Usable Privacy and Security

05-436 / 05-836 / 17-334 / 17-734 / 19-534 / 19-734
Usable Privacy and Security

Spring 2022: Mondays and Wednesdays 1:25 pm-2:45 pm
Doherty Hall 1211  NSH 1305

The course will meet only online via Zoom January 19-26. See the Zoom menu for connection details. You must connect using your CMU Zoom account.

Professor Lorrie Cranor
pronouns: she/her (Feel free to address me as Professor Cranor, Dr. Cranor, or Lorrie)
lorrie@cmu.edu
http://lorrie.cranor.org/
Office hours: By appointment

Sarah Pearman, head teaching assistant
pronouns: she/her (I prefer to just be called Sarah, but if you are more comfortable using titles, Ms. Pearman is okay too)
spearman@cmu.edu
Office hours: By appointment, and usually available to answer questions after class

Teaching assistants: Chris Choy, Isha Hans, Jimmy Ray

Email response times: We are generally available by email 9am-5pm Monday-Friday (Pittsburgh time) and respond quickly during those times. If you email after 5pm, or on the weekend, you might not get a response until the next working day.

Office hours: We don't have set office hours, but we do encourage you to contact us for appointments! We can often arrange a meeting the same day you contact us if you email before 5pm on weekdays. In addition, we are usually available to answer questions immediately after class on Wednesdays. 

We will be using Piazza for class discussion. Rather than emailing questions about the homework and exams to the professor and TA, we encourage you to post your questions on Piazza. You may also post links to relevant articles and papers in Piazza for your classmates to see. Find our class page at:  piazza.com/cmu/spring2022/054360583617334177341953419734

We also have a class Slack. This is optional to join, and Piazza and email will still be preferable for any important questions directed at the instructor or TAs. However, this is a great place to discuss things with other students, post interesting links about topics relevant to the class, find group members for group homeworks, and so forth. You can join using this link: https://join.slack.com/t/ups2022/signup 

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. All students will work in small teams on a group project throughout the semester. 

The course is open to all students who have at least some technical background (e.g. an undergraduate computer programming course). The 12-unit course numbers (17-734, 5-836, 19-734) are for PhD students and master's students. Students enrolled in these course numbers will be required to read and comment on a research paper each week in addition to the other assignments. The 9-unit course numbers (8-534, 5-436, 19-534) are for undergraduates and master's students.

Course goals

  • Gain an appreciation for the importance of usability within security and privacy
  • Learn about current research in usable privacy and security
  • Learn how to conduct usability studies
  • Learn how to critically examine UPS studies 

How this course fits into various programs

This course is required for the Privacy Engineering master's program. It can count as an elective in many other undergraduate and graduate programs.

Undergraduate Concentration in Security and Privacy. This course is part of the undergraduate concentration in security and privacy in both Computer Science and in Electrical & Computer Engineering. In particular, this course satisfies the "Context Course Area" requirement of the concentration.

Undergraduate minor in Information Security, Privacy, and Policy. This course is part of the Undergraduate Minor in Information Security, Privacy, and Policy for undergraduate students across the university who are interested in policy issues related to security and privacy. This course can satisfy the privacy elective or additional approved elective requirement.

Interested in learning more about usable privacy and security beyond this course?

Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion.

If you are interested in doing more usable privacy and security research after taking this course, please talk to the professor. The CUPS Lab often has opportunities for students to do research for course credit or pay, during the academic year and over the summer. In addition, the professor is happy to talk about graduate programs you might consider.

Course Schedule

See course schedule below. Note, schedule is subject to change. Canvas will have the most up-to-date version. Homework assignments will usually be posted on the day the previous assignment is due.

Lecture slides will be posted in the Files menu following each lecture.

Course Requirements and Grading

Your final grade in this course will be based on:

  • 20% Quizzes (22 assigned, 3 lowest dropped)
  • 30% Homework assignments (8, all required)
    • 12-unit students only: Additional reading commentaries (12 assigned, 2 lowest dropped)
  • 20% Exams (2)
  • 30% Project (many components)

We have set up deadlines for all graded elements in the course and have set policies to help keep students accountable for meeting these deadlines and not getting behind. However, our goal is for everyone to do well in the course and we want to help you succeed. If you have been granted accommodations by the Office of Disability Resources that are relevant to this class, please bring those to the attention of the instructor as soon as possible. If a health or personal issue should arise during the semester that will prevent you from meeting deadlines or attending class for an extended period, please let us know so we can work out alternative deadlines or make other adjustments.

See below for more information about how late work and deadline extensions will be handled for different assignment types.

Readings

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions.

Where to find readings

Readings will be assigned from the following text (available for purchase from all the usual online book stores, and free of charge in ebook form via the CMU library):

Additional readings will be assigned from papers available online. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or using CMU EZproxy or library VPN).

Quizzes

To verify that students have completed the assigned reading, students will be asked to take a 5-minute quiz on Canvas prior to each class. The quizzes will cover major points of the readings, including methods, findings, high-level takeaways, and recommendations.  They must be completed by the start of class (1:25pm). The quizzes generally have a 5-minute time limit unless otherwise indicated. You are expected to do the quiz independently and not consult with other people or any materials other than the assigned readings. The quizzes for the week will become available on Canvas at the start of the week (Sunday 12:00am).

Late Policy for Quizzes

Your three lowest quiz grades will be dropped. We generally will not allow extensions or makeups on quizzes. However, should an emergency arise that causes you to miss multiple quizzes, please reach out to us to discuss possible accommodation.

Reading Commentaries

Students taking the 12-unit version of this course are expected to read and submit commentaries on one additional research paper that describes a user study each week, selected from the research papers listed under "additional readings" for the lectures that week (occasionally there are additional readings listed that are news articles, videos, or materials other than research papers: these do not count). When no additional readings are listed for a given lecture you may choose any research paper from the additional readings list for any of this course's lectures.

These reading commentaries should consist of a short summary (3-7 sentences),  a "highlight" (3-5 sentences) showcasing critical thinking about the study, and a completed UPS user study template. Please keep your reading commentaries short (but insightful) and make sure you also include a complete bibliographic citation for each paper. Commentaries should be submitted in PDF format via Canvas by the deadline specified.

9-unit students are encouraged to review some of the additional readings that they find interesting, but they need not submit commentaries.

Late Policy for Reading Commentaries

We will drop your two lowest reading commentary grades. We generally will not allow extensions or makeups on reading commentaries. However, if you have extenuating circumstances that will cause you to be unable to turn in multiple reading commentaries on time, please reach out to discuss possible accommodation.

Homework

This course includes eight homework assignments. All homework is to be submitted in PDF format via Gradescope and is due at 1:25 pm on the due date, unless specified otherwise.

Late Policy for Homeworks 1-8

Homework is considered one day late if it is submitted after 1:25 pm on the due date. You will be penalized 10% for every late day if you have not requested an extension before the deadline. If you need an extension on a homework, please submit an extension request via this form. Please submit this before the homework deadline (unless there is an emergency that makes this impossible).

If you ask for extensions on multiple homeworks (two in a row, or three total), we may reach out to discuss the situation further and explore possible solutions. You will not be penalized for requesting extensions, but we do not want work to pile up in a way that becomes unmanageable.

Exams

We will hold two in-class exams that are weighted equally in your final grade. The second exam will be scheduled during the final exam period. These exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. However, you will be expected to remember and understand key terms and definitions discussed in class. The best way to prepare for these exams is to critically read all of the assigned readings for the course and to be an engaged participant in class discussions throughout the semester. Then review the course slides prior to each exam. Example questions from past exams (without answers) will be made available to all students. You will be permitted to use course notes and other materials during the exams, but you must not request, give, or receive help from your classmates or anyone other than the course instructor and TAs. 

In the event of an extenuating circumstance that prevents you from completing an exam as scheduled, please contact the instructor as soon as possible. Students who need disability-related exam accommodations should contact the instructor early in the semester to make arrangements.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructor early in the semester (February 1 or earlier). As part of the project students will:

  • Return their project preference form by February 14 so that they can be assigned to a project team by February 16.
  • Submit a brief project proposal with their team by February 28. Detailed instructions are in the  project proposal assignment.
  • Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than March 21. Include the professor, head TA, and any mentor you are working with as co-PIs and send them a draft by March 14 to get their feedback.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Develop any prototypes necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • Submit a progress report and slides by April 4. Detailed instructions are in the progress report assignment.
  • Give a brief (7-10 minutes) progress report presentation on April 4 or April 6. Further instructions on length and format will be provided.
  • Conduct a study using the revised protocol with at least 6 subjects (or at least 30 if this is a survey). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
  • Give a final project presentation in class on April 25 or April 27 and submit the slides online on April 25. Instructions for final presentation may be adjusted based on number of project teams.
  • Write a final project report and submit it by 9 am on Monday, May 9. Detailed instructions are in the final project report assignment. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. 
  • Submit a peer/self evaluation on March 2, April 4, and May 9. Submitting these evaluations is required in order to receive your grade for this class.

The final paper will count for 80% of your project grade. The other project deliverables will collectively count for the remaining 20% of your project grade. If your project team is having trouble at any stage, please contact us for help!

Students are encouraged to submit their project as a poster to the 2022 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2022 or another conference. A paper submission will likely require additional work after the end of the semester. Submitting a poster requires a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted. In addition, the conference itself makes scholarships available for students to attend, so please apply for these if you want to attend!

Online and Hybrid Course Meetings 

This course is scheduled to meet in person all semester beginning January 31 (although it may revert to online-only if/when the university's COVID posture changes). However, to accommodate a larger number of students and for the convenience of students who are unable to attend class in person, the course will be available in a hybrid format and students will be able to participate remotely via Zoom. Recordings of lectures and automatically generated transcripts will be posted in Canvas (in the Zoom tab) and are for your use only; do not share them. Breakout rooms will not be recorded. Slides will be posted publicly.

At the beginning of the semester we will place students into one of the following categories based on their preferences:

  • Fully remote - These students will attend remotely throughout the semester
  • Monday remote - These students will attend remotely on Mondays and in person on Wednesdays
  • Wednesday remote - These students will attend remotely on Wednesdays and in person on Mondays
  • Rotating remote - These students will be assigned to attend remotely approximately once every four course sessions

On days you are supposed to be in the classroom, please make an effort to show up if you are healthy and not in quarantine. If you decide you would rather be fully remote, please let us know. If there is a particular day you would really like to be in class and you are assigned to be remote, please try to find someone to trade with (you can ask on Piazza).

Students participating remotely are strongly encouraged to attend class synchronously via Zoom (i.e. participate in the class in real time as it happens). If you are a student in a part-time degree program, in a time zone where attending synchronously is difficult, or have other extenuating circumstances, please let us know as soon as possible and we will arrange for alternative ways for you to participate in interactive class activities. 

We will do our best to make the course interesting and engaging for those participating online, but it will require active participation from students. When we ask questions in class, please raise your hand or type comments in the chat to respond. When we go into breakout rooms, please actively engage with your classmates on the discussion topic. We do not require that students turn on their cameras during class, but we do strongly encourage it, especially during class discussions. Feel free to use a virtual background to help protect your privacy and/or the privacy of others in your shared space. Please turn off your microphone when you are not speaking. Don't worry if others in your space appear on screen during class -- your pets are especially welcome during class, and you are invited to introduce them to us.

This semester we will try to start each class with a song, so come on time to hear the song of the day as we get ready for class!

Group Work

This course involves a large group project as well as some smaller group homework assignments. It is important that all members of a group participate fully. If there are circumstances that are going to make your participation in a group difficult, please bring them to our attention as soon as possible. Once groups are set up, if your group is experiencing difficulties working together and would like assistance in working them out, please let us know.

Collaboration Policy

You are permitted to talk to the instructor, TA, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out their own solutions to the homework unless collaboration is explicitly authorized as part of the assignment. Consulting another student's solution or a solution found on the Internet is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and quizzes and is considered cheating. If you have any question about whether some activity would constitute cheating, please ask.

Cheating may result in failure of the course, and the university administration will be notified of all cheating incidents per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Academic Integrity at https://www.cmu.edu/policies/student-and-student-life/academic-integrity.html and https://www.cmu.edu/student-affairs/ocsi/students/.

Treat People With Respect

We are diverse in many ways, and this diversity is fundamental to building and maintaining an equitable and inclusive campus community. Diversity can refer to multiple ways that we identify ourselves, including but not limited to race, color, national origin, language, sex, disability, age, sexual orientation, gender identity, religion, creed, ancestry, belief, veteran status, or genetic information. Each of these diverse identities, along with many others not mentioned here, shape the perspectives our students, faculty, and staff bring to our campus. At CMU we work to promote diversity, equity and inclusion not only because diversity fuels excellence and innovation, but because we want to pursue justice. We acknowledge our imperfections while we also fully commit to the work, inside and outside of our classrooms, of building and sustaining a campus community that increasingly embraces these core values. Each of us is responsible for creating a safer, more inclusive environment. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups.

Unfortunately, incidents of bias or discrimination do occur, whether intentional or unintentional. They contribute to creating an unwelcoming environment for individuals and groups at the university. Therefore, the university encourages anyone who experiences or observes unfair or hostile treatment on the basis of identity to speak out for justice and support, within the moment of the incident or after the incident has passed. The university has also set up channels for reporting bias incidents.

Take Care of Yourself and Ask for Help

Take care of yourself.  Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is almost always helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help. If you have questions about this or your coursework, or if there is anything else we can do to help you, please let us know. Thank you, and have a great semester!

This course content is offered under a CC Attribution Non-Commercial license. Content in this course can be considered under this license unless otherwise noted.