05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security

Spring 2014: GHC 4102, Tuesdays and Thursdays 3:00pm-4:20pm
Class web site: http://cups.cs.cmu.edu/courses/ups-sp14/
Class mailing list: https://mailman.srv.cs.cmu.edu/mailman/listinfo/ups-class

Professor: Lorrie Cranor
Email: lorrie AT cmu DOT edu
Web: http://lorrie.cranor.org/
Phone: 412-268-7534
Office: CIC 2207
Office hours: Wednesdays 3:00pm - 4:00pm and by appointment

Teaching assistant: Blase Ur
Email: blase AT blaseur DOT com
Web: http://www.blaseur.com/
Phone: --
Office: CIC 2222 (cubicles)
Office hours: Tuesdays 4:30pm - 5:30pm and by appointment

Students in this course may also be interested in joining the CUPS mailing list.

This course does not use Blackboard.

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an important role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user interface problems related to privacy and security and to give them experience in designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do a weekly reading assignment and each week different students will prepare a presentation for the class. Students will also work on a group project throughout the semester.

The course is open to all graduate students who have technical backgrounds. The 12-unit course numbers (08-734 and 5-836) are for PhD students and masters students. Students enrolled in these course numbers will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (08-534 and 05-436) are for juniors, seniors, and masters students. Students enrolled in these course numbers will have less demanding project and presentation requirements.

Readings

Readings will be assigned from the following text (available in the CMU bookstore and from all the usual online stores):

Research Methods in Human-Computer Interaction. Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU VPN).

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Date	Topics	Assignment To be done before coming to class
Tuesday, January 14	01. Course overview and introductions [SLIDES]	No readings for this class.
Thursday, January 16	02. Introduction to HCI methods and the design of experiments [SLIDES] Usability and user interfaces Design and prototyping Types of experiments Evaluation and types of experiments	Required reading: Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999. (USENIX '99) Lazar et al. Research Methods in Human-Computer Interaction. Chapter 2: Experimental Research Lazar et al. Research Methods in Human-Computer Interaction. Chapter 14: Working With Human Subjects No optional readings for this class.
Tuesday, January 21	03. Reasoning About the Human in the Loop (and why we should care) [SLIDES] Introduction to usable security Approaches to making security usable Human-in-the-loop framework Human threat identification and mitigation process	Required reading: Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of the 1st Conference on Usability, Psychology, and Security, 2008. (UPSEC '08) Anne Adams and Martina Angela Sasse. Users Are Not The Enemy. In Communications of the ACM, Volume 42, Issue 12, pp. 40--46, December 1999. Optional reading: L. Jean Camp. Reconceptualizing the Role of Security User. In Daedalus, Volume 140, Number 4, pp. 93--107, Fall 2011. Butler Lampson. Usable Security: How to Get It. In Communications of the ACM, Volume 52, Issue 11, pp. 25--27, November 2009. Steven Furnell. Making security usable: Are things improving? In Computers & Security, Volume 26, Issue 6, pg. 434--443, September 2007. W. Keith Edwards, Erika Shehan Poole, and Jennifer Stoll. Security Automation Considered Harmful? In Proceedings of the 2007 New Security Paradigms Workshop, 2007. (NSPW '07) M.E. Kabay. Using Social Psychology to Implement Security Policies. In Computer Security Handbook, 4th edition, 2002.
Thursday, January 23	04. Designing field studies that are ethical and ecologically valid, Mechanical Turk [SLIDES] Experimental design process IRB process Homework 1 due	Required reading: Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. In Communications of the ACM, Volume 50, Issue 10, pp. 94--100, October 2007. Lazar et al. Research Methods in Human-Computer Interaction. Chapter 3: Experimental Design Optional reading: [Ethics] Cristian Bravo-Lillo, Serge Egelman, Cormac Herley, Stuart Schechter, and Janice Tsai. You Needn't Build That: Reusable Ethics-Compliance Infrastructure for Human Subjects Research. In Proceedings of the Cyber-security Research Ethics Dialog & Strategy Workshop, 2013. (CREDS '13) Tarun Parwani, Ramin Kholoussi, and Panagiotis Karras. How to Hack into Facebook without Being a Hacker. In WWW Workshop on Privacy and Security in Online Social Media, 2013. (PSOSM '13) Alexander De Luca, Marc Langheinrich, and Heinrich Hussmann. Towards Understanding ATM Security - A Field Study of Real World ATM Use. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) Patrick Gage Kelley. Conducting usable privacy and security studies with Amazon's Mechanical Turk. In Proceedings of the Usable Security Experiment Reports Workshop, 2010. (USER '10)
Tuesday, January 28	05. Surveys, interviews, focus groups, diary studies [SLIDES]	Required reading: Xuan Zhao, Niloufar Salehi, Sashi Naranjit, Sara Alwaalan, Stephen Voida, and Dan Cosley. The Many Faces of Facebook: Experiencing Social Media as Performance, Exhibition, and Personal Archive. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Manya Sleeper, Justin Cranshaw, Patrick Gage Kelley, Blase Ur, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. "I read my Twitter the next morning and was astonished": A Conversational Perspective on Twitter Regrets. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and Privacy: It's Complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) Yang Wang, Saranga Komanduri, Pedro Giovanni Leon, Gregory Norcie, Alessandro Acquisti, and Lorrie Faith Cranor. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Optional reading: Lazar et al. Research Methods in Human-Computer Interaction. Chapter 5: Surveys Lazar et al. Research Methods in Human-Computer Interaction. Chapter 6: Diaries Lazar et al. Research Methods in Human-Computer Interaction. Chapter 7: Case Studies Lazar et al. Research Methods in Human-Computer Interaction. Chapter 8: Interviews and Focus Groups Lazar et al. Research Methods in Human-Computer Interaction. Chapter 11: Analyzing Qualitative Data
Thursday, January 30	06. Quantitative studies, statistics [SLIDES] Homework 2 due	Required reading: Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12) Serge Egelman, David Molnar, Nicolas Christin, Alessandro Acquisti, Cormac Herley, and Shriram Krishnamurthi. Please Continue to Hold: An empirical study on user tolerance of security delays. In Workshop on the Economics of Information Security, 2010. (WEIS '10). If you have minimal background in statistics, read [Introductory] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 4: Statistical Analysis. However, if you have a stronger background in stats, pick one of the more advanced readings from among the optional readings, below. Optional reading: Lazar et al. Research Methods in Human-Computer Interaction. Chapter 10: Usability Testing Lazar et al. Research Methods in Human-Computer Interaction. Chapter 12: Automated Data Collection Methods (Various) Mark S. Kaiser. Any one of the chapters on advanced statistical methods. (Factor Analysis) Frank J. Floyd and Keith F. Widaman. Factor Analysis in the Development and Refinement of Clinical Assessment Instruments. (Mixed Models) Donald Hedeker. Generalized Linear Mixed Models. (Mixed Models) Any one of the chapters on mixed-effects models (with R tutorials) (Repeated Measures) Michael Kristensen and Thomas Hansen. Statistical analyses of repeated measures in physiological research: a tutorial (Regression Analysis) Alan O. Sykes. An Introduction to Regression Analysis. (Regression Analysis) Robert Kieschnick and B.D. McCullough. Regression analysis of variates observed on (0, 1): percentages, proportions and fractions (k-means) Vance Faber. Clustering and the Continuous k-Means Algorithm. (k-means) D.T. Pham, S.S. Dimov, and C.D. Nguyen. Selection of K in K-means clustering (Hidden Markov Models) Lawrence R. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition
Tuesday, February 4	07. Introduction to security [SLIDES] Discuss course projects in class (no written assignment)	Required reading: Students without a strong security background should read both chapters labeled [Introductory] below. Students with a strong security background (e.g., have taken 700-level security courses at CMU or equivalent) should read two of the papers labeled [Advanced] below. Optional reading: [Introductory] Ross Anderson. Chapter 5: Cryptography In Security Engineering (Second Edition). Wiley, 2008. [Introductory] Ross Anderson. Chapter 21: Network Attack and Defense In Security Engineering (Second Edition). Wiley, 2008. [Advanced] Mingwei Zhang and R. Sekar. Control Flow Integrity for COTS Binaries. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13) [Advanced] Bryan Parno, Craig Gentry, Jon Howell, and Mariana Raykova. Pinocchio: Nearly Practical Verifiable Computation. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) [Advanced] Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov. The Parrot is Dead: Observing Unobservable Network Communications. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) [Advanced] Ariel J. Feldman, Aaron Blankstein, Michael J. Freedman, and Edward W. Felten. Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12) [Advanced] Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12) [Advanced] William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, 2010. (OSDI '10)
Thursday, February 6	08. Introduction to privacy [SLIDES] Defining privacy Online privacy issues Privacy by design Homework 3 due Project preference forms also due	Required reading: Giovanni Iachello and Jason Hong. End-User Privacy in Human-Computer Interaction. In Foundations and Trends in HCI, Volume 1, Number 1, pp. 1--137, 2007. Optional reading: Pedro G. Leon, Justin Cranshaw, Lorrie Faith Cranor, Jim Graves, Manoj Hastak, Blase Ur, and Guzi Xu. What Do Online Behavioral Advertising Disclosures Communicate to Users? In Proceedings of the 11th annual ACM Workshop on Privacy in the Electronic Society, 2012. (WPES '12) Alex Braunstein, Laura Granka, and Jessica Staddon. Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Alexei Czeskis, Ivayla Dermendjieva, Hussein Yapit, Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno. Parenting from the Pocket: Value Tensions and Technical Directions for Secure and Private Parent-Teen Mobile Safety. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) Scott Lederer, Jason I. Hong, Anind K. Dey, James A. Landay. Personal Privacy through Understanding and Action: Five Pitfalls for Designers. Carnegie Mellon University Technical Report. Human-Computer Interaction Institute. Paper 78. 2004.
Tuesday, February 11	09. Passwords [SLIDES] Project teams assigned (no written assignment)	Required reading: Cormac Herley and Paul C. van Oorschot. A Research Agenda Acknowledging the Persistence of Passwords. In IEEE Security and Privacy magazine, Volume 10, Issue 1, January 2012. Dinei Florêncio and Cormac Herley. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th international conference on World Wide Web, 2007. (WWW '07) Optional reading: [Security] Ari Juels and Ronald L. Rivest. Honeywords: Making Password-Cracking Detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, Paul C. van Oorchot. Tapas: Design, Implementation, and Usability Evaluation of a Password Manager. In Proceedings of the 28th Annual Computer Security Applications Conference, 2012. (ACSAC '12) [Security] Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12) [Security] Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12) [HCI] Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
Thursday, February 13	10. Challenge questions and secondary authentication [Student presentation by Shing-hon Lau] [SLIDES] Homework 4 due	Required reading: Robert W. Reeder and Stuart Schechter. When the Password Doesn't Work: Secondary Authentication for Websites. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 43--49, March 2011. Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. It's No Secret: Measuring the Security and Reliability of Authentication via 'Secret' Questions. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, 2009. (S&P '09 / Oakland '09) Optional reading: Eiji Hayashi, Sauvik Das, Shahriyar Amini, Jason Hong, Ian Oakley. CASA: Context-Aware Scalable Authentication. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [Industry] Eric Grosse and Mayank Upadhyay, Authentication at Scale, IEEE Security & Privacy (magazine), vol. 11, no. 1, pp. 15-22, January-Febuary 2013. Saurabh Panjwani and Edward Cutrell. Usably Secure, Low-Cost Authentication for Mobile Banking. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) [HCI] Mike Just and David Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09) Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's not what you know, but who you know: A social approach to last-resort authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2009. (CHI '09)
Tuesday, February 18	11. Censorship, politics, and anonymity [Student presentation by Weisi Dai and Abby Marsh] [SLIDES] Project proposal due	Required reading: Arvind Narayanan, Elaine Shi, and Benjamin I. P. Rubinstein. Link Prediction by De-anonymization: How We Won the Kaggle Social Network Challenge. In Proceedings of the International Joint Conference on Neural Networks, 2011. (IJCNN '11) Optional reading: [Security] Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Security] Simurgh Aryan, Homa Aryan, and J. Alex Halderman. Internet Censorship in Iran: A First Look. In Proceedings of the 3rd USENIX Workshop on Free and Open Communications on the Internet, 2013. (FOCI '13) [Security] Prateek Mittal, Matthew Wright, and Nikita Borisov. Pisces: Anonymous Communication Using Social Networks. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13) [Security] Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman. Telex: Anticensorship in the Network Infrastructure. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11) Roger Dingledine, Nick Matthewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
Thursday, February 20	12. Usable privacy and security in the home [Student presentation by Ashutosh Pandey] [SLIDES] Homework 5 due	Required reading: Eun Kyoung Choe, Sunny Consolvo, Jaeyeon Jung, Beverly Harrison, Julie Kientz, and Shwetak Patel. Investigating Receptiveness to Sensing and Inference in the Home Using Sensor Proxies. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing, 2012. (Ubicomp '12) Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) Optional reading: Jason Hong. Considering privacy issues in the context of Google Glass. In Communications of the ACM, Volume 56, Issue 11, pp. 10--11, November 2013. Stuart Schechter. The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button! In Proceedings of the Workshop on Home Usable Privacy and Security, 2013. (HUPS '13) [HCI] A.J. Brush, Jaeyeon Jung, Ratul Mahajan, and Frank Martinez. Digital Neighborhood Watch: Investigating the Sharing of Camera Data Amongst Neighbors. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13) [Security] Tamara Denning, Tadayoshi Kohno, and Henry M. Levy. Computer Security in the Modern Home. In Communications of the ACM, Volume 56, Issue 1, pp. 94--103, January 2013. Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker. Challenges in Access Right Assignment for Secure Home Networks. In Proceedings of the 5th USENIX Workshop on Hot Topics in Security. (HotSec'10)
Tuesday, February 25	13. Security warnings [Student presentation by Darya Kurilova] [SLIDES]	Required reading: Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13) Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Robert W. Reeder, Stuart Schechter, and Manya Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) Optional reading: [HCI] Na Wang, Jens Grossklags, and Heng Xu. An Online Experiment of Privacy Authorization Dialogues for Social Applications. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13) Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Operating system framed in case of mistaken identity. In Proceedings of the 2012 ACM SIGSAC conference on Computer & Communications Security, 2012. (CCS '12) Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri. Bridging the gap in computer security warnings: A mental model approach. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 18--26, March 2011. [HCI] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08) David Modic and Ross J. Anderson. Reading this May Harm Your Computer: The Psychology of Malware Warnings. Available online on SSRN, 2014.
Thursday, February 27	14. Usable encryption [Student presentation by Sean Segreti] [SLIDES] Homework 6 due	Required reading: Shirley Gaw, Edward W. Felten, and Patricia Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06) Optional reading: [Security] Mark D. Ryan. Enhanced certificate transparency and end-to-end encrypted mail. In Proceedings of the 21st Annual Network & Distributed System Security Symposium, 2014 (forthcoming). (NDSS '14) [HCI] Scott Ruoti, Nathan Kim, Ben Burgon, Timothy van der Horst, Kent Seamons. Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [HCI] Sumeet Gujrati and Eugene Y. Vasserman. The usability of Truecrypt, or how i learned to stop whining and fix an interface. In Proceedings of the third ACM Conference on Data and Application Security and Privacy, 2013. (CODASPY '13) [HCI] Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, and Uwe Sander. Helping Johnny 2.0 to Encrypt His Facebook Conversations. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) [Security] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold-boot attacks on encryption keys. In Proceedings of the 17th USENIX Security Symposium, 2008. (USENIX '08)
Tuesday, March 4	15. Smartphones, privacy, security [Student presentation by Sakshi Garg and Bin Liu] [SLIDES] IRB applications must be submitted to the IRB no later than this date	Required reading: Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Optional reading: Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Security] Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Security] Benjamin Livshits and Jaeyeon Jung. Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13) [HCI] Rebecca Balebako, Jaeyeon Jung, Wei Lu, Lorrie Cranor, and Carolyn Nguyen. "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [Security] Shashi Shekhar, Michael Dietz, and Dan S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)
Thursday, March 6	16. Privacy notice and privacy policies [Student presentation by Yuan Tian] [SLIDES] Homework 7 due	Required reading: Lorrie Faith Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. In Journal of Telecommunications and High Technology Law, Volume 10, Number 2, 2012. Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) Optional reading: [HCI] Pedro G. Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, and Lorrie Faith Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [Behavioral economics] Idris Adjerid, Alessandro Acquisti, Laura Brandimarte, and George Loewenstein. Sleights of Privacy: Framing, Disclosures, and the Limits of Transparency. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [HCI] Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor. Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories. Carnegie Mellon University Technical Report CMU-CyLab-13-011, 2013. [HCI] Aleecia McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. A Comparative Study of Online Privacy Policies and Formats. In Proceedings of the 9th International Symposium on Privacy Enhancing Technologies, 2009. (PETS '09) Lorrie Faith Cranor, Praveen Guduru, and Manjula Arjula. User interfaces for privacy agents. In ACM Transactions on Computer-Human Interaction (TOCHI), Volume 13, Issue 2, pp. 135--178, June 2006.
Tuesday, March 11	no class (Spring break)	No readings for this class.
Thursday, March 13	no class (Spring break)	No readings for this class.
Tuesday, March 18	17. Biometrics [Student presentation by Chandrasekhar Bhagavatula and Stephen Siena] [SLIDES]	Required reading: Roy A. Maxion. Making Experiments Dependable. In Dependable and Historic Computing, Lecture Notes in Computer Science Volume 6875, pp. 344--357, 2011. Simon Liu and Mark Silverman. A Practical Guide to Biometric Security Technology. In IT Professional magazine, Volume 3, Issue 1, pp. 27--32, January 2001. Optional reading: Alexander Eng and Luay A. Wahsheh. Look into My Eyes: A Survey of Biometric Security. In Tenth International Conference on Information Technology: New Generations, 2013. (ITNG '13) [Security] Tey Chee Meng, Payas Gupta, and Debin Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13) Chao Shen, Zhongmin Cai, Xiaohong Guan, Youtian Du, and Roy A. Maxion. User Authentication through Mouse Dynamics. In IEEE Transactions on Information Forensics and Security, Volume 8, Number 1, pp. 16--30, January 2013. Felix Juefei-Xu, Khoa Luu, Marios Savvides, Tien D. Bui, and Ching Y. Suen. Investigating age invariant face recognition based on periocular biometrics. In 2011 International Joint Conference on Biometrics, 2011. (IJCB '11) Anil K. Jain, Arun Ross, and Salil Prabhakar. An introduction to biometric recognition. In IEEE Transactions on Circuits and Systems for Video Technology, Volume 14, Issue 1, pp. 4--20, 2004.
Thursday, March 20	18. SSL, PKIs, secure communication [Student presentation by Aditya Marella] [SLIDES] Homework 8 due	Required reading: Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the 18th USENIX Security Symposium, 2009. (USENIX '09) Simson L. Garfinkel and Robert C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05). Also go through the The Johnny 2 Construction Kit for Testing Email Security from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection. Optional reading: Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. Rethinking SSL Development in an Appified World. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Economics] Hadi Asghari, Michel J.G. van Eeten, Axel M. Arnbak, and Nico A.N.M. van Eijk. Security Economics in the HTTPS Value Chain. In Workshop on the Economics of Information Security, 2013. (WEIS '13). [Security] Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) [HCI] Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov. On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Christopher Soghoian and Sid Stamm. Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. In Proceedings of the 15th international conference on Financial Cryptography and Data Security (FC '11)
Tuesday, March 25	19. Progress report presentations Project progress report due	Required reading: Stuart Schechter. Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them, 2009.
Thursday, March 27	20. Progress report presentations	No readings for this class.
Tuesday, April 1	21. Social networks and privacy [Student presentation by Su Mon Kywe and Tatiana Vlahovic] [SLIDES]	Required reading: Michael S. Bernstein, Eytan Bakshy, Moira Burke, and Brian Karrer. Quantifying the Invisible Audience in Social Networks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13) Optional reading: Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur. The Post Anachronism: The Temporal Dimension of Facebook Privacy. In Proceedings of the 12th annual ACM Workshop on Privacy in the Electronic Society, 2013. (WPES '13) Fred Stutzman, Ralph Gross, and Alessandro Acquisti. Silent Listeners: The Evolution of Privacy and Disclosure on Facebook. In Journal of Privacy and Confidentiality, Volume 4, Number 2, pp. 7--41, 2012. Jason Watson, Andrew Besmer, Heather Richter Lipford. +Your Circles: Sharing Behavior on Google+. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) Sanjay Kairam, Michael J. Brzozowski, David Huffaker, and Ed H. Chi. Talking in Circles: Selective Sharing in Google+. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Huina Mao, Xin Shuai, and Apu Kapadia. Loose Tweets: An Analysis of Privacy Leaks on Twitter. In Proceedings of the 10th annual ACM Workshop on Privacy in the Electronic Society, 2011. (WPES '11)
Thursday, April 3	22. Trust, mental models, semantic attacks, social engineering, and user education [Student presentation by Jie Chen] [SLIDES] Homework 9 due	Required reading: Fanny Lalonde Lévesque, Jude Nsiempba, José M. Fernandez, Sonia Chiasson, Anil Somayaji. A Clinical Study of Risk Factors Related to Malware Infections. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teaching Johnny Not to Fall for Phish. In ACM Transactions on Internet Technology (TOIT), Volume 10, Issue 2, May 2010. Optional reading: [HCI] Adrienne Porter Felt, Serge Egelman, Matthew Finifter, Devdatta Akhawe, David Wagner. How to Ask For Permission. In Proceedings of the 7th USENIX conference on Hot Topics in Security, 2012. (HotSec '12) [Security] Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and Crispin Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12) [HCI] Rick Wash. Folk Models of Home Computer Security. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) [HCI] L. Jean Camp. Mental Models of Privacy and Security. In IEEE Technology and Society magazine, Volume 28, Number 3, pp. 37--46, 2009. [Economics] Cormac Herley. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In Proceedings of the 2009 New Security Paradigms Workshop, 2009. (NSPW '09)
Tuesday, April 8	23. Usable privacy and security in safety-critical devices [Student presentation by Adam Durity and Frankie Catota] [SLIDES]	Required reading: Kevin Fu and James Blum. Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software. In Communications of the ACM, Volume 56, Issue 10, pp. 21--23, October 2013. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11) Optional reading: [Security] Masoud Rostami, Ari Juels, and Farinaz Koushanfar. Heart-to-Heart (H2H): Authentication for Implanted Medical Devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Security] Shane S. Clark, Benjamin Ransford, and Kevin Fu. Potentia est Scientia: Security and Privacy Implications of Energy-Proportional Computing. In Proceedings of the 7th USENIX conference on Hot Topics in Security, 2012. (HotSec '12) [Economics] Martin S. Gaynor, Muhammad Zia Hydari, and Rahul Telang. Is Patient Data Better Protected in Competitive Healthcare Markets? In Workshop on the Economics of Information Security, 2012. (WEIS '12). [HCI] Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) [Security] Tamara Denning, Kevin Fu, and Tadayoshi Kohno. Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. In Proceedings of the 3rd USENIX conference on Hot Topics in Security, 2008. (HotSec '08)
Thursday, April 10	no class (Carnival)	No readings for this class.
Tuesday, April 15	24. Access control and policy configuration, tools for security administration [Student presentation by Ziwei Hu and Norman Wu] [SLIDES]	Required reading: Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the Third Symposium on Usable Privacy and Security, 2007. (SOUPS '07) Optional reading: Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, 2012. (LASER '12) Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Serge Egelman, Andrew Oates, and Shriram Krishnamurthi. Oops, I Did It Again: Mitigating Repeated Access Control Errors on Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) Diana Smetters and Nathan Good. How Users Use Access Control. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09) Ross Anderson. Chapter 4: Access Control In Security Engineering (Second Edition). Wiley, 2008.
Thursday, April 17	25. Economics and behavior as part of usability [Student presentation by Pranshu Kalvani] Homework 10 due	Required reading: Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A Field Trial of Privacy Nudges for Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014 (forthcoming). (CHI '14) Cormac Herley. Why do Nigerian Scammers say they are from Nigeria? In Workshop on the Economics of Information Security, 2012. (WEIS '12). Optional reading: Sören Preibusch, Kat Krol, and Alastair R. Beresford. The Privacy Economics of Voluntary Over-disclosure in Web Forms. In Workshop on the Economics of Information Security, 2012. (WEIS '12). Janice Y. Tsai, Serge Egelman, Lorrie Faith Cranor, and Alessandro Acquisti. The effect of online privacy information on purchasing behavior: An experimental study. In Information Systems Research, Volume 22, Number 2, pp. 254--268, 2011. Alessandro Acquisti. Nudging Privacy: The Behavioral Economics of Personal Information. In IEEE Security and Privacy magazine, Volume 7, Issue 6, pp. 82--85, November 2009. Alessandro Acquisti and Jens Grossklags. Privacy and rationality in individual decision making. In IEEE Security and Privacy magazine, Volume 3, Issue 1, pp. 26--33, January 2005.
Tuesday, April 22	26. Web browser privacy and security [Student presentation by Billy Melicher and Chao Pan]	Required reading: Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking: Policy and Technology. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06) Optional reading: Franziska Roesner, Christopher Rovillos, Tadayoshi Kohno, and David Wetherall. ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets. In USENIX ;login: magazine, Volume 37, Number 4, August 2012. Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) Gaurav Aggarwal, Elie Bursztein, Collin Jackson, and Dan Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium, 2010. (USENIX '10) Rachna Dhamija and J.D. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05) Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
Thursday, April 24	27. Graphical passwords [Student presentation by Zhipeng Tian] Homework 11 due	Required reading: Robert Biddle, Sonia Chiasson, and P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. In ACM Computing Surveys, Volume 44, Issue 4, August 2012. Optional reading: [HCI] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber. Exploring the Design Space of Graphical Passwords on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) Eiji Hayashi, Jason Hong, and Nicolas Christin. Security through a different kind of obscurity: Evaluating Distortion in Graphical Authentication Schemes. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) Sonia Chiasson, Alain Forget, Elizabeth Stobert, P.C. van Oorschot, and Robert Biddle. Multiple password interference in text and click-based graphical passwords. In Proceedings of the 2009 ACM SIGSAC conference on Computer & Communications Security, 2009. (CCS '09) [HCI] Sonia Chiasson, Robert Biddle, and P.C. van Oorschot. A second look at the usability of click-based graphical passwords. In Proceedings of the Third Symposium on Usable Privacy and Security, 2007. (SOUPS '07) [Security] Darren Davis, Fabian Monrose, and Michael K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
Tuesday, April 29	no class (CHI)	No readings for this class.
Thursday, May 1	no class (CHI)	No readings for this class.
Monday, May 5	FINAL PROJECT PRESENTATIONS from 8:30 AM to 11:30 AM	---
This class will have no final exam. However, the final exam period (Monday, May 5th, 8:30 AM to 11:30 AM) will be used for final project presentations.

Course Requirements and Grading

You are responsible for being familiar with the university standard for academic honesty and plagiarism. Please see the CMU Student Handbook for information. In order to deter and detect plagiarism, online tools and other resources may be used in this class. Students caught cheating or plagiarizing will receive no credit for the assignment on which the cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructors.

For students taking the 12-unit version of this course, your final grade in this course will be based on:

40% Project
35% Homework
15% Presentation
10% Class participation

For students taking the 9-unit version of this course, your final grade in this course will be based on:

40% Project
50% Homework
10% Class participation

Homework

Homework assignments for this class will include reading summaries and written assignments. All homework is due in printed form in class at 3:00 PM each Thursday, unless specified otherwise. Homework may not be submitted after 3:05 pm, and we do not accept late homework. Your lowest homework grade will be dropped from your homework average.

Students are expected to do reading assignments prior to class so that they can participate fully in class discussions. Students must submit a short summary (3-7 sentences) and a "highlight" for each chapter or article in the reading assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Students taking the 12-unit version of this course are expected to include a summary and highlight for one optional reading of their choice each week. Suggested optional readings are provided, but students may choose other relevant optional readings. All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.

Presentation

Each student taking the 12-unit version of this course will be assigned a class lecture to prepare and present (either individually or in a small group). The lecture should be based on the topics covered in that week's reading assignment, but it should go beyond the materials in the required reading. Do not present a lecture that simply summarizes the assigned reading. For example, you might read and present some of the optional readings or related work mentioned in the reading or that you find on your own, you might present some of the relevant optional reading materials (feel free to use relevant materials from other weeks), you might demonstrate software mentioned in the reading, you might critique a design discussed in the reading, or you might design a class exercise for your classmates. If the material you present describes a user study, include a detailed description and critique of the study design. As part of your lecture you should prepare several discussion questions and lead a class discussion. You should also introduce your fellow students to terminology, researchers, and concepts they might not be familiar with. You are also expected to have read and be familiar with all of the optional readings for that particular class.
No later than 24 hours before your presentation, you should email the instructors PowerPoint slides that include discussion questions. These slides will be posted on the class web site. In addition, the instructors may include all or part of your presentation slides and notes in an instructor's guide for future usable privacy and security courses.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:

Return their project preference form by Thursday, February 6th so that they can be assigned to a project team by Tuesday, February 11th.
Submit a one-page project proposal by Tuesday, February 18th. The proposal should describe the system you propose to design or evaluate, discuss what you hope to learn from your user study and/or the hypotheses you plan to test, and provide an overview of your preliminary user study plan (what types of tasks will you have participants do? what types of people will you recruit? will you use a finished software product, prototype, paper prototype, etc. in your user study? will this be a between-subjects or within-subjects study? will you conduct your study online, in a lab, with paper surveys?)
Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than Thursday, February 27th.
Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
Develop any prototypes necessary to carry out the user study.
Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
Submit a written progress report by Tuesday, March 25th. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. In addition, the written report should include a revised user study plan and the details of your initial pilot user study, including the study design and scripts (and results if you have already completed the initial study)
Give a 10-15 minute progress report presentation on March 25 or March 27.
Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
Give a 15-minute final project presentation during the final exam period.
Write a paper giving an overview of the proposed study, what you hoped to learn from it, what you learned from the pilot study, etc. and submit it by 1:00 pm on Monday, May 12th in both electronic and printed form (to Professor Cranor's office). Your IRB forms, survey forms, etc. should be included as appendices.

Students are encouraged to submit their project as a poster to the 2014 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2015 or another conference. A paper submission will likely require some additional work after the end of the semester. To submit a poster will only require submitting a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Unless your group has only students signed up for the 9-unit course in it, that means your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. In addition to describing what you did in your study, your paper should include a related work section and properly-formatted references. Papers should follow the SOUPS 2014 technical papers formatting instructions. However, your paper should not be a blind submission; please include the names of the authors for the purposes of the class project. If you have identified an alternative relevant conference and would prefer to use that conference's submission format for your paper, please discuss it with the instructors.