8-533 / 8-733 / 19-608: Privacy Policy, Law, and Technology

Computation, Organizations and Society

Fall 2007: Tuesday and Thursday 10:30-11:50 am, NSH 3002
Class web site: http://cups.cs.cmu.edu/courses/privpolawtech-fa07/ [previous semesters]
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/privacy-class
Homework submission: privacy-homework AT cups DOT cs DOT cmu DOT edu

Professor: Lorrie Cranor

Teaching Assistant: Kami Vaniea

Course Description

Privacy issues have been getting increasing attention from lawmakers, regulators, and the media. As a result, businesses are under pressure to draft privacy policies and post them on their web sites, chief privacy officers are becoming essential members of many enterprises, and companies are taking proactive steps to avoid the potential reputation damage of a privacy mistake. As new technologies are developed, they increasingly raise privacy concerns -- the World Wide Web, wireless location-based services, and RFID chips are just a few examples. In addition, the recent focus on national security and fighting terrorism has brought with it new concerns about governmental intrusions on personal privacy. This course provides an in-depth look into privacy, privacy laws, and privacy-related technologies and self-regulatory efforts. Students will study privacy from philosophical, historical, legal, policy, and technical perspectives and learn how to engineer systems for privacy.

This course is intended primarily for graduate students and advanced undergraduate students (juniors and seniors) with some technical background. Programming skills are not required. 8-733 and 19-608 are 12-unit courses for PhD students. Students enrolled under these course numbers will have extra reading and presentation assignments and will be expected to do a project suitable for publication. 8-533 is a 9-unit course for undergraduate students. Masters students may register for any of the course numbers. This course will include a lot of reading, writing, and class discussion. Students will be able to tailor their assignments to their skills and interests, focusing more on programming or writing papers as they see fit. However, all students will be expected to do some writing and some technical work. A large emphasis will be placed on research and communication skills, which will be taught throughout the course.

Required Texts

Readings will be assigned from the following texts. Additional readings will be assigned from papers available online or handed out in class. The web sites for the two required texts also contain pointers to a variety of other books and online resources relevant to this course.

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Date

Topics

Assignment

Tuesday, August 28

Overview [slides]

  • Introductions and review of syllabus
  • Overview of topics to be covered in this course
  • Course preview picture tour

Thursday, August 30

Conceptions of privacy [slides]

Required reading:

Tuesday, September 4

History and philosophy of privacy [slides]

Required reading:

  • Privacy, Information, and Technology, 1C Introduction: Philosophical Perspectives, pp. 33-55.

Optional reading:

Thursday, September 6

Guest lecture, Janice Tsai: Privacy attitudes and behavior

  • Privacy Finder study
  • Privacy surveys - overview and role
  • Research and communication skills: Human Subjects Research

Required reading:

Optional reading:

Homework 1 due

Tuesday, September 11

Fair Information Practices [slides]

Required reading:

Thursday, September 13

Privacy law [slides]

  • US privacy laws - common law, constitutional law, statutory law
  • European Union Directive
  • Privacy, Information, and Technology, 1B Introduction: Information Privacy Law: Origins and Types, pp. 8-33.

Optional reading:

Tuesday, September 18

Privacy self-regulation and the privacy profession [slides]

  • Privacy self-regulation
  • Privacy seal programs - TRUSTe, BBBOnline, etc.
  • Chief privacy officers
  • Industry codes and voluntary guidelines
  • Privacy policies
  • Is privacy self-regulation working?
  • International Association of Privacy Professionals (IAPP)
  • Privacy-related organizations

Required reading:

  • Privacy, Information, and Technology, 4B Privacy, Business Records, and Financial Information: Regulating Business Records and Databases, pp. 197-249.
  • Web Privacy with P3P, Foreword, pp. xi-xiii.
  • Robert Gellman, Privacy: Finding a Balanced Approach to Consumer Options, in Considering Consumer Privacy: A Resource for Policymakers and Practitioners, 2003.

Optional reading:

  • Privacy, Information, and Technology, 4G Privacy, Business Records, and Financial Information: Privacy Policies: Private vs. Public Enforcement, pp. 285-309.
  • Trevor Moores and Gurpreet Dhillon, Do privacy seals in e-commerce really work? CACM, December 2003, pp. 265-271.

Thursday, September 20

Guest lecture, Alessandro Acquisti: Economics of privacy

Required reading:

Optional reading:

Homework 2 due

Tuesday, September 25

Web privacy [slides]

Required reading:

  • Privacy, Information, and Technology, 4A Privacy, Business Records, and Financial Information: The Collection and Use of Personal Data, pp. 185-197.
  • Web Privacy with P3P, Chapter 2: The Online Privacy Landscape, pp. 12-29.
  • Adil Alsaid and David Martin, Detecting Web Bugs With Bugnosis: Privacy Advocacy Through Education, Privacy Enhancing Technologies Workshop, 2002.

Optional reading:

Thursday, September 27

Introduction to P3P [slides]

  • How P3P works
  • P3P user agents
  • P3P history, politics, and evaluation
  • P3P legal and policy issues
  • Writing privacy policies

Required reading:

  • Web Privacy with P3P, Chapter 4: P3P History, pp. 43-57.
  • Web Privacy with P3P, Chapter 5: Overview and Options, pp. 61-80.
  • Web Privacy with P3P, Chapter 12: P3P User Agents and Other Tools, pp. 203-213.
  • Harry Hochheiser, The Platform for Privacy Preferences as a social protocol, ACM Transactions on Internet Technology, 2(4), 2002.

Optional reading:

Tuesday, October 2

Deploying P3P on web sites [slides]

  • Creating P3P policies
  • P3P validation and authoring tools

Required reading:

  • Web Privacy with P3P, Chapter 6: P3P Policy Syntax, pp. 81-109.
  • Web Privacy with P3P, Chapter 7: Creating P3P Policies, pp. 110-132.

Optional reading:

  • Web Privacy with P3P, Chapters 8, 9, 10, 11, pp. 133-202.

Project brainstorming due

Thursday, October 4

eCrime Researchers Summit - no class

Attend at least one panel or at least two paper presentations at eCRS.

Optional reading:

Homework 3 due

Tuesday, October 9

Guest lecture, Ponnurangam Kumaraguru: phishing

  • spam
  • phishing and anti-phishing
  • identity theft
  • Spyware

Required reading:

  • Privacy, Information, and Technology, 4C Privacy, Business Records, and Financial Information: Spam, pp. 249-251.
  • Privacy, Information, and Technology, 4D Privacy, Business Records, and Financial Information: Identity Theft, pp. 251-256.

Optional reading:

Thursday, October 11

Privacy policy management [slides]

  • homework 3 discussion
  • privacy policy authorization languages - APPEL, EPAL, etc.
  • privacy policy management
  • initial discussion with privacy policy project client [Doug Markiewicz's slides]

Required reading:

One-paragraph project description due

Tuesday, October 16

Guest lecture, Aleecia McDonald: Privacy policy research

  • privacy policy trends
  • communicating about privacy
  • standardizing privacy notice formats

Required reading:

Optional reading:

Thursday, October 18

Search engines and social networks [slides]

  • homework 4 discussion
  • privacy and social networks
  • privacy and search engines

Required reading:

Optional reading:

Homework 4 due

Tuesday, October 23

Guest lecture, Sarah Spiekermann: Privacy in ubiquitous computing [slides]

  • privacy in ubiquitous computing
  • privacy and location-based services
  • RFID

Required reading:

Optional reading:

Thursday, October 25

Identity and anonymity [slides]

  • identity, identification, credentials, and authentication
  • anonymity
  • anonymity tools
  • Privacy Enhancing Technologies (PETs)
  • Discuss privacy policy project drafts in class

Required reading:

Optional reading:

Project proposal due

Tuesday, October 30

Data privacy [slides]

  • K-anonymity
  • de-identification and re-identification
  • Data linking and data profiling
  • Techniques for protecting data privacy

Required reading:

Optional reading:

Thursday, November 1

Guest lecture, Marios Savvides: biometrics

Required reading:

  • Anil K. Jain, Arun Ross and Salil Prabhakar, An Introduction to Biometric Recognition, IEEE Transactions on Circuits and Systems for Video Technology, Special Issue on Image- and Video-Based Biometrics, Vol. 14, No. 1, January 2004.

Optional reading:

Homework 5 due

Tuesday, November 6 (election day)

Guest lecture, Steve Sheng: Financial privacy

  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • multi-factor authentication for online banking
  • financial privacy policy study

Required reading:

  • Privacy, Information, and Technology, 4E Privacy, Business Records, and Financial Information: Financial Information, pp. 256-268.

Thursday, November 8

Engineering privacy [slides]

  • Privacy by policy vs. privacy by architecture
  • homework 5 discussion

Required reading:

Optional reading:

Tuesday, November 13

Guest lecture, Anupam Datta [slides]

  • Privacy as contextual integrity
  • Privacy policy specification and enforcement

Required reading:

Optional reading:

Thursday, November 15

Law enforcement and government surveillance [slides]

  • law enforcement and surveillance
  • wiretapping and bugging
  • new surveillance technologies
  • US crypto regulation
  • government surveillance initiatives: Clipper chip, Carnivore, TIA, Echelon, airline passenger screening etc.
  • Research and communication skills: Organizing a research paper
  • Research and communication skills: How to write a good paper
  • Research and communication skills: Creating a research poster

Required reading:

  • Privacy, Information, and Technology, 2A Law Enforcement, Technology, and Surveillance: The Fourth Amendment and Emerging Technology, pp. 57-83.
  • Privacy, Information, and Technology, 3B Privacy and Government Records and Databases: Government Records of Personal Information, pp. 144-175.
  • Privacy, Information, and Technology, 4F Privacy, Business Records, and Financial Information: Government Access to Financial and Business Records, pp. 268-284.

Tuesday, November 20

Guest lecture, Michael Shamos: workplace privacy and medical privacy

  • Medical records privacy issues
  • HIPAA
  • Workplace privacy regulations
  • Workplace privacy invasions

No required reading

Optional reading:

Homework 6 due

Thursday, November 22

Thanksgiving break, no class

Tuesday, November 27

Law enforcement and government surveillance [slides]

Required reading:

  • Privacy, Information, and Technology, 2B Law Enforcement, Technology, and Surveillance: Federal Electronic Surveillance Law, pp. 83-112.
  • Privacy, Information, and Technology, 2C Law Enforcement, Technology, and Surveillance: Government Computer Searches, pp. 112-131.
  • Privacy, Information, and Technology, 3A Privacy and Government Records and Databases: Public Access to Government Records, pp. 134-144.

Optional reading:

Thursday, November 29

Current issues

No required reading

Draft project paper due

Tuesday, December 4

Poster fair

No required reading

Thursday, December 6

Current issues

No required reading

Monday, December 17, 1-4pm, Porter Hall A22

Final project presentations

This class will have no final exam. However, project presentations will be scheduled during our final exam slot. All students are expected to attend.

Final project papers are due December 13 at 10 am.

Course Requirements and Grading

Your final grade in this course will be based on:

You are expected to complete the reading assignments before the class session for which they were assigned. Class discussions will often be based on these assignments and you will not be able to participate fully if you have not done the reading. It is suggested that you write up summaries and highlights as you read each chapter or paper and bring them with you to class.

All homework assignments must be typed and submitted electronically in Microsoft Word or PDF to privacy-homework AT cups DOT cs DOT cmu DOT edu. (Use this address only for submitting homework, not for asking questions about the homework.) Please place the homework number in the subject line (for example, "hw1"). Every homework submission must include a properly formatted bibliography that includes all works you referred to as you prepared your homework. These works should be cited as appropriate in the text of your answers.

All homework is due at 10 am on the due date. We will often discuss homework in class, so you should bring an electronic or hard copy of your homework with you to all classes. You will lose 5% for turning in homework after 10 am on the day it is due. You will lose an additional 5% for each late day after that. I reserve the right to take off additional points or refuse to accept late homework submitted after the answers have been discussed extensively in class. Reasonable extensions will be granted to students with excused absences or extenuating circumstances. Please contact me as soon as possible to arrange for an extension.

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor.

A class mailing list has been set up for announcements, questions, and further discussion of topics discussed in class. Students will be expected to contribute to mailing list discussions. Students should post (non-personal) course-related questions to this mailing list rather than sending them to the instructor directly. Students are encouraged to post course-related items of interest to this mailing list.