Usable Security and Privacy (CMSC 23210 / CMSC 33210)
Mondays & Wednesdays, 3:00-4:20, Ryerson 276
|• Blase Ur
|Thursdays 1:00 - 2:00 & by appointment
|• Maria Hyun (TA)
|Wednesdays 1:00 - 2:00 & by appointment
|• Gushu Li (TA)
|Mondays 4:30 - 5:30 & by appointment
|• Hua Li (TA)
|Fridays 3:00 - 4:00 & by appointment
Regardless of how secure a system is in theory, failing to consider how humans actually use the system leads to disaster in practice. This course will examine how to design for security and privacy from a user-centered perspective by combining insights from computer systems, human-computer interaction (HCI), and public policy. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. Topics will include usable authentication, user-centered web security, anonymity software, privacy notices, security warnings, and data-driven privacy tools in domains ranging from social media to the Internet of Things. Students will complete weekly problem sets, as well as conduct novel research in a group capstone project. No prior experience in security, privacy, or HCI is required.
|• Syllabus (schedule and assignments)
|• Piazza (announcements and discussion)
Readings and Textbooks
There is no required textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you are interested in learning more about HCI methods, we recommend Research Methods in Human-Computer Interaction by Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser.
Course Requirements and Grading
|• Group project
|• Problem sets
|• Midterm exams (2)
Note that this class will have no final exam. Instead, final project presentations will be held on the last day of class.
CMSC 23210 vs. CMSC 33210
CMSC 33210 is a strict superset of CMSC 23210. In addition to meeting all requirements of CMSC 23210, students enrolled in CMSC 33210 will be assigned an average of one additional (more technical) reading each week. In addition, one problem set will require additional implementation exercises. Finally, a student enrolled in CMSC 33210 must contribute non-trivial implementation of a system or software tool for their group project.
Graduate students must enroll in CMSC 33210. Undergraduates may enroll in either. The only prerequisite for either version of the course is experience with computer programming at the level of the UChicago introductory sequence (e.g., 121-122-123, 151-152-154) or equivalent.
If you are an undergraduate, please note that CMSC 23210 counts as an elective within the CS major. It does not count for the programming languages and systems sequence. However, CMSC 33210 may count for the programming languages and systems sequence within the CS major, but you must file a petition for it to count in this way.
If you are a graduate student, CMSC 33210 counts as a systems elective, but not as a systems core course.
All problem sets are due in printed form in class at 3:00 PM on the due date, unless specified otherwise on the schedule. Problem sets may not be submitted after 3:05 pm, and we do not accept late problem sets. Your single lowest problem set grade will be dropped from your problem set average.
CMSC 33210 students will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.
Readings and Quizzes
Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your two lowest quiz grades will be dropped. Because your two lowest quiz grades will be dropped, you will not be excused from quizzes if you miss class due to travel (including interviews or conferences). If you have exceptional circumstances that will cause you to miss class more than twice, please discuss this with Blase in advance.
As discussed above, CMSC 33210 students will be assigned additional readings each week. In some cases, we will specify which extra reading(s) to do. Students are encouraged, but not required, to review any of the optional readings that they find interesting.
We will hold two "midterms" during the course. The first will be a take-home midterm early in the course, while the second will be an in-class midterm late in the course. Both midterms will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the semester.
Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:
Students are encouraged to submit their project as a poster (deadline May 29th) to the 2017 Symposium On Usable Privacy and Security (SOUPS), and/or as a full paper to SOUPS 2018 or another conference. A paper submission will likely require additional work after the end of the semester. To submit a poster will only require submitting a 2-page abstract. Blase will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.
CMSC 33210 students are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2017 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project.
This course was based (with permission) on a course led by Lorrie Cranor (and co-taught by Blase) at Carnegie Mellon University. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.
The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion.
You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.
No collaboration is permitted on quizzes or midterm exams. All work submitted for the project must properly cite ideas and work that are not those of the students in the group.
If you have any question about whether some activity would constitute cheating, please feel free to ask. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught.
In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.
If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.
University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255
01. Monday, May 27 [Lecture slides]
Introduction to Usable Security & Privacy
02. Wednesday, March 29 [Lecture slides]
03. Monday, April 3 [Lecture slides]
Introduction to Security; Introduction to Privacy; Designing Privacy Tools
Due: Problem Set 1
04. Wednesday, April 5 [Lecture slides]
05. Monday, April 10 [Lecture slides]
Designing Robust and Ethical Experiments
Due: Problem Set 2 and project preference form
06. Wednesday, April 12 [Lecture slides]
Designing Quantitative Studies; Security Warnings
07. Monday, April 17 [Lecture slides]
Designing Surveys; Analyzing Quantitative Data; Privacy on Social Media
Due: Problem Set 3 and group project proposal (one per group)
08. Wednesday, April 19 [Lecture slides]
Designing and Analyzing Qualitative Studies
09. Monday, April 24 [Lecture slides]
Web Security and Privacy
Due: Take-home midterm
10. Wednesday, April 26 [Lecture slides]
Anonymity Tools; Designing for Activists & Journalists
11. Monday, May 1 [Lecture slides]
Privacy Notice and Choice
12. Wednesday, May 3 [Lecture slides]
Mobile Devices and the Internet of Things
13. Monday, May 8
Project Status Presentations During Class
Due: Project status report (one per group)
14. Wednesday, May 10
Project Status Presentations During Class
15. Monday, May 15 [Lecture slides]
Mental Models; User Education
Due: Problem Set 5
16. Wednesday, May 17 [Lecture slides]
Usability for Developers
17. Monday, May 22
Second "Midterm" Exam During Class
18. Wednesday, May 24
Inclusive Security and Privacy
19. Monday, May 29
No Class (Memorial Day)
20. Wednesday, May 31
Final Project Presentations During Class
Due: Final project presentations (before class), as well as final project report (11:59pm)