Course Syllabus
January 22: Introduction
- Setting context: what is privacy?;
- Is privacy a fundamental human right?; and
- A brief overview of Internet architecture.
Readings: None.
January 28: Web protocols, cookies, methods of tracking, packet-tracing demo.
- How are we identified?; and
- Tracking users: packet tracing, ads.
Readings:
- Brandeis and Warren, The Right to Privacy, Harvard Law Review, 1890.
- Daniel Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, San Diego Law Review, Vol. 44 (2007), pp. 745-751.
- Judith DeCew, Views on the Value and Meaning of Privacy, Stanford Encyclopedia of Philosophy, Spring 2015.
- For those for whom TCP/IP and computer networking are new material, also read: Susan Landau, Surveillance or Security? The Risks Posed by New Wiretapping Technologies, MIT Press, 2011, chapter 2.
- Julia Angwin, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance, Times Books, 2014, chapter 5.
- Jonathan Mayer and John Mitchell, Third Party Web-Tracking: Policy and Technology, IEEE Security and Privacy, 2012.
Assignment: View the film The Lives of Others or read Timothy Garton Ash’s The File. Write a three-page briefing document (maximum 1500 words) for an EU data privacy commissioner describing how modern communications technologies change the abilities to conduct the type of surveillance shown in The Lives of Others or The File. If you do not know how to write a briefing document, see Eoin Young and Lisa Quinn, The Policy Brief. Your paper in hard copy is due at the beginning of class; please also send me an electronic version. The paper is due at the beginning of class on January 28. Important note: Most briefing documents do not contain citations. This is an academic course, and I am asking you to include this information. Please place the citations at the end of the paper; citations are not included in the word count.
February 4: The development of legal protections for privacy
- Law, regulation, and limitations.
Readings:
- United Nations, Universal Declaration of Human Rights, 1948.
- Robert Gellman, Fair Information Practices: A Basic History, Version 2.18, April 10, 2017.
- Kenneth Bamberger and Deirdre Mulligan, Privacy on the Books and on the Ground, pp. 249-251.
- Kenneth Bamberger and Deirdre Mulligan, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, Parts IV A 1 and 2a, B 1 and 2a, and C 1 and 2a.
- Milbank Tweed Forum features a Conversation with FTC Commissioner Julie Brill, March 3, 2014, view from minutes 3:00 to 25:00.
- Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age, August 3, 2018.
- James Waldo, Herbert Lin, and Lynette Millett, eds., Engaging Privacy and Information Technology in a Digital Age, National Research Council, 2007, Appendix B.
- Chinmayi Arun, The Implications of India’s Right to Privacy Decision, Council on Foreign Relations, September 13, 2017.
- Tiffany Li, China’s Influence on Digital Privacy Could be Global, Washington Post, August 7, 2018.
- Jeremy Page, Eva Dou, In Sign of Resistance, Chinese Balk at Using Apps to Snitch on Neighbors, Wall Street Journal, December 29, 2017.
- Cameron Kerry, Why Protecting Privacy is a Losing Game Today—and How to Change the Game, July 12, 2018.
Lab: This lab will examine cookies, including the ability to delete them, how quickly they reappear, their use, and the impact of using a cookie blocker. To be completed by class on February 4.
February 11: Communications interception: what the law says
Readings:
- Olmstead v. United States 277 US 438 (1928), opinion of the Court and Brandeis dissent.
- Katz v. United States 389 US 347 (1967), opinion of the court, Harlan concurrence.
- Smith v. Maryland, 442 U.S. 735 (1979).
- Elizabeth Bazan, The Foreign Intelligence Surveillance Act: An Overview of the Statutory Framework and Recent Judicial Decisions, CRS Report for Congress, September 22, 2004, pp. 4-38.
- Lloyd Firth, Wiretaps: The Forbidden Fruit, February 4, 2016.
- Paul Bernal, How the UK Passed the Most Undemocratic Law in Democratic History, The Conversation, November 23, 2016.
- Asaf Lubin, “We Only Spy on Foreigners”: The Myth of a Universal Right to Privacy and the Practice of Foreign Mass Surveillance, Chicago Journal of International Law, Vol. 18, No. 2 (2018).
Lab: We're watching you; exploring the records at Tufts. To be completed by class on February 11.
February 20: Searching metadata; searching electronic devices
- The law, practice, and value of such searches;
- The special case of location information; and
- The changing evidentiary value of mobile devices.
Readings:
- Citizen Lab, The Many Identifiers in Our Pockets: A Primer on Mobile Privacy and Security, May 21, 2015.
- Riley v. California, 134 US 2473 (2014), Opinion of the Court.
- Moy, I used to track cell phone location information for prosecutors. My experience illustrates the overwhelming need for better technical resources for defense attorneys, November 28, 2017.
- Carpenter v. United States, 585 US XXX (2018), Opinion of the Court.
- Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection; Computer Science and Telecommunications Board; Division on Engineering and Physical Sciences; National Research Council, Bulk Collection of Signals Intelligence: Technical Options, 2015, Chapters 1-4.
- U.S. v. Jones, 132 US 945 (2012), Syllabus and Sotomayor concurrence.
- Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, Evaluating the Privacy Properties of Telephone Metadata, Proceedings of the National Academy of Sciences, May 17, 2016.
February 25: Surveillance Technologies and the Government
- CCTV, IoT, and drones;
- Other forms of government surveillance.
Readings:
- Angela Sasse, Not Seeing the Crime for the Cameras, Communications of the ACM, February 2010.
- Ki Mae Heussner, Big Brother: Are Surveillance Cameras Worth It?, ABC News, May 7, 2010.
- Jan Henrik Ziegeldorf, Oscar Garcia Morchon, and Klaus Wehrle, Privacy in the Internet of Things: Threats and Challenges, Security and Communication Networks, June 10, 2013.
- Caron et al., The Internet of Things and Its Impact on Individual Privacy: An Australian Perspective, Computer Law and Security Review, February 2016.
- Jennifer Lynch, Are Drones Watching You?, EFF, January 10, 2012.
- Herd of cows help Florida police corner a fleeing suspect—video, The Guardian, August 8, 2018.
- Josh Chin, Clement Burge, Twelve Days in Xinjiang: How China's Surveillance State Overwhelms Daily Life, Wall Street Journal, December 20, 2017.
Lab: Pulling data off phone apps to reconstruct user activity. To be completed by class on February 25.
March 4: Online Social Networks, apps, and data
- What they can learn;
- How they can use it;
- Privacy v. usability.
Readings:
- Alex Hern, Cambridge Analytica: How Did It Turn Clicks Into Votes?, The Guardian, May 6, 2018.
- Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang, Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012.
- Maritza Johnson, Serge Egelman, and Steven M. Bellovin, Facebook and Privacy: It's Complicated, Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012.
- Hang Do Thi Duc, Public by Default, 2018.
- Andres Arrieta, iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi Security, October 4, 2017.
- Giridhari Venkatadri, Athanasios Andreou, Yabing Liu, Alan Mislove, Krishna P. Gummadi, Patrick Loiseau, Oana Goga, Privacy Risks with Facebook’s PII-based Targeting: Auditing a Data Broker’s Advertising Interface, IEEE Security and Privacy.
Lab: Managing privacy protections. To be completed by class on March 4.
March 11: Where in the World: what happens when data can be stored anywhere
- Architectures;
- MLAT;
- CLOUD Act;
- Right to be Forgotten.
Readings:
- Jennifer Daskal, Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0, Stanford Legal Review, May 2018.
- EU Court of Human Rights, Fact Sheet on the 'Right to be Forgotten' ruling, (C-131/12).
- GDPR reading TBD.
- Deloitte, Privacy is Paramount: Personal Data Protection in Africa, 2017, pp. 5-8.
March 25: Privacy tools: cryptography
- How cryptography works (private- and public-key cryptography, forward secrecy);
- The Crypto Wars.
Readings:
- Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, MIT Press, rev. ed. 2007, pp. 11-47.
- Sven Herpig and Stefan Heumann, Germany's Crypto Past and Hacking Future, Lawfareblog, April 13, 2017.
April 1: Privacy tools: Tor, Signal, WhatsApp, k-anonymity, differential privacy.
Readings:
- About Tor.
- Charlie Cabot, An Introduction to Differential Privacy, January 22, 2017. Note: this article assumes more mathematics background than some of you will have. Please try to read the full article. Take your time reading. It’s okay if you don’t understand the entire article, but nonetheless persevere and read to the end.
Lab: Investigate some privacy tools (Brave, Signal). To be completed by class on April 1.
Assignment: The Secretary of State of Country X is considering funding a project supporting development of the Tor browser (www.torproject.org). The Ministry of Justice opposes such a move, but the UN and various human rights organizations are strongly in favor. Install a Tor browser and use it for at least half your browsing during the week. Write a policy brief (1500 words maximum) for a senior official in the Ministry of State describing the tradeoffs in using a Tor browser versus using a standard browser. Discuss which types of users interesting to State will be likely to use Tor. Make a recommendation whether the ministry should fund Tor's development and why that would or would not be in the nation's interest. Reminder: Make clear at the beginning of the document which nation you are focusing on. As with the previous paper, include citations; these are not part of the word count. Important note: Most briefing documents do not contain citations. This is an academic course, and I am asking you to include this information. Please place the citations at the end of the paper; citations are not included in the word count.
April 8: Big Data, Re-identification, and Anonymity
Readings:
- Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, UCLA Law Review, 2008.
- Peter Eckersley, How unique is your web browser?, Privacy Enhancing Technologies Symposium (PETS), 2010.
- Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh, and Alexander Pentland, Unique in the shopping mall: On the reidentifiability of credit card metadata, Science, January 30, 2015, pp. 536-539.
- Boris Lubarsky, Re-identification of ‘Anonymized’ Data, Georgetown Law Technology Review, April 2017.
- Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, Northwestern Journal of Technology and Intellectual Property, Vol. 11, No. 5 (2013).
- Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values, 2014, pp. 58-68.
- Footnote 14 of Summary of the HIPAA Privacy Rule.
April 22: Identity
- Biometrics;
- Identity management; and
- other forms of online identity.
Readings:
- James Wayman, Biometrics in Identity Management Systems, IEEE Security and Privacy, March/April 2008.
- National Research Council, Biometric Recognition: Challenges and Opportunities, 2010.
- Jonathan Weinberg, Law and Technology: Biometric Identity, Communications of the ACM, Vol. 59, No. 1 (2016), pp. 30-32.
- Reetika Khera, These digital IDs cost people their privacy—and their lives, Washington Post, August 9, 2018.
- National Research Council, IDs --- Not That Easy, 2002. Read pp. 5-33. You can download a pdf for free from the site.
- Eve Maler and Drummond Reed, The Venn of Identity: Options and Issues in Federated Identity Management, IEEE Security and Privacy, Vol. 8, Number 2 (March/April 2008).
- National Institute of Standards and Technology, Enhancing Online Privacy.
- Alyssa Abkowitz, The Internet Tightens: Popular Chinese WeChat App to Become Official ID, Wall Street Journal, January 1, 2018.
- Arvind Narayanan, Solon Barocas, Vincent Toubiana, Helen Nissenbaum, and Dan Boneh, A Critical Look at Decentralized Personal Architectures, February 2012.
April 29: Student presentations