Usable Privacy and Security
05-436 / 05-836 / 17-334 / 17-734 / 19-534 / 19-734
Spring 2025 - available online at https://canvas.cmu.edu/courses/44422
Mondays and Wednesdays 2-3:20 pm
Hamerschlag Hall HH B103
Professor Lorrie Cranor
pronouns: she/her (Feel free to address me as Professor Cranor, Dr. Cranor, or Lorrie)
lorrie@cmu.edu
http://lorrie.cranor.org/
Office hours: I don't have set office hours, but I do encourage you to contact me via email for in-person or Zoom appointments! I am usually available immediately after class and I can often arrange a meeting the same day or the next business day if you email me. Generally, I will schedule meetings between 8:30 am and 5 pm on weekdays in my office in CIC 2107.
Professor Yuvraj Agarwal
pronouns: he/him (Feel free to address me as Professor Agarwal, Dr. Agarwal, or Yuvraj)
yuvraj@cs.cmu.edu
https://www.synergylabs.org/yuvraj
Office hours: Fridays 1pm - 2pm, TCS 327.
Andrea ("Andy") Gallardo, teaching assistant
pronouns: she/her
agallar2@andrew.cmu.edu
Office hours: Monday 9:00-10:00AM on Zoom
Andy's OH Zoom: https://cmu.zoom.us/j/94175336319?pwd=Fw4bx3NDaaO2xm1ZTTJByMeFfaUdPW.1 Meeting ID: 941 7533 6319
Passcode: 170903
Ben Weinshel, teaching assistant
pronouns: he/him
bweinshel@cmu.edu
Office hours: Fridays 10am-11am in CIC 2214 (enter at main Cylab entrance on 2nd floor, then turn left and follow the hallway all the way to the end), or email for Zoom
Project consultant: Mandy Lanyon
pronouns: she/her
mandy@cmu.edu
Mandy will consult on projects and assist with IRB forms and human subject payments; please email her for assistance. IRB reviews and Project funding
Email response times: We are generally available by email 9am-5pm Monday-Friday (Pittsburgh time) and respond quickly during those times. If you email after 5pm, or on the weekend, you might not get a response until the next working day.
We will be using Piazza for class discussion. Rather than emailing questions about the homework and exams to the professor and TA, we encourage you to post your questions on Piazza. You may also post links to relevant articles and papers in Piazza for your classmates to see. Use the Piazza menu in Canvas to access our class Piazza discussions.
Course Description
There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. All students will work in small teams on a group project throughout the semester.
The course is open to all students who have at least some technical background (e.g. an undergraduate computer programming course). The 12-unit course numbers (17-734, 5-836, 19-734) are for PhD students and masters students (but open to undergrads). Students enrolled in these course numbers will be required to read and comment on a research paper each week in addition to the other assignments. The 9-unit course numbers (8-534, 5-436, 19-534) are for undergraduates and masters students.
Course goals
- Gain an appreciation for the importance of usability within security and privacy
- Learn about current research in usable privacy and security
- Learn how to conduct usability studies
- Learn how to critically examine UPS studies
How this course fits into various programs
This course counts as an elective in many undergraduate and graduate programs and can be used to fulfill some specific requirements -- check with your program.
Privacy Engineering masters programs. This course is required for both the full-time and part-time Privacy Engineering masters programs. [CMU undergrads, this course will count towards a 5th year masters in privacy engineering; come talk to Professor Cranor if you want to know more.]
Undergraduate Concentration in Security and Privacy. This course is part of the undergraduate concentration in security and privacy in both Computer Science and in Electrical & Computer Engineering. In particular, this course satisfies the "Context Course Area" requirement of the concentration.
Undergraduate minor in Information Security, Privacy, and Policy. This course is part of the Undergraduate Minor in Information Security, Privacy, and Policy for undergraduate students across the university who are interested in policy issues related to security and privacy. This course can satisfy the privacy elective or additional approved elective requirement.
Interested in learning more about usable privacy and security beyond this course?
Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion.
If you are interested in doing more usable privacy and security research after taking this course, please talk to the professors. The CUPS Lab often has opportunities for students to do research for course credit or pay, during the academic year and over the summer. We will also be looking for TAs for next year's version of this course. In addition, the professors are happy to talk about graduate programs you might consider.
Course Schedule
See course schedule below. Note, schedule is subject to change. Canvas will have the most up-to-date version. Homework assignments will usually be posted on the day the previous assignment is due.
Lecture slides will be posted in the Files menu (see link on left) following each lecture.
Course Requirements and Grading
Your final grade in this course will be based on:
- 10% Class participation (3 absences dropped)
- 10% Quizzes (22 assigned, 3 lowest dropped)
- 30% Homework assignments (7+IRB training, all required, 100 points each)
- 12-unit students only: Additional reading commentaries (12 assigned, 2 lowest dropped, 30 points each)
- 20% Exams (2)
- 30% Project (many components)
We have set up deadlines for all graded elements in the course and have set policies to help keep students accountable for meeting these deadlines and not getting behind. However, our goal is for everyone to do well in the course and we want to help you succeed. If you have been granted accommodations by the Office of Disability Resources that are relevant to this class, please bring those to our attention as soon as possible. If a health or personal issue should arise during the semester that will prevent you from meeting deadlines or attending class for an extended period, please let us know so we can work out alternative deadlines or make other adjustments.
Regrade requests must be submitted within one week of an assignment being graded. Please refrain from requesting regrades unless you believe there is a major problem with the way your assignment was graded. Do not haggle with the TAs over the amount of partial credit awarded. We reserve the right to regrade the entire assignment (which may cause you to lose points) or deny all subsequent regrade requests from students who abuse the regrade mechanism.
See below for more information about how late work and deadline extensions will be handled for different assignment types.
Readings
Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions.
Where to find readings
Readings will be assigned from the following text (available for purchase from all the usual online book stores, and free of charge in ebook form via the CMU library):
- Research Methods in Human-Computer Interaction, 2nd edition. Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser, 2017.
Additional readings will be assigned from papers available online. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or using CMU EZproxy or library VPN).
Quizzes
To verify that students have completed the assigned reading prior to class, students will be asked to take a 5-minute quiz on Canvas before class. The quizzes will cover major points of the readings, including methods, findings, high-level takeaways, and recommendations. You are expected to do the quiz independently and not consult with other people or any materials other than the assigned readings. You are also not permitted to request information from an AI assistant or to use an AI assistant to help answer quiz questions. The quizzes for the week will be available on Canvas at least three days in advance and up to the start of class. You will have 5 minutes to take the quiz from the time you begin.
Your three lowest quiz grades will be dropped. Generally, makeup quizzes will not be offered except in the case of prolonged absence. If extenuating circumstances cause you to miss multiple quizzes, please contact us to arrange for accommodations.
Reading Commentaries
Students taking the 12-unit version of this course are expected to read and submit commentaries on one additional research paper that describes a user study each week, selected from the research papers listed under "additional readings" for the lectures that week (there are also additional readings listed that are news articles, videos, magazine articles or materials other than research papers: these do not count). When no additional readings are listed for a given lecture you may choose any research paper from the additional readings list for any of this course's lectures.
These reading commentaries should consist of a short summary (3-7 sentences), a "highlight" (3-5 sentences) showcasing critical thinking about the study, and a completed UPS user study template (see links in reading commentary assignment). Please keep your reading commentaries short (but insightful) and make sure you also include a complete bibliographic citation for each paper. Commentaries should be submitted in PDF format via Canvas by the deadline specified.
9-unit students are encouraged to review some of the additional readings that they find interesting, but they need not submit commentaries.
Reading commentaries are due every Wednesday from the second week of classes through the second-to-last week of classes, excluding spring break (12 commentaries total).
Your two lowest reading commentary grades will be dropped. If you need an extension on a reading commentary, please submit an extension request via this form. Please submit this before the deadline (unless there is an emergency that makes this impossible). If you ask for multiple extensions (two in a row, or three total), we may reach out to discuss the situation further and explore possible solutions. You will not be penalized for requesting extensions, but we do not want work to pile up in a way that becomes unmanageable.
Homework
This course includes seven homework assignments. All homework is to be submitted in PDF format via Gradescope and is due at 2 pm on the due date, unless specified otherwise.
No homework grades will be dropped. If you need an extension on a homework, please submit an extension request via this form. Please submit this before the homework deadline (unless there is an emergency that makes this impossible). If you ask for extensions on multiple homework assignments (two in a row, or three total) or you ask for more than three days total of homework extensions throughout the semester, we may reach out to discuss the situation further and explore possible solutions. You will not be penalized for requesting extensions, but we do not want work to pile up in a way that becomes unmanageable. Your extension requests will be automatically granted unless unreasonable. You will not receive a response. However, if your extension requests are excessive and you have not made us aware of extenuating circumstances, we may ask you not to submit any more for the rest of the semester.
Exams
We will hold two in-class exams that are weighted equally in your final grade. The second exam will be scheduled during the final exam period. These exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. However, you will be expected to remember and understand key terms and definitions discussed in class. The best way to prepare for these exams is to critically read all of the assigned readings for the course and to be an engaged participant in class discussions throughout the semester. Then review the course slides prior to each exam. Example questions from past exams (without answers) will be made available to all students. You will be permitted to use course notes, readings, and other written materials during the exams, but you must not request, give, or receive help from your classmates or anyone other than the course instructor and TAs. You are also not permitted to request information from an AI assistant or to use an AI assistant to help answer exam questions.
In the event of an extenuating circumstance that prevents you from completing an exam as scheduled, please contact the instructor as soon as possible. Students who need disability-related exam accommodations should contact the instructor early in the semester to make arrangements.
Project
Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester (no later than February 1). As part of the project students will:
- Return their project preference form by February 5 so that they can be assigned to a project team by February 10.
- Submit a brief project proposal with their team by February 26. Detailed instructions are in the project proposal assignment.
- Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than March 19. Include the professor, project consultant, and any mentors you are working with as co-PIs and send them a draft by March 12 to get their feedback.
- Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
- Develop any prototypes necessary to carry out the user study.
- Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
- Submit a progress report by April 2. Detailed instructions are in the progress report assignment.
- Attend a meeting to get feedback on your progress report on April 7.
- Conduct a study using the revised protocol with at least 8 participants (or at least 30 if this is a survey). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 8 participants, likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
- Give a final project presentation in class on April 21 or April 23 and submit the slides online on April 21. Instructions for final presentation may be adjusted based on number of project teams.
- Write a final project report and submit it by 11:59 pm on Friday, May 2. Detailed instructions are in the final project report assignment. Your final paper should be written using the SOUPS 2025 template in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written.
- Submit a peer/self evaluation on February 26, March 31, and May 5. Submitting these evaluations is required in order to receive your grade for this class.
The final paper will count for 80% of your project grade. The other project deliverables will collectively count for the remaining 20% of your project grade. If your project team is having trouble at any stage, please contact us for help!
Teams may request extensions on project deliverables as a group using this form and they will be granted automatically as long as they are reasonable (generally not more than about 3 days total for the entire project).
Students are encouraged to submit their project as a poster to the 2025 Symposium On Usable Privacy and Security, and/or as a full paper to another conference. A paper submission will likely require additional work after the end of the semester. Submitting a poster will require a 2-page abstract. We will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted. In addition, the conference itself makes scholarships available for students to attend, so please apply for these if you want to attend!
Class participation
All students except those registered for the remote (B) sections are expected to regularly attend class in person, arrive on time, and participate in class activities and discussions. We will have lots of class activities, during which you will have an opportunity to register your participation if you are in the classroom. If you are a remote (section B) student we will provide this opportunity for you on Canvas. If you are a section A student you will not be able to get class participation credit if you are not in the classroom at the time of the activity.
Students may drop up to 3 class participation grades. Generally, there will not be any opportunity to make up missed class participation grades. However, students with extenuating circumstances leading to frequent absences should contact the instructor for possible accommodation.
Failure to actively participate in group work will adversely impact your class participation grade.
Remote students
Remote students are those students who have been approved for remote attendance and registered for the B section of this course. Students at non-Pittsburgh CMU campuses are expected to attend synchronously over Zoom. Part-time remote students are strongly encouraged to attend synchronously over Zoom if their schedules permit but may alternatively watch the recorded course lectures within the same week of each course session. Zoom links and recordings are available through the Zoom menu on Canvas. Remote students are expected to work on class activities either in the Zoom room or on their own and will be asked to submit evidence of their remote work for their class participation grade immediately after class (or later that week for part-time students).
All other students are expected to attend class in person unless they are ill, traveling, etc. In the event of an occasional absence, in-person students may attend class remotely or review recorded lectures. This should NOT be a regular occurrence (and in-person students will not be given the opportunity to receive class participation credit remotely except in exceptional circumstances).
The recorded lectures are available to all students as a study aid.
Group Work
This course involves a large group project as well as some homework assignments that may optionally be completed in a small group. It is important that all members of a group participate fully. If there are circumstances that are going to make your participation in a group difficult, please bring them to our attention as soon as possible. Once groups are set up, if your group is experiencing difficulties working together and would like assistance in working them out, please let us know. Failure to participate fully in group work will impact your class participation grade.
Collaboration and Academic Integrity Policy
You are permitted to talk to the instructor, TA, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out their own solutions to the homework unless collaboration is explicitly authorized as part of the assignment. Consulting another student's solution or a solution found on the Internet or generated by an AI tool is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and quizzes and is considered cheating. If you have any question about whether some activity would constitute cheating, please ask.
You must cite any sources you use to prepare all homework and project-related assignments using an inline reference (number or author name and date in parentheses or a footnote) and an accompanying full citation (not just a URL). This includes papers, news articles, textbook chapters (including the assigned reading), videos, and any other sources that you quote or use ideas from. If you consult with any sort of AI assistant you must cite that as your source. You are permitted to use an AI assistant to gather or analyze information or to improve your writing for homework assignments and projects, but you should use it with extreme caution. You are NOT permitted to use an AI assistant in any way for quizzes and exams.
Cheating may result in failure of the course, and the university administration will be notified of all cheating incidents per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Academic Integrity at https://www.cmu.edu/policies/student-and-student-life/academic-integrity.html and https://www.cmu.edu/student-affairs/ocsi/students/.
Treat People With Respect
We are diverse in many ways, and this diversity is fundamental to building and maintaining an equitable and inclusive campus community. Diversity can refer to multiple ways that we identify ourselves, including but not limited to race, color, national origin, language, sex, disability, age, sexual orientation, gender identity, religion, creed, ancestry, belief, veteran status, or genetic information. Each of these diverse identities, along with many others not mentioned here, shape the perspectives our students, faculty, and staff bring to our campus. At CMU we work to promote diversity, equity and inclusion not only because diversity fuels excellence and innovation, but because we want to pursue justice. We acknowledge our imperfections while we also fully commit to the work, inside and outside of our classrooms, of building and sustaining a campus community that increasingly embraces these core values. Each of us is responsible for creating a safer, more inclusive environment. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups.
Unfortunately, incidents of bias or discrimination do occur, whether intentional or unintentional. They contribute to creating an unwelcoming environment for individuals and groups at the university. Therefore, the university encourages anyone who experiences or observes unfair or hostile treatment on the basis of identity to speak out for justice and support, within the moment of the incident or after the incident has passed. The university has also set up channels for reporting bias incidents.
Take Care of Yourself and Ask for Help
Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is almost always helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help. If you have questions about this or your coursework, or if there is anything else we can do to help you, please let us know. Thank you, and have a great semester!
