05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734
Usable Privacy and Security

Spring 2017: GHC 4102, Mondays and Wednesdays 3:00pm-4:20pm

Professor Lorrie Cranor
lorrie AT cmu DOT edu
http://lorrie.cranor.org/
Office: CIC 2207
Office hours: By appointment

       

Javed Ramjohn, Teaching Assistant
jramjohn AT andrew. DOT cmu DOT edu
Office hours: By appointment

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do reading assignments for each class. Students will also work on a group project throughout the semester.

The course is open to all students who have technical backgrounds. The 12-unit course numbers (8-734, 5-836, 19-734) are for PhD students and masters students. Students enrolled in these course numbers will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (8-534, 5-436, 19-534) are for juniors, seniors, and masters students. Students enrolled in these course numbers will have less demanding project and presentation requirements.

Readings

Readings will be assigned from the following text (available from all the usual online stores, and in ebook form via the CMU library)

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU EZproxy or library VPN).

Course Schedule

Note, schedule is subject to change. The class web site will have the most up-to-date version. Links to slides and homework assignments will not work until the slides and assignments are posted. Slides will usually be posted the day after each lecture. Homework assignments will usually be posted on the day the previous assignment is due.

Wednesday, January 18

01. Course overview and introductions [SLIDES]

No readings for this class

Monday, January 23

02. Introduction to security; usable encryption [SLIDES]

Required reading:

Optional reading:

Wednesday, January 25

03. Reasoning about the human in the loop [SLIDES | Privacy Illustrated]

Required reading:

Optional reading:

Monday, January 30

04. Introduction to privacy [SLIDES]

Assignment: Homework 1 due

Required reading:

Optional reading:

Wednesday, February 1

05. Introduction to experimental design: overview of methods, ethics/deception, and ecological validity [SLIDES]
Guest lecturer: Abby Marsh

Required reading:

Optional reading:

Monday, February 6

06. Introduction to crowdsourced studies [SLIDES]

Assignment: Homework 2 due
Project: Discuss course projects in class

Required reading:

Optional reading:

Wednesday, February 8

07. Participant recruitment and surveys [SLIDES]

Required reading:

Optional reading:

Monday, February 13

08. Interviews, focus groups, and diary studies + analyzing qualitative data [SLIDES]

Assignment: Homework 3 due
Project: preference forms due

Required reading:

Optional reading:

Wednesday, February 15

09. Practicalities of research: IRBs and teamwork [SLIDES]
Guest lecturer: Abby Marsh

Project: teams assigned in class

No readings for this class

Monday, February 20

10. Quantitative data collection, lab and field studies, simulating attacks [SLIDES]

Assignment: Homework 4 due

Required reading:

Optional reading:

Wednesday, February 22

11. Analyzing quantitative data with statistics [SLIDES]
Guest lecturers: Hana Habib and Jessica Colnago

Project: proposal due

Required reading:

Optional reading:

Monday, February 27

12. Security warnings [SLIDES]

Assignment: Homework 5 due

Required reading:

Optional reading:

Wednesday, March 1

13. Passwords [SLIDES]

Required reading:

Optional reading:

Monday, March 6

14. Authentication beyond text passwords [SLIDES]

Assignment: Homework 6 due
Project: IRB applications must be submitted to the IRB no later than this date

Required reading:

Optional reading:

Wednesday, March 8

15. In-class midterm exam 1

No readings for this class

Monday, March 13

spring break

Wednesday, March 15

spring break

Monday, March 20

16. Privacy notice and choice [SLIDES]

Required reading:

Optional reading:

Wednesday, March 22

17. Evaluating disclosures [SLIDES]

Required reading:

Optional reading:

Monday, March 27

18. Progress report presentations

Project: progress report due

Required reading:

Wednesday, March 29

19. Progress report presentations

No required reading

Monday, April 3

20. Privacy and anonymity tools [SLIDES]

Assignment: Homework 7 due

Required reading:

Optional reading:

Wednesday, April 5

21. Social networks and privacy [SLIDES]
Guest lecturer: Abby Marsh

Optional reading:

Monday, April 10

22. Privacy and security for mobile devices and IoT [SLIDES]

Assignment: Homework 8 due

Required reading:

Optional reading:

Wednesday, April 12

23. SSL, PKIs, and secure communication [SLIDES]

Required reading:

Optional reading:

Monday, April 17

24. Mental models and folk models of security and privacy [SLIDES]

Assignment: Homework 9 due

Optional reading:

Wednesday, April 19

25. In-class midterm exam 2

No readings for this class

Monday, April 24

26. User education/training; anti-phishing [SLIDES]

Required reading:

Optional reading:

Wednesday, April 26

27. Access control and policy configuration [SLIDES]

Optional reading:

Monday, May 1

29. Usable privacy and security in safety-critical devices [SLIDES]

Assignment: Homework 10 due

Optional reading:

Wednesday, May 3

29. Final project presentations

No required reading

Course Requirements and Grading

Your final grade in this course will be based on:

This class will have no final exam. Final projects presentations will be held on the last day of class. You are required to be present for your group's final presentation.

Homework

All homework is due in printed form in class at 3:00 PM on the due date, unless specified otherwise on the schedule above. Homework may not be submitted after 3:05 pm, and we do not accept late homework. Your single lowest homework grade will be dropped from your homework average.

Students taking the 12-unit version of the course will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your single lowest quiz grade will be dropped.

Students taking the 12-unit version of this course are expected to do additional readings each week. In some cases, we will specify which extra reading(s) to do. In other cases, we will specify that students can choose from any of the optional readings for the week. All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.

Midterms

We will hold two in-class midterms during the course. These midterms will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the semester.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:

Students are encouraged to submit their project as a poster to the 2017 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2018 or another conference. A paper submission will likely require additional work after the end of the semester. To submit a poster will only require submitting a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2017 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project.

Copyright Policy

All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted; reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered as an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.

Collaboration Policy

You are permitted to talk to the instructor, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the homeworks. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and is considered cheating. If you have any question about whether some activity would constitute cheating, please feel free to ask. Cheating on an assignment/exam will result in failure of the course, and the university administration (department, college) will be notified per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Cheating and Plagiarism (http://www.cmu.edu/policies/documents/Cheating.html); Undergraduate Academic Discipline (http://www.cmu.edu/policies/documents/AcadRegs.html); and Graduate Academic Discipline (http://www.cmu.edu/policies/documents/GradDisc.html). In addition to the terms of the Graduate Academic Discipline policy, it is INI and ECE's policy that an INI or an ECE graduate student may not drop a course in which a disciplinary action is assessed or pending without the course instructor's explicit approval.

Take Care of Yourself

Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:

If the situation is life threatening, call the police:

-----