Education

Carnegie Mellon University Engineering & Public Policy Ph.D., completed September, 2010. Thesis: Footprints Near the Surf: Individual Privacy Decisions in Online Contexts. Committee members: Lorrie Faith Cranor (chair), Alessandro Acquisti, Deirdre K. Mulligan, Jon M. Peha.

Carnegie Mellon University H. John Heinz School of Public Policy and Management. M.S. in Public Policy and Management with a concentration in Internet Policy, May, 2006.

Carnegie Mellon University B.A., Professional Writing, 1993.

Additional non-degree course work in law at Golden Gate University (Contracts, Torts, Civil Procedure, Criminal Law, and Legal Writing) and De Anza College (Real Estate Law).

Publications

McDonald, A. M, and Cranor, L. F. Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising. 38th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference) October 2, 2010.

McDonald, A. M., and Cranor, L. F. Americans’ Attitudes About Internet Behavioral Advertising Practices. Proceedings of the 9th Workshop on Privacy in the Electronic Society (WPES) October 4, 2010.

Leon, P. G., Cranor, L. F., McDonald, A. M., and McGuire, R. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens. To appear in Proceedings of the 9th Workshop on Privacy in the Electronic Society (WPES) October 4, 2010. [CMU Tech Report]

McDonald, A. M. Cookie Confusion: Do Browser Interfaces Undermine Understanding? In Proceedings of the 28th International Conference Extended Abstracts on Human Factors in Computing Systems (2010). CHI EA '10. [Author's version]

McDonald, A. M., Reeder, R. W., Kelley, P. G., and Cranor, L. F. A Comparative Study of Online Privacy Policies and Formats. Privacy Enhancing Technologies Symposium, August 5-7 2009. [Author's version]

McDonald, A. and Cranor, L. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008 Privacy Year in Review issue. [Author's version]

Cranor, L., Egelman, S., Sheng, S., McDonald, A., and Chowdhury, A. P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7 , Issue 3 (November 2008). Pages 274-293. [Author's version]

Reeder, R., Cranor, L., Kelly, P. and McDonald, A. A User Study of the Expandable Grid Applied to P3P Privacy Policy Visualization. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2008), Washington, DC, USA, October 2008.

James, R., Kim, W. T., McDonald, A. M., McGuire, R. A Usability Evaluation of a Home Monitoring System. SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security. Pages 143-144, July 2007.

McDonald, A. M. and Cranor, L. F. How Technology Drives Vehicular Privacy. I/S: A Journal of Law and Policy for the Information Society, 2(3), Fall 2006, 981-1015. [Author's version]

Technical Reports

McDonald, A. M. and Cranor, L. F. A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies. [CMU Tech Report]

Leon, P. G., Cranor, L. F., McDonald, A. M., and McGuire, R. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens.[CMU Tech Report]

McDonald, A. M., and Cranor, L. F. An Empirical Study of How People Perceive Online Behavioral Advertising. CyLab Technical Report 09-015. November 10, 2009. [CMU Tech Report]

Cranor, L. F., McDonald, A. M., Egelman, S. and Sheng, S. 2006 Privacy Policy Trends Report. CyLab Privacy Interest Group. January 31, 2007. [Author's version]

Presentations

Policy

FTC Commissioner and staff. Preview of work on user expectations for Do Not Track. July 13, 2011.

Federal Trade Commission staff. Preview of work on user expectations for Do Not Track. June 15, 2011.

Federal Trade Commission staff. Beliefs and Behaviors: Internet Users’ Understanding of Targeted Advertising. October 13, 2010.

Supported Lorrie Faith Cranor's panel discussion on consumer privacy expectations at the Federal Trade Commission's first privacy roundtable, December 7, 2009.

Supported a portion of Lorrie Faith Cranor’s testimony to the Federal Trade Commission Ehavioral Advertising: Tracking, Targeting, & Technology town hall meeting, November 2, 2007.

Invited Talks

Symposium On Usable Privacy and Security (SOUPS). The Battle over the Behavioral Advertising Choice Mechanisms. Panelist. [Video] July 22, 2011

Katholieke Universiteit Leuven. Do Not Track and US Privacy Bills. June 24, 2011.

Online Tracking Protection & Browsers. Regulatory landscape: consent to be tracked? Panelist. June 22-23, 2011.

Federated Social Web Europe, Following Social Advertising in the United States. June 3-5, 2011.

Rapleaf 2011 Personalization Summit. Personalization and Privacy: A Birds Eye View. Panelist. May 26, 2011.

Privacy Identity Innovation (PII) 2011. Panelist. May 18-21, 2011.

W3C Workshop. Position paper for the W3C Do Not Track Workshop.

Yale ISP, From Mad Men to Mad Bots. Discussion of the Psychology of Online Advertising. March 25-26, 2011. [presentation, 4th panel]

Microsoft. Beliefs and Behaviors: Internet Users’ Understanding of Targeted Advertising. October 28, 2010.

Carnegie Mellon Silicon Valley Talks on Computing Systems. August 11, 2010. [Video Archive]

Google Tech Talk. Privacy Targets: Three User Studies on Internet Privacy and Targeted Advertising. June 1, 2010. [Video]

eMetrics panel discussion with Bob Page (Yahoo! Analytics) and John McKean (Center for Information Based Competition.) "The Great Cookie Debate or Your Personally Identifiable Information or Your Life!" October 22, 2009. [Overview]

Google Tech Talk. Online Privacy: Industry Self Regulation in Practice. September 17, 2009. [Video | Slides in PDF]

Conference Presentations

SOUPS 2011, The Battle Over Behavioral Advertising Choice Mechanisms. Panelist. July 22, 2011.

9th Workshop on Privacy in the Electronic Society (WPES). Americans’ Attitudes About Internet Behavioral Advertising Practices, with L. F. Cranor. October 4, 2010.

38th Research Conference on Communication, Information and Internet Policy (TPRC). Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising, with L. F. Cranor. October 2, 2010.

Privacy Law Scholars Conference (PLSC). Impressions and Privacy: A study of American Internet Users’ Attitudes about Targeted Advertising, with L. Cranor. June 3, 2010.

Privacy Enhancing Technologies Symposium. A comparative study of online privacy policies and formats, with R. Reeder, P. G. Kelley, and L. F. Cranor. August 5-7 2009.

The 36th Research Conference on Communication, Information and Internet Policy (TPRC). The Cost of Reading Privacy Policies, with L. Cranor. Sep 27, 2008.

Poster Sessions

Americans' Attitudes About Internet Behavioral Advertising Practices. Symposium On Usable Privacy and Security (SOUPS) July 22, 2011.

Cookie Confusion: Do Browser Interfaces Undermine Understanding? Human Factors in Computing Systems (CHI) April 12, 2010.

A Comparative Study of Online Privacy Policies and Formats. Symposium on Usable Privacy and Security (SOUPS) July 15-17, 2009.

The Time Value of Reading Online Privacy Policies. Computers, Freedom and Privacy (CFP) June 1, 2009.

A Comparative Study of Online Privacy Policies and Formats. Freedom and Privacy (CFP) June 1, 2009.

The Time Value of Reading Online Privacy Policies. CyLab Partners Conference, October, 2008.

Technical and Policy Responses to Spyware. Telecommunications Policy Research Conference (TPRC) September, 2008.

2006 Privacy Policy Trends Report. Carnegie Mellon Privacy Mind Swap Poster Fair, October 19, 2007.

A User Study of the Expandable Grid Applied to P3P Privacy Policy Visualization. Carnegie Mellon Privacy Mind Swap Poster Fair, October 19, 2007.

P3P Deployment on Websites. Carnegie Mellon Privacy Mind Swap Poster Fair, October 19, 2007.

Technical and Policy Responses to Spyware. Anti-phishing Working Group eCrime Researchers Summit, October 7, 2006.

How Technology Drives Vehicular Privacy. Gordon Science & Technology Policy Conference, August, 2006.

Technical and Policy Responses to Spyware. CyLab Partners Conference, April, 2006.

How Technology Drives Vehicular Privacy. Carnegie Mellon Privacy Poster Fair, December 14, 2005.

Experience

Technology Policy

Carnegie Mellon University, Research Assistant, staff position, 5/06 – 8/06
Under the direction of Professor Jon M. Peha, managed a group of three students to investigate spyware traffic on the Carnegie Mellon network. Determined schedule and priorities for students. Used Snort on Red Hat with custom anonymization tools to ensure privacy. Responsible for IRB (Institutional Review Board) interactions. Performed data analysis in mySQL, SAS, and R.

Center for Democracy & Technology, Washington, DC. Summer intern, 5/05 – 7/05
Authored two internal papers on RFID (Radio Frequency Identification) including research on security issues and privacy. Participated in events on layered privacy notices, Real ID, and the PATRIOT Act. Edited written comments to the Federal Election Committee. Attended FEC and Senate Intelligence Committee hearings.

Teaching Experience — Carnegie Mellon

Project manager. Policy Dimensions of New Space Technologies, Spring, 2008. Responsible for a team of six undergraduate students as they defined, designed, and performed research regarding “new space” (entrepreneurial rather than NASA-led) business models, technologies, and federal policies. We submitted findings to our client, the Federal Aviation Agency. Created and graded quizzes. Contributed to assigning midterm and final grades.

Guest lecturer. Useable Privacy and Technology, Spring, 2008. Topic: Online privacy policies. Also led a class tour of a biometrics laboratory.

Guest lecturer. Useable Privacy and Technology, Spring, 2007. Topic: Visualizing privacy [slides]

Guest lecturer. Privacy Policy, Law, and Technology, Fall, 2007. Topic: Privacy policies and privacy communication.

Editorial Experience

Program Committee, Privacy Enhancing Technologies Symposium (PETS), 2011.

Reviewer, Information Systems Frontiers, 2010.

Program Committee, Privacy Enhancing Technologies Symposium (PETS), 2010.

Political Experience

Advance volunteer from 1997-2002 for the Vice President of the United States and a United States Senator. Worked with the Secret Service and Silicon Valley CEOs. Part-time volunteer for multiple campaigns from 1995 to 2008, full-time volunteer for three months in 2002. Experience with campaigns at all levels (Town Council, San Francisco Board of Supervisors, VA House, United States Senate, United States President.) Responsibilities: campaign manager, site lead, event planner, media coordinator, motorcade lead, phone bank manager, delegate to a State convention.

Writing Experience

A decade of experience working for software startups. Specialized in single-source cross-platform documentation, ranging from online help to API manuals. Wrote and edited thousands of pages; as team lead, was responsible for scheduling and mentoring new hires; advocated for usability testing and customer contact to meet reader's needs.

Technical Writer, Contractor for San Francisco Bay area software companies	7/01 – 5/04
Ariba, Mountain View, CA Software Quality Engineer; Technical Writer	4/98 – 7/01
Z-AXIS, San Mateo, CA. Technical Writer	3/97 – 4/98
Visix Software, Reston, VA. Technical Writer	3/95 – 3/97

Awards and Honors

CyLab Usable Privacy and Security Meritorious Achievement Certificate, 2010.

Barbara Lazarus Women@IT Fellowship, 2006-7. Received full tuition and stipend support for one year of doctoral scholarship.

Friedman Fellowship, summer 2005. Received support for a summer of technology policy work in Washington, DC.

Service

Volunteer work on conference logistics for multiple years:

• Symposium on Usable Privacy and Security (SOUPS)
• Freedom to Connect (F2C)
• Anti-Phishing Working Group (APWG) eCrime Summit

Department representative to Graduate Student Assembly (GSA) 2006-7. Successfully argued against two proposed university policies, leading to improved compromise solutions for case-by-case evaluation of non-resident PhD health care coverage and multiple sheltered locations for smokers. Co-created guidelines to fund events with non-department attendees. Finished the year with a modest surplus.

Media Coverage

Coverage of user expectations of Do Not Track:

• Davis, Wendy. Study: Consumers Define Do-Not-Track More Broadly Than Web Companies. The Online Daily Examiner. (3 May, 2011) [original]
• Tarren, Brian. Do-not-track isn't just about advertising, say web users. Research. (4 May, 2011) [original]

Coverage of LSO (“Flash cookie”) study:

• Davis, Wendy. Have Web Sites Cut Back On Flash Cookies? Daily Online Examiner. (31 Jan, 2011) [original]
• Mullen, Joe. New Study Shows Persistence Of ‘Flash Cookies’ Paid Content. (1 Feb, 2011) [original]
• Tarran, Brian. Flash cookie respawning 'on the wane', say Carnegie Mellon researchers. Research. (3 Feb, 2011) [original]

Coverage of errors in P3P compact policies:

• Davis, Wendy. Privacy Snafu As Web Sites Bypass Cookie-Blockers. Daily Online Examiner. (10 Sep, 2010) [original]
• Dissent. Is your browser being lied to? Survey says: “Maybe”. PogoWasRight. (13 Sep, 2010) [original]
• Marc. Cookie Control. p2pnet news. (13 Sep, 2010) [original]
• Marc. Cookie Control: Part II. p2pnet news. (14 Sep, 2010) [original]
• Maier, Fran. Let's talk P3P. TRUSTe. (13 Sep, 2010) [original]
• Richmond, Riva. A Loophole Big Enough for a Cookie to Fit Through. The New York Times. (17 Sep, 2010) [original]
• Tarran, Brian. Oh crumbs! Cookies left unblocked by code errors, say academics. Research-Live. (13 Sep, 2010) [original]

P3P compact policies enforcement actions:

• Del Vecchio et al v. Amazon.com class action filing
• Eaton, Nick. Suit: Amazon fradulently collects, shares users' personal info. Seattle PI. (3 Mar, 2011.) [original]
• Enright, Allison. Privacy suit takes aim at Amazon. Internet Retailer. (4 Mar, 2011.) [original]

Coverage of mental models of online advertising and behavioral targeting:

• Davis, Wendy. Study: Consumers Equate BT With `Privacy Harm' Daily Online Examiner. (17 Nov, 2009) [original | cached PDF]
• Kessler, Sarah. Online Behavior Tracking and Privacy: 7 Worst Case Scenarios. Mashable. (3 Nov, 2010) [original]
• Trager, Louis. Privacy Desires Unmet: User Ignorance, Assumptions Undermine Targeted Ad Self-Regulation, Say Researchers. Communications Daily. (11 August, 2010) [CommDaily is only available to subscribers]

Our findings about the value of the time required to read privacy policies were covered by technology and legal publications, and blogged internationally in multiple languages. Highlights:

• Radio interview with Free Press on The Cost of Reading Privacy Policies (17 Oct, 2008) [Original transcript | cached PDF | cached audio]
• Anderson, Nate. Study: Reading online privacy policies could cost $365 billion a year. Ars Technica. (8 Oct 2008) [original | cached PDF]
• Davis, Wendy. Online Execs Object To Privacy Statement Report. MediaPost's Online Media Daily. (9 Oct 2008) [original | cached PDF]
• McGee, Matthew. Average privacy policy takes 10 minutes to read, research finds OUT-LAW News. (6 Oct 2008) [original | cached PDF]
• Slashdot, 20 Hours a Month Reading Privacy Policies (10 Oct 2008) [original]
• Whoriskey, Peter. Lost in the Fine Print: It Would Take a Week to Read All Your Privacy Policies. Washington Post I.T. (26 Sept 2008) [original | cached PDF]
• Wilson, Tim. Users, Enterprises Pay for Poor Privacy Policies, Study Says. Dark Reading. (7 Oct 2008) [original | cached PDF]