Carnegie Mellon University

Dr. Norman Sadeh

Professor of Computer Science; Co-Director, Privacy Engineering Program

Address
5000 Forbes Avenue
Pittsburgh, PA 15213

Bio

Norman Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University (CMU). Dr. Sadeh has (co-)founded and (co-)directed several graduate programs at CMU. This includes the Privacy Engineering Program (co-founder and co-director, 2012-present), the PhD Program in Societal Computing (co-founder and co-director, 2003-2013), and the MBA track in Technology Strategy and Product Management launched jointly by the Tepper School of Business and the School of Computer Science (co-founder and director, 2005-2017). Norman’s current research interests include cybersecurity, online privacy, Human-AI Interaction, AI governance, mobile computing, the Internet of Things, user-oriented machine learning, language technologies, and semantic web technologies.

Dr. Sadeh is well known for his pioneering work on AI-based privacy enhancing technologies, including the development of privacy assistants, the development of automated privacy compliance tools, and the development of NLP-based privacy enhancing technologies. He has also conducted foundational work on modeling people's privacy expectations and preferences and on privacy and security nudging. His work has been credited with influencing the development of privacy-enhancing solutions at companies that include Apple, Google and Facebook/Meta (e.g., more expressive mobile app permissions, background privacy reminders/nudges, privacy dashboards, privacy compliance tools, mobile app privacy labels). Dr. Sadeh is the lead designer of CMU's Privacy Infrastructure for the Internet of Things (IoT). Results of his research have also informed privacy policy and activities at regulatory agencies, including the Federal Trade Commission and the California Office of the Attorney General (e.g., mobile app privacy compliance, CCPA privacy opt-out notices, IoT privacy).

Norman is also a successful entrepreneur. He was the founding CEO and, until its acquisition, the chairman and chief scientist of Wombat Security Technologies, a company that defined the multi-billion dollar user-oriented cybersecurity market. Wombat was acquired by Proofpoint in February 2018. By that time Wombat had well over 2,000 corporate customers, and had been named a clear leader in the Gartner Group’s Magic Quadrant in Security Awareness Computer-Based Training for 4 years in a row (since the inception of Gartner’s Quadrant in this sector). It had also been identified as one of the 500 fastest growing technology companies in North America for three consecutive years in Deloitte’s Technology Fast 500. In May 2018, Norman was honored with the 2018 Outstanding Entrepreneur of the Year award from the Pittsburgh Venture Capital Association. As of 2024, technologies Norman developed with colleagues at CMU and Wombat are used to protect tens of millions of users around the world against cybersecurity attacks such as phishing, including employees at over 75% of the Fortune 100 companies.

Earlier in his career, Prof. Sadeh conducted seminal work in AI planning and scheduling, agent-based supply chain management, workflow management, and automated trading, including the design and launch of the international supply chain trading agent competition. His work on constraint-based scheduling introduced a probabilistic model of the search space for constraint satisfaction problems and demonstrated how this model could inform the development of particularly effective variable and value ordering search heuristics. His work on agent-based supply chain management was among the very first to demonstrate the importance of modeling the decentralized and competitive nature of supply chains and of offering practical approaches for studying and managing these interactions. Products based on this earlier research were deployed and commercialized by organizations such as IBM, CACI, Raytheon, Mitsubishi, Boeing, Numetrix (eventually acquired by JD Edwards/PeopleSoft/Oracle), ILOG (eventually acquired by IBM), and the US Army.

Prof. Sadeh's 2001 best-selling book on M-Commerce provided an overview of emerging trends and anticipated future developments that eventually coalesced into the emergence and broad adoption of smartphones. It highlighted usability, security and privacy challenges mobile commerce ecosystems would have to address, the need for standardized APIs for managing contextual attributes and associated privacy decisions, and previewed how smart assistants would eventually usher in a new wave of innovation in this space.

Norman's work with his collaborators on the livehoods project, using social media data to interpret the dynamic patterns of cities and help understand their social fabric, was recognized with a test of time award by the AAAI Conference on Web and Social Media (ICWSM). His work on automatically recognizing mobile user activities while minimizing battery life has also influenced technologies found in most modern smartphones.

In the late nineties Norman served as Chief Scientist of the EUR 550 million European Union's e-Commerce initiative, which included all pan-European research in cybersecurity and privacy as well as contributions to several major European public policy initiatives.

Norman received his Ph.D. in Computer Science at CMU with a major in Artificial Intelligence and a minor in Operations Research. He holds an MS degree in computer science from the University of Southern California and a BS/MS degree in electrical engineering and applied physics from the Free University of Brussels (Belgium) as “Ingénieur Civil Physicien”.

Dr. Sadeh's research as well as his views on cybersecurity, privacy, mobile and IoT technologies are often covered in the press (e.g. Wall Street Journal, Wired, New York Times, Chronicle of Higher Education, Pittsburgh Post Gazette, Kiplinger, Huffington Post, Fast Company, Tech Crunch).

Between 2008 and 2019, he was also a visiting professor at Hong Kong University, where he would spend 2 weeks each year.

Education

  • PhD, Computer Science, Carnegie Mellon University
  • MS, Computer Science, University of Southern California
  • BSc/MS, Electrical Engineering & Applied Physics, Free University of Brussels

Research

Areas of Research Interest:

  • Analysis & Assurance
  • Network Science and Social Networks
  • APIs & Frameworks
  • Organizations
  • Applied Systems and Infrastructure
  • Privacy and Security
  • Autonomous Systems
  • Software Data Analysis
  • Complex Socio-Technical Systems
  • Computing Technology and Policy
  • Developer Tools

Projects

Usable Privacy Policies

Natural language privacy policies have become the de facto standard to address expectations of “notice and choice” on the Web. However, users generally do not read these policies, and those who do struggle to understand them. Initiatives such as P3P and Do Not Track aimed to address this problem by developing machine-readable formats to convey a website's data practices. However, many website operators are reluctant to embrace such approaches.

Opt-Out Easy Browser Extension

New study shows dearth of privacy opt-out choices and offers solution to empower users to readily identify choices often buried deep in the text of privacy policies

Personalized Privacy Assistants

The Internet of Things (IoT) and Big Data are making it impractical for people to keep up with the many different ways in which their data can potentially be collected and processed. What is needed is a new, more scalable paradigm that empowers users to regain appropriate control over their data.

Privacy Infrastructure and Assistant for the Internet of Things

Have you ever seen a sign that reads "this area under camera surveillance" and wondered whether the cameras are coupled to facial recognition or scene recognition software, who that footage might be shared with, and for how long it is retained? Until today, there was no standard mechanism to communicate this type of information to people. Yet smart sensors are everywhere. They are part of what is now referred to as the Internet of Things (“IoT”) with billions of devices already deployed today. The IoT Privacy Infrastructure developed at Carnegie Mellon University has been designed to address this problem.

Explore Annotated Privacy Policies

The Walt Disney Company has a rich tradition of bringing great stories, characters and experiences to our guests around the world, and our sites and applications are created to entertain and connect guests with the best that we have to offer on the platforms and devices our guests prefer. Our privacy policy is designed to provide transparency into our privacy practices and principles, in a format that our guests can navigate, read and understand. We are dedicated to treating your personal information with care and respect.

Privacy Nudging

Smartphone users are often unaware of the data collected by apps running on their devices. We report on a study that evaluates the benefits of giving users an app permission manager and sending them nudges intended to raise their awareness of the data collected by their apps. Our study provides both qualitative and quantitative evidence that these approaches are complementary and can each play a significant role in empowering users to more effectively control their privacy.

Publications

D. Rodriguez, I. Yang, J.M. Del Alamo, and N. Sadeh, "Large language models: a new approach for privacy policy analysis at scale," Computing, pp. 1-25, 2024.

D. Rodríguez, C. Fernández-Aller, J.M. Del Alamo, and N. Sadeh, "Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm," in Proc. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024, pp. 19-23.

S. Zhang, L. Klucinec, K. Norton, N. Sadeh, and L. Cranor, "Exploring Expandable-Grid Designs to Make iOS App Privacy Labels More Usable," in Proc. USENIX Symposium on Usable Privacy and Security (SOUPS), 2024.

R. Chen, R. Wang, N. Sadeh, and F. Fang, "Missing Pieces: How Framing Uncertainty Impacts Longitudinal Trust in AI Decision Aids--A Gig Driver Case Study," arXiv preprint arXiv:2404.06432, 2024.

N. Sadeh, B. Liu, A. Das, M. Degeling, and F. Schaub, "Personalized privacy assistant," U.S. Patent Application 18/239,267, 2024.

D. Rodriguez, J.M. Del Alamo, C. Fernández-Aller, and N. Sadeh, "Sharing is not always caring: Delving into personal data transfer compliance in Android apps," IEEE Access, 2024.

D. Rodríguez, C. Fernández, J.M. Del Alamo, and N. Sadeh, "Data Retention Period Disclosures in Privacy Policies," Mendeley Data, 2024.

S. Zhang, L. Klucinec, K. Norton, N. Sadeh, and L.F. Cranor, "Exploring Expandable-Grid Designs to Make iOS App Privacy Labels More Usable," in Proc. Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), 2024, pp. 139-157.

Y. Feng, A. Ravichander, Y. Yao, S. Zhang, and R. Chen, "Understanding How to Inform Blind and Low-Vision Users about Data Privacy through Privacy Question Answering Assistants," in Proc. 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 2065-2082.
