8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Homework 7 - due November 18, 2014


Don't forget to properly cite all sources (including assigned readings) and include a bibliography with all homework assignments.

Reading assignment: October 28-November 18 readings

1. [20 points] 12-unit students: Read and write a summary of one optional reading paper. After each summary (in a separate paragraph) provide a "highlight" for that chapter. This can be something new you learned that you found particularly interesting, a point you would like to discuss further in class, a question the chapter did not fully answer, something you found confusing, a point you disagree with, or anything else you found noteworthy.

2. [40 points] The table below contains information from the course roster for a hypothetical CMU class. Suppose some researchers were interested in finding out whether there was any correlation between grades in this class and student college, department, or class.

The required reading by Dr. Latanya Sweeney describes k-anonymity. For clarification on l-diversity see blog post or for even deeper insights, the l-diversity paper.

SCS     CS      Junior
SCS     CS      Junior
SCS     CS      Senior
SCS     CS      Senior
SCS     HCI     Master
SCS     HCI     Doc
SCS     SE      Master
SCS     SE      Doct
SCS     ROB     Doct
CIT     ECE     Junior
CIT     ECE     Senior
CIT     ECE     Master
CIT     EPP     Junior
CIT     EPP     Doct
CIT     MSE     Senior
CIT     INI     Master
CIT     INI     Master
CMU     IS      Master
CMU     IS      Master
CMU     IT      Master
HNZ     PPM     Master
HNZ     PPM     Master
HNZ     PPM     Master

3. [40 points] Pick a consumer software product or service that may collect information from or about its users and may transmit some or all of that information off the consumer's device or share information collected by a service with other parties. Use the Microsoft Privacy Guidelines to analyze this software. List all the applicable guidelines and try to determine whether/how the software complies with each one by using the software and reading its documentation. You may be able to get some additional relevant information about the product support web site for that product. Make a table showing each guideline and how the software complies with or violates it (or explaining why you are unable to determine this). In the case of violations, what changes would you recommend to comply with these guidelines. [If you find you are unable to make a determination for most of the guidelines, pick another piece of software to analyze.]

4. [20 points] The Electronic Frontier Foundation has launched IFightSurveillance.org with information on fighting surveillance. The first recommended step is to create a Threat Model assessment. Build your own threat model assessment.

The steps below are directly quoted from EFF website, and are included here so that you understand what specifically you are required to include in the homework. You may fuzz, anonymize, or black-out any information you do not want to share with your TA. In step 1, select one specific asset you want to protect, such as your homework for this class, your music or video files, or your smartphone contacts list.

  1. "Write down a list of data that you keep, where it's kept, who has access to it, and what stops others from accessing it."
  2. "Make a list of who might want to get ahold of your data or communications."
  3. "Write down what your adversary might want to do with your private data."
  4. "Asses your risk"

5. Extra Credit Opportunity [5 points]. In Chapter 4 of Swire and Ahmad, there may be statements that are out-of-date, oversimplified, or missing recent developments. If so, we should draw this to the attention of the publisher. We are offering extra credit in case you discover any such concerns. Describe the page number, the concern, and cite any sources that explain why it is a concern.