Course Syllabus
Privacy & Security Lab (P&SL)
Info 290 LEC 003 (CCN 41237) / Law 276.31 sec. 1 (CCN 40828)
GSI: Lily Lin (office hours Tu 10AM, Co-lab South Hall 110)
Chris Hoofnagle (office hours W 10 AM, South 212)
Units: 4
Meeting Time: TuTh 11:20AM-12:50PM
Meeting Location
Classroom: TBD, check course schedule below
Lab: Tolman Computing Facility (TCF), 1535 Tolman Hall
Description
There is a burgeoning market for technologists and lawyers who can understand the application and implementation of privacy and security rules to network connected services. Privacy and Security Lab is a new course designed to promote the development of such “privacy technologists.” Students will meet twice a week, once in discussion, and the second time in a computer lab to gain hands-on skills in privacy and security analysis. The course will explore the concepts, regulations, technologies, and business practices in privacy and security, including how different definitions of “privacy” may shape technical implementation of information-intensive services; the nature of privacy and security enhancing services; and how one might technically evaluate the privacy and security claims made by service providers. There are no prerequisites and enrollment is open to law students to encourage cross-disciplinary exchanges.
Assessment
Your grade will be based on two, short individual writing assignments (30%), your group project (50%), and your classroom participation (20%). Here is a good template to use for your assignments.
- Short writing assignment: describe a technology to a lay audience (1,000 words max)
- Short writing assignment: describe how a technology could be designed to be more protective of privacy or security (1,000 words max)(you may use the same technology as assignment 1)
- Group project
Some suggested group topics to get the conversation flowing:
- An analysis of a service in light of the GDPR's privacy-by-design and by-default mandate.
- A comparison of EU and US-directed web services (perhaps most interesting to compare the same company’s website in the two jurisdictions)
- An assessment of the risk of IoT botnets from Mirai-like attacks (that is, a survey of IoT devices to see whether they have hardcoded passwords, or easily-guessable default passwords)
- A comparison of web sites from US and EU IP addresses
- A privacy/security analysis of the recently-emerged "credit lock" packages
- An analysis, possibly comparative, of a browser privacy plugin
- Privacy forensics on an IoT device (we have a budget to buy devices)
- There has been a proliferation of in-person tracking technologies (audio beacons, IMSI catchers, and so on). A project could design an app/device to detect these tracking technologies.
- Net neutrality – data collection relevant to possible changes
- Analysis of a payment system
- SB 27 “Shine the Light Law” Compliance
- Europeans: Make an access request for your data—particularly interesting would be one of these personality analytics firms such as Cambridge Analytica.
- Analysis of Consumers Union’s Digital Protocol
- Creation of a browser extension that elucidates a privacy or security issue
- Could be simple, such as computer vision tags https://github.com/ageitgey/show-facebook-computer-vision-tags
APM-015 Part II statement
This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.
Course Readings
Luckily most of our readings will be in the public domain, and there is no appropriate textbook for our course. Some readings will be behind paywalls. In order to get the readings at no cost, you will have to use the Berkeley Library VPN or the Library Proxy. These tools enable you to obtain all UCB-subscribed journals and books from your home computer. If you have problems, see your helpdesk.
Tech Cred
If you are feeling at sea with tech, you might explore the relevant courses on lynda.com. UCB has a site license, so you can watch as many as you'd like :) For instance:
- Ethical Hacking: Pen Testing: https://www.lynda.com/Security-tutorials/Ethical-Hacking-Penetration-Testing/529366-2.html
- Python Pen Testing: https://www.lynda.com/Python-tutorials/Learning-Python-Web-Penetration-Testing/521198-2.html
- Search for "ethical hacking" or "cybersecurity" for many more, filter by "course" and "beginner."
The quality of these videos vary, but some are excellent.
To log in, you need to use this link and your calnet: https://hr.berkeley.edu/development/learning/online-learning
Spring 2018
| Date | Location | Topic | Readings |
| Tues Jan 9 | 123 Boalt Hall | Law students only: Overview of the course; introduction to ECPA and CFAA | California Penal Code §§ 630, 631, 632, 635, 637, and 637.7 |
| CRS, Privacy: An Overview of the Electronic Communications Privacy Act (ECPA) (Oct. 2012) pp 1–24, https://fas.org/sgp/crs/misc/R41733.pdf | |||
| Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, CRS Report, Oct. 2014, pages: summary, 1–2, 14–25, http://fas.org/sgp/crs/misc/97-1025.pdf | |||
| Thurs Jan 11 | 107 South Hall | Law students only: CFAA continued; DMCA and research | 17 USC 1201, Circumvention of copyright protection systems. |
| Letter from Matthew J. Oppenheim, Senior Vice President, Business and Legal Affairs, Recording Industry Association of America, to Professor Edward Felten, Department of Computer Science, Princeton University, Apr. 9, 2001, https://w2.eff.org/IP/DMCA/Felten_v_RIAA/20010409_riaa_sdmi_letter.html | |||
| Cybersecurity Research: Addressing the Legal Barriers and Disincentives (Sept. 2015) p. 1–17, https://www.ischool.berkeley.edu/files/cybersec-research-nsf-workshop.pdf | |||
| Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, pp. 65944–65946, 65955–65956 (Oct. 28, 2015). https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf | |||
| Tues Jan 16 | 210 South Hall | Introduction to the course; what are the professional ethics of privacy and security research | UC Berkeley, Computer Use Policy, n.d., https://security.berkeley.edu/computer-use-policy |
| David Dittrich, Michael Bailey, Sven Dietrich, Towards Community Standards for Ethical Behavior in Computer Security Research (2009), https://staff.washington.edu/dittrich/papers/dbd2009tr1-20090925-1133.pdf | |||
| Google Security Blog, Rebooting Responsible Disclosure: a focus on protecting end users (Jul. 2010), https://security.googleblog.com/2010/07/rebooting-responsible-disclosure-focus.html | |||
| SANS, The GIAC (Global Information Assurance Certification) Code of Ethics, n.d. http://digital-forensics.sans.org/certification/ethics | |||
| Digital Forensics Certification Board, Code of Ethics and Standards of Professional Conduct (2008), https://www.dfcb.org/DFCB_DFCB_Code_of_Ethics_and_Standards_of_Professional_Conduct_Version_1.1_Dec08.pdf | |||
| Association for Computing Machinery, ACM Code of Ethics and Professional Conduct (1992), http://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct | |||
| EC Council, Code of Ethics for Certified Ethical Hacker (nd), https://www.eccouncil.org/code-of-ethics/ | |||
| Geoffrey MacDougall and Maria Rerecich, Evaluating Products and Services for Privacy, Security and Data Practices, Jan 2017, https://www.ftc.gov/system/files/documents/public_comments/2016/10/00049-129157.pdf Also see http://digitalprotocol.org/ | |||
| Thurs Jan 18 | TCF | Introduction to the lab | Lab worksheet (Chris will hand out on paper, as it has passwords). |
| Linoxide, Linux Command Cheat Sheet (2014), http://linoxide.com/linux-command/linux-commands-cheat-sheet/ | |||
| Oracle, Virtualbox User Manual, Chap. 1, https://www.virtualbox.org/manual/ | |||
| Tues Jan 23 | 210 South Hall | Web Tracking | Jonathan R. Mayer & John C. Mitchell, Third-Party Web Tracking: Policy and Technology, 2012 IEEE Symposium on Security and Privacy. http://ieeexplore.ieee.org/document/6234427/ |
| Hoofnagle et al., Behavioral Advertising: The Offer You Cannot Refuse, 6 Harvard Law & Policy Review 273 (2012), http://harvardlpr.com/wp-content/uploads/2013/06/Behavioral-Advertising-Hoofnagle-et-al.pdf | |||
| Rebecca Balebako et al., Measuring the effectiveness of privacy tools for limiting behavioral advertising, Web 2.0 Workshop on Security and Privacy (2012), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.306.9415 | |||
| Optional: Günes Acar et al, The Web Never Forgets: Persistent Tracking Mechanisms in the Wild, CCS’14, November 3–7, 2014, https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf | |||
| Thurs Jan 25 | TCF | Web Tracking Lab |
Lab 2 worksheet (Chris will hand out in class) Lou Montulli, The reasoning behind Web Cookies (2013), Montulli_cookies.pdf |
| AboutCookies.org, Cookies: Frequently Asked Questions, n.d., http://www.aboutcookies.org/cookie-faq/ | |||
| Tues Jan 30 | 210 South Hall | What "Privacy?" | Bert-Jaap Koops et al. A Typology of Privacy, ___ University of Pennsylvania Journal of International Law ___ (Forthcoming 2017) https://ssrn.com/abstract=2754043 |
| Optional: Daniel J. Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007),: https://ssrn.com/abstract=998565 | |||
| Written assignment 1 due | |||
| Thurs Feb 1 | Boalt Hall Room 141 | Team Workshop 1 | |
| Tues Feb 6 | 210 South Hall | Team Work Session | Class is cancelled, but you are encouraged to work with your teams. Lily Lin will be available in 210 South Hall to consult on projects. |
| Thurs Feb 8 | 105 Boalt Hall | Application Programming Interfaces (APIs) and Privacy | Noah Veltman, Web APIs for non-programmers, School of Data, Nov. 18, 2013, http://schoolofdata.org/2013/11/18/web-apis-for-non-programmers/ |
| Aldo Cortesi, Skout: a devastating privacy vulnerability, May 31, 2013, https://corte.si/posts/security/skout/index.html | |||
| Skim this list of easy-to-use APIs that do not require authentication. Terence Eden, Easy APIs Without Authentication (2016), https://shkspr.mobi/blog/2016/05/easy-apis-without-authentication/ | |||
| Tues Feb 13 | 210 South Hall |
mitmproxy |
Paul Ohm, An Internet X-Ray Machine for the Masses, JOTWELL (June 12, 2015) (reviewing Aldo Cortesi, et al., mitmproxy), http://cyber.jotwell.com/an-internet-x-ray-machine-for-the-masses/. Günes, Acar et al., Facebook Tracking Through Social Plug-Ins, Mar. 27, 2015, https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf |
| Thurs Feb 15 | TCF |
API Lab
|
|
| Tues Feb 20 | TCF | mitmproxy Lab (Nathan Good)(confirmed) | Philipp C. Heckel, How To: Use mitmproxy to read and modify HTTPS traffic, Jul. 1, 2003, https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/ |
| mitmproxy is built into our Kali Linux VMs. Have this cheat sheet on hand in class: Kali, mitmproxy Package Description, n.d., http://tools.kali.org/sniffingspoofing/mitmproxy | |||
| Thurs Feb 22 | 244 Boalt Hall | Team Workshop 2 | |
| Tues Feb 27 | 210 South Hall | The GDPR's Privacy by Design Potential | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) , articles 25, 28, 30, 32, 35-39, and recitals 74-78, 80-84, 89-94, 97 (the recitals are the numbered sections under "Whereas," in the US, you might call these legislative findings), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 |
| Sarah Spiekermann and Lorrie Cranor, Engineering Privacy, 35(1) IEEE Transactions on Software Engineering (2009), https://ssrn.com/abstract=1085333. | |||
| Thurs Mar 1 | 111 Boalt Hall | Android Permissions with Serge Egelman (confirmed) | Wijesekera et al., Android Permissions Remystified: A Field Study on Contextual Integrity, SEC 2015, http://guanotronic.com/~serge/papers/sec15.pdf |
| Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, http://www.guanotronic.com/~serge/papers/warned.pdf | |||
| Helen Nissenbaum, A Contextual Approach to Privacy Online, 140(4) Daedalus 32 (Fall 2011), http://www.mitpressjournals.org/doi/pdf/10.1162/DAED_a_00113 | |||
| Tues Mar 6 | 210 South Hall | Android Permission/Haystack Lab with Serge Egelman (confirmed) | Irwin Reyes, Monkey business in children’s apps, The ICSI Haystack Project Blog, January 12, 2017 |
| Chris Jay Hoofnagle, Children's Privacy, from FTC Privacy Law and Policy (2016). | |||
| Thurs Mar 8 | TCF | Anonymous Data and Discrimination | We will distribute a private URL for Thursday's lab and use the lab computers to complete it. There are no readings. |
| Tues Mar 13 | 210 South | Reidentification | Simson L. Garfinkel, De-Identification of Personal Information, NISTIR 8053 (Oct. 2015), http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf |
| Thurs Mar 15 | TCF | Reidentification Lab |
There are no readings. If you want to get a head start on the workbook, click here: http://datahub.berkeley.edu/user-redirect/interact?account=ds-modules&repo=INFO-290&branch=master&path=batman_lab/DareDevil%20Demo.ipynb Written assignment 2 due |
| Tues Mar 20 | 210 South Hall | Privacy Dialogues: Human Computer Interaction Can Inform Privacy Analysis | Harry Brignull, Dark Patterns: inside the interfaces designed to trick you, Verge (2013), http://www.theverge.com/2013/8/29/4640308/dark-patterns-inside-the-interfaces-designed-to-trick-you |
| Expert Report of Jennifer King, FTC v. Amazon.com, No. 2:14-CV-01038, Dec. 15, 2015 | |||
| Expert Report of Professor Andrew L. Sears, FTC v. Amazon.com, No. 2:14-CV-01038, Dec. 15, 2015 | |||
| Thurs Mar 22 | Boalt Hall 244 | Dialogues Lab & Guest Speaker: Professor Ed Felten |
Narayanan, Arvind, Joanna Huey, and Edward W. Felten. "A precautionary approach to big data privacy." Data protection on the move. Springer, Dordrecht, 2016. 357-385, http://randomwalker.info/publications/precautionary.pdf Post examples of Darkpatters. In class we will do the worst design exercise. |
| Fri Mar 23 | East Palo Alto Four Seasons & Webcast & Web Archive | Makeup: BCLT Privacy Law Forum Silicon Valley | This event is at the Four Seasons Hotel in Palo Alto. 150-200 practitioners attend--it is a wonderful place to network! If you cannot attend in person, please watch the webcast or archived video: https://www.law.berkeley.edu/bclt-privacy-law-forum/ |
| Tues Apr 3 | 210 South Hall | Privacy Policies |
California Business and Professions Code § 22575–22579, Internet Privacy Requirements, http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=BPC&division=8.&title=&part=&chapter=22.&article= |
| Reidenberg et al., Disagreeable Privacy Policies: Mismatches Between Meaning and Users' Understanding, 30(1) Berkeley Technology Law Journal 39 (2015), pages 39–53; 83–85; 87–88, http://btlj.org/2015/10/disagreeable-privacy-policies/ | |||
| Leon et al., Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens, WPES 2010, http://dl.acm.org/citation.cfm?id=1866932 | |||
| Thurs Apr 5 | 244 Boalt Hall | Privacy Policy Lab |
24 hours before lab, please do two things:
|
| Tues Apr 10 | 210 South Hall | The Privacy Engineer |
Discussion with BvR--a privacy & security engineer at an unnamed SV technology firm. Please read:
|
| Thurs Apr 12 | No Class | Chris in Amsterdam--please use this time to get ready for your presentation. | |
| Tues Apr 17 | 210 South Hall | Hold for Student Presentations |
|
| Thurs Apr 19 | 244 Boalt Hall | Hold for Student Presentations |
Course evalutions: |
| Tues Apr 24 | 210 South Hall | ECPA & CFAA |
California Penal Code §§ 630, 631, 632, 635, 637, and 637.7, available at https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=PEN&division=&title=15.&part=1.&chapter=1.5.&article= |
| CRS, Privacy: An Overview of the Electronic Communications Privacy Act (ECPA) (Oct. 2012) pp 1–34, https://fas.org/sgp/crs/misc/R41733.pdf | |||
| Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, CRS Report, Oct. 2014, pages: summary, 1–2, 14–25, https://fas.org/sgp/crs/misc/97-1025.pdf | |||
| Thurs Apr 26 | TBD | DMCA & Research | 17 USC 1201, Circumvention of copyright protection systems, https://www.gpo.gov/fdsys/granule/USCODE-2011-title17/USCODE-2011-title17-chap12-sec1201 |
| Letter from Matthew J. Oppenheim, Senior Vice President, Business and Legal Affairs, Recording Industry Association of America, to Professor Edward Felten, Department of Computer Science, Princeton University, Apr. 9, 2001, https://w2.eff.org/IP/DMCA/Felten_v_RIAA/20010409_riaa_sdmi_letter.html | |||
| Cybersecurity Research: Addressing the Legal Barriers and Disincentives (Sept. 2015) p. 1–17, https://www.ischool.berkeley.edu/files/cybersec-research-nsf-workshop.pdf | |||
| Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, pp. 65944– 65955–65956 (Oct. 28, 2015). https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf |
Course Summary:
| Date | Details | Due |
|---|---|---|