8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Fall 2014: Tuesday and Thursday 3 - 4:20 pm, NSH 3002
Class web site: http://cups.cs.cmu.edu/courses/pplt-fa14/ [previous semesters]
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/privacy-class

Instructor: Lorrie Cranor, Professor of Computer Science and Engineering & Public Policy

Email: lorrie AT cs DOT cmu DOT edu
Web: http://lorrie.cranor.org/
Office: CIC 2207
Office hours: by appointment

Teaching Assistant: Rebecca Balebako

Email: balebako AT cmu DOT edu
Web: http://www.rebeccahunt.com

Office: CIC 2222H

Office hours: by appointment

Course Description

This course focuses on policy issues related to privacy from the perspectives of governments, organizations, and individuals. We will begin with a historical and philosophical study of privacy and then explore recent public policy issues. We will examine the privacy protections provided by laws and regulations, as well as the way technology can be used to protect privacy. We will emphasize technology-related privacy concerns and mitigation, for example: social networks, smartphones, behavioral advertising (and tools to prevent targeted advertising and tracking), anonymous communication systems, big data, and drones.

This course is part of a three-course series of privacy courses offered as part of the MSIT-Privacy Engineering masters program. These courses may be taken in any order or simultaneously. Foundations of Privacy (offered in the Fall semester) offers more indepth coverage of technologies and algorithms used to reason about and protect privacy. Engineering Privacy in Software (offered in the Spring semester) focuses on the methods and tools needed to design systems for privacy.

This course is intended primarily for graduate students and advanced undergraduate students (juniors and seniors) with some technical background. Programming skills are not required. 8-733, 19-608, and 95-818 are 12-unit courses for PhD students. Students enrolled under these course numbers will have extra assignments and will be expected to do a project suitable for publication. 8-533 is a 9-unit course for undergraduate students. Masters students may register for any of the course numbers permitted by their program. This course will include a lot of reading, writing, and class discussion. Students will be able to tailor their assignments to their skills and interests, focusing more on programming or writing papers as they see fit. However, all students will be expected to do some writing and some technical work. A large emphasis will be placed on research and communication skills, which will be taught throughout the course.

Required Text

Peter P. Swire and Kenesa Ahmad. Foundations of Information Privacy and Data Protection: A Survey of Global Concepts, Laws and Practices. IAPP: 2012. Order this book from the IAPP at https://privacyassociation.org/certify/get-started/cipt/. If you plan to take the IAPP CIPP exams, you will need to join the IAPP, so you might as well join now and get the book at a discount.

All online papers are either publicly available for free, available through the CMU library for free, or available in a password-protected part of this website to students in this course. (The CMU library provides a VPN for off-campus and wireless access to library materials.)

Optional texts

JC Cannon. Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals. (Order this book from the IAPP as well. If you plan to take the CIPT exam, this book is recommended. If you plan to take other IAPP certification exams, get the recommended book for those exams.)

Dave Eggers. The Circle. Knopf, 2013.

Objectives:

By the end of this course, students should:

Be able to discuss why privacy is important to society
Be familiar with the fair information practice principles as well as the privacy law and policy landscape in the United States
Understand the differences between privacy regulation in the US and EU, and be able to discuss different regulatory approaches to privacy
Be able to read, understand, and evaluate privacy policies
Understand the mechanics of online tracking and other technologies with privacy implications
Be able to communicate the privacy implications of a technology with policy-makers, lawyers, and engineers
Be prepared to pass the IAPP Certified Information Privacy Professional exams (These exams will be given on campus this spring. They will be offered free of charge to students who are IAPP student members. See https://privacyassociation.org/certify/programs/ )

Course Schedule

Note, this schedule is subject to change. The class web site will have the most up-to-date version of this calendar. Assignments will be finalized at least one week before due date or as announced in class.

Date	Topics	Assignment
Tuesday, August 26	Overview [slides] Introductions Syllabus Topics to be covered Course preview picture tour	No required reading
Thursday, August 28	Conceptions of privacy [slides] What is privacy? What does privacy mean to you? How has privacy been conceptualized over time?	Required reading: The Circle (excerpt) Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 1 pages 1-15 Optional reading R. Kemp and A. Moore. Privacy. Library Hi Tech 25.1 (2007):58-78. Nissenbaum, Helen F., Privacy as Contextual Integrity. Washington Law Review, Vol. 79, No. 1, 2004. S. Warren and L. Brandeis. The Right to Privacy. Harvard Law Review Vol. IV, No. 5. December 15, 1890.
Tuesday, September 2	Privacy harms [slides] Types of privacy harms Why does privacy matter? Research and communication skills Avoiding plagiarism Creating a bibliography and citing sources	Required reading: Daniel Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, San Diego Law Review, Vol. 44, 2007. Calo, M. Ryan, The Boundaries of Privacy Harm. Indiana Law Journal, Vol. 86, No. 3, 2011. Optional reading: Daniel Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006.
Thursday, September 4	Debate on the virtue of forgetting [slides] Homework 1 discussion	Required reading: Bennett, Steven C The Right to Be Forgotten: Reconciling EU and US Perspectives 30 Berkeley J. Int'l L. 161 (2012) Optional reading: Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age, Princeton University Press, 2011 (Chapter 1) Peter Fleischer Foggy Thinking About the Right to Oblivion Personal Blog, blogspot.com (Google's Global Privacy Counsel) Conor Friedersdorf This Man Has Nothing to Hide -- Not Even His Email PasswordThe Atlantic, August 26 2014 Homework 1 due
Tuesday, September 9	Privacy economics, attitudes, and behavior [slides] Research and communications skills Human Subjects Research	Required reading: Hal Varian, Economic Aspects of Personal Privacy, in Privacy and Self-Regulation in the Information Age, 1997. Alessandro Acquisti and Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE Security & Privacy, January/February 2005, pp. 24-30. Optional reading: Juan Pablo Carrascal, Christopher Riederer, Vijay Erramilli, Mauro Cherubini, and Rodrigo de Oliveira. 2013. Your browsing behavior for a big mac: economics of personal information online. WWW2013, 189-200. L. Brandimarte, A. Acquisti, G. Loewenstein. Misplaced Confidences: Privacy and the Control Paradox. Social Psychological and Personality Science May 2013 vol. 4 no. 3 340-347. J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems Research, published online February 2010.
Thursday, September 11	Fair information practices and privacy principles [slides] Introduce course project Research and communication skills Using library resources Writing a literature review	Required reading: Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 1 p 15-23 Lorrie Faith Cranor, I Didn't Buy it for Myself, in Designing Personalized User Experiences in eCommerce, 2004. Optional reading: Cate, Fred H., The Failure of Fair Information Practice Principles (2006). Consumer Protection in the Age of the Information Economy, 2006. Robert Gellman. Fair Information Practices: A Basic History. Version 1.92, June 24, 2013.
Tuesday, September 16	Privacy law overview [slides] Homework 2 Discussion Introduce course project	Required reading: Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapters 2 and 3 Optional reading: Solove, Daniel J. and Hartzog, Woodrow, The FTC and the New Common Law of Privacy (August 19, 2013). Homework 2 due
Thursday, September 18	Privacy regulation, self-regulation, and enforcement [slides]	Required reading: The White House. Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights, FTC. Protecting Consumer Privacy in an Era of Rapid Change. March 2012. Optional reading: L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur. Are They Actually Any Different? Comparing Thousands of Financial Institutions' Privacy Practices. WEIS 2013. Bamberger, Kenneth A. and Mulligan, Deirdre K., Privacy on the Books and on the Ground. Stanford Law Review, Vol. 63, January 2011.
Tuesday, September 23	Privacy notice and choice [slides]	Required reading: L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012. N Lundblad and B Masiello, "Opt-in Dystopias", (2010) 7:1 SCRIPTed 155. Watch Fred Cate’s opening keynote from the Workshop on the Future of Privacy Notice and Choice (42 minutes) https://www.cylab.cmu.edu/news_events/events/fopnac/media.html Optional reading: Carlos Jensen and Colin Potts, Privacy policies as decision-making tools: an evaluation of online privacy notices, CHI 2004, pp. 471-478. Irene Pollach, What's wrong with online privacy policies?, CACM September 2007, 50(9): 103-108. P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012. P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI2010. First Chapter of More Than You Wanted to Know: The Failure of Mandated Disclosure Omri Ben-Shahar & Carl E. Schneider A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008. Solove, Daniel J., Privacy Self-Management and the Consent Dilemma 126 Harvard Law Review 1880 (2013)
Thursday, September 25	International Privacy Laws and Cultural Differences [slides] Homework 3 discussion	Required reading: Nir Kshetri, China's Data Privacy Regulations: A Tricky Tradeoff between ICT's Productive Utilization and Cybercontrol, Security & Privacy, IEEE , vol.12, no.4, pp.38,45, July-Aug. 2014 B. Ur and Y. Wang. A Cross-Cultural Framework for Protecting User Privacy in Online Social Media. In WWW Workshop on Privacy and Security in Online Social Media (PSOSM13), Rio de Janeiro, Brazil, 2013. Optional reading: Paul Beynon‐Davies Personal identity management and electronic government: The case of the national Identity Card in the UK Journal of Enterprise Information Management 2007 20:3, 244-270 J. Lin, M. Benisch, N. Sadeh, J. Niu, J. Hong, B. Lu, and S. Guo. A comparative study of location-sharing privacy preferences in the United States and China. Personal and Ubiquitous Computing. vol 17, num 4., April 2013, pp. 697-711. Kumaraguru, P., and Sachdeva, N. Privacy in India: Attitudes and Awareness V 2.0. Tech. rep., Precog-TR-12-001, Precog@IIIT-Delhi, 2012. Harris, Andrew, Seymour Godman, and Patrick Traynor. Privacy and security concerns associated with mobile money applications in Africa." (2013). Homework 3 Due
Tuesday, Sept 29	Internet monitoring and web tracking [slides]	Required reading: L. Cranor, M. Sleeper, and B. Ur. Chapter 7 Tracking and Surveillance. In Privacy Handbook for IT Professionals. 2013. Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 5 Optional reading: B. Ur, P.G. Leon, L.F. Cranor, R. Shay, and Y. Wang. Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising, SOUPS 2012. R. Balebako, P.G. Leon, R. Shay, B. Ur, L.F. Cranor. Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising. W2SP 2012. P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. SOUPS 2013. Lalit Agarwal, Nisheeth Shrivastava, Sharad Jaiswal, Saurabh Panjwani. Do Not Embarrass: Re-Examining User Concerns for Online Tracking and Advertising. SOUPS 2013. P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013. G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens and B. Preneel. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of CCS 2013, Nov. 2013. P.G. Leon, J. Cranshaw, L.F. Cranor, J. Graves, M. Hastak, B. Ur. What Do Online Behavioral Advertising Disclosures Communicate to Users?, WPES 2012. David M. Kristol. 2001. HTTP Cookies: Standards, privacy, and politics. ACM Trans. Internet Technol. 1, 2 (November 2001), 151-198. http://doi.acm.org/10.1145/502152.502153
Thursday, October 2	W3C The Platform for Privacy Preferences (P3P) [slides]	Required reading: Harry Hochheiser, The Platform for Privacy Preferences as a social protocol, ACM Transactions on Internet Technology, 2(4), 2002. P.G. Leon, L.F. Cranor, A.M. McDonald, and R. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens WPES 2010. Optional reading The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C 2006. P. Resnick and L. Cranor. Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23. L. Cranor, L., Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293.
Tuesday, October 7	Do Not Track [slides] Homework 4 discussion	Required reading: W3C. Tracking Compliance and Scope. W3C Working Draft. [read/skim the latest published version] W3C Tracking Preference Expression (DNT). W3C Working Draft. [read/skim the latest published version] Jonathan Mayer and John Mitchell. Third-party web tracking: Policy and technology. IEEE Symposium on Security and Privacy 2012. Optional reading J. McDonald and J. Peha. Track Gap: Policy Implications of User Expectations for the 'Do Not Track' Internet Privacy Feature. TPRC 2011. O. Tene and J. Polonetsky. To Track or 'Do Not Track': Advancing Transparency and Individual Control in Online Behavioral Advertising. Minnesota Journal of Law, Science & Technology 13.1. 2012 Hoofnagle, Chris Jay, Urban, Jennifer M. and Li, Su, Privacy and Modern Advertising: Most US Internet Users Want 'Do Not Track' to Stop Collection of Data about their Online Activities (October 8, 2012). Amsterdam Privacy Conference, 2012 Homework 4 due
Thursday, October 9	Biometrics and facial recognition [slides] Field Trip to CMU biometrics lab after brief lecture	Required reading A Face in the Crowd: Say goodbye to anonymity, 60 Minutes, August 25, 2013 Anil K. Jain, Arun Ross and Salil Prabhakar, An Introduction to Biometric Recognition, IEEE Transactions on Circuits and Systems for Video Technology, Special Issue on Image- and Video-Based Biometrics, Vol. 14, No. 1, January 2004. Optional reading: J. Pato and L. Millett, Eds. Biometric Recognition: Challenges and Opportunities. National Academies Press, 2010. [You can read just Chapter 4: Cultural, Social, and Legal Considerations] Mordini and Massari. Body, Biometrics and Identity. Bioethics Volume 22 Number 9 2008 pp 488-498. Matsumoto, Matsumoto, Yamada, and Hoshino. Impact of Artificial "Gummy" Fingers on Fingerprint Systems. Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, Thursday-Friday 24-25 January 2002.
Tuesday, October 14	Location tracking [slides]	Required reading: Janice Tsai, Patrick Gage Kelley, Lorrie Faith Cranor and Norman Sadeh, Location Sharing Technologies: Privacy Risks and Controls, I/S: A Journal of Law and Policy for the Information Society, Vol. 6, No. 2, Summer 2010, pp. 119-151. Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen & Vincent D. Blondel. Unique in the Crowd: The privacy bounds of human mobility. Scientific Reports 3, Article number: 1376. 25 March 2013. Ann Cavoukian, Nelish Bansal, Nick Koudas, Building Privacy into Mobile Location Analytics (MLA) Through Privacy by Design, privacybydesign.ca Optional reading: A. Narayanan, N. Thiagarajan, M. Lakhani, M. Hamburg, and D. Boneh. Location privacy via private proximity testing. NDSS 2011. One-paragraph project description due
Thursday, October 16	Privacy on social networks [slides] Homework 5 discussion	Required reading: Yang Wang, Gregory Norcie, Saranga Komanduri, Alessandro Acquisti, Pedro Giovanni Leon, and Lorrie Faith Cranor. I regretted the minute I pressed share: A qualitative study of regrets on Facebook. In Proc. of SOUPS, p. 10. ACM, 2011. Morrison, Caren Myers Passwords, Profiles, and the Privilege against Self-Incrimination: Facebook and the Fifth Amendment; 65 Ark. L. Rev. 133 (2012) Optional reading: Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. 2013. The post that wasn't: exploring self-censorship on facebook. In Proc of CSCW '13. ACM Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. 2014. A field trial of privacy nudges for facebook. In Proc of SIGCHI Conference on Human Factors in Computing Systems (CHI '14). Homework 5 due
Tuesday, October 21	Parents, teenagers, and student privacy issues [slides]	Required reading: Marwick, Alice E., Murgia-Diaz, Diego and Palfrey, John G., Youth, Privacy and Reputation (Literature Review). Berkman Center Research Publication No. 2010-5; Harvard Public Law Working Paper No. 10-29. Optional reading: Pew Internet, 2012. Parents, teens, and online privacy. d. boyd, E. Hargittai, J. Schultz, and J. Palfrey. Why parents help their children lie to Facebook about age: unintended consequences of the Children's Online Privacy Protection Act. First Monday, 7 November 2011. Alexei Czeskis, Ivayla Dermendjieva, Hussein Yapit, Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno. Parenting from the pocket: value tensions and technical directions for secure and private parent-teen mobile safety. SOUPS 2010. COPPA overview on EPIC website
Thursday, October 23	Smartphone privacy concerns [slides]	Required reading: K. Harris, Privacy on the go: recommendations for the mobile ecosystem, California Department of Justice, January 2013 Balebako, R., C. Bravo-Lillo, Cranor, L. Is Notice Enough: Mitigating the Risks of Smartphone Data Sharing I/S: A Journal of Law and Policy for the Information Society Optional reading: P.G. Kelley, L.F. Cranor, and N. Sadeh. Privacy as Part of the App Decision-Making Process. CHI 2013. P.G. Kelley, S. Consolvo, L.F. Cranor, J. Jung, N. Sadeh, D. Wetherall. A Conundrum of Permissions: Installing Applications on an Android Smartphone. Workshop on Usable Security. March 2, 2012, Bonaire.<.li> A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. SOUPS 2012. J. King. "How Come I'm Allowing Strangers To Go Through My Phone?"--Smartphones and Privacy Expectations. Draft 2013. Project proposal due
Tuesday, October 28	Identity and anonymity [slides] Homework 6 discussion	Required reading: David Chaum, Security without Identification: Card Computers to make Big Brother Obsolete, 1987. Optional reading: Michael Reiter and Aviel Rubin, Anonymous Web transactions with Crowds, CACM 42(2), February 1999, pp. 32-48. Ann Cavoukian, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, 2006. Marc Waldman, Aviel Rubin, and Lorrie Cranor, The architecture of robust publishing systems, TOIT, 1(2), November 2001, pp. 199-230. A. Pfitzmann and M. Hansen, Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology. Kim Cameron, The Laws of Identity, 2005. Homework 6 due
Thursday, October 30	Data privacy and big data [CANCELLED]	See November 6th
Tuesday, November 4 Election day	Mid-term	No new reading
Thursday, November 6	Data privacy and big data [slides]	Required reading: Chris Clifton, Chapter 4 Identity and Anonymity. In Privacy Handbook for IT Professionals. 2013. Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013). Latanya Sweeney, k-Anonymity: a model for protecting privacy, International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570. Optional reading: E. Klarreich, Privacy by the Numbers: A New Approach to Safeguarding Data. Scientific American. December 21, 2013. Sweeney L. Matching Known Patients to Health Records in Washington State Data. Harvard University. Data Privacy Lab. White Paper 1089-1. June 2013. Papers from Privacy and Big Data Symposium (you can select just one to write-up for your homework assignment) Latanya Sweeney, Information Explosion, in Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, Urban Institute, Washington, DC, 2001. Daniel C. Barth-Jones The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012). A. Machanavajjhala, J.Gehrke, D. Kifer and M. Venkitasubramaniam. l-Diversity: Privacy Beyond k-Anonymity. ICDE 2006.
Tuesday, November 11	Privacy engineering, privacy by design, privacy impact assessments, and privacy governance [slides]	Required reading: Microsoft, Privacy Guidelines for Developing Software Products and Services, 2007. Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering Vol. 35, No. 1, January/February, 2009, pp. 67-82. Optional reading: Javier Salido, Data Governance for Privacy, Confidentiality and Compliance: A Holistic Approach, ISACA Journal, Volume 6, 2010. Rubinstein, Ira and Good, Nathan, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents (August 11, 2012). Berkeley Technology Law Journal, Forthcoming.
Thursday, November 13	Government surveillance [slides]	Required reading: Angwin, Julia. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. Macmillan, 2014. Chapter 2 J. Risen and L. Poitras N.S.A. Collecting Millions of Faces From Web ImagesMay 31, 2014 Optional reading: C. Soghoian. The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance. Indiana University Dissertation, August 2012. [Only Chapter 7 is required reading - pp.82-92 of the PDF file.] NSA collects millions of e-mail address books globally. The Washington Post, October 14, 2013. American Civil Liberties Union and ACLU of Virginia. Brief of Amici Curiae American Civil Liberties Union and ACLU of Virginia in support of party-in-interest - appellant's appeal seeking reversal [Lavabit amicus brief] Connecting the Dots Can the tools of graph theory and social-network studies unravel the next big plot? American Scientist Glenn Greenwald, Ewen MacAskill, Laura Poitras, Spencer Ackerman and Dominic Rushe. Microsoft handed the NSA access to encrypted messages. The Guardian, 11 July 2013. Barton Gellman and Ashkan Soltani. NSA collects millions of email address books Craig TimburgFor sale: Systems that can secretly track where cellphone users go around the globe Washington Post, August 24 2014
Tuesday, November 18	Drones [Guest Speaker Nathan Michael] [slides] Homework 7 discussion	Required Reading The Drone as Privacy Catalyst December 12, 2011 64 Stan. L. Rev. Online 29 Optional Reading Brookings to Legislatures: Stop Worrying and Learn to Love the DroneSean Gallaghar, ArsTechnica.com Nov 13, 2014 Homework 7 due
Thurs, November 20	Data breach and identity theft [slides] Research and communications skills How to write a research paper How to create a research poster	Required reading: S. Dingman, S. Silcoff, R. Greenspan Hacked: The escalating arms race against cybercrimeThe Globe and Mail. Oct 24, 2014 Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 4 Optional reading: Jason Hong, The State of Phishing Attacks, CACM Vol 55 No 1, pp. 74-81, January 2012. Paul N. Otto, Annie I. Anton, David L. Baumer, The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information, IEEE Security & Privacy. Draft project paper due
Tuesday, November 25	Health and genetic privacy [slides]	Required reading: "George Doe" and Julia Belluz With genetic testing, I gave my parents the gift of divorce vox.com, Sept. 9 2014 Yaniv Erlich & Arvind Narayanan Routes for breaching and protecting genetic privacy Nature Reviews Genetics 15, 409-421 doi:10.1038/nrg3723 Optional reading: Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. 2013 Jan 18;339(6117):321-4. L. Rodriguez, et al. Research ethics: the complexities of genomic identifiability. Science. 2013; 339: 275-276. M. Humbert, E. Ayday, J.-P. Hubaux and A. Telenti. Addressing the Concerns of the Lacks Family: Quantification of Kin Genomic Privacy. 20th ACM Conference on Computer and Communications Security (CCS 2013), Berlin, Germany, 2013.
Thursday, November 27	Thanksgiving break, no class
Tuesday, December 2	Exam Discussion [slides]	No required reading
Thursday, December 4	Poster fair GHC 6115	No required reading
Dec 11	Final Exam	1-4pm
Friday, December 12, noon	Deadline	Final project due

Course Requirements and Grading

Your final grade in this course will be based on:

10% class participation (class attendance, participation in class and online discussions)
15% quizzes
25% homework assignments
25% project
25% Midterm and final exam

You are expected to complete the reading assignments before the class session for which they were assigned. Class discussions will often be based on these assignments and you will not be able to participate fully if you have not done the reading. It is suggested that you write up summaries and highlights as you read each chapter or paper and bring them with you to class.

Quizzes at the beginning of each class will be based on the readings for that day. It is suggested that you arrive on time in order to complete the daily quiz with sufficient time.

All homework assignments must be typed and submitted in hard copy in class on the day it is due. Every homework submission must include a properly formatted bibliography that includes all works you referred to as you prepared your homework. These works should be cited as appropriate in the text of your answers.

All homework is due at the beginning of class on the due date. You will lose 10% for turning in homework late (5 minutes or more after class has started) on the due date. You will lose an additional 10% for each late day after that. I reserve the right to take off additional points or refuse to accept late homework submitted after the answers have been discussed extensively in class. Reasonable extensions will be granted to students with excused absences or extenuating circumstances. Please contact me as soon as possible to arrange for an extension.

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor. Please familiarize yourself with the CMU Policy on Academic Integrity.

A class mailing list has been setup for announcements, questions, and further discussion of topics discussed in class. Students will be expected to contribute to mailing list discussions. Students should post (non-personal) course-related questions to this mailing list rather than sending them to the instructor directly. Students are encouraged to post course-related items of interest to this mailing list.