CMU Privacy Policy Mini Project

CMU does not currently have a comprehensive privacy policy or a web site privacy policy. In this project, our class will develop draft policies for CMU web sites in both English and computer-readable (P3P) form. This project has several parts. Each part will be assigned as a question on one of the weekly homeworks.

Part 1 - Policy Review

a. Review the various privacy-related policies already in place at CMU, including the computing policy, Blackboard privacy guidelines, student privacy rights, privacy of faculty offices, and other relevant policies (here is a good list of policies). Prepare a list of all aspects of privacy that are covered by these policies.

b. Read the privacy policies of at least four other universities (please list the URLs of the policies you read). What did you find in these policies that you liked? What did you find in these policies that you did not like? (You should comment on the format, style, content, and substance of these policies.)

c. What is missing from the CMU policies? Are there any additional areas that you think should be covered? If you were to create a privacy policy to post on the CMU web site, what areas of policy would you need to document that are not covered by the collection of CMU policies that you read?

Part 2 - CMU Web Site Review

Spend some time looking at the CMU web sites. Look at the site map on the main CMU web site. Use the search facility to find pages that include forms.

What is the purpose of the main CMU web site ( What kinds of data appear to be collected on this site? Is this data collected from the general public or just members of the CMU community? Who appears to be responsible for this data (a specific department, central administration, etc.)?

What other web sites are there in the domain (you don't need to list all of them, but try to list groups of web sites). What kinds of data are collected on these sites? Is this data collected from the general public or just members of the CMU community? Who appears to be responsible for this data?

Imagine that you are on a committee that is trying to create a web site privacy policy for CMU. Make some recommendations about the scope of the policy -- which sites or parts of sites should be covered by a general web site privacy policy? (If you want you can suggest multiple options.) Should there be other policies and if so who should be responsible for them? What questions would you need to have answered before you could draft a web site privacy policy for CMU? (Here is a good example of a committee report that proposes some options for CMU computing policies.)

Part 3 - Draft Privacy Policy

Imagine that the CMU privacy policy committee has decided to post a web site privacy policy for CMU. The committee has decided that the policy should include:

Create a web page or set of web pages that includes all of these components. Ideally, you should post this web page (suitably labeled as a draft for a course project and not the official CMU policy) and include the URL in your homework. If you are unable to post it yourself, please email the HTML file(s) to me and I will post them. (We are posting them so that you can each review each others' drafts, but they will be publicly accessible.) I am interested in seeing not only the content of what you put into your draft policy, but also how you write and format it so that it is easily understandable. Feel free to borrow ideas from some of the other policies you looked at. The policy you create should match current CMU practice as best you can determine. There will probably be some areas where you don't really know what the current policy or practice is. In those cases, write the policy to reflect what you think it should be, both from the perspective of protecting privacy as well as being practical in the CMU environment.

Please turn in:

  1. the URL for your policy (or email me your policy file)
  2. A list of points in the privacy policy that the committee should go over to make sure they agree that this is the appropriate policy. For each one provide an explanation about the recommendation in your draft.
  3. A list of the URLs or other sources that you borrowed ideas from and a brief explanation of what ideas you borrowed from each.

Part 4 - Draft Privacy Policy Review

Review the privacy policy drafts written by the students in this class.

  1. For each draft policy, provide a list of what you like about it. Be specific.
  2. How would you proceed to create the second draft of a privacy policy? (For example, use the format of policy X, most of the text from policy Y, but substituting the A section from policy Q, and adding the B section from policy R.)

Part 5 - Revise Draft Privacy Policy

I have divided the class into the following sub-committees, each chaired by a graduate student:

Candice, Bella, Vincent, Ramya

Pei-Chao, Ben, Matt, Christina

Ashish, Indrani, Eduardo

Each committee should produce a new draft of the policy, using your Part 4 work as a starting point. The chair should post the policy (or delegate this to someone else) and submit the URL to me.

Part 6 - Draft P3P Policy

Do this part with the same committee you worked with for Part 5.

1. Come up with an overall plan for P3P-enabling the CMU web sites. Determine how many policies there should be and who should be responsible for creating them. Where should the policies and policy reference files live? Should the well-known location, HTTP header, or embedded link mechanism be used? Should compact policies be used, and, if so, where? Post your plan (formatted in HTML) on the server where you posted the policy you created in part 5 and send me the URL.

2. Create a P3P policy that would be applicable to the main CMU home page (it should correspond with the policy you created in Part 5). Post it on the server where you posted the policy you created in part 5 and send me the URL.

3. Create a P3P policy reference file that indicates that the P3P policy you posted for question 2 applies to the page(s) where you posted the CMU privacy policy and the page(s) where you posted your plan for P3P-enabling CMU web sites. Post the policy reference file in an appropriate place (if you can't post it at the well-known location, add embedded link tags or configure your server to issue P3P headers). Send me the URL. (Don't forget to test to make sure you have properly P3P-enabled these pages.)