15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Computation, Organizations and Society

Fall 2005: MW 9 - 10:20 am, NSH 3002
Class web site: http://lorrie.cranor.org/courses/fa05/ [Fall 2004 class web site]
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/privacy-class
Homework submission: privacy-homework AT cups DOT cs DOT cmu DOT edu

Professor: Lorrie Cranor

Teaching Assistant: Cynthia Kuo

Course Description

Privacy issues have been getting increasing attention from lawmakers, regulators, and the media. As a result, businesses are under pressure to draft privacy policies and post them on their web sites, chief privacy officers are becoming essential members of many enterprises, and companies are taking proactive steps to avoid the potential reputation damage of a privacy mistake. As new technologies are developed, they increasingly raise privacy concerns -- the World Wide Web, wireless location-based services, and RFID chips are just a few examples. In addition, the recent focus on national security and fighting terrorism has brought with it new concerns about governmental intrusions on personal privacy. This course provides an in-depth look into privacy, privacy laws, and privacy-related technologies and self-regulatory efforts. Students will study privacy from philosophical, historical, legal, policy, and technical perspectives.

This course is intended primarily for graduate students and advanced undergraduate students (juniors and seniors) studying computer science, computer engineering, information systems, and related fields; however, it is appropriate for other students who have strong technical backgrounds. Graduate students will be expected to take on more substantial projects than the undergraduate students. This course will include a lot of reading, writing, and class discussion. Students will be able to tailor their assignments to their skills and interests, focusing more on programming or writing papers as they see fit. However, all students will be expected to do some writing and some technical work. A large emphasis will be placed on research and communication skills, which will be taught throughout the course.

Required Texts

Readings will be assigned from the following texts. Additional readings will be assigned from papers available online or handed out in class.

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Week 1 (August 29, August 31): Overview

Week 1 slides

Reading Assignment:
- Solove 1, 2
- Cranor 1

Week 2 (September 7): History and Philosophy

Week 2 slides

Reading Assignment:
- Solove 3
- Americans and Online Privacy (Turow)

Homework 1 due September 7

Week 3 (September 12, 14): Fair Information Practice Principles and Privacy Laws

Week 3 slides

Reading Assignment:
- Cranor 2
- Solove 4
- A Review of the Fair Information Principles
- I Didn't Buy it for Myself (Cranor)
- Managing Information Technology Security and Privacy Compliance (Stampley)

Homework 2 due September 14

Week 4 (September 19, 21): Privacy Self-Regulation and Economics

Week 4 slides

Reading Assignment:
- Solove 5
- How Privacy Notices Promote Informed Consumer Choice (Culnan)
- Privacy: Finding a Balanced Approach to Consumer Options (Gellman)
- Economic Aspects of Personal Privacy (Varian)
- With a Grain of Salt (Harper and Singleton)
- [Optional: Beyond Concern (Cranor, Reagle, and Ackerman)]
- [Optional: Do privacy seals in e-commerce really work? (Moores and Dhillon)]

Project brainstorming due September 19
Homework 3 due September 21

Week 5 (September 26, 28): Online Privacy Concerns

Guest speaker 9/26: Serge Egelman

Week 5 slides

Reading Assignment:
- Cranor 3
- Detecting web bugs with Bugnosis (Alsaid and Martin)
- FTC and Spam (Allman)
- CRS Internet Privacy Report
- Spyware: Background and Policy Issues for Congress
- [Optional: Web bugs in contemporary use (Martin, Wu, Alsaid)]
- [Optional: Suing spammers for fun and profit (Egelman)]
- [Optional: Collateral Damage in the Fight Against Spam (Cohn and Newitz)]
- [Optional: Stopping Spyware at the Gate (Good et al.)]

Homework 4 due September 28

Week 6 (October 3, 5): Introduction to P3P

October 5: Discussion with privacy policy project client

Week 6 slides

Reading Assignment:
- Cranor 5, 6, 7
- Searching for Privacy (Byers, Cranor, Kormann, and McDaniel)
- Cookies and Web browser design (Millett, Friedman, and Felten)
- [Optional: Cranor 12]

One-paragraph project description due October 3
Homework 5 due October 5 (includes privacy policy project part 1)

Week 7 (October 10, 12): Privacy Authorization Languages

Week 7 slides

Reading Assignment:
- Cranor 11, 13
- [Optional: User Interfaces for Privacy Agents (Cranor, Guduru, and Arjula)]

Homework 6 due October 12 (includes privacy policy project part 2)

Week 8 (October 17, 19): P3P Legal and Policy Issues

Week 8 slides

Reading Assignment:
- Cranor Foreword, 4
- The Platform for Privacy Preferences as a social protocol (Hochheiser)
- [Optional: Automated analysis of P3P-enabled Web sites (Byers, Cranor, and Kormann)]
- [Optional: Cranor 14]

Project proposal due October 19

Week 9 (October 24, October 26): Identity, Anonymity and Privacy Enhancing Technologies

Guest speaker 10/24: Ian Goldberg

October 26: Discussion with privacy policy project client

Week 9 slides

Reading Assignment:
- Solove 6
- Identity Theft (Givens)
- NAS Report, Chapters 1 and 2
- Security without Identification (Chaum 1987)
- Anonymous Web transactions with Crowds (Reiter and Rubin)
- [Optional: The architecture of robust publishing systems (Waldman, Rubin, and Cranor)]
- [Optional: Off-the-record communication (Borisov, Goldberg, and Brewer)]

Homework 7/8 due October 26

Week 10 (October 31, November 2): Data Privacy and Biometrics

Week 10 slides

Guest speaker 10/31: Brad Malin [slides]

Reading Assignment:
- Solove 7, 8
- Sweeney 2001
- Sweeney 2002

Homework 9 due November 2

Week 11 (November 7, 9): Government Surveillance and Civil Liberties

Week 11 slides

Reading Assignment:
- Solove 9, 10, 11
- Bigger Monster, Weaker Chains
- [Optional: The Transparent Society (Brin)]
- [Optional: We like to watch (Goldstein)]
- [Optional: Big Brother in the Wires]

Homework 10 due November 9 (includes privacy policy project part 3)

Week 12 (November 14, 16): Privacy and Technology

Week 12 slides

Reading Assignment:
- Enabling Video Privacy through Computer Vision (Senior et al.)
- RFID Privacy (Garfinkel, Juels, and Pappu)
- Candy-Coated Bits
- Faustian Deal (Caloyannides)
- Developing Privacy Guidelines for Social Location Disclosure Applications and Services (Iachello et al.)

Draft project due November 14
Homework 11 due November 16 (includes privacy policy project part 4)

Week 13 (November 21): Healthcare Privacy and Workplace Privacy

Guest speaker 11/21: Michael Shamos [slides]

Reading Assignment:
- 9 to 5 (Balkovich, Bikson, and Bitko)
- Myths and Facts about HIPAA
- Workplace Privacy
- A Brief Summary of the HIPAA Medical Privacy Rule
- [Optional: HPP Privacy Guide, Presidential Health]

Homework 12 due November 28

Week 14 (November 28, 30): Current Issues

Week 14 slides

No required reading
No homework

Week 15 (December 5, 7): Project Presentations and Poster Fair

Poster fair December 14, 2:30-4:30 pm (tentative)

Final project due December 9, 3 pm

Final exam Week: Project Presentations

This class will have no final exam. However, project presentations will be scheduled during our final exam slot, Tuesday, December 13, 1-4 pm. All students are expected to attend.

Course Requirements and Grading

Your final grade in this course will be based on:

You are expected to complete the weekly reading assignments prior to the first class each week. Class discussions will often be based on these assignments and you will not be able to participate fully if you have not done the reading. It is suggested that you write up summaries and highlights as you read each chapter or paper and bring them with you to class.

All homework assignments must be typed and submitted electronically in Microsoft Word or PDF to privacy-homework AT cups DOT cs DOT cmu DOT edu. (Use this address only for submitting homework, not for asking questions about the homework.) Please place the homework number in the subject line (for example, "hw1"). Every homework submission must include a properly formatted bibliography that includes all works you referred to as you prepared your homework. These works should be cited as appropriate in the text of your answers.

All homework is due at 8:55 am on the due date. We will often discuss homework in class, so you should bring an electronic or hard copy of your homework with you to all classes. You will lose 5% for turning in homework after 8:55 am on the day it is due. You will lose an additional 5% for each late day after that. I reserve the right to take off additional points or refuse to accept late homework submitted after the answers have been discussed extensively in class. Reasonable extensions will be granted to students with excused absences or extenuating circumstances. Please contact me as soon as possible to arrange for an extension.

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor.

A class mailing list has been set up for announcements, questions, and further discussion of topics discussed in class. Students will be expected to contribute to mailing list discussions. Students should post (non-personal) course-related questions to this mailing list rather than sending them to the instructor directly. Students are encouraged to post course-related items of interest to this mailing list.