Course Syllabus
Privacy & Security Lab (P&SL)
Info 290 LEC 005 / Law 276.31 sec. 1
Class Number (formerly Course Control Number) (Non-1Ls): 34000
Units: 4
Meeting Time: TuTh 11:00AM-12:30PM
Meeting Location
Classroom: 205 South Hall
Lab: Tollman Computer Facility (TCF) Tollman Hall Room 1535
Description
There is a burgeoning market for technologists and lawyers who can understand the application and implementation of privacy and security rules to network connected services. Privacy and Security Lab is a new course designed to promote the development of such “privacy technologists.” Students will meet twice a week, once in discussion, and the second time in a computer lab to gain hands-on skills in privacy and security analysis. The course will explore the concepts, regulations, technologies, and business practices in privacy and security, including how different definitions of “privacy” may shape technical implementation of information-intensive services; the nature of privacy and security enhancing services; and how one might technically evaluate the privacy and security claims made by service providers. There are no prerequisites and enrollment is open to law students to encourage cross-disciplinary exchanges.
Assessment
Your grade will be based on two, short individual writing assignments (30%), your group project (50%), and your classroom participation (20%). Here is a good template Links to an external site. to use for your assignments.
- Short writing assignment: describe a technology to a lay audience (1,000 words max)
- Short writing assignment: describe how a technology could be designed to be more protective of privacy or security (1,000 words max)(you may use the same technology as assignment 1)
- Group project
Some suggested group topics to get the conversation flowing:
- A comparison of EU and US-directed web services (perhaps most interesting to compare the same company’s website in the two jurisdictions)
- A comparison of web sites from US and EU IP addresses
- An analysis, possibly comparative, of a browser privacy plugin
- Privacy forensics on an IoT device (we have a budget to buy devices)
- Net neutrality – data collection relevant to possible changes
- Analysis of a payment system
- SB 27 “Shine the Light Law” Compliance
- Europeans: Make an access request for your data—particularly interesting would be one of these personality analytics firms such as Cambridge Analytica.
- Analysis of Consumers Union’s Digital Protocol
- Creation of a browser extension that elucidates a privacy or security issue
- Could be simple, such as computer vision tags https://github.com/ageitgey/show-facebook-computer-vision-tags Links to an external site.
APM-015 Part II statement
This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.
Course Readings
Luckily most of our readings will be in the public domain, and there is no appropriate textbook for our course. Some readings will be behind paywalls. In order to get the readings at no cost, you will have to use the Berkeley Library VPN or the Library Proxy. These tools enable you to obtain all UCB-subscribed journals and books from your home computer. If you have problems, see your helpdesk.
| Date | Location | Topic | Readings |
| 1/10/17 | 205 South Hall | Overview of the course; introduction to ECPA and CFAA | California Penal Code §§ 630, 631, 632, 635, 637, and 637.7 Links to an external site. |
| CRS, Privacy: An Overview of the Electronic Communications Privacy Act (ECPA) (Oct. 2012) pp 1–24, https://fas.org/sgp/crs/misc/R41733.pdf Links to an external site. | |||
| Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, CRS Report, Oct. 2014, pages: summary, 1–2, 14–25, http://fas.org/sgp/crs/misc/97-1025.pdf Links to an external site. | |||
| 1/12/17 | Boalt 123 | CFAA continued; DMCA and research | 17 USC 1201, Circumvention of copyright protection systems Links to an external site.. |
| Letter from Matthew J. Oppenheim, Senior Vice President, Business and Legal Affairs, Recording Industry Association of America, to Professor Edward Felten, Department of Computer Science, Princeton University, Apr. 9, 2001, https://w2.eff.org/IP/DMCA/Felten_v_RIAA/20010409_riaa_sdmi_letter.html Links to an external site. | |||
| Cybersecurity Research: Addressing the Legal Barriers and Disincentives (Sept. 2015) p. 1–17, https://www.ischool.berkeley.edu/files/cybersec-research-nsf-workshop.pdf | |||
| Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, pp. 65944–65946, 65955–65956 (Oct. 28, 2015). https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf Links to an external site. | |||
| 1/17/17 | 205 South Hall | Introduction to the course; what are the professional ethics of privacy and security research | UC Berkeley, Computer Use Policy, n.d., https://security.berkeley.edu/computer-use-policy |
| David Dittrich, Michael Bailey, Sven Dietrich, Towards Community Standards for Ethical Behavior in Computer Security Research (2009), https://staff.washington.edu/dittrich/papers/dbd2009tr1-20090925-1133.pdf Links to an external site. | |||
| Google Security Blog, Rebooting Responsible Disclosure: a focus on protecting end users (Jul. 2010), https://security.googleblog.com/2010/07/rebooting-responsible-disclosure-focus.html Links to an external site. | |||
| SANS, The GIAC (Global Information Assurance Certification) Code of Ethics, n.d. http://digital-forensics.sans.org/certification/ethics Links to an external site. | |||
| Digital Forensics Certification Board, Code of Ethics and Standards of Professional Conduct (2008), https://www.dfcb.org/DFCB_DFCB_Code_of_Ethics_and_Standards_of_Professional_Conduct_Version_1.1_Dec08.pdf Links to an external site. | |||
| Association for Computing Machinery, ACM Code of Ethics and Professional Conduct (1992), http://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct Links to an external site. | |||
| EC Council, Code of Ethics for Certified Ethical Hacker (nd), https://www.eccouncil.org/code-of-ethics/ Links to an external site. | |||
| Geoffrey MacDougall and Maria Rerecich, Evaluating Products and Services for Privacy, Security and Data Practices, Jan 2017, https://www.ftc.gov/system/files/documents/public_comments/2016/10/00049-129157.pdf Links to an external site. Also see http://digitalprotocol.org/ Links to an external site. | |||
| 1/19/17 | TCF, 1535 Tollman | Introduction to the lab | Lab worksheet Download worksheet. |
| Linoxide, Linux Command Cheat Sheet (2014), http://linoxide.com/linux-command/linux-commands-cheat-sheet/ Links to an external site. | |||
| Oracle, Virtualbox User Manual, Chap. 1, https://www.virtualbox.org/manual/ Links to an external site. | |||
| 1/24/17 | Class Cancelled - but see readings | Use your time this week to 1) develop your group project, and 2) work on your first writing assignment, 3) get ahead on next week's reading, which is dense | |
| 1/26/17 | Class Cancelled - but see readings | ||
| 1/31/17 | 205 South Hall | What "Privacy?" | Bert-Jaap Koops et al. A Typology of Privacy, ___ University of Pennsylvania Journal of International Law ___ (Forthcoming 2017) https://ssrn.com/abstract=2754043 Links to an external site. |
| Optional: Daniel J. Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007),: https://ssrn.com/abstract=998565 Links to an external site. | |||
| 2/2/17 | 205 South Hall | Web Tracking | Jonathan R. Mayer & John C. Mitchell, Third-Party Web Tracking: Policy and Technology, 2012 IEEE Symposium on Security and Privacy. http://ieeexplore.ieee.org/document/6234427/ Links to an external site. |
| Hoofnagle et al., Behavioral Advertising: The Offer You Cannot Refuse, 6 Harvard Law & Policy Review 273 (2012), http://harvardlpr.com/wp-content/uploads/2013/06/Behavioral-Advertising-Hoofnagle-et-al.pdf Links to an external site. | |||
| Rebecca Balebako et al., Measuring the effectiveness of privacy tools for limiting behavioral advertising, Web 2.0 Workshop on Security and Privacy (2012), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.306.9415 Links to an external site. | |||
| Optional: Güne_ Acar et al, The Web Never Forgets: Persistent Tracking Mechanisms in the Wild, CCS’14, November 3–7, 2014, http://filelifter.de/assets/plugindata/poola/thewebneverforgets.pdf Links to an external site. | |||
| 2/7/17 | Class Cancelled | The lab is reserved for us, so feel free to use this time to meet with your team. | |
| 2/9/17 | TCF, 1535 Tollman | Web Tracking Lab |
Lab 2 worksheet Download worksheet. Lou Montulli, The reasoning behind Web Cookies (2013), http://www.montulli-blog.com/2013/05/the-reasoning-behind-web-cookies.html Links to an external site. |
| AboutCookies.org, Cookies: Frequently Asked Questions, n.d., http://www.aboutcookies.org/cookie-faq/ Links to an external site. | |||
| Written assignment 1 due | |||
| 2/14/17 | 205 South Hall | Application Programming Interfaces (APIs) and Privacy (Nathan Good) | Noah Veltman, Web APIs for non-programmers, School of Data, Nov. 18, 2013, http://schoolofdata.org/2013/11/18/web-apis-for-non-programmers/ Links to an external site. |
| Aldo Cortesi, Skout: a devastating privacy vulnerability, May 31, 2013, https://corte.si/posts/security/skout/index.html Links to an external site. | |||
| Skim this list of easy-to-use APIs that do not require authentication. Terence Eden, Easy APIs Without Authentication (2016), https://shkspr.mobi/blog/2016/05/easy-apis-without-authentication/ Links to an external site. | |||
| 2/16/17 | 205 South Hall |
mitmproxy (Chris Hoofnagle)
|
Paul Ohm, An Internet X-Ray Machine for the Masses, JOTWELL (June 12, 2015) (reviewing Aldo Cortesi, et al., mitmproxy), http://cyber.jotwell.com/an-internet-x-ray-machine-for-the-masses/ Links to an external site.. Günes, Acar et al., Facebook Tracking Through Social Plug-Ins, Mar. 27, 2015, https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf |
| 2/21/17 | TCF, 1535 Tollman | APIs & Privacy Lab (Nathan Good) | |
| 2/23/17 | TCF, 1535 Tollman | mitmproxy Lab (Nathan Good) | Philipp C. Heckel, How To: Use mitmproxy to read and modify HTTPS traffic, Jul. 1, 2003, https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/ Links to an external site. |
| mitmproxy is built into our Kali Linux VMs. Have this cheat sheet on hand in class: Kali, mitmproxy Package Description, n.d., http://tools.kali.org/sniffingspoofing/mitmproxy Links to an external site. | |||
| 2/28/17 | 205 South Hall | The GDPR's Privacy by Design Potential | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) , articles 25, 28, 30, 32, 35-39, and recitals 74-78, 80-84, 89-94, 97 (the recitals are the numbered sections under "Whereas," in the US, you might call these legislative findings), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 Links to an external site. |
| Sarah Spiekermann and Lorrie Cranor, Engineering Privacy, 35(1) IEEE Transactions on Software Engineering (2009), https://ssrn.com/abstract=1085333 Links to an external site.. | |||
| 3/2/17 | 205 South Hall | Project Workshop 1 | |
| 3/7/17 | 205 South Hall | Serge Egelman: Android Permissions | Wijesekera et al., Android Permissions Remystified: A Field Study on Contextual Integrity, SEC 2015, http://guanotronic.com/~serge/papers/sec15.pdf Links to an external site. |
| Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, http://www.guanotronic.com/~serge/papers/warned.pdf Links to an external site. | |||
| Helen Nissenbaum, A Contextual Approach to Privacy Online, 140(4) Daedalus 32 (Fall 2011), http://www.mitpressjournals.org/doi/pdf/10.1162/DAED_a_00113 Links to an external site. | |||
| 3/9/17 | 205 South Hall | Jonthan Jaffe Privacy Consulting Discussion | No readings |
| 3/9/17 | Law School TBD | Makeup: FTC FinTech Forum | |
| 3/14/17 | 205 South Hall | Jonthan Jaffe Privacy Consulting Lab | Be sure to read the maturity exercise notes (handed out on 3/9). |
| Skim the AICPA's Generally Accepted Privacy Principles Download Generally Accepted Privacy Principles (2009). | |||
| 3/16/17 | 205 South Hall | Serge Egelman: Haystak Lab | Irwin Reyes, Monkey business in children’s apps Links to an external site., The ICSI Haystack Project Blog, January 12, 2017 |
| Chris Jay Hoofnagle, Children's Privacy Download Children's Privacy, from FTC Privacy Law and Policy (2016). | |||
| Written assignment 2 due | |||
| 3/21/17 | 205 South Hall | Privacy Dialogues: Human Computer Interaction Can Inform Privacy Analysis (Jennifer King) | Harry Brignull, Dark Patterns: inside the interfaces designed to trick you, Verge (2013), http://www.theverge.com/2013/8/29/4640308/dark-patterns-inside-the-interfaces-designed-to-trick-you Links to an external site. |
| Expert Report of Jennifer King Download Expert Report of Jennifer King, FTC v. Amazon.com, No. 2:14-CV-01038, Dec. 15, 2015 | |||
| Expert Report of Professor Andrew L. Sears Download Expert Report of Professor Andrew L. Sears, FTC v. Amazon.com, No. 2:14-CV-01038, Dec. 15, 2015 | |||
| 3/23/17 | 205 South | Dialogues Lab | Post examples of Darkpatters. In class we will do the worst design exercise. |
| 3/24/17 | East Palo Alto Four Seasons & Webcast & Web Archive | Makeup: BCLT Privacy Law Forum Silicon Valley | This event is at the Four Seasons Hotel in Palo Alto. 150-200 practitioners attend--it is a wonderful place to network! If you cannot attend in person, please watch the webcast or archived video: https://www.law.berkeley.edu/research/bclt/upcoming-events/6th-annual-bclt-privacy-law-forum-silicon-valley/ |
| 4/4/17 | 205 South Hall | Privacy Policies |
California Business and Professions Code § 22575–22579, Internet Privacy Requirements, http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=BPC&division=8.&title=&part=&chapter=22.&article= Links to an external site. |
| Reidenberg et al., Disagreeable Privacy Policies: Mismatches Between Meaning and Users' Understanding, 30(1) Berkeley Technology Law Journal 39 (2015), pages 39–53; 83–85; 87–88, http://btlj.org/2015/10/disagreeable-privacy-policies/ Links to an external site. | |||
| Leon et al., Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens, WPES 2010, http://dl.acm.org/citation.cfm?id=1866932 Links to an external site. | |||
| 4/6/17 | 205 South Hall | Privacy Policy Lab |
24 hours before lab, please do two things:
|
| 4/11/17 | 205 South Hall | De-identification | Simson L. Garfinkel, De-Identification of Personal Information, NISTIR 8053 (Oct. 2015), http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf Links to an external site. |
| 4/13/17 | 205 South Hall | Lab time for team projects | |
| 4/18/17 | 205 South Hall | Hold for Student Presentations |
Tuesday
|
| 4/20/17 | 205 South Hall | Hold for Student Presentations | Thursday (15 mins each)
|
| 4/25/17 | ECPA & CFAA |
Presentations From Last week
Plus California Penal Code §§ 630, 631, 632, 635, 637, and 637.7, available at https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=PEN&division=&title=15.&part=1.&chapter=1.5.&article= Links to an external site. |
|
| CRS, Privacy: An Overview of the Electronic Communications Privacy Act (ECPA) (Oct. 2012) pp 1–34, https://fas.org/sgp/crs/misc/R41733.pdf Links to an external site. | |||
| Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, CRS Report, Oct. 2014, pages: summary, 1–2, 14–25, https://fas.org/sgp/crs/misc/97-1025.pdf Links to an external site. | |||
| 4/27/17 | DMCA & Research | 17 USC 1201, Circumvention of copyright protection systems, https://www.gpo.gov/fdsys/granule/USCODE-2011-title17/USCODE-2011-title17-chap12-sec1201 Links to an external site. | |
| Letter from Matthew J. Oppenheim, Senior Vice President, Business and Legal Affairs, Recording Industry Association of America, to Professor Edward Felten, Department of Computer Science, Princeton University, Apr. 9, 2001, https://w2.eff.org/IP/DMCA/Felten_v_RIAA/20010409_riaa_sdmi_letter.html Links to an external site. | |||
| Cybersecurity Research: Addressing the Legal Barriers and Disincentives (Sept. 2015) p. 1–17, https://www.ischool.berkeley.edu/files/cybersec-research-nsf-workshop.pdf | |||
| Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, pp. 65944– 65955–65956 (Oct. 28, 2015). https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf Links to an external site. |
Course Summary:
| Date | Details | Due |
|---|---|---|
| Tue Jan 10, 2017 | Calendar Event P&S Lab - Law Students Only | 11am to 12:30pm |
| Thu Jan 12, 2017 | Calendar Event P&S Lab - Law Students Only | 11am to 12:30pm |
| Tue Jan 17, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Jan 19, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Jan 24, 2017 | Calendar Event P&S Lab - Class Cancelled | 11am to 12:30pm |
| Thu Jan 26, 2017 | Calendar Event P&S Lab - Class Cancelled | 11am to 12:30pm |
| Tue Jan 31, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Feb 2, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Feb 7, 2017 | Calendar Event P&S Lab - Class Cancelled | 11am to 12:30pm |
| Thu Feb 9, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Feb 14, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Feb 16, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Feb 21, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Feb 23, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Feb 28, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Mar 2, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Mar 7, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Mar 9, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Mar 14, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Mar 16, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Mar 21, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Mar 23, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Apr 4, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Apr 6, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Apr 11, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Apr 13, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Tue Apr 18, 2017 | Calendar Event P&S Lab | 11am to 12:30pm |
| Thu Apr 20, 2017 | Calendar Event P&S Lab - Last Day for Law Students | 11am to 12:30pm |
| Tue Apr 25, 2017 | Calendar Event P&S Lab - Grad/Undergrad Only | 11am to 12:30pm |
| Thu Apr 27, 2017 | Calendar Event P&S Lab - Grad/Undergrad Only | 11am to 12:30pm |