8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Semester Project

All students in this course will be required to complete a project that they work on throughout the semester. Students are encouraged to work in small groups of up to four students. Expectations about the size of the project will scale with the size of the group.

Schedule

September 12 - Project assignment discussed in class
October 15 - One-paragraph project description due (5 points)
October 24 - Project proposal due (10 points)
November 21 - Draft paper due (10 points)
Thursday, December 5 - Poster fair (15 points)
December 16, noon - Final paper due (60 points)

The various project assignments due before the final paper are designed to make sure you are making progress on your project throughout the semester and to give you opportunities to get feedback on your work along the way. Your draft paper will be graded for completeness, not content. For example, you will receive full credit for your draft paper if it has all the expected components and it appears that you put some effort into your draft, even if the content is unpolished. However, if your draft is missing an essential component (for example, a bibliography), you will not receive full credit. You will also lose points for submitting project components late. All project-related assignments will be graded within one week if they are submitted on time. You may also submit these assignments early for early feedback.

Deliverables

One-paragraph Project Description

Turn in a one-paragraph description of the project you intend to complete. If this is a team project, make sure you list all the team members. Please email your one-paragraph description as plain text (cut and paste into the body of your email) to privacy-homework AT cups DOT cs DOT cmu DOT edu and put "project description NAME1 NAME2" in the subject line (where NAME1 and NAME2 etc. are the names of the people proposing this project. If you want early feedback or help deciding between a few project ideas, please discuss with the professor or TA.

Project Proposal

The project proposal should include:

You might think of the project proposal as being similar to a grant proposal (without the need to fill out government forms or prepare a budget request). In the process of preparing this proposal you should conduct a literature review so that you can cite the relevant related work in your proposal. Besides being a graded assignment, the project proposal serves as a way for you to organize your thoughts about how to proceed with your semester project and to communicate them to your instructor. You will receive feedback on your proposal that may result in some changes to your project plans.

Writing quality (grammar, spelling, clarity, etc.) will be taken into account in your grade.

Please email your project proposal as a PDF file to privacy-homework AT cups DOT cs DOT cmu DOT edu and put "project proposal" in the subject line.

Draft Paper

Your draft paper should be a nearly complete version of your final project report. Please leave place holders for anything that is still incomplete and explain briefly what you expect to add in the final paper. If you developed software or created something as part of the project, please provide screen shots, a link to a demo, or other information so that the instructor can give you feedback on that part as well. Submit your draft paper BOTH via email and hard copy. Submit your draft double-spaced or with wide margins so that there is plenty of room for writing comments. Staple your draft in the top left corner. Do not submit it in a binder or report cover. Your electronic submission should be a PDF file emailed to privacy-homework AT cups DOT cs DOT cmu DOT edu and have "draft paper" in the subject line.

Final Paper

Your project report should document the work you have done on your project. It should include an updated version of the literature review, and background and motivation from your project proposal. If your project primarily involved writing a paper, then your project report may be the only artifact you submit. On the other hand, if you developed software or created something as part of this project, you should submit whatever you created in addition to the report. In the latter case, the report should document what you did and may include information about obstacles you encountered, testing and evaluation, design rationale, etc., as appropriate. Please consult with the instructor about what should be included in your report if you have any doubts. You will be graded both on your results as well as the accompanying explanation in your report.

Students enrolled in the 12-unit versions of this course are expected to write up their report in a format suitable as a conference paper submission.

Because of all the opportunities you have to get feedback on your project during the semester, the final paper and poster presentation will be graded with fairly high standards. What I will be looking for depends a lot on the particular project you choose. Here are some things I will be looking for in most papers.

Please submit your final paper BOTH via email and hard copy. Your electronic submission should be sent to privacy-homework AT cups DOT cs DOT cmu DOT edu and should have "final paper" in the subject line.

Poster

A poster session (open to the public) will be scheduled during the last week of classes. You should prepare a poster that provides an overview of your project. A 32x40 inch foam core board and easel will be provided to each student. I will also provide thumb tacks, construction paper, glue sticks and other supplies. You may prepare your poster as a set of up to 9 8.5x11 sheets of paper or print it as a single sheet. SCS provides a large format poster printer by the SCS computing facilities help desk. More details about the poster session will be provided in class.

Your poster grade will be based on the content of your poster, the visual presentation, your oral presentation, and your ability to answer questions. Be prepared to give a three-minute presentation to your instructor or other poster evaluator and answer their questions.

Project ideas

The following are a list of suggested projects. Students may select one of these projects or develop their own project idea in consultation with the instructor.

Privacy protection strategies used on social networks

Conduct a study of social network users (in general or pick a particular one -- Facebook, Twitter, etc.) to determine their strategies for protecting their privacy. Do they self-censor, setup multiple accounts, use protected tweets, etc.? What strategies are most popular? What privacy threats do people believe they are protecting against? What privacy threats do they feel they have not adequately protected against? You might use interviews, focus groups, or surveys for this project. This is best as a group project, preferably with at least one team member who has experience with survey or interview research. You will need IRB approval for this project--plan to get it early.

Sector-specific privacy-policy analysis

Are all privacy policies of similar companies similar? Or do consumers have meaningful choices? What are the factors that consumers might use to compare privacy policies? The Usable Privacy Policy Project is developing tools to semi-automatically read privacy policies and present key features to users in an easy-to-digest format. As a first step, the project needs to collect policies, determine what the key features are, and manually code these features for a set of policies. Select a type of website (e.g. retail, healthcare, news and information, third-party advertiser, etc.) and collect privacy policies for several dozen websites of that type. Come up with a set of features of these policies that might be interesting to consumers. Review each policy and determine what it says about each feature. Create a spreadsheet of your data and write a report describing your findings and discussing lessons learned.

Privacy art installation

Create an interactive art piece that illustrates a privacy-related concept, makes viewers more aware of privacy issues, or causes the viewer to reflect on their feelings about privacy. Write a report that documents the piece, describes how viewers interacted with it or reacted to it, and includes relevant background.

International Privacy Survey

For decades, a small number of researchers have aimed to understand the international dimensions of privacy. For instance, in what ways do privacy norms compare and contrast across cultures? What types of behaviors are considered private in some countries, yet public in others? Are privacy concerns universal, or are some privacy concerns isolated to particular countries? Does the conception of privacy itself differ across countries? Many past studies of cultural differences in privacy have suffered from small or biased samples, surveys that were only available in English, or surveys that were restricted to only a small number of countries. Design and conduct an international privacy survey that investigates some of these questions using Amazon's Mechanical Turk or another popular crowdsourcing site. This is best as a group project, preferably with at least one team member who has experience with survey research and with team members from diverse cultural backgrounds. You will need IRB approval for this project--plan to get it early.

Privacy Notice-- In What Language?

The Internet has made the world smaller. Users from hundreds of different countries, speaking hundreds of different languages, access globally popular websites like Google, Facebook, Wikipedia, and Pinterest. However, members of Professor Cranor's CUPS lab have recently shown that even if a site is offered in a particular language, critical privacy information is not necessarily available at all in that language. Just last month, the Dutch Data-Protection Authority took action against a company in part for failing to translate privacy information to Dutch for users in the Netherlands. In this project, you will systematically identify global websites or third-party advertising companies that regularly collect information from users around the world and quantify the extent to which they translate privacy-critical information into other languages.

Database of Financial Companies' Privacy Practices

For years, privacy advocates have pushed for privacy information to be presented to consumers in standardized formats. These standardized formats allow both consumers and computer programs to compare companies' privacy practices. Although standardized formats have yet to be adopted on a large scale in most industries, a large number of financial companies in the United States have begun to use a standardized format for annual privay disclosures required under the Gramm-Leach-Bliley Act. Earlier this year, Professor Cranor and her students wrote computer programs to automatically download and parse privacy disclosures from thousands of financial companies. (See paper.) In this project, you will design an interactive website/database that enables consumers to compare financial companies' privacy practices, find companies that better protect their privacy, and suggest corrections for any incorrect or out of date information in the database.

Privacy software development

Design and implement a privacy-related software tool that offers functionality or features that are different from the other tools currently available. You might develop a stand-alone tool or develop a module for another piece of software, for example Mozilla. Depending on the scope of what you have in mind, it may not be feasible to implement your entire design during this semester, in which case you should implement one component of the design and document the rest of the design, perhaps also implementing a mocked up user interface. Your report should explain the rationale behind your design, the types of privacy protections this software offers, who would be interested in using it, and how it differs from other software currently available.

Privacy software user interface design

Perform user studies and propose new user interface designs for a piece of privacy software (e.g. privacy tools built into web browsers, or tools like Ghostery, DoNotTrackMe, etc.). You might study the entire user interface or focus on one particular aspect, for example the icons used for presenting information to users. Your report should discuss your findings and your proposed design changes, as well as the broader implications for the design of privacy software or our understanding about the ways people conceptualize privacy. This is best done as a team project with at least one team member who is familiar with human-computer interaction methods. This project will require IRB approval (so plan ahead).

Privacy software review

Conduct a "Consumer Reports" style review of consumer privacy software products and services. You should identify a type of product or service to investigate and develop a set of criteria for evaluating and comparing these products. Then you should carry out tests on a set of these products. Your review should include background information on these products and advice for consumers as well as the results of your evaluations. Unlike the real "Consumer Reports" your report is not limited to a few magazine pages, so you can (and should) go into a bit more detail than you will usually find in a magazine review.

Assessment of web browser privacy features

Compare the privacy features in the major web browsers (or alternatively in the major mobile web browsers) and evaluate them in terms of their privacy protection functionality and usability. As a starting point see: CDT's Browser Privacy Features: A Work in Progress (now out of date) and this blog post about privacy features in Internet Explorer 9. You might do a study where you visit a set of web sites with each browser to determine how the privacy features behave at each site. You might conduct a user study to evaluate usability or simply conduct a heuristic usability evaluation. Provide a clear discussion of the various privacy threats that browsers can protect against and evaluate how each browser does. Identify gaps where protections are inadequate and propose new features or redesign existing features to fill those gaps.