University of Chicago SUPERgroup

Usable Security and Privacy (CMSC 23210 / CMSC 33210)

Spring 2017
Mondays & Wednesdays, 3:00-4:20, Ryerson 276

Course Staff

Blase Ur | blase@uchicago.edu | Ryerson 157 | Thursdays 1:00 - 2:00 & by appointment
Maria Hyun (TA) | mhyun@uchicago.edu | Ryerson 254 | Wednesdays 1:00 - 2:00 & by appointment
Gushu Li (TA) | ligushu@uchicago.edu | Ryerson 254 | Mondays 4:30 - 5:30 & by appointment
Hua Li (TA) | hli5@uchicago.edu | Ryerson 375 | Fridays 3:00 - 4:00 & by appointment

Course Description

Regardless of how secure a system is in theory, failing to consider how humans actually use the system leads to disaster in practice. This course will examine how to design for security and privacy from a user-centered perspective by combining insights from computer systems, human-computer interaction (HCI), and public policy. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. Topics will include usable authentication, user-centered web security, anonymity software, privacy notices, security warnings, and data-driven privacy tools in domains ranging from social media to the Internet of Things. Students will complete weekly problem sets, as well as conduct novel research in a group capstone project. No prior experience in security, privacy, or HCI is required.

Logistics

• Syllabus (schedule and assignments): https://super.cs.uchicago.edu/usable17
• Piazza (announcements and discussion): https://piazza.com/uchicago/spring2017/cmsc23210cmsc33210/home

Readings and Textbooks

There is no required textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you are interested in learning more about HCI methods, we recommend Research Methods in Human-Computer Interaction by Jonathan Lazar, Jinjuan Heidi Feng, and Harry Hochheiser.

Course Requirements and Grading

• Group project: 40%
• Problem sets: 24%
• Midterm exams (2): 20%
• Quizzes: 16%

Note that this class will have no final exam. Instead, final project presentations will be held on the last day of class.

CMSC 23210 vs. CMSC 33210

CMSC 33210 is a strict superset of CMSC 23210. In addition to meeting all requirements of CMSC 23210, students enrolled in CMSC 33210 will be assigned an average of one additional (more technical) reading each week. In addition, one problem set will require additional implementation exercises. Finally, a student enrolled in CMSC 33210 must contribute a non-trivial implementation of a system or software tool for their group project.

Graduate students must enroll in CMSC 33210. Undergraduates may enroll in either. The only prerequisite for either version of the course is experience with computer programming at the level of the UChicago introductory sequence (e.g., 121-122-123, 151-152-154) or equivalent.

If you are an undergraduate, please note that CMSC 23210 counts as an elective within the CS major. It does not count for the programming languages and systems sequence. However, CMSC 33210 may count for the programming languages and systems sequence within the CS major, but you must file a petition for it to count in this way.

If you are a graduate student, CMSC 33210 counts as a systems elective, but not as a systems core course.

Problem Sets

All problem sets are due in printed form in class at 3:00 PM on the due date, unless specified otherwise on the schedule. Problem sets may not be submitted after 3:05 PM, and we do not accept late problem sets. Your single lowest problem set grade will be dropped from your problem set average.

CMSC 33210 students will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your two lowest quiz grades will be dropped. Because your two lowest quiz grades will be dropped, you will not be excused from quizzes if you miss class due to travel (including interviews or conferences). If you have exceptional circumstances that will cause you to miss class more than twice, please discuss this with Blase in advance.

As discussed above, CMSC 33210 students will be assigned additional readings each week. In some cases, we will specify which extra reading(s) to do. Students are encouraged, but not required, to review any of the optional readings that they find interesting.

Midterms

We will hold two "midterms" during the course. The first will be a take-home midterm early in the course, while the second will be an in-class midterm late in the course. Both midterms will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the semester.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:

  • Receive a project preference form on Wednesday, April 5th.
  • Return their project preference form by Monday, April 10th so that they can be assigned to a project team by Wednesday, April 12th.
  • Submit a brief project proposal (2 to 3 pages) by Monday, April 17th. The proposal should state your research questions; hypotheses (if any); general type of study (lab, online, interview, survey, etc.); overview of the types of questions and/or tasks, scenarios, etc. that will be included; quantitative metrics and/or qualitative analysis approach; number and type of study participants you plan to recruit and how you will recruit them; study design (between subjects, within subjects); equipment, software, other resources, and/or payments needed and preliminary budget.
  • Complete an ethics application with all necessary attachments and submit it to the course staff as early in the quarter as possible, and no later than Monday, May 1st.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Develop any prototypes and software necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • Submit a written progress report by Monday, May 8th. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. Your written report should include your research questions and any hypotheses, draft related work section, study methodology, results and lessons learned from your initial pilot study (or any other data collection that you have done already), unresolved issues or challenges, and complete survey or interview questions, scripts, etc.
  • Give a brief (7-10 minutes) progress report presentation on Monday, May 8th or Wednesday, May 10th. Note that all groups must be prepared to present on May 8th, and the order of presentations will be assigned at that time.
  • Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
  • Give a 15-minute final project presentation in class on Wednesday, May 31st.
  • Write a paper including an abstract, introduction (including research questions), related work, methodology, results, discussion (or lessons learned), references, etc. and submit it by 11:59 PM on Wednesday, May 31st in electronic form. Please email a PDF version of your paper to all of the course staff. Your ethics application, survey forms, etc. should be included as appendices.

Students are encouraged to submit their project as a poster (deadline May 29th) to the 2017 Symposium On Usable Privacy and Security (SOUPS), and/or as a full paper to SOUPS 2018 or another conference. A paper submission will likely require additional work after the end of the semester. Submitting a poster requires only a 2-page abstract. Blase will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

CMSC 33210 students are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2017 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project.

Copyright Policy

This course was based (with permission) on a course led by Lorrie Cranor (and co-taught by Blase) at Carnegie Mellon University. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.

Policies

The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion.

You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.

No collaboration is permitted on quizzes or midterm exams. All work submitted for the project must properly cite ideas and work that are not those of the students in the group.

If you have any question about whether some activity would constitute cheating, please feel free to ask. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught.

In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.

Wellness

If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.

University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255

Schedule

01. Monday, May 27 [Lecture slides]

Introduction to Usable Security & Privacy

Due: Nothing

Required readings:

  • None

02. Wednesday, March 29 [Lecture slides]

Usable Encryption

Due: Nothing

Required readings:

Optional readings:

03. Monday, April 3 [Lecture slides]

Introduction to Security; Introduction to Privacy; Designing Privacy Tools

Due: Problem Set 1

Required readings:

Optional readings:

04. Wednesday, April 5 [Lecture slides]

Passwords; Authentication

Due: Nothing

Required readings:

Optional readings:

05. Monday, April 10 [Lecture slides]

Designing Robust and Ethical Experiments

Due: Problem Set 2 and project preference form

Required readings:

Optional readings:

06. Wednesday, April 12 [Lecture slides]

Designing Quantitative Studies; Security Warnings

Due: Nothing

Required readings:

Optional readings:

07. Monday, April 17 [Lecture slides]

Designing Surveys; Analyzing Quantitative Data; Privacy on Social Media

Due: Problem Set 3 and group project proposal (one per group)

Required readings:

Optional readings:

08. Wednesday, April 19 [Lecture slides]

Designing and Analyzing Qualitative Studies

Due: Nothing

Required readings:

Optional readings:

09. Monday, April 24 [Lecture slides]

Web Security and Privacy

Due: Take-home midterm

Required readings:

Optional readings:

10. Wednesday, April 26 [Lecture slides]

Anonymity Tools; Designing for Activists & Journalists

Due: Nothing

Required readings:

Optional readings:

11. Monday, May 1 [Lecture slides]

Privacy Notice and Choice

Due: Problem Set 4 and project ethics application (one per group)

Required readings:

Optional readings:

12. Wednesday, May 3 [Lecture slides]

Mobile Devices and the Internet of Things

Due: Nothing

Required readings:

Optional readings:

13. Monday, May 8

Project Status Presentations During Class

Due: Project status report (one per group)

Required readings:

14. Wednesday, May 10

Project Status Presentations During Class

Due: Nothing

Required readings:

  • None

15. Monday, May 15 [Lecture slides]

Mental Models; User Education

Due: Problem Set 5

Required readings:

Optional readings:

16. Wednesday, May 17 [Lecture slides]

Usability for Developers

Due: Nothing

Required readings:

Optional readings:

17. Monday, May 22

Second "Midterm" Exam During Class

Due: Nothing

18. Wednesday, May 24

Inclusive Security and Privacy

Due: Nothing

Required readings:

Optional readings:

19. Monday, May 29

No Class (Memorial Day)

20. Wednesday, May 31

Final Project Presentations During Class

Due: Final project presentations (before class), as well as final project report (11:59 PM)