05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734 Usable Privacy and Security

Homework 7

Print your homework out and submit it in person at the start of class (3:00pm) on Monday, April 3. Homework will not be accepted after 3:00pm on that day.

Part 1 (50 points):

The National Institute of Standards and Technology has issued draft password guidance as part of DRAFT NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.

Review section 5.1.1 (and its subsections) on "Memorized Secrets." Pick two normative requirements from this section (those marked SHALL or SHALL NOT) and, for each, explain why it is or is not a good requirement, citing evidence from the research literature. You may find evidence in the passwords-related papers in the required or optional class readings, in papers mentioned in the class lecture notes, or in the CMU CUPS Lab passwords research papers.

Part 2 (50 points):

The US Department of Health and Human Services has launched a Privacy Policy Snapshot Challenge to develop an online tool that will create privacy notices for consumer health technology.

Using the draft model privacy notice content requirements (beginning on page 2), develop a mockup of a privacy notice for a mobile health app designed to run on a smartphone (search for "health" in the Google Play Store or the iTunes App Store). You may choose an existing health app and its real privacy policy, or make up a health app and its privacy policy. Your mockup may be hand drawn, drawn using PowerPoint or your favorite drawing tool, or designed using a rapid-prototyping tool (e.g., Balsamiq). If the privacy notice takes up multiple screens or includes interactive features, show all the screens, pop-ups, etc.

Write a paragraph explaining the rationale behind your major design decisions.

Write a paragraph explaining where and when, in the course of selecting, downloading, installing, or using the app, users will have the opportunity to see this privacy notice. Why do you recommend making the notice available in this way?

Make sure you cite relevant sources on notice design (for example, from the required or optional readings or lecture notes).

Part 3 (9-unit students should not do this part. 12-unit students will receive between 0 and 45 points for this part): Write a 3 to 7 sentence summary and a short "highlight" for one optional reading assigned for the March 20, March 22, and April 3 classes.