Privacy Policy, Law, and Technology (original) (raw)

This course focuses on policy issues related to privacy from the perspectives of governments, organizations, and individuals. We will begin with a historical and philosophical study of privacy and then explore recent public policy issues. We will examine the privacy protections provided by laws and regulations, as well as the way technology can be used to protect privacy. We will emphasize technology-related privacy concerns and mitigation, for example: social networks, smartphones, behavioral advertising (and tools to prevent targeted advertising and tracking), anonymous communication systems, big data, and drones.

This course is part of a three-course series of privacy courses offered as part of the MSIT-Privacy Engineering masters program. These courses may be taken in any order or simultaneously. Foundations of Privacy (offered in the Fall semester) offers more indepth coverage of technologies and algorithms used to reason about and protect privacy. Engineering Privacy in Software (offered in the Spring semester) focuses on the methods and tools needed to design systems for privacy.

This course is intended primarily for graduate students and advanced undergraduate students (juniors and seniors) with some technical background. Programming skills are not required. 8-733, 19-608, and 95-818 are 12-unit courses for PhD students. Students enrolled under these course numbers will have extra assignments and will be expected to do a project suitable for publication. 8-533 is a 9-unit course for undergraduate students. Masters students may register for any of the course numbers permitted by their program. This course will include a lot of reading, writing, and class discussion. Students will be able to tailor their assignments to their skills and interests, focusing more on programming or writing papers as they see fit. However, all students will be expected to do some writing and some technical work. A large emphasis will be placed on research and communication skills, which will be taught throughout the course.

Peter P. Swire and Kenesa Ahmad. Foundations of Information Privacy and Data Protection: A Survey of Global Concepts, Laws and Practices. IAPP: 2012.

J.C. Cannon. Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals. IAPP: 2014.

All online papers are either publicly available for free, available through the CMU library for free, or available in a password-protected part of this website to students in this course. (The CMU library provides a VPN for off-campus and wireless access to library materials.)

This year IAPP is offering CMU students a Student Certification Package which includes: 1 year IAPP membership + textbooks + online training materials + practice exam + 1 Computer Based Test Exam for $140 per student.

Normally you would have to pay 50forstudentmembership,50 for student membership, 50forstudentmembership,550 to take the exam, over 100forthebooks,andover100 for the books, and over 100forthebooks,andover1000 for access to the online training materials and practice tests. So this is a good deal. If you are taking 8-533 / 8-733 / 19-608 / 95-818 Privacy Policy, Law and Technology you will need these books for class, so even if you don't plan to take the exam you might want to get the student package.

Exams will take place at local Kryterion testing centers (seehttp://www.kryteriononline.com/Locate-Test-Center - the most convenient center to CMU is at 118 52nd Street 15201). You can schedule the exam whenever you want. If you are taking CMU privacy engineering classes this fall, we recommend you take the exam in Dec. or January.

If you would like to sign up for the student certification package, please fill out the form at: https://goo.gl/forms/SFrU0OmJjQAL58IQ2. We will send this information to IAPP and they will contact you to collect your payment information. We would like to get people signed up by Sept. 2 so that everyone who needs their books for class will get them promptly.

Note, this schedule is subject to change. The class web site will have the most up-to-date version of this calendar. Assignments will be finalized at least one week before due date or as announced in class.

Date

Topics

Assignment

Tuesday, Aug. 30

Overview

• Introductions
• Syllabus
• Topics to be covered
• Course preview picture tour

No required reading

Thursday, Sept. 1

Conceptions of privacy

• What is privacy? What does privacy mean to you?
• How has privacy been conceptualized over time?

Required reading:

• Eggers, D. The Circle (excerpt) McSweeney's, Oct. 2013. Print.
• Swire, P. and Ahmad, K. Chapter 1: Common Principles and Approaches to Information Privacy and Data Protection [Pages 1-15 ONLY] In Foundations of Information Privacy and Data Protection. IAPP, 2012.

Optional reading

• R. Kemp and A. Moore. Privacy. Library Hi Tech 25.1 (2007):58-78.
• Nissenbaum, H., A Contextual Approach to Privacy Online. Daedalus 140(4), Fall 2011:32-48.
• S. Warren and L. Brandeis. The Right to Privacy. Harvard Law Review Vol. IV, No. 5. Dec. 15, 1890.

Tuesday, Sept. 6

Privacy harms

• Types of privacy harms
• Why does privacy matter?

Research and communication skills

• Avoiding plagiarism
• Creating a bibliography and citing sources

Required reading:

• Daniel Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, San Diego Law Review, Vol. 44, 2007.
• Calo, M. Ryan, The Boundaries of Privacy Harm. Indiana Law Journal, Vol. 86, No. 3, 2011.

Optional reading:

• Daniel Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006.

Thursday, Sept. 8

Debate on the virtue of forgetting

Homework 1 discussion

Homework 1 due

Required reading:

• European privacy requests for search removals
• Google Transparency Report - Frequently Asked Questions
• Sylvia Tippmann and Julia Powles Google accidentally reveals data on 'right to be forgotten' requests The Guardian, July 14, 2015

Optional reading:

• Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age, Princeton University Press, 2011 (Chapter 1)
• Peter Fleischer Foggy Thinking About the Right to Oblivion Personal Blog, blogspot.com (Google's Global Privacy Counsel)
• Conor Friedersdorf This Man Has Nothing to Hide -- Not Even His Email PasswordThe Atlantic, August 26 2014

Tuesday, Sept. 13

Privacy economics, attitudes, and behavior

Research and communications skills

• Human Subjects Research

Required reading:

• Hal Varian, Economic Aspects of Personal Privacy, in Privacy and Self-Regulation in the Information Age, 1997.
• Alessandro Acquisti, Laura Brandimarte, and George Loewenstein Privacy and human behavior in the age of information Science 30 January 2015: 509-514.

Optional reading:

• Alessandro Acquisti and Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE Security & Privacy, January/February 2005, pp. 24-30.
• Juan Pablo Carrascal, Christopher Riederer, Vijay Erramilli, Mauro Cherubini, and Rodrigo de Oliveira. 2013. Your browsing behavior for a big mac: economics of personal information online. WWW2013, 189-200.
• L. Brandimarte, A. Acquisti, G. Loewenstein. Misplaced Confidences: Privacy and the Control Paradox. Social Psychological and Personality Science May 2013 vol. 4 no. 3 340-347.
• J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems Research, published online February 2010.

Thursday, Sept. 15

Fair information practices and privacy principles

Introduce course project

Research and communication skills

• Using library resources
• Writing a literature review

Required reading:

• Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 1 p 15-23
• Lorrie Faith Cranor, I Didn't Buy it for Myself, in Designing Personalized User Experiences in eCommerce, 2004.

Optional reading:

• Cate, Fred H., The Failure of Fair Information Practice Principles (2006). Consumer Protection in the Age of the Information Economy, 2006.
• Robert Gellman. Fair Information Practices: A Basic History. Version 1.92, June 24, 2013.

Tuesday, Sept. 20

Privacy law overview

Homework 2 Discussion

Homework 2 due

Required reading:

• Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapters 2 and 3

Optional reading:

• Solove, Daniel J. and Hartzog, Woodrow, The FTC and the New Common Law of Privacy (August 19, 2013).

Thursday, Sept. 22

Privacy regulation, self-regulation, and enforcement

Project selection form due before class

Required reading:

• The White House. Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights,
• FTC. Protecting Consumer Privacy in an Era of Rapid Change. March 2012. (Skim through the entire report, but you can skip the footnotes and appendixes)

Optional reading:

• L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur. Are They Actually Any Different? Comparing Thousands of Financial Institutions' Privacy Practices. WEIS 2013.
• Bamberger, Kenneth A. and Mulligan, Deirdre K., Privacy on the Books and on the Ground. Stanford Law Review, Vol. 63, January 2011.

Tuesday, Sept. 27

Privacy notice and choice

Required reading:

• L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012.
• N Lundblad and B Masiello, "Opt-in Dystopias", (2010) 7:1 SCRIPTed 155.
• Watch Fred Cate’s opening keynote from the Workshop on the Future of Privacy Notice and Choice (42 minutes)

Optional reading:

• Carlos Jensen and Colin Potts, Privacy policies as decision-making tools: an evaluation of online privacy notices, CHI 2004, pp. 471-478.
• Irene Pollach, What's wrong with online privacy policies?, CACM Sept. 2007, 50(9): 103-108.
• P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012.
• P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI2010.
• First Chapter of More Than You Wanted to Know: The Failure of Mandated Disclosure Omri Ben-Shahar & Carl E. Schneider
• A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008.
• Solove, Daniel J., Privacy Self-Management and the Consent Dilemma 126 Harvard Law Review 1880 (2013)

Thursday, Sept. 29

International Privacy Laws and Cultural Differences

Homework 3 discussion

Homework 3 due

Required reading:

• Nir Kshetri, China's Data Privacy Regulations: A Tricky Tradeoff between ICT's Productive Utilization and Cybercontrol, Security & Privacy, IEEE , vol.12, no.4, pp.38,45, July-Aug. 2014
• B. Ur and Y. Wang. A Cross-Cultural Framework for Protecting User Privacy in Online Social Media. In WWW Workshop on Privacy and Security in Online Social Media (PSOSM13), Rio de Janeiro, Brazil, 2013.

Optional reading:

• Paul Beynon Davies Personal identity management and electronic government: The case of the national Identity Card in the UK Journal of Enterprise Information Management 2007 20:3, 244-270
• J. Lin, M. Benisch, N. Sadeh, J. Niu, J. Hong, B. Lu, and S. Guo. A comparative study of location-sharing privacy preferences in the United States and China. Personal and Ubiquitous Computing. vol 17, num 4., April 2013, pp. 697-711.
• Kumaraguru, P., and Sachdeva, N. Privacy in India: Attitudes and Awareness V 2.0. Tech. rep., Precog-TR-12-001, Precog@IIIT-Delhi, 2012.
• Harris, Andrew, Seymour Godman, and Patrick Traynor. Privacy and security concerns associated with mobile money applications in Africa. (2013).
• Donovan, K. and Martin, A. 2014. The Rise of African SIM Registration: The Emerging Dynamics of Regulatory Change. First Monday 19, 1-2 (February).

Tuesday, Oct. 4

Internet monitoring and web tracking

Required reading:

• L. Cranor, M. Sleeper, and B. Ur. Chapter 5 Tracking and Surveillance. In Privacy Handbook for IT Professionals. 2013.
• Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 5
• JC Cannon, Privacy in Technology, Chapter 6.3 through 6.6, pages 147-164.

Optional reading:

• Jonathan Mayer and John Mitchell. Third-party web tracking: Policy and technology. IEEE Symposium on Security and Privacy 2012.
• Fruchter, N., Miao, H., Stevenson, S., and Balebako, R. Variations in Tracking in Relation to Geographic Location. In Proc. W2SP 2015. (This paper was a result of a final project in this class last year.)
• B. Ur, P.G. Leon, L.F. Cranor, R. Shay, and Y. Wang. Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising, SOUPS 2012.
• R. Balebako, P.G. Leon, R. Shay, B. Ur, L.F. Cranor. Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising. W2SP 2012.
• P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. SOUPS 2013.
• Lalit Agarwal, Nisheeth Shrivastava, Sharad Jaiswal, Saurabh Panjwani. Do Not Embarrass: Re-Examining User Concerns for Online Tracking and Advertising. SOUPS 2013.
• G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens and B. Preneel. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of CCS 2013, Nov. 2013.
• P.G. Leon, J. Cranshaw, L.F. Cranor, J. Graves, M. Hastak, B. Ur. What Do Online Behavioral Advertising Disclosures Communicate to Users?, WPES 2012.
• David M. Kristol. 2001. HTTP Cookies: Standards, privacy, and politics. ACM Trans. Internet Technol. 1, 2 (Nov. 2001), 151-198. http://doi.acm.org/10.1145/502152.502153

Thursday, Oct. 6

W3C

The Platform for Privacy Preferences (P3P) and Do Not Track

One-paragraph project description due

Required reading:

• P.G. Leon, L.F. Cranor, A.M. McDonald, and R. McGuire. Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens WPES 2010.
• JC Cannon, Privacy in Technology, Chapter 6.7 through 6.10, pages 165-182.
• W3C. Tracking Compliance and Scope. W3C Working Draft. [read/skim the latest published version]

Optional reading

• Harry Hochheiser, The Platform for Privacy Preferences as a social protocol, ACM Transactions on Internet Technology, 2(4), 2002.
• The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C 2006.
• P. Resnick and L. Cranor. Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations. (2000). Netnomics 2(1):1-23.
• L. Cranor, L., Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, Volume 7, Issue 3, Autumn 2008, Pages 274-293.
• W3C Tracking Preference Expression (DNT). W3C Working Draft. [read/skim the latest published version]

Tuesday, Oct. 11

Homework 4 discussion

Delving further into privacy policies

Homework 4 due

Required reading:

• J. R. Reidenberg, T. D. Breaux, L. F. Cranor, B. French, A. Grannis, J. T. Graves, F. Liu, A. M. McDonald, T. B. Norton, R. Ramanath, N. C. Russell, N. Sadeh, F. Schaub, Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding., Berkeley Technology Law Journal, vol. 30, 1, pp.39-88, May 2015.

Optional readings:

• Any Sept. 27 optional readings you haven't already read

Thursday, Oct. 13

Privacy on social networks

Required reading:

• Yang Wang, Gregory Norcie, Saranga Komanduri, Alessandro Acquisti, Pedro Giovanni Leon, and Lorrie Faith Cranor. I regretted the minute I pressed share: A qualitative study of regrets on Facebook. In Proc. of SOUPS, p. 10. ACM, 2011.
• Morrison, Caren Myers Passwords, Profiles, and the Privilege against Self-Incrimination: Facebook and the Fifth Amendment; 65 Ark. L. Rev. 133 (2012)
• JC Cannon, Privacy in Technology, Chapter 6 through 6.2, pages 137-146.

Optional reading:

• Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. 2013. The post that wasn't: exploring self-censorship on facebook. In Proc of CSCW '13. ACM
• Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. 2014. A field trial of privacy nudges for facebook. In Proc of SIGCHI Conference on Human Factors in Computing Systems (CHI '14).

Tuesday, Oct. 18

Location tracking

Required reading:

• Janice Tsai, Patrick Gage Kelley, Lorrie Faith Cranor and Norman Sadeh, Location Sharing Technologies: Privacy Risks and Controls, I/S: A Journal of Law and Policy for the Information Society, Vol. 6, No. 2, Summer 2010, pp. 119-151.
• Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen & Vincent D. Blondel. Unique in the Crowd: The privacy bounds of human mobility. Scientific Reports 3, Article number: 1376. 25 March 2013.
• Greg Sterling, Jules Polonetsky & Stephany Fan Understanding Beacons: A guide to Beacon Technologies Future of Privacy Forum, Dec. 2014

Optional reading:

• A. Narayanan, N. Thiagarajan, M. Lakhani, M. Hamburg, and D. Boneh. Location privacy via private proximity testing. NDSS 2011.
• Ann Cavoukian, Nelish Bansal, Nick Koudas, Building Privacy into Mobile Location Analytics (MLA) Through Privacy by Design, privacybydesign.ca

Thursday, Oct. 20

Mid-term

Midterm Review:

• JC Cannon, Privacy in Technology, Chapters 2 and 3, pages 25-82.
• Review all lecture notes

Tuesday, Oct. 25

Biometrics and facial recognition

Field trip to CMU biometrics lab after brief lecture

Homework 5 discussion

Homework 5 due

Required reading

• A Face in the Crowd: Say goodbye to anonymity, 60 Minutes, August 25, 2013
• Anil K. Jain, Arun Ross and Salil Prabhakar, An Introduction to Biometric Recognition, IEEE Transactions on Circuits and Systems for Video Technology, Special Issue on Image- and Video-Based Biometrics, Vol. 14, No. 1, January 2004.

Optional reading:

• J. Pato and L. Millett, Eds. Biometric Recognition: Challenges and Opportunities. National Academies Press, 2010. [You can read just Chapter 4: Cultural, Social, and Legal Considerations]
• Mordini and Massari. Body, Biometrics and Identity. Bioethics Volume 22 Number 9 2008 pp 488-498.
• Matsumoto, Matsumoto, Yamada, and Hoshino. Impact of Artificial "Gummy" Fingers on Fingerprint Systems. Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, Thursday-Friday 24-25 January 2002.

Thursday, Oct. 27

Guest lecture: Lorrie Cranor

The FTC and consumer privacy

Project proposal due

Required reading

• FTC: Most Americans Don't Know How Much Companies Track And Sell Their Data
• Edith Ramirez, Protecting Consumer Privacy in the Digital Age: Reaffirming the Role of Consumer Control, Technology Policy Institute Aspen Forum, August 22, 2016.

Tuesday, Nov. 1

Guest lecture: Bin Liu

Smartphone privacy concerns

Required reading:

• K. Harris, Privacy on the go: recommendations for the mobile ecosystem, California Department of Justice, January 2013
• Balebako, R., C. Bravo-Lillo, Cranor, L. Is Notice Enough: Mitigating the Risks of Smartphone Data Sharing I/S: A Journal of Law and Policy for the Information Society

Optional reading:

• P.G. Kelley, L.F. Cranor, and N. Sadeh. Privacy as Part of the App Decision-Making Process. CHI 2013.
• P.G. Kelley, S. Consolvo, L.F. Cranor, J. Jung, N. Sadeh, D. Wetherall. A Conundrum of Permissions: Installing Applications on an Android Smartphone. Workshop on Usable Security. March 2, 2012, Bonaire.<.li>
• A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. SOUPS 2012.
• J. King. "How Come I'm Allowing Strangers To Go Through My Phone?"--Smartphones and Privacy Expectations. Draft 2013.

Project proposal due

Thursday, Nov. 3

Government surveillance

Homework 6 discussion

Homework 6 due

Required reading:

• Angwin, Julia. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. Macmillan, 2014. Chapter 2

Optional reading:

• C. Soghoian. The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance. Indiana University Dissertation, August 2012. [**Only Chapter 7 is required reading - pp.82-92 of the PDF file.**]
• NSA collects millions of e-mail address books globally. The Washington Post, Oct. 14, 2013.
• American Civil Liberties Union and ACLU of Virginia. Brief of Amici Curiae American Civil Liberties Union and ACLU of Virginia in support of party-in-interest - appellant's appeal seeking reversal [Lavabit amicus brief]
• Connecting the Dots Can the tools of graph theory and social-network studies unravel the next big plot? American Scientist
• Glenn Greenwald, Ewen MacAskill, Laura Poitras, Spencer Ackerman and Dominic Rushe. Microsoft handed the NSA access to encrypted messages. The Guardian, 11 July 2013.
• Barton Gellman and Ashkan Soltani. NSA collects millions of email address books
• Craig TimburgFor sale: Systems that can secretly track where cellphone users go around the globe Washington Post, August 24 2014

Tuesday, Nov. 8

Election day

Identity and anonymity

Required reading:

• David Chaum, Security without Identification: Card Computers to make Big Brother Obsolete, 1987.
• Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh, and Alex ``Sandy'' Pentland Unique in the shopping mall: On the reidentifiability of credit card metadata Science 30 January 2015: 536-539.
• JC Cannon, Privacy in Technology, Chapter 5 through 5.2 (pages 115-128).

Optional reading:

• Michael Reiter and Aviel Rubin, Anonymous Web transactions with Crowds, CACM 42(2), February 1999, pp. 32-48.
• Ann Cavoukian, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, 2006.
• Marc Waldman, Aviel Rubin, and Lorrie Cranor, The architecture of robust publishing systems, TOIT, 1(2), Nov. 2001, pp. 199-230.
• A. Pfitzmann and M. Hansen, Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology.
• Kim Cameron, The Laws of Identity, 2005.

Thursday, Nov. 10

Data privacy and big data

Required reading:

• Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).
• Latanya Sweeney, k-Anonymity: a model for protecting privacy, International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570.

Optional reading:

• E. Klarreich, Privacy by the Numbers: A New Approach to Safeguarding Data. Scientific American. Dec. 21, 2013.
• Sweeney L. Matching Known Patients to Health Records in Washington State Data. Harvard University. Data Privacy Lab. White Paper 1089-1. June 2013.
• Latanya Sweeney, Information Explosion, in Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, Urban Institute, Washington, DC, 2001.
• Daniel C. Barth-Jones The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012).
• A. Machanavajjhala, J.Gehrke, D. Kifer and M. Venkitasubramaniam. l-Diversity: Privacy Beyond k-Anonymity. ICDE 2006.

Tuesday, Nov. 15

Privacy engineering, privacy by design, and privacy governance

Required reading:

• Ann Cavoukian, Privacy by Design, 2009.
• Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering Vol. 35, No. 1, January/February, 2009, pp. 67-82.
• JC Cannon, Privacy in Technology, Chapter 5.3 through 5.5, pages 129-136.

Optional reading:

• Simson Garfinkel, De-Identification of Personal Information, NIST, Oct. 2015.
• Javier Salido, Data Governance for Privacy, Confidentiality and Compliance: A Holistic Approach, ISACA Journal, Volume 6, 2010.
• Rubinstein, Ira and Good, Nathan, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents (August 11, 2012). Berkeley Technology Law Journal, Forthcoming.

Thursday, Nov. 17

Mid-term

Midterm Review:

• Chris Clifton, Chapter 4 Identity and Anonymity. In Privacy Handbook for IT Professionals. 2013.
• JC Cannon, Privacy in Technology, Chapter 7, pages 183-210.
• Review all lecture notes from beginning of semester

Tuesday, Nov. 22

Guest Speaker: Zack Weinberg

Internet Censorship

Homework 7 due

Required reading:

• S. Burnett, N. Feamster "Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests"ACM SIGCOMM Computer Communication Review 45.4 (2015): 653-667.

Optional reading:

• N. Aase, et al. "Whiskey, Weed, and Wukan on the World Wide Web: On Measuring Censors' Resources and Motivations." FOCI. 2012.
• A. Chaabane, et al. "Censorship in the wild: Analyzing internet filtering in syria." Proceedings of the 2014 Conference on Internet Measurement Conference. ACM, 2014.
• A. Abdou, M. Ashraf, and P.C. van Oorschot. "On the Evasion of Delay-Based IP Geolocation."

Thursday, Nov. 24

Thanksgiving break, no class

Tuesday, Nov. 29

Health and electronic records

Creating a research poster

Research and communications skills

• How to write a research paper
• How to create a research poster

Required reading:

• "George Doe" and Julia Belluz With genetic testing, I gave my parents the gift of divorce vox.com, Sept. 9 2014
• Kotz, D., Avancha, S., & Baxi, A. (2009). A privacy framework for mobile health and home-care systems. Privacy in Medical and Home-Care Systems, 12.

Optional reading:

• Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. 2013 Jan 18;339(6117):321-4.
• L. Rodriguez, et al. Research ethics: the complexities of genomic identifiability. Science. 2013; 339: 275-276.
• M. Humbert, E. Ayday, J.-P. Hubaux and A. Telenti. Addressing the Concerns of the Lacks Family: Quantification of Kin Genomic Privacy. 20th ACM Conference on Computer and Communications Security (CCS 2013), Berlin, Germany, 2013.
• Yaniv Erlich & Arvind Narayanan Routes for breaching and protecting genetic privacy Nature Reviews Genetics 15, 409-421 doi:10.1038/nrg3723

Thursday, Dec. 1

Guest Speaker: Mahmood Sharif

Privacy in the age of face and voice recognition

Draft paper due

Required Reading

• Acquisti A., Gross R. and Stutzman F. (2014) "Face Recognition and Privacy in the Age of Augmented Reality," Journal of Privacy and Confidentiality: Vol. 6: Iss. 2, Article 1.

Optional Reading

• Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter. 2016. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 1528-1540. DOI: https://doi.org/10.1145/2976749.2978392
• Carlini, Nicholas, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner, and Wenchao Zhou. "Hidden voice commands." In 25th USENIX Security Symposium (USENIX Security 16), Austin, TX. 2016.

Tuesday, Dec. 6

No Class

No required reading

Thursday, Dec. 8

Poster fair
GHC 4405

No required reading

Friday, Dec. 16

Final project due at noon

You are expected to complete the reading assignments before the class session for which they were assigned. Class discussions will often be based on these assignments and you will not be able to participate fully if you have not done the reading. It is suggested that you write up summaries and highlights as you read each chapter or paper and bring them with you to class.

Quizzes at the beginning of each class will be based on the readings for that day. It is suggested that you arrive on time in order to complete the daily quiz with sufficient time.

All homework assignments must be typed and submitted electronically on Blackboard by class on the day it is due. Every homework submission must include a properly formatted bibliography that includes all works you referred to as you prepared your homework. These works should be cited as appropriate in the text of your answers.

All homework is due at the beginning of class on the due date. You will lose 10% for turning in homework late (5 minutes or more after class has started) on the due date. You will lose an additional 10% for each late day after that. We reserve the right to take off additional points or refuse to accept late homework submitted after the answers have been discussed extensively in class. Reasonable extensions will be granted to students with excused absences or extenuating circumstances. Please contact me as soon as possible to arrange for an extension.

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor. Please familiarize yourself with the CMU Policy on Academic Integrity.

Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress.

All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.

If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.