Nick Merrill

I am a postdoc at the UC Berkeley Center for Long-Term Cybersecurity (CLTC).

I received my PhD in 2018 from the UC Berkeley School of Information,


The social practice of computer security

Security is organized around threats, speculative scenarios that describe possible attacks. How software engineers imagine these threats, and how they see certain threats as legitimate (or not), largely dictate what people are vulnerable to when they interact with computers.

This project seeks to push on the boundaries of what developers accept as a security threat, and what these boundaries mean for the types of threats developers catch (and miss).

I am developing a game to help software engineers forecast security threats, and studying their gameplay to understand the perceived boundaries of computer security.

More soon...

Security rhetoric

How does security describe itself? These projects examine the tools and dialogues around security, and how they shape security's practice.

James Pierce, Sarah Fox, Nick Merrill, Richmond Wong. Differential Vulnerabilities and a Diversity of Tactics: What toolkits teach us about cybersecurity. CSCW '18. (Coming soon)

James Pierce, Sarah Fox, Nick Merrill, Richmond Wong, Carl DiSalvo. An Interface Without a User: An exploratory design study of online privacy policies and digital legalese. DIS '18.

Nick Merrill. Better Not to Know?: The SHA1 Collision & the Limits of Polemic Computation. LIMITS '17.

Mind-reading machines

What can machines know about the mind? This work seeks to understand people's beliefs about this question: how these beliefs affect and arise from interactions with digital sensors, from prior beliefs about the mind and the body, and how these beliefs may shape the design of technical systems in the future.

I built a working brain-computer interface to study how software engineers conceive of the brain and mind (CHI '18), and studied how people build emotional interpretations around basic biosignals (CSCW '17).

During my PhD, I studied how sensing technologies blur the line between sensing bodies and sensing minds, and what this moving boundary means for the future of security online.

Nick Merrill. Mind Reading & Telepathy for Beginners & Intermediates: What People Think Machines Can Know About the Mind, and Why Their Beliefs Matter (2018), my dissertation.

Richmond Y Wong, Nick Merrill, John Chuang. When BCIs have APIs: Design fictions of everyday brain-computer interface adoption. DIS '18. Honorable mention

Nick Merrill, John Chuang. From Scanning Brains to Reading Minds: Talking to engineers about brain-computer interface. CHI '18.

Nick Merrill, Coye Cheshire. Trust Your Heart: Assessing cooperation and trust with biosignals in computer-mediated interactions. CSCW '17. Honorable mention

Nick Merrill, Coye Cheshire. Habits of the Heart (rate): Social Interpretation of Biosignals in Two Interaction Contexts. ACM GROUP '16.

Fall, 2017. INFO 290T: Mind Reading & Telepathy for Beginners & Intermediates. Designed and taught with John Chuang.

Passthoughts

Why passthoughts? Well, traditional passwords are easy to guess and difficult to remember, while possession factors (like phones or fobs) are easy to lose. Meanwhile, biometric identifiers like fingerprints are easy to steal and difficult to change (remember the eyeball transplant scene from Minority Report?).

Passthoughts combine multiple factors of authentication into a single step: a knowledge factor (your secret thought), and a biometric factor (the unique way you express your thought neurally). Passthoughts are easy to change, but difficult to fake, even if you know the correct passthought.

I see passthoughts as a good way to protect something important, like a password manager. I also see it as a useful test-case for probing the future of consumer brain-computer interface.

Passthought authentication allows you to think a secret thought to log into things. A brainscanning device collects signatures of the corresponding neural activity and uses them as a password, or passthought.

Tanya Piplani, Nick Merrill, John Chuang. Faking it, Making it: Fooling and Improving Brain-Based Authentication with Generative Adversarial Networks. BTAS '18. (Coming soon)

Max T. Curran, Nick Merrill, Swapan Gandhi, John Chuang. Exploring the Feasibility and Performance of One-Step Multi-Factor Authentication with Ear-EEG. PhyCS '18. (Coming soon)

Nick Merrill, Max T Curran, John Chuang. Is the Future of Authenticity All In Our Heads? Moving passthoughts from the lab to the world. NSPW '17.

Max Curran, Nick Merrill, John Chuang, Swapan Gandhi. One-step, three-factor authentication in a single earpiece. UBICOMP '17.

Nick Merrill, Max Curran, Jong Kai Yang, John Chuang. Classifying mental gestures with in-ear EEG. BSN '17.

Max Curran, Jong Kai Yang, Nick Merrill, John Chuang. Passthoughts authentication with low cost EarEEG. EMBC '16.

In the press...

NEO.LIFE. When computers read your mind, you’ll need a great passthought. July 15, 2017.

Techonomy. Will your next password be a brainwave? June 20, 2017.

KRON4. New brainwave reading tech from Cal Berkeley released. November 18, 2016.

CNET. Use your eyes, voice -- and thoughts -- to replace passwords. July 4, 2016.

Tech Republic. Is it time to replace passwords with passthoughts? March 17, 2015.

Virtual worlds

How do people relate to each other in online virtual worlds?

Joshua McVeigh-Schultz, Elena Márquez Segura, Nick Merrill, Katherine Isbister. What's It Mean to "Be Social" in VR?: Mapping the Social VR Design Ecology. DIS '18.

Brooke Foucault-Welles, Nick Merrill, Thomas Rousse, Noshir Contractor. Virtually friends: An exploration of friendship claims and expectations in immersive virtual worlds (2014). Journal for Virtual Worlds Research.

Software

Do try the Aaronson Oracle...

signal-protocol (2016). Signal Messenger's key ratchet, packaged for node and browsers. (HN)

aaronson oracle (2016). Press the 'f' and 'd' keys randomly. Just use your "free will." (HN)

(2015). Encrypted, pseudonymous chat in the web browser.

npm packages (2015-2017). 50+ tiny, UNIX-styled javascript modules.

BCI review (2017-). Brain-computer interface news & opinion.

About me

I grew up in Los Angeles and now live in the East Bay, Ohlone territory. My father is a retired journalist & screenwriter who is much more interesting than I am.

ffff at berkeley edu
(my public key)