12. The Tracking Protection Working Group is chartered to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements. As co-chair, I focused on standardizing the meaning of Do Not Track. We worked on consensus decisions involving over 100 working group members from advertising / self-regulatory groups, corporations, browser makers, privacy advocates, and academics.

California Office of Privacy Protection's Mobile Privacy Policy Advisory Group (2012).

Publications
Journal Publications
  1. McDonald, A. M., and Lowenthal, T. Nano-Notice: Privacy Disclosure at a Mobile Scale. Journal of Information Policy, Vol. 3 (2013), pg. 331-354.
  2. McDonald, A. M., and Cranor L. F. A Survey of the Use of Adobe Flash Local Share Objects to Respawn HTTP Cookies Journal of Information Policy, Vol. 7, Issue 3 (2011), pg. 639-687.
  3. McDonald, A. M., and Cranor, L. F. Americans’ Attitudes About Internet Behavioral Advertising Practices. Proceedings of the 9th Workshop on Privacy in the Electronic Society (WPES) October 4, 2010.
  4. Leon, P. G., Cranor, L. F., McDonald, A. M., and McGuire, R. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens. Proceedings of the 9th Workshop on Privacy in the Electronic Society (WPES) October 4, 2010. [CMU Tech Report]
  5. McDonald, A. M., Reeder, R. W., Kelley, P. G., and Cranor, L. F. A Comparative Study of Online Privacy Policies and Formats. Privacy Enhancing Technologies Symposium, August 5-7 2009. [Author's version]
  6. McDonald, A. and Cranor, L. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008 Privacy Year in Review issue. [Author's version]
  7. Cranor, L., Egelman, S., Sheng, S., McDonald, A., and Chowdhury, A. P3P Deployment on Websites. Electronic Commerce Research and Applications, Vol. 7, Issue 3 (November 2008). Pages 274-293. [Author's version]
  8. Reeder, R., Cranor, L., Kelly, P. and McDonald, A. A User Study of the Expandable Grid Applied to P3P Privacy Policy Visualization. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2008), Washington, DC, USA, October 2008.
  9. James, R., Kim, W. T., McDonald, A. M., McGuire, R. A Usability Evaluation of a Home Monitoring System. SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security. Pages 143-144, July 2007.
  10. McDonald, A. M. and Cranor, L. F. How Technology Drives Vehicular Privacy. I/S: A Journal of Law and Policy for the Information Society, 2(3), Fall 2006, 981-1015. [Author's version]
Conference Proceedings
  1. McDonald, A. M. User Perceptions of Online Advertising. Yale ISP Conference (March 25-26, 2011).
  2. McDonald, A. M., and Peha, J. M. Track Gap: Policy Implications of User Expectations for the 'Do Not Track' Internet Privacy Feature. 39th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference) September 25, 2011.
  3. McDonald, A. M, and Cranor, L. F. Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising. 38th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference) October 2, 2010.
  4. McDonald, A. M. Cookie Confusion: Do Browser Interfaces Undermine Understanding? In Proceedings of the 28th International Conference Extended Abstracts on Human Factors in Computing Systems (2010). CHI EA '10. [Author's version]
Technical Reports
  1. McDonald, A. M. and Cranor, L. F. A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies. [CMU Tech Report]
  2. Leon, P. G., Cranor, L. F., McDonald, A. M., and McGuire, R. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens.[CMU Tech Report]
  3. McDonald, A. M., and Cranor, L. F. An Empirical Study of How People Perceive Online Behavioral Advertising. CyLab Technical Report 09-015. November 10, 2009. [CMU Tech Report]
  4. Cranor, L. F., McDonald, A. M., Egelman, S. and Sheng, S. 2006 Privacy Policy Trends Report. CyLab Privacy Interest Group. January 31, 2007. [Author's version]
In Review
  1. Reidenberg, J., McDonald, A. M., Schaub, F., Sadeh, N., Acquisti, A., Breaux, T., Cranor, L. F., Liu, F., Grannis, A., Grey, J., Norton, T., Ramanath, R., Russell, N. C, Smith, N. A., Wilson, S. Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding. (Abstract submitted; manuscript in preparation.)
  2. Grogan, S. and McDonald, A. M. Can I See Too? Contrasting Data Access and Correction in the United States and Europe.
  3. McDonald, A. M. Browser Wars: A New Sequel? To appear in The Journal on Telecommunications and High Technology Law (JTHTL), Vol. 11 (2013). [Slides from talk]
Related Non-Academic Publications
  1. W3C Tracking Protection Working Group suite of documents (as a co-chair, I was primarily responsible for the Tracking Preference Expression Definitions and Compliance draft, but also contributed text to the Tracking Preference Expression draft, and commented on the Tracking Selection Lists draft) 2011-2013.
  2. Mozilla Corporation, The Do Not Track Field Guide (co-authored with Sid Stamm; substantial input from Alex Fowler) 2011.
  3. Mozilla Corporation, Online help for Do Not Track (authored the initial help files regarding Do Not Track shipped with Mozilla's Firefox browser) 2011.
  4. McDonald, A. M. Position Paper for the W3C Do Not Track Workshop W3C Workshop on Web Tracking and User Privacy, Princeton, April 28-29, 2011.
Awards and Honors

Towards effective Web privacy notice and choice: a multi-disciplinary perspective. Team member of a multi-university NSF Secure and Trustworthy Cyberspace (SaTC) Frontier award. [NSF press release | Stanford press release]

CyLab Usable Privacy and Security Meritorious Achievement Certificate, 2010.

Barbara Lazarus Women@IT Fellowship, 2006-7. Received full tuition and stipend support for one year of doctoral scholarship.

Friedman Fellowship, summer 2005. Received support for a summer of technology policy work in Washington, DC.

Teaching Experience

Stanford University. Law-405, Privacy and Technology, Spring 2013
Designed and co-taught with Jennifer Granick. Taught the legal basis for privacy, ways in which new technologies challenge existing legal and social frameworks, "notice and choice" and other theories for online privacy, how online advertising intersects with privacy, privacy enhancing technologies (PETS), privacy by design (PbD), and re-identification.

Carnegie Mellon University. Project manager. Policy Dimensions of New Space Technologies, Spring, 2008.
Responsible for a team of six undergraduate students as they defined, designed, and performed research regarding “new space” (entrepreneurial rather than NASA-led) business models, technologies, and federal policies. We submitted findings to our client, the Federal Aviation Agency. Created and graded quizzes. Contributed to assigning midterm and final grades.

Guest Lecturer

Stanford University. M. Ryan Calo's law class, April 2012. Topic: Do Not Track.

University of California, Berkeley. Deirdre K. Mulligan's Technology and Delegation, Fall 2011. Co-presented with Nick Doty. Topic: Do Not Track Overview.

Carnegie Mellon University. Lorrie Faith Cranor's Usable Privacy and Technology, Fall, 2011. Topic: Do Not Track.

Carnegie Mellon University. Lorrie Faith Cranor's Usable Privacy and Technology, Spring, 2008. Topic: Online privacy policies. Also led a class tour of a biometrics laboratory.

Carnegie Mellon University. Lorrie Faith Cranor's Usable Privacy and Technology, Spring, 2007. Topic: Visualizing privacy [slides]

Carnegie Mellon University. Lorrie Faith Cranor's Privacy Policy, Law, and Technology, Fall, 2007. Topic: Privacy policies and privacy communication.

Editorial Experience

Program Committee, Hot Topics in Privacy Enhancing Technologies (HotPETs), 2014.

Program Committee, ASE International Conference on Privacy, Security, Risk and Trust (PASSAT), 2014.

Reviewer, Journal of Information Policy (JIP), 2014.

Program Committee, IEEE Web 2.0 Security and Privacy, (W2SP), 2014.

Program Committee, Workshop on Privacy in the Electronic Society (WPES), 2012.

Program Committee, Privacy Enhancing Technologies Symposium (PETS), 2011.

Reviewer, Information Systems Frontiers, 2010.

Program Committee, Privacy Enhancing Technologies Symposium (PETS), 2010.

Presentations
Policy

Do Not Track briefings and progress updates. While co-chair of the W3C Tracking Protection Working Group, I conducted outreach to keep policy makers informed. From September, 2011 to June, 2013 I held approximately two dozen meetings and spoke with (alphabetized)

  • Rosa Barcelo, Policy Coordinator, DG INFSO (EU)
  • Senator Blumenthal's staff
  • Christian Fjeld, Senior Counsel on the Senate Commerce, Science, and Transportation Committee
  • FTC Chairman Leibowitz, FTC Commissioner Brill, FTC Commissioner Ohlhausen, FTC staff
  • John Morris, Director of Internet Policy, and John Verdi, Director of Privacy Initiatives, National Telecommunications and Information Administration (NTIA).
  • Joseph Wender, Legislative Director for US Representative Ed Markey
  • Danny Witzner, Deputy Chief Technology Officer of the White House Office of Science and Technology Policy

 

Testimony before the California Assembly Select Committee on Privacy. Privacy Implications of the New Mobile App Ecosystem. March 26, 2013.

Testimony before the California Assembly Judiciary Committee, the Assembly Business, Professions and Consumer Protection Committee, and the Assembly Select Committee on Privacy. Balancing Privacy and Opportunity in the Internet Age. December 12, 2013.

Supported Alex Fowler's testimony to the US Senate Commerce Committee Hearing on Do Not Track, June 27, 2012.

Discussion with the California Attorneys General Consumer Protection Lawyers. Organized by Chris Hoofnagle, University of California at Berkeley. December 14, 2011.

Joseph Wender, Legislative Director for US Representative Ed Markey. Briefing on privacy technologies. October 18, 2011.

FTC staff regarding mobile privacy research. March 20, 2012.

FTC Commissioner Brill and staff. Preview of research findings on user expectations for Do Not Track. July 13, 2011.

Federal Trade Commission staff. Preview of research findings on user expectations for Do Not Track. June 15, 2011.

Federal Trade Commission staff. Beliefs and Behaviors: Internet Users' Understanding of Targeted Advertising. October 13, 2010.

Supported Lorrie Faith Cranor's panel discussion on consumer privacy expectations at the Federal Trade Commission's first privacy round table, December 7, 2009.

Supported a portion of Lorrie Faith Cranor's testimony to the Federal Trade Commission Ehavioral Advertising: Tracking, Targeting, & Technology town hall meeting, November 2, 2007.

Invited Talks

World Affairs Council. The Internet of Things: Ubiquity Fueled by Innovation (moderator). May 7, 2014.

Stanford Technology Law Review Symposium. CalOPPA panel regarding the "Do Not Track" provisions of AB 370 (moderator). April 11, 2014.

American Bar Association. Video Games and Big Data: The More You Play, the More Others Learn, Ethical Obligations. March 17, 2014.

Stanford Parents' Weekend. Internet Privacy: Policies and Practices. February 22, 2014.

University of Amsterdam Institute for Information Law (IViR) and University of California, Berkeley School of Law. Workshop on Browsers and Tracking Protection. February 12, 2014.

Stanford Political Science department. Regulatory challenges and privacy issues associated with mobile technologies. January 17, 2014.

Stanford Institute for Economic Policy Research. Big Data, Big Issues. October 25, 2013.

University of California, Berkeley. TRUST security seminar. September 26, 2013.

Microsoft (LCA Speaker Series). The Cookie Clearinghouse. September 17, 2013.

Privacy Identity Innovation (PII). Data Collection and Consent: Next Steps for Digital Advertising. September 16, 2013.

Terms and Conditional May Apply. Discussion following local movie premier, August 3, 2013.

AdMonsters. Cookie Clearinghouse. July 10, 2013.

IAPP Summit. The Status of Do Not Track. March, 2013.

Public Policy Students Colloquium. Internet Privacy: Policies and Practices. April 9, 2014.

USC Annenberg Innovation Summit 2013 (discussant). April 4, 2013.

Mobile 2.0. Mobile Security and Privacy and Trust - How Will Consumers Be Protected? September 11, 2012.

Interactive Advertising Bureau (IAB) Town Hall. Do-Not-Track and Digital Advertising: What Happens Next? June 12, 2012.

Future of Privacy Forum's App Privacy Summit (discussant). April 25, 2012.

Microsoft (Online Services Division). December 8, 2011.

Katholieke Universiteit Leuven. Do Not Track and US Privacy Bills. June 24, 2011.

Institute for Information Law of the University of Amsterdam and the Berkeley Center for Law & Technology of the University of California School of Law. Online Tracking Protection Workshop. June 22-23, 2011.

Online Tracking Protection & Browsers. Regulatory landscape: consent to be tracked? Panelist. June 22-23, 2011.

Federated Social Web Europe, Following Social Advertising in the United States. June 3-5, 2011.

Rapleaf 2011 Personalization Summit. Personalization and Privacy: A Birds Eye View. Panelist. May 26, 2011.

Privacy Identity Innovation (PII) 2011. Panelist. May 18-21, 2011.

W3C Workshop. Position paper for the W3C Do Not Track Workshop.

Yale ISP, From Mad Men to Mad Bots. Discussion of the Psychology of Online Advertising. March 25-26, 2011. [presentation, 4th panel]

Admonsters Conference on Do Not Track. May 3, 2012.

Microsoft. Beliefs and Behaviors: Internet Users’ Understanding of Targeted Advertising. October 28, 2010.

Carnegie Mellon Silicon Valley Talks on Computing Systems. August 11, 2010. [Video Archive]

Google Tech Talk. Privacy Targets: Three User Studies on Internet Privacy and Targeted Advertising. June 1, 2010. [Video]

eMetrics panel discussion with Bob Page (Yahoo! Analytics) and John McKean (Center for Information Based Competition.) "The Great Cookie Debate or Your Personally Identifiable Information or Your Life!" October 22, 2009. [Overview]

Google Tech Talk. Online Privacy: Industry Self Regulation in Practice. September 17, 2009. [Video | Slides in PDF]

Conference Presentations

University of Colorado. Silicon Flatirons. November 2, 2011.

Symposium On Usable Privacy and Security (SOUPS). The Battle over the Behavioral Advertising Choice Mechanisms. Panelist. [Video] July 22, 2011

9th Workshop on Privacy in the Electronic Society (WPES). Americans’ Attitudes About Internet Behavioral Advertising Practices, with L. F. Cranor. October 4, 2010.

38th Research Conference on Communication, Information and Internet Policy (TPRC). Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising, with L. F. Cranor. October 2, 2010.

Privacy Law Scholars Conference (PLSC). Impressions and Privacy: A study of American Internet Users’ Attitudes about Targeted Advertising, with L. F. Cranor. June 3, 2010.

Privacy Enhancing Technologies Symposium. A comparative study of online privacy policies and formats, with R. Reeder, P. G. Kelley, and L. F. Cranor. August 5-7 2009.

The 36th Research Conference on Communication, Information and Internet Policy (TPRC). The Cost of Reading Privacy Policies, with L. Cranor. Sep 27, 2008.

Media Coverage

Interviews regarding privacy with CBS, NBC, NPR, The Washington Post, The New York Times, Time Magazine, Tech Republic, The Register, ComputerWorld, Bloomberg BNA, Adweek, Ad Age, Business Insider, Politico, The Atlantic, and many others.

Do Not Track efforts generated thousands of articles, few of which I contributed to.

Coverage of research regarding user expectations of Do Not Track:

  • Davis, Wendy. Study: Consumers Define Do-Not-Track More Broadly Than Web Companies. The Online Daily Examiner. (3 May, 2011) [original]
  • Tarran, Brian. Do-not-track isn't just about advertising, say web users. Research. (4 May, 2011) [original]

Coverage of LSO (“Flash cookie”) study:

  • Davis, Wendy. Have Web Sites Cut Back On Flash Cookies? Daily Online Examiner. (31 Jan, 2011) [original]
  • Mullen, Joe. New Study Shows Persistence Of ‘Flash Cookies’ Paid Content. (1 Feb, 2011) [original]
  • Tarran, Brian. Flash cookie respawning 'on the wane', say Carnegie Mellon researchers. Research. (3 Feb, 2011) [original]

Coverage of errors in P3P compact policies:

  • Davis, Wendy. Privacy Snafu As Web Sites Bypass Cookie-Blockers. Daily Online Examiner. (10 Sep, 2010) [original]
  • Dissent. Is your browser being lied to? Survey says: “Maybe”. PogoWasRight. (13 Sep, 2010) [original]
  • Marc. Cookie Control. p2pnet news. (13 Sep, 2010) [original]
  • Marc. Cookie Control: Part II. p2pnet news. (14 Sep, 2010) [original]
  • Maier, Fran. Let's talk P3P. TRUSTe. (13 Sep, 2010) [original]
  • Richmond, Riva. A Loophole Big Enough for a Cookie to Fit Through. The New York Times. (17 Sep, 2010) [original]
  • Tarran, Brian. Oh crumbs! Cookies left unblocked by code errors, say academics. Research-Live. (13 Sep, 2010) [original]

P3P compact policies enforcement actions:

  • Del Vecchio et al v. Amazon.com class action filing
  • Eaton, Nick. Suit: Amazon fraudulently collects, shares users' personal info. Seattle PI. (3 Mar, 2011.) [original]
  • Enright, Allison. Privacy suit takes aim at Amazon. Internet Retailer. (4 Mar, 2011.) [original]

Coverage of mental models of online advertising and behavioral targeting:

  • Davis, Wendy. Study: Consumers Equate BT With `Privacy Harm' Daily Online Examiner. (17 Nov, 2009) [original | cached PDF]
  • Kessler, Sarah. Online Behavior Tracking and Privacy: 7 Worst Case Scenarios. Mashable. (3 Nov, 2010) [original]
  • Trager, Louis. Privacy Desires Unmet: User Ignorance, Assumptions Undermine Targeted Ad Self-Regulation, Say Researchers. Communications Daily. (11 August, 2010) [CommDaily is only available to subscribers]

Our findings about the value of the time required to read privacy policies were covered by technology and legal publications, and blogged internationally in multiple languages. Highlights:

  • Radio interview with Free Press on The Cost of Reading Privacy Policies (17 Oct, 2008) [Original transcript | cached PDF | cached audio]
  • Anderson, Nate. Study: Reading online privacy policies could cost $365 billion a year. Ars Technica. (8 Oct 2008) [original | cached PDF]
  • Davis, Wendy. Online Execs Object To Privacy Statement Report. MediaPost's Online Media Daily. (9 Oct 2008) [original | cached PDF]
  • McGee, Matthew. Average privacy policy takes 10 minutes to read, research finds OUT-LAW News. (6 Oct 2008) [original | cached PDF]
  • Slashdot, 20 Hours a Month Reading Privacy Policies (10 Oct 2008) [original]
  • Whoriskey, Peter. Lost in the Fine Print: It Would Take a Week to Read All Your Privacy Policies. Washington Post I.T. (26 Sept 2008) [original | cached PDF]
  • Wilson, Tim. Users, Enterprises Pay for Poor Privacy Policies, Study Says. Dark Reading. (7 Oct 2008) [original | cached PDF]