15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology
Mini Project
In this mini project our class will draft a privacy policy and
accompanying P3P policy for a real web site. The mini project will be done
in several parts, which will be assigned as part of homework
assignments throughout the semester.
The mini project will be done in small groups. Here are the group assignments:
- SCS Group: bfk, emmartin, sme, pkumarag
- INI Group: dwsmith, rdhar, rholzer, rmahon
- EPP/PPM Group: kzelonis, rciampa, mgeiger, atagert, xsheng, vijge
- Misc. Group: fahd, bleber, jnahmias, chinting, dmorda
The first person listed in each group should serve as the group
leader. The group leader is responsible for coordinating when the
group will meet together and for submitting the assignments on behalf
of the group.
This semester we will draft a privacy policy for The Carnegie Pulse, an online student
newspaper at CMU. The student editors (Nick Ennis, Jason Surovy, and
Lindsey Arroyo) will meet with our class on
September 30 and October 21 to answer questions and provide feedback.
Part 1 - Due September 30 (as part of HW5)
(I) Review the privacy policies of at least 3 other student
newspapers, such as Student Life, the Yale Daily News, the Daily Pennsylvanian, or others. For each one:
- (a) Provide the URL of the privacy policy.
- (b) List any content that is missing from the policy or described
inadequately. See Cranor p. 67 for a list of content to look for in a
privacy policy. For each missing or inadequate item explain whether it
is missing completely, too confusing, etc. (If nothing is missing, say
so.)
- (c) List any practices described by the policy that you consider
to be inadequate from a privacy perspective. Briefly explain why the
practice is inadequate and how you would recommend improving it. (If
you think the policy offers adequate privacy protections, say
so.)
- (d) Critique the presentation of the policy, including both the
readability and formatting.
(II) Familiarize yourself with The
Carnegie Pulse web site. Make a list of questions you will need to
answer in order to draft a privacy policy for tcpulse.com. You will
have an opportunity to ask these questions in class on September 30.
Part 2 - Due October 14 (as part of HW7)
Draft a privacy
policy for tcpulse.com. Format it as an HTML file suitable for posting
on their web site (but include a note that this is a draft and not the
official policy). Post the file and submit the URL via email, or
submit the HTML file itself via email.
Your policy will be graded on the following points:
- accuracy: Your privacy policy should accurately reflect the Pulse's information practices.
- completeness: Your privacy policy should address at least all of the bullet points on Cranor p. 67.
- readability: Your privacy policy should be easy to understand. It should be written in clear, concise, and correct English, and should be carefully proofread. Points will be taken off for sloppy organization, spelling, punctuation, and grammar.
- formatting: Your privacy policy's formatting should aid reading, with section headings that stand out, lists set off with bullet points, important points or words emphasized, readable fonts, etc. The document should look professional.
- usefulness: Your privacy policy should be useful to the Pulse in that it should address the needs expressed by the Pulse editors.
Part 3 - Due October 28 (as part of HW9)
Review the draft privacy policies created by the other teams. Based
on your review and the feedback provided by the Pulse editors, create
a revised privacy policy. Feel free to cut and paste from other teams'
drafts. Once again, format your policy in HTML and submit the file or
a URL. Your policy will again be graded on accuracy, completeness,
readability, formatting, and usefulness, as described under Part 2, above.
Part 4 - Due November 11 (as part of HW11)
(I) Create a plan for P3P enabling tcpulse.com. Do the following:
- (a) Describe your plan. Be sure to address at least the following issues:
  - (i) how many P3P policies to create
  - (ii) whether to use the well-known location or alternatives
  - (iii) whether to use compact policies
  - (iv) whether to combine policies in the policy reference file or to have policies in separate files
- (b) Briefly state the rationale for each of your choices on the four issues listed in part (a).
(II) Create the necessary P3P files as outlined in your plan. Make sure
you validate them!
Submit via email the following files or URLs pointing to these
files:
- your P3P plan
- p3p files
- a set of instructions for posting the P3P files on the tcpulse.com
site
Your plan, P3P files, and instructions will be graded on:
- rationale: Your decisions in (I) should meet the needs of the Pulse website, and your rationale should explain how your decisions meet the Pulse's needs.
- completeness: The Pulse should be able to fully P3P enable their site by simply following your instructions.
- correctness: The P3P files you submit should accurately reflect the privacy policy you wrote for Part 3 of the mini project and should be bug-free.