University of Chicago SUPERgroup

Usable Security and Privacy (CMSC 23210 / CMSC 33210)

Spring 2019
Tuesdays & Thursdays, 11:00am - 12:20pm, Ryerson 251

Course Staff

Blase Urblase@uchicago.eduJCL 363By appointment
Weijia He (TA)hewj@uchicago.eduJCL 391By appointment

Course Description

Regardless of how secure a system is in theory, failing to consider how humans actually use the system leads to disaster in practice. This course will examine how to design for security and privacy from a user-centered perspective by combining insights from computer systems, human-computer interaction (HCI), and public policy. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. Topics will include usable authentication, user-centered web security, anonymity software, privacy notices, security warnings, and data-driven privacy tools in domains ranging from social media to the Internet of Things. Students will complete weekly problem sets, as well as conduct novel research in a group capstone project. No prior experience in security, privacy, or HCI is required.

Logistics

• Syllabus (schedule and assignments)https://super.cs.uchicago.edu/usable19
• Piazza (announcements and discussion)https://piazza.com/uchicago/spring2019/cmsc2321033210
• Canvas (assignment submission)https://canvas.uchicago.edu/courses/21983

Readings and Textbooks

There is no required textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you are interested in learning more about HCI methods, we recommend Research Methods in Human-Computer Interaction by Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser (Older edition / Newer edition).

Course Requirements and Grading

• Group project40%
• Problem sets (5)25%
• Final exam15%
• Midterm exam10%
• Quizzes10%

CMSC 23210 vs. CMSC 33210

CMSC 33210 is a strict superset of CMSC 23210. In addition to meeting all requirements of CMSC 23210, students enrolled in CMSC 33210 will be assigned an average of one additional (more technical) reading each week. In addition, one problem set will require additional exercises. Finally, a student enrolled in CMSC 33210 must contribute non-trivial implementation of a system or software tool for their group project.

Graduate students must enroll in CMSC 33210. Undergraduates may enroll in either. The only prerequisite for either version of the course is experience with computer programming at the level of the UChicago introductory sequence (e.g., 121-122-123, 151-152-154) or equivalent.

If you are an undergraduate, please note that CMSC 23210 counts as an elective within the CS major. It does not count for the programming languages and systems sequence. However, CMSC 33210 may count for the programming languages and systems sequence within the CS major, but you must file a petition for it to count in this way.

If you are a graduate student, CMSC 33210 counts as a systems elective, but not as a systems core course.

Problem Sets

All problem sets are due on Canvas (see above) by 10:45 AM on the due date, unless specified otherwise on the schedule. We do not accept late problem sets.

CMSC 33210 students will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each problem set. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your three lowest quiz grades will be dropped. Because your three lowest quiz grades will be dropped, you will not be excused from quizzes if you miss class due to travel (including interviews or conferences). If you have exceptional circumstances that will cause you to miss class more than three times, please discuss this with Blase in advance.

As discussed above, CMSC 33210 students will be assigned additional readings in some weeks, though these will not be on the quizzes (and instead will be part of problem sets). Students are encouraged, but not required, to review any of the optional readings that they find interesting.

Exams

We will hold two exams during the course. The first will be an in-class midterm on May 7th, while the second will be an in-class final on May 30th. Both exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the quarter.

Project

Students will work on course projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors. Students who have their own ideas for projects should discuss them with the instructors early in the quarter. As part of the project students will:

  • Receive a project preference form on Tuesday, April 9th Sunday, April 14th.
  • Return their project preference form by Thursday, April 11th Tuesday, April 16th so that they can be assigned to a project team by Friday, April 12th Wednesday, April 17th.
  • Submit a brief project proposal (2 to 3 pages) by Thursday, April 18th Monday, April 22nd. The proposal should state your research questions; hypotheses (if any); general type of study (lab, online, interview, survey, etc.); overview of the types of questions and/or tasks, scenarios, etc. that will be included; quantitative metrics and/or qualitative analysis approach; number and type of study participants you plan to recruit and how you will recruit them; study design (between subjects, within subjects); equipment, software, other resources, and/or payments needed and preliminary budget.
  • Meet with Blase and Weijia as a group on Thursday, April 18th or Friday, April 19th Tuesday, April 23rd or Wednesday, April 24th to discuss your project.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Complete an ethics application with all necessary attachments and submit it on Piazza (shared with your group tag) no later than Thursday, April 25th at 11:59 PM Tuesday, April 30th at 10:45am.
  • Develop any prototypes and software necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • Submit a written progress report by Thursday, May 9th. Your written report should include your research questions and any hypotheses, draft related work section, study methodology, results and lessons learned from your initial pilot study (or any other data collection that you have done already), unresolved issues or challenges, and complete survey or interview questions, scripts, etc.
  • Give a brief (5 minute) progress status presentation on Thursday, May 9th. Your status presentation should describe your project's goals, highlight your progress to date, and note any problems you have run into that you would like some advice on.
  • Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
  • Give a 10-minute final project presentation in the evening of Tuesday, June 4th (or another mutually agreeable time around then).
  • Write a paper including an abstract, introduction (including research questions), related work, methodology, results, discussion (or lessons learned), references, etc. and submit it by 11:59 PM on Friday, June 7th in electronic form. Please email a PDF version of your paper to Blase. Your ethics application, survey forms, etc. should be included as appendices.

CMSC 33210 students are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2019 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should obviously not be a blind submission.

Copyright Policy

This course was initially based (with permission) on a course led by Lorrie Cranor (and co-taught by Blase) at Carnegie Mellon University. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.

Policies

The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion.

You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.

No collaboration is permitted on quizzes or exams. All work submitted for the project must properly cite ideas and work that are not those of the students in the group.

If you have any question about whether some activity would constitute cheating, please feel free to ask. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught.

In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.

Wellness

If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.

University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255

Schedule

01. Tuesday, April 2 [Lecture slides]

Introduction to Usability

Due: Nothing

Required readings:

  • None

02. Thursday, April 4 [Lecture slides]

Usable Encryption

Due: Nothing

Required readings:

03. Tuesday, April 9 [Lecture slides]

Privacy

Due: Problem Set 1

Required readings:

04. Thursday, April 11 [Lecture slides]

Authentication

Due: Project preference form

Required readings:

05. Tuesday, April 16 [Lecture slides]

Social Engineering and Phishing; Designing Robust and Ethical Experiments; Field Studies

Due: Problem Set 2

Required readings:

06. Thursday, April 18 [Lecture slides]

Privacy on Social Media; Designing Surveys

Due: Nothing

Required readings:

07. Tuesday, April 23 [Lecture slides]

Security Warnings; Designing Quantitative Experiments

Due: Group project proposal (one per group) on Monday morning (4/22), Problem Set 3 on Tuesday morning (4/23)

Required readings:

08. Thursday, April 25 [Lecture slides]

Qualitative Studies; Designing for Children; Anonymity Tools

Due: Nothing

Required readings:

09. Tuesday, April 30 [Lecture slides]

Mobile Devices and Permissions Models

Due: Project ethics application (one per group) on Tuesday morning (4/30)

Required readings:

10. Thursday, May 2 [Lecture slides]

Web Security and Privacy; SSL/TLS/PKI; Online Tracking

Due: Problem Set 4

Required readings:

11. Tuesday, May 7

Midterm exam during class

Due: Nothing

12. Thursday, May 9

Project Status Presentations During Class

Due: Project status report and accompanying presentations (one per group)

Required readings:

13. Tuesday, May 14 [Lecture slides]

Mental Models; User Education; Qualitative Studies

Due: Nothing

Required readings:

14. Thursday, May 16 [Lecture slides]

The Internet of Things and Fairness in Machine Learning

Due: Problem Set 5 (problem 1) (Deadline extended to Sunday evening by request)

Required readings:

15. Tuesday, May 21 [Lecture slides]

Privacy Notice and Choice

Due: Nothing

Required readings:

16. Thursday, May 23 [Lecture slides]

Anonymity

Due: Problem Set 5 (remainder)

17. Tuesday, May 28 [Lecture slides]

Inclusive Security and Privacy

Due: Nothing

Required readings:

18. Thursday, May 30

Final exam during class

Due: Nothing

19. Tuesday, June 4

Usability for Developers

Due: Final project presentations (presentations themselves to be scheduled at night, by group)

Required readings: