Adrienne Porter Felt’s job is to keep you secure on Chrome.
Felt, 29, who earned a computer science degree from the University of Virginia in 2008, leads the usable security team at Google working on the popular Internet browser.
“‘Usable security’ means that we build, maintain and improve the security features that Chrome users see,” she said. “That includes things like the lock next to the URL and security questions.”
That lock displayed next to the URL tells if the user’s connection is secure or if there is a problem. Felt, a software engineer, is also working on improving “Web permissions.”
“My colleagues in Chrome are building lots of new [Application Programming Interfaces] that will allow websites to have more of the features of Android or iOS apps, like Bluetooth connectivity,” Felt said. “However, you don’t want every website that you go to to be able to use your camera, connect to your Bluetooth speakers or send notifications. Instead, websites have to ask the user for the permission.
“I work on projects such as making the permission requests clear, incentivizing developers to ask for permission in a polite way, and studying the effects on users of too many permission requests.”
Working on Web permissions ties directly into Felt’s undergraduate work on Facebook apps.
“When I was at UVA, I did research projects studying the security ramifications of the Facebook app ecosystem,” she said “Permissions were a big part of that; when you start using a Facebook app, you need to grant it permission to access parts of your profile, post on your wall, etc.”
As a student, she used the Facebook applications to build things she wanted to share with her friends and sorority sisters, but she also discovered security bugs allowing others to spy, using the applications.
“Facebook has its own first-party content, but the applications are made by other people, companies that are not Facebook. Facebook ‘sandboxes’ the apps because otherwise they could collect data from your private profiles,” she said. “Sandboxing” an application limits its privileges to its intended functions, decreasing opportunities for malicious software to compromise the program.
Felt started working in security when she was a second-year engineering student, responding to a request from computer science professor David Evans. He said Felt stood out amongst her peers because of her “well-thought-out answers and meticulous diagrams.”
“For the summer after her second year, she joined a project one of my Ph.D. students was working on to use the disk drive controller to detect malware based on the reads and writes it makes that are visible to the disk,” Evans said. “She did great work on that project, and by the end of the summer was envisioning her own research ideas. She came up with the idea of looking at privacy issues in Facebook applications, which, back in 2007, was just emerging, and no one else was yet looking into privacy issues like this.”
Taking Evans’ offer for a research project was a turning point in Felt’s life, showing her something she liked that she could do well.
“It turned out that I really loved it,” she said. “I like working in privacy and security because I enjoy helping people control their digital experiences. I think of it as, ‘I’m professionally paranoid so that other people don’t need to be.’”
She continued her studies, earning a Ph.D. in computer science at the University of California, Berkeley.
“As a graduate student at UC-Berkeley, I started looking at the security properties of Android applications,” she said. “They also have permissions. And now that I’m at Google, I’m working on permissions for websites in Chrome.”
"I’m professionally paranoid so that other people don’t need to be." - Adrienne Porter Felt
Felt returned to UVA last week to give the School of Engineering and Applied Science’s Distinguished Alumni Lecture at Rice Hall, where she described her work, gave some insight into the engineering and design work that goes on behind the scenes and pitched some open problems and challenges to the audience.
“Usable security is the ‘face’ of security to Chrome’s billion users,” she said. “It’s a hard space because we need to represent extremely complex technical situations in a simple, approachable [user interface]. Often users see a simple icon, but underneath is a huge amount of engineering work.”
Evans, who was drawn into cybersecurity in the 1990s when he was Ph.D. candidate at the Massachusetts Institute of Technology, said Felt’s success is unsurprising.
“It was clear she was going to be a star researcher very early,” he said. “Within the first few weeks in my group, she was able to understand on her own a complex new area and start identifying issues with what we were doing and coming up with new ideas to improve things.
“She’s done a great variety of work in her career, but like her work here as an undergraduate, nearly all of it is focused on improving the privacy and security of computing for typical users,” he said. “It’s been great to follow her career as she has become well-respected and widely known throughout the research community, and has been able to initiate and lead a group at Google doing novel work to bring research ideas into products that billions of people use.”
Felt said she enjoys helping others in her work preserving privacy, which requires her to think like an attacker.
“I think about what could go wrong,” she said. “I want to prevent problems before they are released.”