Usable Security and Privacy (CMSC 23210 / CMSC 33210)
Tuesdays & Thursdays, 11:00am - 12:20pm, Ryerson 251
|• Blase Uremail@example.com||JCL 363||By appointment|
|• Weijia He (TA)||firstname.lastname@example.org||JCL 391||By appointment|
Regardless of how secure a system is in theory, failing to consider how humans actually use the system leads to disaster in practice. This course will examine how to design for security and privacy from a user-centered perspective by combining insights from computer systems, human-computer interaction (HCI), and public policy. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. Topics will include usable authentication, user-centered web security, anonymity software, privacy notices, security warnings, and data-driven privacy tools in domains ranging from social media to the Internet of Things. Students will complete weekly problem sets, as well as conduct novel research in a group capstone project. No prior experience in security, privacy, or HCI is required.
|• Syllabus (schedule and assignments)||https://super.cs.uchicago.edu/usable19|
|• Piazza (announcements and discussion)||https://piazza.com/uchicago/spring2019/cmsc2321033210|
|• Canvas (assignment submission)||https://canvas.uchicago.edu/courses/21983|
Readings and Textbooks
There is no required textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you are interested in learning more about HCI methods, we recommend Research Methods in Human-Computer Interaction by Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser (Older edition / Newer edition).
Course Requirements and Grading
|• Group project||40%|
|• Problem sets (5)||25%|
|• Final exam||15%|
|• Midterm exam||10%|
CMSC 23210 vs. CMSC 33210
CMSC 33210 is a strict superset of CMSC 23210. In addition to meeting all requirements of CMSC 23210, students enrolled in CMSC 33210 will be assigned an average of one additional (more technical) reading each week. In addition, one problem set will require additional exercises. Finally, a student enrolled in CMSC 33210 must contribute non-trivial implementation of a system or software tool for their group project.
Graduate students must enroll in CMSC 33210. Undergraduates may enroll in either. The only prerequisite for either version of the course is experience with computer programming at the level of the UChicago introductory sequence (e.g., 121-122-123, 151-152-154) or equivalent.
If you are an undergraduate, please note that CMSC 23210 counts as an elective within the CS major. It does not count for the programming languages and systems sequence. However, CMSC 33210 may count for the programming languages and systems sequence within the CS major, but you must file a petition for it to count in this way.
If you are a graduate student, CMSC 33210 counts as a systems elective, but not as a systems core course.
All problem sets are due on Canvas (see above) by 10:45 AM on the due date, unless specified otherwise on the schedule. We do not accept late problem sets.
CMSC 33210 students will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each problem set. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.
Readings and Quizzes
Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your three lowest quiz grades will be dropped. Because your three lowest quiz grades will be dropped, you will not be excused from quizzes if you miss class due to travel (including interviews or conferences). If you have exceptional circumstances that will cause you to miss class more than three times, please discuss this with Blase in advance.
As discussed above, CMSC 33210 students will be assigned additional readings in some weeks, though these will not be on the quizzes (and instead will be part of problem sets). Students are encouraged, but not required, to review any of the optional readings that they find interesting.
We will hold two exams during the course. The first will be an in-class midterm on May 7th, while the second will be an in-class final on May 30th. Both exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the quarter.
Students will work on course projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors. Students who have their own ideas for projects should discuss them with the instructors early in the quarter. As part of the project students will:
CMSC 33210 students are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2019 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should obviously not be a blind submission.
This course was initially based (with permission) on a course led by Lorrie Cranor (and co-taught by Blase) at Carnegie Mellon University. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.
The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion.
You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.
No collaboration is permitted on quizzes or exams. All work submitted for the project must properly cite ideas and work that are not those of the students in the group.
If you have any question about whether some activity would constitute cheating, please feel free to ask. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught.
In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.
If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.
University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255
01. Tuesday, April 2 [Lecture slides]
Introduction to Usability
02. Thursday, April 4 [Lecture slides]
03. Tuesday, April 9 [Lecture slides]
Due: Problem Set 1
04. Thursday, April 11 [Lecture slides]
Due: Project preference form
05. Tuesday, April 16 [Lecture slides]
Social Engineering and Phishing; Designing Robust and Ethical Experiments; Field Studies
Due: Problem Set 2
06. Thursday, April 18 [Lecture slides]
Privacy on Social Media; Designing Surveys
07. Tuesday, April 23 [Lecture slides]
Security Warnings; Designing Quantitative Experiments
Due: Group project proposal (one per group) on Monday morning (4/22), Problem Set 3 on Tuesday morning (4/23)
08. Thursday, April 25 [Lecture slides]
Qualitative Studies; Designing for Children; Anonymity Tools
09. Tuesday, April 30 [Lecture slides]
Mobile Devices and Permissions Models
Due: Project ethics application (one per group) on Tuesday morning (4/30)
10. Thursday, May 2 [Lecture slides]
Web Security and Privacy; SSL/TLS/PKI; Online Tracking
Due: Problem Set 4
11. Tuesday, May 7
Midterm exam during class
12. Thursday, May 9
Project Status Presentations During Class
Due: Project status report and accompanying presentations (one per group)
13. Tuesday, May 14 [Lecture slides]
Mental Models; User Education; Qualitative Studies
14. Thursday, May 16 [Lecture slides]
The Internet of Things and Fairness in Machine Learning
Due: Problem Set 5 (problem 1) (Deadline extended to Sunday evening by request)
15. Tuesday, May 21 [Lecture slides]
Privacy Notice and Choice
16. Thursday, May 23 [Lecture slides]
17. Tuesday, May 28 [Lecture slides]
Inclusive Security and Privacy
18. Thursday, May 30
Final exam during class
19. Tuesday, June 4
Usability for Developers
Due: Final project presentations (presentations themselves to be scheduled at night, by group)