05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security
Homework 1
Print your homework out and submit it in person at the start of class (3:00pm) on Thursday, January 22nd. Homework will not be accepted after 3:00pm on that day.
- Part 1 (40 points): In light of the "Why Johnny Can't Encrypt" paper, you will perform an expert evaluation of a current encryption tool. Pick a tool from Wikipedia's list of encryption tools. In particular, consider tools listed at the bottom of that page under the "disk encryption," "email clients," and "OTR" messaging categories. Download and install (or, if applicable, simply enable) the tool you chose. Inspired by the Johnny paper, perform an expert evaluation of the tool.
You should turn in four paragraphs describing:
- Paragraph 1: State what tool you chose and describe the steps you took in your expert evaluation. Essentially, we want you to explain your methodology.
- Paragraph 2: What usability flaws identified in the Johnny paper still persist 15 years later in this tool? Describe them.
- Paragraph 3: What usability flaws does this tool have beyond those previously identified in the Johnny paper? Describe them.
- Paragraph 4: What usability flaws identified in the Johnny paper have been addressed to your satisfaction? How were they addressed?
If you believe any of those paragraphs is not applicable (e.g., the tool has no usability flaws not described in the Johnny paper), instead briefly explain why you believe it is not applicable.
- Part 2 (50 points): You should work with either one or two partners (groups of 2-3 people) for this part of the assignment. If you really want to, you are permitted to work alone. With your partners, observe people in a public place using a computerized system. For example, you might observe people using a public transit ticket machine, a parking garage pay station, a hardware store self-checkout machine, a library self-checkout machine, or an airport self-check-in kiosk. Stay long enough to observe both experienced and inexperienced users using the system.
Alternatively, recruit a few people you know and observe them using a computer or computerized device (cell phone, microwave oven, etc.) to complete a task. Try to recruit someone who has used the device before and someone who has not.
What kinds of problems did people have using the system? What aspects of the system appeared to be easy to learn? What aspects of the system appeared to be difficult to learn? What aspects of the system seemed to frustrate experienced users? Most importantly, how might the design of the system be improved?
Write up a short report on your observations and recommendations to turn in. Include an appendix with photographs or sketches of key elements of the user interface you observed. The report should be 2-4 pages, plus the appendix. Remember: turn in one report per group listing all members' names.
- Part 3 (10 points): With the same partners from Part 2, create 2-6 PowerPoint slides showing photographs or illustrations of the computerized system from Part 2 in action. Choose photos that make the usability aspects of the system clear. You may duplicate photos from your Part 2 appendix.
Do not print out your slides. Instead, one member of the team should email them before class to privacy-homework@mailman.srv.cs.cmu.edu as a PDF file, not as a PPT file.
- Part 4 (9-unit students should not do this part. 12-unit students will receive between 0 and 45 points for this part): Write a 3-7 sentence summary and short "highlight" for one optional reading assigned for each of the following classes (3 optional readings total): January 15th, January 20th, and January 22nd.
- Part 5 (officially 0 points, but you cannot pass this course unless you do this): Complete the online IRB training by following the instructions at http://www.cmu.edu/research-compliance/human-subject-research/training.html. Once you get to the CITI page, click "Register" under "Create an account" and enter Carnegie Mellon University as your institution. Choose the "Social & Behavioral Research Investigators" course. You do not need to take the additional courses in responsible conduct of research, animal welfare, or export controls. Note that this training will take a few hours. Please print out and attach your completion certificate to the homework.