Usable Privacy and Security

05-436 / 05-836 / 17-334 / 17-734 / 19-534 / 19-734
Spring 2021: ONLINE Mondays and Wednesdays 2:20 pm-3:40 pm

Professor Lorrie Cranor
pronouns: she/her (Feel free to address me as Professor Cranor, Dr. Cranor, or Lorrie)
lorrie@cmu.edu
http://lorrie.cranor.org/
Office hours: By appointment

Sarah Pearman, teaching assistant
pronouns: she/her (I prefer to just be called Sarah, but if you are more comfortable using titles, Ms. Pearman is okay too)
spearman@cmu.edu
Office hours: By appointment, and available to answer questions after class

Email response times: Both of us are generally available by email 9am-5pm Monday-Friday (Pittsburgh time) and respond quickly during those times. If you email after 5pm, or on the weekend, you might not get a response until the next working day.

Office hours: We don't have set office hours, but we do encourage you to contact us for appointments! We can often arrange a meeting the same day you contact us, if you email before 5pm on weekdays. In addition, we are usually available to answer questions immediately after each class. 

We will be using Piazza for class discussion. Rather than emailing questions about the homework and exams to the professor and TA, we encourage you to post your questions on Piazza. You may also post links to relevant articles and papers in Piazza for your classmates to see. Find our class page at: https://piazza.com/cmu/spring2021/054360583617334177341953419734

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. All students will work in small teams on a group project throughout the semester. 

The course is open to all students who have at least some technical background (e.g. an undergraduate computer programming course). The 12-unit course numbers (17-734, 5-836, 19-734) are for PhD students and masters students. Students enrolled in these course numbers will have extended homework assignments and will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (8-534, 5-436, 19-534) are for undergraduates and masters students. 

Course goals

  • Gain an appreciation for the importance of usability within security and privacy
  • Learn about current research in usable privacy and security
  • Learn how to conduct usability studies
  • Learn how to critically examine UPS studies 

How this course fits into various programs

This course is required for the Privacy Engineering masters program. It can count as an elective in many other undergraduate and graduate programs.

Undergraduate Concentration in Security and Privacy. This course is part of the undergraduate concentration in security and privacy in both Computer Science and in Electrical & Computer Engineering. In particular, this course satisfies the "Context Course Area" requirement of the concentration.

Undergraduate minor in Information Security, Privacy, and Policy. This course is part of the Undergraduate Minor in Information Security, Privacy, and Policy for undergraduate students across the university who are interested in policy issues related to security and privacy. This course can satisfy the privacy elective or additional approved elective requirement.

Interested in learning more about usable privacy and security beyond this course?

Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion.

If you are interested in doing more usable privacy and security research after taking this course, please talk to the professor. The CUPS Lab often has opportunities for students to do research for course credit or pay, during the academic year and over the summer. In addition, the professor is happy to talk about graduate programs you might consider.

Course Schedule

See course schedule below. Note, schedule is subject to change. Canvas will have the most up-to-date version. Homework assignments will usually be posted on the day the previous assignment is due.

Lecture slides will usually be posted in the calendar entry and in the Files menu (see link on left) following each lecture.

Course Requirements and Grading

Your final grade in this course will be based on:

  • 20% Readings and Quizzes (22)
  • 30% Homework (8)
  • 20% Exams (2)
  • 30% Project (many components)

We have set up deadlines for all graded elements in the course and have set policies to help keep students accountable for meeting these deadlines and not getting behind. However, our goal is for everyone to do well in the course and we want to help you succeed. If you have been granted accommodations relevant to this class, please bring those to the attention of the instructor as soon as possible. If a health or personal issue should arise during the semester that will prevent you from meeting deadlines or attending class, please let us know so we can work out alternative deadlines or make other adjustments.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, students will be asked to take a 5-minute quiz on Canvas. The quizzes will cover major points of the readings, including methods, findings, high-level takeaways, and recommendations. The quiz will be available starting 12 hours before class and ending 5 minutes after the start of class. You are expected to do the quiz independently and not consult with other people or any materials other than the assigned readings. Your single lowest quiz grade will be dropped.

In the event of an emergency situation that prevents you from completing the quiz during the window of time it is available, please contact the instructor as soon as possible.

Students taking the 12-unit version of this course are expected to do additional readings each week. In some cases, we will specify which extra reading(s) to do. In other cases, we will specify that students can choose from any of the additional readings for the week. All other students are encouraged to review some of the additional readings that they find interesting, but they need not submit summaries or highlights.

Readings will be assigned from the following text (available for purchase from all the usual online book stores, and free of charge in ebook form via the CMU library):

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU EZproxy or library VPN).

Homework

This course includes eight homework assignments. All homework is to be submitted in PDF format via Canvas and is due at 2:20 pm on the due date, unless specified otherwise. Homework is considered one day late if it is submitted after 2:20 pm on the due date. You will be penalized 10% for every late day. Your single lowest homework grade will be dropped from your homework average. In extenuating circumstances, please contact the instructor to arrange for an extended deadline.

Students taking the 12-unit version of the course will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Exams

We will hold two in-class exams that are weighted equally in your final grade. These exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. However, you will be expected to remember and understand key terms and definitions discussed in class. The best way to prepare for these exams is to critically read all of the assigned readings for the course and to be an engaged participant in class discussions throughout the semester. Then review the course slides prior to each exam. Example questions from past exams (without answers) will be made available to all students. You will be permitted to use course notes and other materials during the exams, but you must not request, give, or receive help from your classmates or anyone other than the course instructor and TA. Due to the condensed schedule in Spring 2021, the second exam will be held during the final exam period. 

In the event of an emergency situation that prevents you from completing the exam as scheduled, please contact the instructor as soon as possible. Students in distant time zones or who need exam accommodations should contact the instructor early in the semester to make arrangements.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructor early in the semester (February 17 or earlier). As part of the project students will:

  • Return their project preference form by Wednesday, February 24 so that they can be assigned to a project team by Monday, March 1.
  • Submit a brief project proposal by Wednesday, March 10. Detailed instructions are in the project proposal assignment.
  • Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than March 24. Include the professor, TA, and any mentor you are working with as co-PIs and send them a draft by March 17 to get their feedback.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Develop any prototypes necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • Submit a progress report and slides by Monday, April 12. Detailed instructions are in the progress report assignment.
  • Give a brief (7-10 minutes) progress report presentation on April 12 or April 14.
  • Conduct a study using the revised protocol with at least 6 subjects (or at least 30 if this is a survey). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, it will likely be useful mostly as a pilot study and should be positioned as such in your paper.
  • Give a final project presentation in class on May 3 or 5 and submit the slides online on May 3. Instructions for final presentation may be adjusted based on number of project teams.
  • Write a final project report and submit it by 9 am on Monday, May 17. Detailed instructions are in the final project report assignment.
  • Submit a peer evaluation by 10 am on May 17. Submitting a peer evaluation is required in order to receive your grade for this class.

The final paper will count for 80% of your project grade. The other project deliverables will collectively count for the remaining 20% of your project grade. If your project team is having trouble at any stage, please contact us for help!

Students are encouraged to submit their project as a poster to the 2021 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2022 or another conference. A paper submission will likely require additional work after the end of the semester. Submitting a poster requires a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted. In addition, the conference itself makes scholarships available for students to attend, so please apply for these if you want to attend!

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. 

Online Course Meetings and Group Work

This course is scheduled to meet online all semester. Recordings of lectures and automatically generated transcripts will be posted in Canvas (in the Zoom tab) and are for your use only; do not share them. Breakout rooms will not be recorded. Slides will be posted publicly.

We will do our best to make the course interesting and engaging in the online format, but it will require active participation from students. When we ask questions in class, please raise your hand or type comments in the chat to respond. When we go into breakout rooms, please actively engage with your classmates on the discussion topic. We do not require that students turn on their cameras during class, but we do encourage it, especially during class discussions. Feel free to use a virtual background to help protect your privacy and/or the privacy of others in your shared space. Please turn off your microphone when you are not speaking. Don't worry if others in your space appear on screen during class -- your pets are especially welcome during class, and you are invited to introduce them to us.

This semester we will try to start each class with a song, so come on time to hear the song of the day!

Students who are in time zones conducive to attending class synchronously are expected to do so as much as possible. If you are in a time zone where this is difficult or have other extenuating circumstances, please let us know as soon as possible and we will try to arrange for alternative ways for you to participate in interactive class activities. 

This course involves a large group project as well as some smaller group assignments. It is important that all members of a group participate fully. If there are circumstances that are going to make your participation in a group difficult, please bring them to our attention as soon as possible. Once groups are set up, if your group is experiencing difficulties working together and would like assistance in working them out, please let us know.

Collaboration Policy

You are permitted to talk to the instructor, TA, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out their own solutions to the homework unless collaboration is explicitly authorized as part of the assignment. Consulting another student's solution or a solution found on the Internet is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and quizzes and is considered cheating. If you have any question about whether some activity would constitute cheating, please ask.

Cheating will result in failure of the course, and the university administration will be notified per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Academic Integrity at https://www.cmu.edu/policies/student-and-student-life/academic-integrity.html and https://www.cmu.edu/student-affairs/ocsi/students/.

Treat People With Respect

We are diverse in many ways, and this diversity is fundamental to building and maintaining an equitable and inclusive campus community. Diversity can refer to multiple ways that we identify ourselves, including but not limited to race, color, national origin, language, sex, disability, age, sexual orientation, gender identity, religion, creed, ancestry, belief, veteran status, or genetic information. Each of these diverse identities, along with many others not mentioned here, shape the perspectives our students, faculty, and staff bring to our campus. At CMU we work to promote diversity, equity and inclusion not only because diversity fuels excellence and innovation, but because we want to pursue justice. We acknowledge our imperfections while we also fully commit to the work, inside and outside of our classrooms, of building and sustaining a campus community that increasingly embraces these core values. Each of us is responsible for creating a safer, more inclusive environment. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups.

Unfortunately, incidents of bias or discrimination do occur, whether intentional or unintentional. They contribute to creating an unwelcoming environment for individuals and groups at the university. Therefore, the university encourages anyone who experiences or observes unfair or hostile treatment on the basis of identity to speak out for justice and support, within the moment of the incident or after the incident has passed. The university has also set up channels for reporting bias incidents.

Take Care of Yourself and Ask for Help

Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is almost always helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help. If you have questions about this or your coursework, or if there is anything else we can do to help you, please let us know. Thank you, and have a great semester!

This course content is offered under a CC Attribution Non-Commercial license. Content in this course can be considered under this license unless otherwise noted.