Usable Security and Privacy (CS60081) Autumn 2020

All secure and privacy-preserving systems are ultimately used by humans, who might or might not understand the intended usage of these systems. In fact, users are often the “last line of defense” in securing a system, and if systems are not designed with users' mental models and background knowledge in mind, the result can be system misuse and consequent security and privacy disasters. Thus, designing secure and private systems alone is not enough; we need to design them with usability in mind. In other words, we need to understand what users expect from these systems and incorporate this understanding into system design.

This course will focus on how to design for security and privacy in systems using a user-centric view. We will combine concepts from computer systems, human computer interaction (HCI) and secure/private system design. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. The course will cover topics like passwords, definitions of privacy, usable encryption, authentication, privacy of archival data, usability of crypto libraries and privacy notices. See the course schedule for details.


Instructor


TAs


Course Information

Credit (L-T-P)
3-0-0
Background Knowledge
Since this course deals with the usability of systems, (naturally) you first need to know how systems work. We will assume familiarity with some basic computer science / mathematics concepts. We are providing a list of expected background knowledge below (this list is not complete, but should give you an idea of the basic background knowledge you need for this course).

  • Computer networks and operating systems basics (e.g., how the internet and the web work)
  • Basics of security (what symmetric/asymmetric encryption/decryption, hashing and access control lists are)
  • Computer programming (preferably in Python)
  • Probability and statistics
Lectures
Scheduled lecture timings are:

Monday 3:00 pm - 4:55 pm
Tuesday 3:00 pm - 3:55 pm
Wednesday 8:00 pm - 9:30 pm (extra slot)

However, this semester we will conduct the course online with a mix of live lectures, pre-recorded course videos and online doubt clearing sessions. Please keep an eye on the Schedule page for the latest updates. We will also use the Wednesday slot for things like viva, project discussion, project presentation etc.
Textbook
No specific books. That said, we will post publicly available research papers/book excerpts that you need to read to follow the class as well as for the quizzes/viva (these will be added to the course schedule page).
Coursework
The coursework for all students consists of semi-regular quizzes/vivas and a term project (in groups of 2-3).
Communication
We will update the course schedule regularly throughout the course.

Quizzes

  • Current plan is to both distribute and collect the regular quizzes via CSE Moodle. Please join the course there. Use the access code mentioned in class.  No regular quizzes, increased the weight on projects.

Live lectures / recordings

  • Note that you NEED TO join the Microsoft Teams classroom titled "Usable Security and Privacy" for this course. We will also share the recordings of the live lectures (as well as recorded lectures) via Microsoft Teams. We have already added the students registered on ERP (as of 31/08) to Microsoft Teams. Drop the instructors an email ASAP if you cannot access the Microsoft Teams classroom.
  • Live lectures will be delivered via Zoom. We will use the "live lectures" channel on Microsoft Teams for live lecture related announcements (e.g., the Zoom ID/password). Please check that channel regularly.
  • We will announce doubt clearing sessions to complement the online recorded lecture sessions as we go. Please keep an eye on the schedule and Microsoft Teams channels.

General discussion

  • We'll use Microsoft Teams for general discussion and questions about course material.
  • You should already have the account username and password to log into Microsoft Teams. If you cannot access the Microsoft Teams classroom titled "Usable Security and Privacy", please let the instructors know as soon as possible.
  • If you need to reach out to the instructors (e.g., pertaining to an illness or other events that might be impacting your performance in class), please send a private chat on Microsoft Teams visible only to the instructors. Please use the Microsoft Teams chatroom (and channels) to discuss publicly with your peers in real time.
  • Please try to keep all course-related communication to Microsoft Teams rather than email.
Late policy
The regular quizzes will be time-bound, and you can take and complete each quiz in the assigned time window (which will be announced via Microsoft classroom). Moodle will not accept late submissions by design.

Of course, in exceptional circumstances related to personal emergencies, serious illness, wellness concerns, family emergencies, and similar, please make the course staff aware of your situation beforehand/as soon as possible and we will decide how to handle your case.

Course evaluation components [And timeline]


Weekly quizzes
(40%)

Starting from the third week (15/09), every week on Tuesday at the time of the class (from 3:15 pm), we will take a time-bound quiz via Moodle. This quiz will be based on the lectures presented in the previous week as well as the "Required Readings and Videos" listed for that week (on the course schedule page). We will drop the two lowest quiz marks while grading.
Viva/class test
(54%)
To test students' understanding, we will also conduct in-person vivas and time-bound online class tests (three in total). We will share the details in due course.
Term project
(46%)
Students will work on course projects in small groups of 2-3. We will provide a choice of projects. Students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors.

Students who have their own ideas for projects (or already formed a group) should discuss them with the instructors within the first week (start with sending a mail).

The end goal of this project is to (i) teach you the principles of usable security and privacy hands-on and (ii) create an academic research paper as an output of this course.

All reports should be written in the ACM double column "sigconf" template. Check the template here. Feel free to use the Overleaf link on that page. We will deduct marks if your report is not in ACM double column sigconf format. We encourage you to use LaTeX. Each report should contain your names and roll numbers. Furthermore, one report upload per group in Moodle (by any of the group members) will suffice (submission by multiple people will only confuse the course staff, and you will risk being evaluated on the submission of a random group member).

Here is a timeline of what students will do as part of the project:

  • [ACTION ITEM] Thursday, September 17th: Fill up preferences for project topics by end of day (if you don't, we will assign randomly).
  • Sunday, September 20th: Assigned to a project team.
  • [ACTION ITEM] Wednesday, September 23rd: Schedule a group-wise meeting with the instructor within that week to discuss your submitted idea.
  • [ACTION ITEM] Wednesday, September 30th: Submit a brief project proposal (2 to 3 pages) on Moodle. The proposal should state your research questions; hypotheses (if any); general type of study (large-scale measurement, lab, online, interview, survey, etc.); overview of the types of questions and/or tasks, scenarios, etc. that will be included; quantitative metrics and/or qualitative analysis approach; number and type of study participants you plan to recruit and how you will recruit them; study design (between subjects, within subjects); equipment, software, other resources.
  • [ACTION ITEM] Wednesday, October 7th: Schedule a group-wise meeting with the instructor within that week to discuss progress on creating the study instruments.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Develop any prototypes and software necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • [ACTION ITEM] Thursday, October 15th: Submit an ethics committee approval application on Moodle for your project. Use the format given in the class (with all the additional materials).
  • [ACTION ITEM] Monday, October 19th: Give a brief (5 minute) progress status presentation. Your status presentation should describe your project's goals, highlight your progress to date, and note any problems you have run into that you would like some advice on. Also clearly describe the role of each group member in the project.
  • [ACTION ITEM] Sunday, November 1st: Submit a written progress report (improved version of your earlier progress report). Your written report should include your research questions and any hypotheses, draft related work section, study methodology, results and lessons learned from your initial pilot study (or any other data collection that you have done already), unresolved issues or challenges, and complete survey or interview questions, scripts, etc.
  • Conduct a study using the revised protocol with at least 5 participants (batch mates, classmates, friends and family). If your study has only 5 participants, most likely the results will be useful mostly as a pilot study and should be positioned as such in your final report.
  • [ACTION ITEM] Tuesday, November 3rd: Schedule a group-wise meeting with the instructor within that week to discuss the progress of your pilot study and possible analysis.
  • [ACTION ITEM] Tuesday, November 10th: Give a 10-minute final project presentation. Clearly describe the role of each group member.
  • [ACTION ITEM] Tuesday, November 24th: Write a research paper including an abstract, introduction (including research questions), related work, methodology, results, discussion (or lessons learned), references, etc. and upload it on Moodle by 11:59 PM in electronic form. Your ethics application, survey forms, etc. should be included as appendices. Also include an accessible link to your code base (if any).

Honor code

You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other forms of collaboration on assignments constitute cheating.

No collaboration is permitted on quizzes or assignments. All work submitted for the project must properly cite ideas and work that are not those of the students in the group. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In that case, we will be forced to award you no marks for that assignment/quiz/project, take away 50% of your total final marks and you will risk deregistration.

Grading

Your course grade will be calculated as follows:
3 Viva/Class tests
54% (18% each)
Term project
46%


Wellness

If a personal emergency comes up that might impact your work in the class, please let the instructors know via a private chat message (to all the course instructors) so that the course staff can make appropriate arrangements. We are going through unprecedented times and circumstances can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone.

Copyright policy

This course was initially based (with permission) on a course co-taught by Mainack at University of Chicago. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights belong solely to the instructor. In particular, it is not permissible to upload all or any part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.