8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology

MSIT-Privacy Engineering

Fall 2017: Pittsburgh: Monday and Wednesday 3–4:20 pm ET, GHC 4211; Kigali: Tuesday and Thursday 6–7:30 pm CAT, CMR C525

Instructors: Lujo Bauer and Rebecca Balebako

Teaching Assistants: Javed Ramjon (Pittsburgh) and Samuel Nzaramba (Kigali)

Course Description

This course focuses on policy issues related to privacy from the perspectives of governments, organizations, and individuals. We will begin with a historical and philosophical study of privacy and then explore recent public policy issues. We will examine the privacy protections provided by laws and regulations, as well as the way technology can be used to protect privacy. We will emphasize technology-related privacy concerns and mitigation, for example: social networks, smartphones, behavioral advertising (and tools to prevent targeted advertising and tracking), anonymous communication systems, big data, and drones.

This course is part of a three-course series of privacy courses offered as part of the MSIT-Privacy Engineering masters program. These courses may be taken in any order or simultaneously. Foundations of Privacy (offered in the Fall semester) offers more indepth coverage of technologies and algorithms used to reason about and protect privacy. Engineering Privacy in Software (offered in the Spring semester) focuses on the methods and tools needed to design systems for privacy.

This course is intended primarily for graduate students and advanced undergraduate students (juniors and seniors) with some technical background. Programming skills are not required. 8-733, 19-608, and 95-818 are 12-unit courses for Masters and PhD students. Students enrolled under these course numbers will have extra assignments and will be expected to do a project suitable for publication. 8-533 is a 9-unit course for undergraduate students. Masters students may register for any of the course numbers permitted by their program. This course will include a lot of reading, writing, and class discussion. Students will be able to tailor their assignments to their skills and interests, focusing more on programming or writing papers as they see fit. However, all students will be expected to do some writing and some technical work. A large emphasis will be placed on research and communication skills, which will be taught throughout the course.

Required Texts

Note: See next section about acquiring textbooks. We will discuss this during the first lecture; you need not order books before then. Any required readings will be provided in PDF form for the first several lectures.

Peter P. Swire and Kenesa Ahmad. Foundations of Information Privacy and Data Protection: A Survey of Global Concepts, Laws and Practices. IAPP: 2012.

J.C. Cannon. Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals. IAPP: 2014.

Order these books from the IAPP at https://privacyassociation.org/certify/get-started/cipt/.

All online papers are either publicly available for free, available through the CMU library for free, or available in a password-protected part of this website to students in this course. (The CMU library provides a VPN for off-campus and wireless access to library materials.)

Note on the IAPP certification exam:

The IAPP has historically offered CMU students a Student Certification Package that includes 1 year IAPP membership + textbooks + online training materials +practice exam + 1 Computer Based Test Exam for $140 per student.

Normally you would have to pay $50 for student membership, $550 to take the exam, over $100 for the books, and over $1000 for access to the online training materials and practice tests. So this is a good deal. If you are taking 8-533 / 8-733 / 19-608 / 95-818 Privacy Policy, Law and Technology you will need these books for class, so even if you don't plan to take the exam you might want to get the student package.

We will soon provide more information on how to sign up for the certification package.

Optional texts

Dave Eggers. The Circle. Knopf, 2013.


By the end of this course, students should:

Course Schedule (draft -- will change!)

This schedule is subject to change. The class web site will have the most up-to-date version of this calendar. Assignments will be finalized at least one week before due date or as announced in class.




Aug 28, 29


  • Introductions
  • Syllabus
  • Topics to be covered
  • Course preview picture tour

No required reading

Aug 30, 31

Conceptions of privacy

  • What is privacy? What does privacy mean to you?
  • How has privacy been conceptualized over time?

Required reading:

Optional reading

Sep 4, 5

No class

Sep 6, 7

Privacy harms

  • Types of privacy harms
  • Why does privacy matter?

Research and communication skills

Required reading:

Optional reading:

  • Daniel Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006.

Sep 11, 12

Debate on the virtue of forgetting

Homework 1 discussion


Homework 1 due

Required reading:

Optional reading:

Sep 13, 14

Privacy economics, attitudes, and behavior

Research and communications skills

Required reading:

Optional reading:

Sep 18, 19

Fair information practices and privacy principles

Introduce course project

Research and communication skills

Required reading:

Optional reading:

Sep 20, 21

Privacy law overview

Homework 2 Discussion

Homework 2 due

Required reading:

  • Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapters 2 and 3

Optional reading:

Sep 25, 26

Privacy regulation, self-regulation, and enforcement

Project selection form due before class

Required reading:

Optional reading:

Sep 27, 28

Privacy notice and choice



Required reading:

Optional reading:

Oct 2, 3

International Privacy Laws and Cultural Differences

Homework 3 discussion

Homework 3 due

Required reading:

Optional reading:

Oct 4, 5

Internet monitoring and web tracking

Required reading:

  • L. Cranor, M. Sleeper, and B. Ur. Chapter 5 Tracking and Surveillance. In Privacy Handbook for IT Professionals. 2013.
  • Swire and Ahmad, Foundations of Information Privacy and Data Protection Chapter 5
  • JC Cannon, Privacy in Technology, Chapter 6.3 through 6.6, pages 147-164.

Optional reading:

Oct 9, 10


The Platform for Privacy Preferences (P3P) and Do Not Track

One-paragraph project description due

Required reading:

Optional reading

Oct 11, 12

Homework 4 discussion

Delving further into privacy policies

Homework 4 due

Required reading:

Optional readings:

  • Any Sept. 27 optional readings you haven't already read

Oct 16, 17

Privacy on social networks

Required reading:

Optional reading:

Oct 18, 19

Location tracking

Required reading:

Optional reading:

Oct 23, 24


Midterm Review:

  • JC Cannon, Privacy in Technology, Chapters 2 and 3, pages 25-82.
  • Review all lecture notes

Oct 25, 26

Biometrics and facial recognition

Field trip to CMU biometrics lab after brief lecture

Homework 5 discussion

Homework 5 due

Required reading

Optional reading:

Oct 30, 31

Guest lecture: Lorrie Cranor

The FTC and consumer privacy

Project proposal due

Required reading

Nov 1, 2

Guest lecture: Bin Liu

Smartphone privacy concerns

Required reading:

Optional reading:

Project proposal due

Nov 6, 7

Government surveillance

Homework 6 discussion

Homework 6 due

Required reading:

Optional reading:

Nov 8, 9

Election day

Identity and anonymity

Required reading:

Optional reading:

Nov 13, 14

Data privacy and big data

Required reading:

Optional reading:

Nov 15, 16

Privacy engineering, privacy by design,  and privacy governance

Required reading:

  • Ann Cavoukian, Privacy by Design, 2009.
  • Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering Vol. 35, No. 1, January/February, 2009, pp. 67-82.
  • JC Cannon, Privacy in Technology, Chapter 5.3 through 5.5, pages 129-136.

Optional reading:

Nov 20, 21


Midterm Review:

  • Chris Clifton, Chapter 4 Identity and Anonymity. In Privacy Handbook for IT Professionals. 2013.
  • JC Cannon, Privacy in Technology, Chapter 7, pages 183-210.
  • Review all lecture notes from beginning of semester

Nov 22, 23

Thanksgiving break, no class

Nov 27, 28

Guest Speaker: Zack Weinberg

Internet Censorship

Homework 7 due

Required reading:

Optional reading:

Nov 29, 30

Health and electronic records

Creating a research poster

Research and communications skills

Required reading:

Optional reading:

Dec 4, 5

Guest Speaker: Mahmood Sharif

Privacy in the age of face and voice recognition

Draft paper due

Required Reading

Optional Reading

  • Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter. 2016. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 1528-1540. DOI: https://doi.org/10.1145/2976749.2978392
  • Carlini, Nicholas, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner, and Wenchao Zhou. "Hidden voice commands." In 25th USENIX Security Symposium (USENIX Security 16), Austin, TX. 2016.

Dec 6, 7

Pittsburgh section: Poster fair
GHC 4405

No required reading


Final project due at noon

Course Requirements and Grading

Your final grade in this course will be based on:

You are expected to complete the reading assignments before the class session for which they were assigned. Class discussions will often be based on these assignments and you will not be able to participate fully if you have not done the reading. It is suggested that you write up summaries and highlights as you read each chapter or paper and bring them with you to class.

Quizzes at the beginning of each class will be based on the readings for that day. It is suggested that you arrive on time in order to complete the daily quiz with sufficient time.

All homework assignments must be typed and submitted electronically on Canvas by class on the day it is due. Every homework submission must include a properly formatted bibliography that includes all works you referred to as you prepared your homework. These works should be cited as appropriate in the text of your answers.

All homework is due at the beginning of class on the due date. You will lose 10% for turning in homework late (5 minutes or more after class has started) on the due date. You will lose an additional 10% for each late day after that. We reserve the right to take off additional points or refuse to accept late homework submitted after the answers have been discussed extensively in class. Reasonable extensions will be granted to students with excused absences or extenuating circumstances. Please contact me as soon as possible to arrange for an extension.

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor. Please familiarize yourself with the CMU Policy on Academic Integrity.

Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress.

All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.

If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.