8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Semester Project

All students in this course will be required to complete a project that they work on throughout the semester. Students will work in small groups of three to six students. Expectations about the size of the project will scale with the size of the group.

Schedule

September 11 - Project assignment discussed in class
October 14 - One-paragraph project description due (5 points)
October 23 - Project proposal due (10 points)
November 20 - Draft paper due (10 points)
Thursday, December 4 - Poster fair (15 points)
December 12, noon - Final paper due (60 points)

The various project assignments due before the final paper are designed to make sure you are making progress on your project throughout the semester and to give you opportunities to get feedback on your work along the way. Your draft paper will be graded for completeness, not content. For example, you will receive full credit for your draft paper if it has all the expected components and it appears that you put some effort into your draft, even if the content is unpolished. However, if your draft is missing an essential component (for example, a bibliography), you will not receive full credit. You will also lose points for submitting project components late. All project-related assignments will be graded within one week if they are submitted on time. You may also submit these assignments early for early feedback.

Deliverables

One-paragraph Project Description

Turn in a one-paragraph description of the project you intend to complete. List all the team members. Please email your one-paragraph description as plain text (cut and paste into the body of your email) to privacy-homework AT cups DOT cs DOT cmu DOT edu and put "project description NAME1 NAME2" in the subject line (where NAME1 and NAME2 etc. are the names of the people proposing this project. If you want early feedback or help deciding between a few project ideas, please discuss with the professor or TA.

Project Proposal

The project proposal should include:

You might think of the project proposal as being similar to a grant proposal (without the need to fill out government forms or prepare a budget request). In the process of preparing this proposal you should conduct a literature review so that you can cite the relevant related work in your proposal. Besides being a graded assignment, the project proposal serves as a way for you to organize your thoughts about how to proceed with your semester project and to communicate them to your instructor. You will receive feedback on your proposal that may result in some changes to your project plans.

Writing quality (grammar, spelling, clarity, etc.) will be taken into account in your grade.

Please email your project proposal as a PDF file to privacy-homework AT cups DOT cs DOT cmu DOT edu and put "project proposal" in the subject line.

Draft Paper

Your draft paper should be a nearly complete version of your final project report. Please leave place holders for anything that is still incomplete and explain briefly what you expect to add in the final paper. If you developed software or created something as part of the project, please provide screen shots, a link to a demo, or other information so that the instructor can give you feedback on that part as well. Submit your draft paper BOTH via email and hard copy. Submit your draft double-spaced or with wide margins so that there is plenty of room for writing comments. Staple your draft in the top left corner. Do not submit it in a binder or report cover. Your electronic submission should be a PDF file emailed to privacy-homework AT cups DOT cs DOT cmu DOT edu and have "draft paper" in the subject line.

Final Paper

Your project report should document the work you have done on your project. It should include an updated version of the literature review, and background and motivation from your project proposal. If your project primarily involved writing a paper, then your project report may be the only artifact you submit. On the other hand, if you developed software or created something as part of this project, you should submit whatever you created in addition to the report. In the latter case, the report should document what you did and may include information about obstacles you encountered, testing and evaluation, design rationale, etc., as appropriate. Please consult with the instructor about what should be included in your report if you have any doubts. You will be graded both on your results as well as the accompanying explanation in your report.

Students enrolled in the 12-unit versions of this course are expected to write up their report in a format suitable as a conference paper submission.

Because of all the opportunities you have to get feedback on your project during the semester, the final paper and poster presentation will be graded with fairly high standards. What I will be looking for depends a lot on the particular project you choose. Here are some things I will be looking for in most papers.

Please submit your final paper BOTH via email and hard copy. Your electronic submission should be sent to privacy-homework AT cups DOT cs DOT cmu DOT edu and should have "final paper" in the subject line.

Poster

A poster session (open to the public) will be scheduled during the last week of classes. You should prepare a poster that provides an overview of your project. A 32x40 inch foam core board and easel will be provided to each student. I will also provide thumb tacks, construction paper, glue sticks and other supplies. You may prepare your poster as a set of up to 9 8.5x11 sheets of paper or print it as a single sheet. SCS provides a large format poster printer by the SCS computing facilities help desk. More details about the poster session will be provided in class.

Your poster grade will be based on the content of your poster, the visual presentation, your oral presentation, and your ability to answer questions. Be prepared to give a three-minute presentation to your instructor or other poster evaluator and answer their questions.

Project ideas

The following are a list of suggested projects. Students may select one of these projects or develop their own project idea in consultation with the instructor.

Privacy protection strategies used on social networks

Conduct a study of social network users (in general or pick a particular one -- Facebook, Twitter, etc.) to determine their strategies for protecting their privacy. Do they self-censor, setup multiple accounts, use protected tweets, etc.? What strategies are most popular? What privacy threats do people believe they are protecting against? What privacy threats do they feel they have not adequately protected against? You might use interviews, focus groups, or surveys for this project. You will need IRB approval for this project--plan to get it early.

Privacy art installation

Create an interactive art piece that illustrates a privacy-related concept, makes viewers more aware of privacy issues, or causes the viewer to reflect on their feelings about privacy. Write a report that documents the piece, describes how viewers interacted with it or reacted to it, and includes relevant background.

International Privacy Survey

For decades, a small number of researchers have aimed to understand the international dimensions of privacy. For instance, in what ways do privacy norms compare and contrast across cultures? What types of behaviors are considered private in some countries, yet public in others? Are privacy concerns universal, or are some privacy concerns isolated to particular countries? Does the conception of privacy itself differ across countries? Many past studies of cultural differences in privacy have suffered from small or biased samples, surveys that were only available in English, or surveys that were restricted to only a small number of countries. Design and conduct an international privacy survey that investigates some of these questions using Amazon's Mechanical Turk or another popular crowdsourcing site. You will need IRB approval for this project--plan to get it early.

Privacy Notice-- In What Language?

The Internet has made the world smaller. Users from hundreds of different countries, speaking hundreds of different languages, access globally popular websites like Google, Facebook, Wikipedia, and Pinterest. However, members of Professor Cranor's CUPS lab have recently shown that even if a site is offered in a particular language, critical privacy information is not necessarily available at all in that language. The Dutch Data-Protection Authority took action against a company in part for failing to translate privacy information to Dutch for users in the Netherlands. In this project, you will systematically identify global websites or third-party advertising companies that regularly collect information from users around the world and quantify the extent to which they translate privacy-critical information into other languages.

Privacy software development

Design and implement a privacy-related software tool that offers functionality or features that are different from the other tools currently available. You might develop a stand-alone tool or develop a module for another piece of software, for example Mozilla. Depending on the scope of what you have in mind, it may not be feasible to implement your entire design during this semester, in which case you should implement one component of the design and document the rest of the design, perhaps also implementing a mocked up user interface. Your report should explain the rationale behind your design, the types of privacy protections this software offers, who would be interested in using it, and how it differs from other software currently available.

Privacy software user interface design

Perform user studies and propose new user interface designs for a piece of privacy software (e.g. privacy tools built into web browsers, or tools like Ghostery, DoNotTrackMe, etc.). You might study the entire user interface or focus on one particular aspect, for example the icons used for presenting information to users. Your report should discuss your findings and your proposed design changes, as well as the broader implications for the design of privacy software or our understanding about the ways people conceptualize privacy. This is best done as a team project with at least one team member who is familiar with human-computer interaction methods. This project will require IRB approval (so plan ahead).

Privacy software review

Conduct a "Consumer Reports" style review of consumer privacy software products and services. You should identify a type of product or service to investigate and develop a set of criteria for evaluating and comparing these products. Then you should carry out tests on a set of these products. Your review should include background information on these products and advice for consumers as well as the results of your evaluations. Unlike the real "Consumer Reports" your report is not limited to a few magazine pages, so you can (and should) go into a bit more detail than you will usually find in a magazine review.

Assessment of web browser privacy features

Compare the privacy features in the major web browsers (or alternatively in the major mobile web browsers) and evaluate them in terms of their privacy protection functionality and usability. As a starting point see: CDT's Browser Privacy Features: A Work in Progress (now out of date) and this blog post about privacy features in Internet Explorer 9. You might do a study where you visit a set of web sites with each browser to determine how the privacy features behave at each site. You might conduct a user study to evaluate usability or simply conduct a heuristic usability evaluation. Provide a clear discussion of the various privacy threats that browsers can protect against and evaluate how each browser does. Identify gaps where protections are inadequate and propose new features or redesign existing features to fill those gaps.

Web measurement study

Conduct a web measurement study that provides data on the prevalence of tracking, advertising, or privacy leakages. You might study whether Do Not Track is effective in preventing tracking or behavioral ads, or whether there is racial bias or price discrimination in e-commerce sites or ads. This could be a replication of previous work using more recent technologies, or focus on a new area.

Survey of online privacy browser extensions

Many browser extensions exist that aim to protect the privacy of users when visiting websites. The goal of this project is to categorize such browser extensions available for common browsers (e.g. Firefox, Chrome) or proposed in research and to analyze what kind of features they offer. A special emphasis should be placed on the user interfaces of those extensions. What kind of information do they communicate to users? If and how do they make users aware of privacy issues of a website? What support to they offer to users for managing their privacy?

The limits of location privacy

Location privacy has significant security implications in both civilian and military settings. In civilian settings, smartphones might leak acceleration information which, in aggregate, determines an end-user's location. In military settings, communications devices and/or road topology might expose information from which an adversary -- given sufficient mathematical models -- could derive a rough location. Thus, I propose the following research problem: under what conditions is it possible to navigate from a known starting location to a destination without revealing the destination to an adversary? Given some positive or negative answer to this question, what are the policy and/or legal implications? How can results be disseminated to stakeholders?