Usable Security and Privacy (CMSC 23210 / CMSC 33210)
Mondays & Wednesdays, 1:30pm - 2:50pm, Eckhart 202
|• Blase Urfirstname.lastname@example.org||Ryerson 157||By appointment|
|• Mainack Mondalemail@example.com||Young 4th Floor||By appointment|
|• Weijia He (TA)||firstname.lastname@example.org||Young 4th Floor||By appointment|
|• Ahsan Pervaiz (TA)||email@example.com||Young 4th Floor||By appointment|
Regardless of how secure a system is in theory, failing to consider how humans actually use the system leads to disaster in practice. This course will examine how to design for security and privacy from a user-centered perspective by combining insights from computer systems, human-computer interaction (HCI), and public policy. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. Topics will include usable authentication, user-centered web security, anonymity software, privacy notices, security warnings, and data-driven privacy tools in domains ranging from social media to the Internet of Things. Students will complete weekly problem sets, as well as conduct novel research in a group capstone project. No prior experience in security, privacy, or HCI is required.
|• Syllabus (schedule and assignments)||https://super.cs.uchicago.edu/usable18|
|• Piazza (announcements and discussion)||https://piazza.com/uchicago/spring2018/cmsc23210cmsc33210/|
|• Canvas (assignment submission)||https://canvas.uchicago.edu/courses/15112 (23210) or https://canvas.uchicago.edu/courses/15157 (33210)|
Readings and Textbooks
There is no required textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you are interested in learning more about HCI methods, we recommend Research Methods in Human-Computer Interaction by Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser.
Course Requirements and Grading
|• Group project||40%|
|• Problem sets (5)||25%|
|• Final exam||15%|
|• Midterm exam||10%|
CMSC 23210 vs. CMSC 33210
CMSC 33210 is a strict superset of CMSC 23210. In addition to meeting all requirements of CMSC 23210, students enrolled in CMSC 33210 will be assigned an average of one additional (more technical) reading each week. In addition, one problem set will require additional exercises. Finally, a student enrolled in CMSC 33210 must contribute non-trivial implementation of a system or software tool for their group project.
Graduate students must enroll in CMSC 33210. Undergraduates may enroll in either. The only prerequisite for either version of the course is experience with computer programming at the level of the UChicago introductory sequence (e.g., 121-122-123, 151-152-154) or equivalent.
If you are an undergraduate, please note that CMSC 23210 counts as an elective within the CS major. It does not count for the programming languages and systems sequence. However, CMSC 33210 may count for the programming languages and systems sequence within the CS major, but you must file a petition for it to count in this way.
If you are a graduate student, CMSC 33210 counts as a systems elective, but not as a systems core course.
All problem sets are due on UChicago Canvas by 1:00 PM on the due date, unless specified otherwise on the schedule. We do not accept late problem sets.
CMSC 33210 students will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each problem set. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.
Readings and Quizzes
Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your two lowest quiz grades will be dropped. Because your two lowest quiz grades will be dropped, you will not be excused from quizzes if you miss class due to travel (including interviews or conferences). If you have exceptional circumstances that will cause you to miss class more than twice, please discuss this with Blase in advance.
As discussed above, CMSC 33210 students will be assigned additional readings in some weeks, though these will not be on the quizzes (and instead will be part of problem sets). Students are encouraged, but not required, to review any of the optional readings that they find interesting.
We will hold two exams during the course. The first will be a take-home midterm due on April 23rd, while the second will be an in-class final during the university final exam period. Both exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the quarter.
Students will work on course projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors. Students who have their own ideas for projects should discuss them with the instructors early in the quarter. As part of the project students will:
CMSC 33210 students are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2018 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should obviously not be a blind submission.
This course was initially based (with permission) on a course led by Lorrie Cranor (and co-taught by Blase) at Carnegie Mellon University. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.
The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion.
You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.
No collaboration is permitted on quizzes or exams. All work submitted for the project must properly cite ideas and work that are not those of the students in the group.
If you have any question about whether some activity would constitute cheating, please feel free to ask. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught.
In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.
If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.
University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255
01. Monday, March 26 [Lecture slides]
Introduction to Usable Security & Privacy; Usability
02. Wednesday, March 28 [Lecture slides]
03. Monday, April 2 [Lecture slides]
Introduction to the Underpinnings of Privacy and Security
Due: Problem Set 1
04. Wednesday, April 4 [Lecture slides]
Due: Project preference form
05. Monday, April 9 [Lecture slides]
Social Engineering and Phishing; Designing Robust and Ethical Experiments; Field Studies
Due: Problem Set 2
06. Wednesday, April 11 [Lecture slides]
Privacy on Social Media; Designing Surveys
Due: Group project proposal (one per group)
07. Monday, April 16 [Lecture slides]
Security Warnings; Designing Quantitative Experiments
Due: Problem Set 3
08. Wednesday, April 18 [Lecture slides]
The Internet of Things; Qualitative Studies
Due: Project ethics application (one per group) (No longer due on April 18th; Please submit on Canvas by Friday April 20th at 11:59pm)
09. Monday, April 23 [Lecture slides]
Mobile Devices and Permissions Models
Due: Take-home midterm
10. Wednesday, April 25
Project Status Presentations During Class
Due: Project status presentations (one per group)
11. Monday, April 30 [Lecture slides]
Privacy Notice and Choice
Due: Problem Set 4
12. Wednesday, May 2 [Lecture slides]
Web Security and Privacy; SSL/TLS/PKI; Online Tracking
13. Monday, May 7 [Lecture slides]
Anonymity Tools; Designing for Activists & Journalists
Due: Project status report (one per group)
14. Wednesday, May 9 [Lecture slides]
Fair and Transparent Machine Learning
15. Monday, May 14 [Lecture slides]
Mental Models; User Education
Due: Problem Set 5
16. Wednesday, May 16 [Lecture slides]
Inclusive Security and Privacy
17. Monday, May 21 [Lecture slides]
Retrospective Security and Privacy
18. Wednesday, May 23
Final Project Presentations During Class
Due: Final project presentations (before class)
19. Monday, May 28
No Class (Memorial Day)
20. Wednesday, May 30 [Lecture slides]
Usability for Developers
Wednesday, June 6th, 1:30p - 3:30p in Eckhart 202