Nick Merrill

I am a postdoc at the UC Berkeley Center for Long-Term Cybersecurity (CLTC).

I received my PhD in 2018 from the UC Berkeley School of Information,


Security games Security is organized around threats, speculative scenarios that describe possible attacks. How people imagine threats—and who does the imagining—largely dictates what people are vulnerable to when they interact with computers.

This project uses role-playing games to help engineers and designers discover threats they might otherwise miss. It also aims to draw new entrants into the practice of security.

(Improv) games to help vulnerable persons discover security threats.

Adversary Personas. A card-driven improv game for imagining security threats.

More soon...

Security rhetoric

How does security describe itself? These projects examine the tools and dialogues around security, and how they shape security's practice.

James Pierce, Sarah Fox, Nick Merrill, Richmond Wong. Differential Vulnerabilities and a Diversity of Tactics: What toolkits teach us about cybersecurity. CSCW '18.

James Pierce, Sarah Fox, Nick Merrill, Richmond Wong, Carl DiSalvo. An Interface Without a User: An exploratory design study of online privacy policies and digital legalese. DIS '18.

Nick Merrill. Better Not to Know?: The SHA1 collision & the limits of polemic computation. LIMITS '17.

Mind-reading machines What can machines know about the mind? This work seeks to understand people's beliefs about this question: how these beliefs affect and arise from interactions with digital sensors, from prior beliefs about the mind and the body, and how these beliefs may shape the design of technical systems in the future.

I built a working brain-computer interface to study how software engineers conceive of the brain and mind (CHI '18), and studied how people build emotional interpretations around basic biosignals (CSCW '17).

During my PhD, I studied how sensing technologies blur the line between sensing bodies and sensing minds, and what this moving boundary means for the future of security online.

Nick Merrill, John Chuang. Models of Minds: Reading the mind beyond the brain. alt.chi '19.

Nick Merrill. Mind Reading & Telepathy for Beginners & Intermediates: What people think machines can know about the mind, and why their beliefs matter. Ph.D. Dissertation. Advisor: John Chuang. University of California, Berkeley, 2018.

Richmond Y Wong, Nick Merrill, John Chuang. When BCIs have APIs: Design fictions of everyday brain-computer interface adoption. DIS '18. Honorable mention

Nick Merrill, John Chuang. From Scanning Brains to Reading Minds: Talking to engineers about brain-computer interface. CHI '18.

Nick Merrill, Coye Cheshire. Trust Your Heart: Assessing cooperation and trust with biosignals in computer-mediated interactions. CSCW '17. Honorable mention

Nick Merrill, Coye Cheshire. Habits of the Heart (rate): Social interpretation of biosignals in two interaction contexts. ACM GROUP '16.

Fall, 2017. INFO 290T: Mind Reading & Telepathy for Beginners & Intermediates. Designed and taught with John Chuang.

Passthoughts Why passthoughts? Well, traditional passwords are easy to guess and difficult to remember, while possession factors (like phones or fobs) are easy to lose. Meanwhile, biometric identifiers like fingerprints are easy to steal and difficult to change (remember the eyeball transplant scene from Minority Report?).

Passthoughts combine multiple factors of authentication into a single step: a knowledge factor (your secret thought), and a biometric factor (the unique way you express your thought neurally). Passthoughts are easy to change, but tough for an attacker to fake, even if they know their target's secret thought.

I see of passthoughts as a good way to protect something important, like a password manager. I also see it as a useful test-case for probing the future of consumer brain-computer interface.

Passthought authentication allows you to think a secret thought to log into things. A brainscanning device collects signatures of the corresponding neural activity and uses them as a password, or passthought.

Nick Merrill, Max T. Curran, Swapan Gandhi, John Chuang. One-Step, Three-Factor Passthought Authentication with Custom-Fit, In-Ear EEG. Frontiers in Neuroscience.

Tanya Piplani, Nick Merrill, John Chuang. Faking it, Making it: Fooling and improving brain-based authentication with generative adversarial networks. BTAS '18.

Max T. Curran, Nick Merrill, Swapan Gandhi, John Chuang. Exploring the Feasibility and Performance of One-Step Multi-Factor Authentication with Ear-EEG. PhyCS '18. Best student paper

Nick Merrill, Max T Curran, John Chuang. Is the Future of Authenticity All In Our Heads? Moving passthoughts from the lab to the world. NSPW '17.

Max Curran, Nick Merrill, John Chuang, Swapan Gandhi One-step, three-factor authentication in a single earpiece. UBICOMP '17.

Nick Merrill, Max Curran, Jong Kai Yang, John Chuang Classifying Mental Gestures with In-Ear EEG. BSN '17.

Max Curran, Jong Kai Yang, Nick Merrill, John Chuang. Passthoughts Authentication with Low-Cost EarEEG. EMBC '16.

In the press...

NEO.LIFE. When computers read your mind, you’ll need a great passthought. July 15, 2017.

Techonomy. Will your next password be a brainwave? June 20, 2017.

KRON4. New brainwave reading tech from Cal Berkeley released. November 18, 2016.

IEEE Spectrum. In-Ear EEG Makes Unobtrusive Brain-Hacking a Real Possibility. July 7, 2016.

CNET. Use your eyes, voice -- and thoughts -- to replace passwords. July 4, 2016.

Tech Republic. Is it time to replace passwords with passthoughts?. March 17, 2015.

Virtual worlds

How do people relate to each other in online virtual worlds?

Joshua McVeigh-Schultz, Elena Márquez Segura, Nick Merrill, Katherine Isbister. What's It Mean to "Be Social" in VR?: Mapping the social VR design ecology. DIS '18.

Brooke Foucault-Welles, Nick Merrill, Thomas Rousse, Noshir Contractor. Virtually friends: An exploration of friendship claims and expectations in immersive virtual worlds (2014). Journal for Virtual Worlds Research.

Software Do try the Aaronson Oracle...

signal-protocol (2016). Signal Messenger's key ratchet, packaged for node and browsers. (HN)

aaronson oracle (2016). Press the 'f' and 'd' keys randomly. Just use your "free will." (HN) (2015). Encrypted, pseudonymous chat in the web browser.

npm packages (2015-2017). 50+ tiny, UNIX-styled javascript modules.

BCI review (2017-). Brain-computer interface news & opinion.

About me

I grew up in Los Angeles and now live in the East Bay, Ohlone territory. My father is a retired journalist & screenwriter who is much more interesting than I am.

ffff at berkeley edu
(my public key)