CSI660: Data Privacy - Spring 2017

1 Course

CSI 660: Data Privacy (3 Credits)
Spring 2017
Wednesdays 4:15pm–7:05pm, BA 223

2 Instructor

Amir Masoumzadeh
Office Hours:
UAB 422, Mondays 4pm-6pm

3 Course Overview

Nowadays, a huge volume of data about individuals is being collected both online (via websites, smartphone apps, etc.) and in the physical world (via sensors, electronic health records, etc.). To what extent are users aware of such data collection practices and potential privacy risks? How can companies utilize the collected data without violating user privacy? How can we build techniques and technologies that would minimize such privacy risks?

This is a seminar course that explores both fundamental and recent research into data privacy issues and solutions. Instead of a lecture-oriented class, we will focus on reading and discussing research articles. You will also conduct a semester-long project. The topics that will be explored include (but are not limited to):

  • Basic information security and privacy concepts
  • Data aggregation and behavioral advertising
  • Privacy-preserving data mining
  • Privacy-preserving data publishing
  • Privacy in online social networks, mobile platforms, and location sharing services
  • Website privacy policies and practices
  • Anonymous communication

3.1 Learning Goals for Students

Students who complete this course will be able to

  • Understand the threats to user privacy and possible mitigation approaches
  • Analyze and inspect privacy requirements and properties for a given system/environment
  • Employ and develop privacy-preserving solutions

3.2 Readings

The course relies heavily on research papers and book chapters that are either freely available online or accessible using the university’s network. The schedule of readings is posted on the course's web page.

3.3 Announcements and Submissions

The course has a web page (http://masoumzadeh.net/courses/csi660-s17/) that includes a schedule of the readings and assignments. Please note that the schedule is tentative and will be updated during the semester. It is your responsibility to check the schedule regularly. Announcements, notes, and assignments will be posted on Blackboard (https://blackboard.albany.edu/). You should also use Blackboard to submit your project-related assignments and to receive feedback. For paper summaries and peer feedback, we use CrowdGrader (http://www.crowdgrader.org/).

3.4 Prerequisites

Basic knowledge of information security (CSI 424/CSI 524) is helpful, but not required.

4 Assessment and Grading

Paper Summaries
You will be asked to provide short summaries for research papers that you read during the semester. The summaries are submitted on CrowdGrader and are due before the class for which the readings are assigned. Detailed instructions for preparing summaries will be posted on Blackboard.
Peer Feedback
As graduate students, you are expected to be able to evaluate the work of your peers and provide constructive feedback. You will have 2 days after each class to read and provide feedback (based on a given score sheet) on a few paper summaries that are randomly assigned to you.
Paper Presentation
You will choose a few (typically 2) research papers from the schedule and prepare a 30-minute conference-style presentation for each. After your presentation, you are expected to engage the class in a productive discussion on the topic at hand. Other students are expected to actively engage during the presentations and the discussions afterwards.
Course Project
The course project includes research/design/implementation, a written component, and an oral presentation. The requirements and the schedule of deadlines will be posted on Blackboard.
Final Grade
Your final grade will be determined as a weighted average of the following:
  • Class Participation and Presentation: 25%
  • Paper Summaries and Peer Feedback: 25%
  • Course Project: 50%

The numerical grade will be converted to a letter grade based on the following scale:

93–100% (A) 90–92% (A-) 87–89% (B+) 83–86% (B) 80–82% (B-) 77–79% (C+)
73–76% (C) 70–72% (C-) 67–69% (D+) 63–66% (D) 60–62% (D-) 0–59% (E)

5 Policies

Late Submissions
Late submission of assignments (reading summary, feedback, etc.) is not permitted.
Makeup Policy
There are generally no makeup opportunities for missed assignments except in extenuating circumstances.
Use of Electronic Devices
Computers or other electronic devices may only be used during class for note-taking or other class-related activities. You are not allowed to perform any unrelated task during class.
Academic Integrity
It is every student’s responsibility to become familiar with the standards of academic integrity at the University. Claims of ignorance, of unintentional error, or of academic or personal pressures are not sufficient reasons for violations of academic integrity (See http://www.albany.edu/studentconduct/standards_of_academic_integrity.php). Any incident of academic dishonesty can result in (i) no credit for the affected assignment, (ii) report to the appropriate University authorities (e.g., Dean of Graduate Studies), and/or (iii) a failing grade (E) for the course.

For all assignments and papers, make sure to do your own work, except where collaboration is explicitly permitted or required. Also, make sure that you properly cite any resource from which you borrow ideas and that you clearly distinguish them from your contributions.

Students with Disabilities
Reasonable accommodation will be provided for students with documented disabilities. If you believe you have a disability requiring accommodation in this class, please notify the Disability Resource Center (BA 120, 518-442-5490). That office will provide the course instructor with verification of your disability, and will recommend appropriate accommodations. In general, it is the student's responsibility to contact the instructor at least one week before the relevant assignment to make arrangements.

6 Schedule

Date Topic/Readings
1/25/17 Course Overview
  Brief Intro to Information Security
  - S. Jajodia and T. Yu, “Basic Security Concepts,” in Secure Data Management in Decentralized Systems, T. Yu and S. Jajodia, Eds. Springer US, 2007, pp. 3–20.
2/1/17 Data Privacy Concepts
  - L. Sweeney, “k-anonymity: a model for protecting privacy,” Int’l Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp. 557–570, 2002.
  - P. Samarati, “Protecting Respondents’ Identities in Microdata Release,” IEEE Transactions on Knowledge and Data Engineering, vol. 13, no. 6, pp. 1010–1027, 2001.
  - [Optional] S. Lederer, J. I. Hong, A. K. Dey, and J. A. Landay, “Personal Privacy through Understanding and Action: Five Pitfalls for Designers,” Carnegie Mellon University, Technical Report 74, 2004.
  - [Optional] H. Nissenbaum, “The Meaning of Anonymity in an Information Age,” The Information Society, vol. 15, no. 2, pp. 141–144, May 1999.
  - [Optional] D. J. Solove, “‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy,” Social Science Research Network, Rochester, NY, SSRN Scholarly Paper ID 998565, Jul. 2007.
  - [Optional] OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 1980.
  Data De-Anonymization
  - A. Narayanan and V. Shmatikov, “Robust De-anonymization of Large Sparse Datasets,” in 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008, pp. 111–125. [Presenter: Padmavathi]
  - A. Narayanan and V. Shmatikov, “De-anonymizing Social Networks,” in Security and Privacy, IEEE Symposium on, Oakland, CA, USA, 2009, pp. 173–187. [Presenter: Mahesh]
  Privacy in Online Social Networks
  - M. Johnson, S. Egelman, and S. M. Bellovin, “Facebook and privacy: it’s complicated,” in Proceedings of the Eighth Symposium on Usable Privacy and Security - SOUPS ’12, New York, New York, USA, 2012. [Presenter: Siddheshwar]
  - [Optional] R. Fogues, J. M. Such, A. Espinosa, and A. Garcia-fornes, “Open Challenges in Relationship-Based Privacy Mechanisms for Social Network Services,” International Journal of Human-Computer Interaction, vol. 31, no. 5, pp. 350–370, 2015.
  - [Optional] P. Anthonysamy, P. Greenwood, and A. Rashid, “Social Networking Privacy: Understanding the Disconnect from Policy to Controls,” Computer, vol. 46, no. 6, pp. 60–67, Jun. 2013.
  - [Optional] J. Bonneau and S. Preibusch, “The Privacy Jungle: On the Market for Data Protection in Social Networks,” in Economics of Information Security and Privacy, T. Moore, D. Pym, and C. Ioannidis, Eds. Boston, MA: Springer US, 2010, pp. 121–167.
  Web Tracking
  - F. Roesner, T. Kohno, and D. Wetherall, “Detecting and Defending Against Third-party Tracking on the Web,” in Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, Berkeley, CA, USA, 2012, pp. 12–12. [Presenter: Siddheshwar]
  - G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz, “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild,” in Proc. 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp. 674–689. [Presenter: Amir]
  - [Optional] J. R. Mayer and J. C. Mitchell, “Third-Party Web Tracking: Policy and Technology,” in 2012 IEEE Symposium on Security and Privacy, 2012, pp. 413–427.
  Privacy-Preserving Data Publication
  - A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam, “l-diversity: Privacy beyond k-anonymity,” ACM Transactions on Knowledge Discovery from Data, vol. 1, no. 1, 2007. [Presenter: Mahesh]
  - N. Li, T. Li, and S. Venkatasubramanian, “t-Closeness: Privacy Beyond k-Anonymity and l-Diversity,” in Data Engineering, 2007. ICDE 2007. IEEE 23rd International Conference on, Istanbul, Turkey, 2007, pp. 106–115. [Presenter: Amir]
  Differential Privacy
  - C. Dwork, “A Firm Foundation for Private Data Analysis,” Commun. ACM, vol. 54, no. 1, pp. 86–95, Jan. 2011. [Presenter: Amir]
  - F. McSherry and I. Mironov, “Differentially Private Recommender Systems: Building Privacy into the Netflix Prize Contenders,” in Proc. 15th ACM SIGKDD Int'l Conference on Knowledge Discovery and Data Mining, New York, NY, USA, 2009, pp. 627–636. [Presenter: Padmavathi]
  - [Optional] C. Dwork, “Differential privacy: A survey of results,” Theory and Applications of Models of Computation, pp. 1–19, 2008.
  - [Optional] A. Korolova, K. Kenthapadi, N. Mishra, and A. Ntoulas, “Releasing Search Queries and Clicks Privately,” in Proceedings of the 18th International Conference on World Wide Web, New York, NY, USA, 2009, pp. 171–180.
3/15/17 No class – Spring Break
  Privacy in Online Social Networks – continued
  - M. Mondal, Y. Liu, B. Viswanath, K. P. Gummadi, and A. Mislove, “Understanding and Specifying Social Access Control Lists,” presented at the Symposium On Usable Privacy and Security (SOUPS 2014), 2014, pp. 271–283. [Presenter: Amir]
  - J. Watson, H. R. Lipford, and A. Besmer, “Mapping User Preference to Privacy Default Settings,” ACM Trans. Comput.-Hum. Interact., vol. 22, no. 6, p. 32:1–32:20, Nov. 2015. [Presenter: Padmavathi]
  - [Optional] A. Masoumzadeh, “Inferring Unknown Privacy Control Policies in a Social Networking System,” in Proc. 14th ACM Workshop on Privacy in the Electronic Society (WPES ’15), 2015, pp. 21–25.
  - [Optional] A. Masoumzadeh and J. Joshi, “Privacy Settings in Social Networking Systems: What You Cannot Control,” in Proc. 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), 2013, pp. 149–154.
3/29/17 Project Mid-Term Updates
  Privacy in Mobile Apps
  - A. Bianchi, J. Corbetta, L. Invernizzi, Y. Fratantonio, C. Kruegel, and G. Vigna, “What the App is That? Deception and Countermeasures in the Android User Interface,” in 2015 IEEE Symposium on Security and Privacy, 2015, pp. 931–948. [Presenter: Amir]
  - Y. Fratantonio et al., “On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users,” in Detection of Intrusions and Malware, and Vulnerability Assessment, 2015, pp. 282–303. [Presenter: Siddheshwar]
  - [Optional] P. Hornyack et al., “These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications,” in Proc. 18th ACM conference on Computer and Communications Security - CCS ’11, 2011, pp. 639–652.
  - [Optional] W. Yang, X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck, “AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context,” in 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, 2015, vol. 1, pp. 303–313.
  - [Optional] P. G. Kelley, L. F. Cranor, and N. Sadeh, “Privacy as part of the app decision-making process,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems - CHI ’13, New York, New York, USA, 2013, pp. 3393–3402.
  - [Optional] A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner, “Android Permissions: User Attention, Comprehension, and Behavior,” in Proceedings of the Eighth Symposium on Usable Privacy and Security, New York, NY, USA, 2012, p. 3:1–3:14.
  Privacy in Personalization and Advertisement
  - M. Hardt and S. Nath, “Privacy-aware Personalization for Mobile Advertising,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, 2012, pp. 662–673. [Presenter: Mahesh]
  - A. Korolova, “Privacy Violations Using Microtargeted Ads: A Case Study,” in 2010 IEEE International Conference on Data Mining Workshops, 2010, pp. 474–482. [Presenter: Amir]
  - [Optional] S. Shekhar, M. Dietz, and D. S. Wallach, “AdSplit: Separating Smartphone Advertising from Applications,” in USENIX Security Symposium, 2012, vol. 2012.
  - [Optional] E. Toch, Y. Wang, and L. F. Cranor, “Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems,” User Model User-Adap Inter, vol. 22, no. 1–2, pp. 203–220, Mar. 2012.
  Privacy Policies
  - A. M. McDonald, R. W. Reeder, P. G. Kelley, and L. F. Cranor, “A Comparative Study of Online Privacy Policies and Formats,” in Privacy Enhancing Technologies, I. Goldberg and M. J. Atallah, Eds. Springer Berlin Heidelberg, 2009, pp. 37–55. [Presenter: Amir]
  - P. G. Kelley, L. Cesca, J. Bresee, and L. F. Cranor, “Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, New York, NY, USA, 2010, pp. 1573–1582. [Presenter: Padmavathi]
  Privacy in Location-Sharing
  - R. Shokri, G. Theodorakopoulos, J. Y. L. Boudec, and J. P. Hubaux, “Quantifying Location Privacy,” in 2011 IEEE Symposium on Security and Privacy, 2011, pp. 247–262. [Presenter: Amir]
  - K. Fawaz and K. G. Shin, “Location Privacy Protection for Smartphone Users,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS ’14, New York, New York, USA, 2014, pp. 239–250. [Presenter: Siddheshwar]
  - [Optional] A. G. Divanis, P. Kalnis, and V. S. Verykios, “Providing K-Anonymity in location based services,” SIGKDD Explor. Newsl., vol. 12, pp. 3–10, 2010.
  Anonymous Communication
  - H. Mohajeri Moghaddam, B. Li, M. Derakhshani, and I. Goldberg, “SkypeMorph: Protocol Obfuscation for Tor Bridges,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, 2012, pp. 97–108. [Presenter: Amir]
  - A. Houmansadr, C. Brubaker, and V. Shmatikov, “The Parrot Is Dead: Observing Unobservable Network Communications,” in 2013 IEEE Symposium on Security and Privacy (SP), 2013, pp. 65–79. [Presenter: Mahesh]
  - [Optional] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second-generation onion router,” in Proceedings of the 13th USENIX Security Symposium (USENIX ’04), 2004.
  - [Optional] N. Borisov, I. Goldberg, and E. Brewer, “Off-the-record communication, or, why not to use PGP,” in Proceedings of the 2004 ACM workshop on Privacy in the electronic society, 2004, pp. 77–84.
5/10/17 Project Presentations

Created: 2017-04-26 Wed 22:18
