DHP P237M/CS150-09: Privacy in the Digital Age
Course Requirements and Grading:
You will have three written assignments and one group presentation. Two of the writing assignments will be three-page briefing papers; the third will be longer (10 pages) and will be written in conjunction with a group presentation for the final day of the module. Though the project and presentation will be a group effort, the paper itself should be done individually.
In addition to the week's reading, you are all required to send me a discussion question based on the week's reading. This should be a discussion question salient to the reading, and should focus on important issues that need discussion. This assignment is for weeks 2-6, and is due by 10 pm on Monday evenings.
- Two three-page papers: 10% of grade each.
- Group presentation: 20%.
- Ten-page paper: 40%.
- Class participation: 20%.
Class participation matters in your grade; I'll expect you to attend all classes in this six-week course.
Note that there are no late assignments. Six-week modules are short; you haven't time to do things late. Any assignment not handed in at the beginning of the class in which it was due will not be accepted, and you will receive a "0" for that particular effort.
The course has lots of readings and no exams---but class participation counts 20% of your grade. Do the reading before class, think about what you've read, and come in informed and ready to discuss the issues.
I like to grade papers with a pen in my hand and paper rustling. So please hand in your papers in hard copy as well as sending me an electronic copy. Papers are due at the beginning of class. There are no exceptions to that rule.
Writing well is important in virtually any career you might have, and I expect clear, careful writing in all assignments. Writing well involves thinking clearly, organizing your thoughts, and then expressing them clearly. Although two of the papers for this course are just three pages, don't be fooled by the short length of the assignments. Such brevity means you must work hard to get important ideas into a small amount of space (and please use 12 point fonts). Woodrow Wilson is said to have responded when asked how long it would take to write a speech, "That depends on the length of the speech. If it is a ten-minute speech it takes me all of two weeks to prepare it; if it is a half-hour speech it takes me a week; if I can talk as long as I want to, it requires no preparation at all. I am ready now." That's exactly right. Think hard, write down your ideas, and then express them succinctly.
My personal favorite book on writing is the decades-old Strunk and White, Elements of Style. If you need more help on writing, take advantage of the Tufts Writing Center.
January 23: Introduction: threats to privacy and the special case of communications
- Setting context: what is privacy?
- Is privacy a fundamental human right?
- How are we identified?
January 30: Methods of tracking and de-identification
- Breaking users' privacy: packet sniffing.
- First-party data collection; third-party data collection: how ad networks work; surveillance by ISPs.
- Tracking users: cookie tracking, ads.
- Understanding privacy threat models.
(Note that the first week's set of readings is particularly long, as it has readings coalescing the discussion of the first class and providing background for the second class. If you haven't time to read everything before the second class, please read the papers for that class first, then play catch up on the papers by the third class.)
Papers for "Threats to privacy":
- Brandeis and Warren, The Right to Privacy, Harvard Law Review, 1890.
- Judith DeCew, Views on the Value and Meaning of Privacy, Stanford Encyclopedia of Philosophy, Spring 2015.
- Daniel Solove, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, San Diego Law Review, Vol. 44, p. 745, 2007.
- The CCG Blog, The Indian Supreme Court on the Right to Privacy: 63 Years of Progress
Papers for "Methods of Tracking and De-Identification":
- James Wayman, Biometrics in Identity Management Systems, IEEE Security and Privacy, March/April 2008.
- Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, UCLA Law Review, 2010.
- Arvind Narayanan and Vitaly Shmatikov, Myths and Fallacies of "Personally Identifiable Information", Communications of the ACM, June 2010.
- Kathleen Benitez and Bradley Malin, Evaluating Re-identification Risks with Respect to the HIPAA Privacy Rule, Journal of the American Medical Informatics Association, March 1, 2010.
- Recommended: Sissela Bok, Secrets: On the Ethics of Concealment and Revelation, Vintage Press, 1989.
Assignment: View "The Lives of Others" or read Timothy Garton Ash, "The File: A Personal History." Write a three-page briefing document for an EU data privacy commissioner describing how modern communications technologies change the abilities to conduct the type of surveillance shown in "The Lives of Others" or "The File." Due at the beginning of class.
February 6: The Special Case of Communications
- Communications content and metadata: legal protections, changes the Internet brings to the distinctions.
- Wiretap law.
- How IP comms create multiple complications.
- Brandeis dissent, Olmstead v. United States 477 U.S. 238 (1928).
- Katz v. United States, 339 U.S. 347 (1967).
- Smith v. Maryland 442 U.S. 735 (1979).
- National Research Council, Bulk Collection of Signals Intelligence: Technical Options, 2015. Read 3.1-3.3.
- Ewan MacAskill, Julian Borger, Nick Hopkins, Nick Davies, and James Ball, GCHQ: Mastering the Internet, The Guardian, July 21, 2013.
February 13: Privacy protections: technical and otherwise
- Encryption (quick overview); Tor; Differential privacy; Privacy policies.
- Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, MIT Press, rev. ed. 2007, pp. 11-47.
- Sven Herpig and Stefan Heumann, Germany's Crypto Past and Hacking future, Lawfareblog, April 13, 2017.
- Jonathan Mayer, Patrick Mutchler, and John Mitchell, Evaluating the privacy properties of telephone metadata, Proceedings of the National Academies of Sciences, Vol. 113, No. 20, May 17, 2016.
- About Tor.
February 20: Legal protections for privacy
- Fair Information Practices; implementation: Sector-specific laws (Fair Credit Reporting Act, GINA).
- Data commissioners, and data protection in a globalized economy and a cloud infrastructure; Right to be Forgotten, GDPR.
- Impact of ex ante regulation on innovation.
- United Nations, Universal Declaration of Human Rights, 1948.
- Robert Gellman, Fair Information Practices: A Basic History, Version 2.18, April, 10, 2017.
- Kenneth Bamberger and Deirdre Mulligan, Privacy on the Books and on the Ground, pp. 249-251.
- Kenneth Bamberger and Deirdre Mulligan, Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, Parts IV A 1 and 2a, B 1 and 2a, and C 1 and 2a.
- EU Court of Human Rights, Fact Sheet on the 'Right to be Forgotten' ruling (C-131/12).
- Cedric Burton, Laura De Boel, Christopher Kuner, Anna Paterki, Sarah Cadiot, and Sara G. Hoffman, The Final European Union General Data Protection Regulation, Bloomberg News, February 12, 2016.
- Useful background: Marc Rotenberg, On International Privacy: A Path Forward for the US and Europe, Harvard International Review, June 15, 2014.
Assignment: The Secretary of State is considering funding a project supporting development of the Tor browser (www.torproject.org). The Department of Justice opposes such a move, but the UN and various human rights organizations are strongly in favor. Install a Tor browser and use it for at least half your browsing during the week. Write a two-page evaluation for a senior official in the Department of State describing the tradeoffs in using a Tor browser versus using a standard browser. Discuss which types of users interesting to State will be likely to use Tor. Make a recommendation whether the ministry should fund Tor's development and why that would or would not be in the nation's interest. Note: you are free to choose a country other than the United States for this exercise. Due at the beginning of class.
IMPORTANT NOTE: February 22 is a Monday schedule for Tufts AS&E students and a DC trip day for Fletcher students. Because of this, there is no class on February 22.
February 27: Government threats to privacy
- Snowden disclosures.
- Hacking Team and Citizen Lab studies.
- Iceland genome database.
- India biometric authentication.
- China and the Surveillance State
- Susan Landau, Making Sense of Snowden: What's Significant in The NSA Surveillance Revelations, IEEE Security & Privacy, July/August 2013.
- National Research Council, Bulk Collection of Signals Intelligence: Technical Options, Executive Summary.
- Bill Marczak and John Scott-Railton, Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents, Citizen Lab, 2016.
- Josh Chin, Clement Burge,Twelve Days in Xinjiang: How China's Surveillance State Overwhelms Daily Life, Wall Street Journal, December 20, 2017.
- Jeremy Page, Eva Dou, In Sign of Resistance, Chinese Balk at Using Apps to Snitch on Neighbors, Wall Street Journal, December 29, 2017.
- Alyssa Abkowitz, The Internet Tightens: Popular Chinese WeChat App to Become Official ID, Wall Street Journal, January 1, 2018.
March 6: Student presentations
The class will be divided into groups of three students who will prepare a presentation on a technology that raises a privacy issue. Presentations will be twelve minutes long, to be followed by a four minute Q&A. The presention should cover the following issues:
- What is the technology?
- What privacy issues does it raise?
- How are these being handled?
The presentation will be a group effort, and grading will be assigned partially on a group level and partially on an individual basis. I will ask each group to provide me with a brief memo describing how each member contributed to the group effort. In addition, each student will write a paper (of up to ten pages) discussing what and how privacy protections can be instituted in that situation. The paper should discuss, with clarity and precision, what the barriers are to adopting privacy-enhancing solutions, and the likelihood of such solutions being implemented.
List of possible topics:
- Internet of Things.
- Smart Meters.
- Inter-Vehicle Communication.
- Regulation of surveillance technologies.
- Open sourcing of citizen-supplied data (e.g., London Transport Information).
- Regulation of private-sector data aggregators.
- The failure of P3P.
- Genomic testing by private parties (e.g., 23andMe).
- India's proposed Data Protection Framework.
- A topic of your choice—this must be approved by me by February 6.
The syllabus page shows a table-oriented view of the course schedule, and the basics of course grading. You can add any other comments, notes, or thoughts you have about the course structure, course policies or anything else.
To add some comments, click the "Edit" link at the top.