Usable Security and Privacy (CS60081) Autumn 2021

All secure and privacy-preserving systems are ultimately used by humans, who might or might not understand the intended usage of these systems. In fact, users are often the “last line of defense” in securing a system, and if systems are not designed with the users' mental models and background knowledge in mind, the result can be system misuse and consequent security and privacy disasters. Thus, designing secure and private systems is not enough; we need to design them with usability in mind. In other words, we need to understand what users expect from these systems and incorporate this understanding into system design.

This course will focus on how to design for security and privacy in systems using a user-centric view. We will combine concepts from computer systems, human computer interaction (HCI) and secure/private system design. We will introduce core security and privacy technologies, as well as HCI techniques for conducting robust user studies. The course will cover topics like passwords, definitions of privacy, usable encryption, authentication, privacy of archival data, usability of crypto libraries and privacy notices. See the course schedule for details.


Instructor


TAs


Course Information

Credit (L-T-P)
3-0-0
Background Knowledge
Since this course deals with the usability of systems, you (naturally) first need to know how systems work. We will assume familiarity with some basic computer science / mathematics concepts. We are providing a list of expected background knowledge below (this list is not complete, but should give you an idea of the basic background knowledge you need for this course).

  • Computer networks and operating systems basics (e.g., how the Internet and the web work)
  • Basics of security (what symmetric/asymmetric encryption/decryption, hashing, and access control lists are)
  • Computer programming (preferably in Python)
  • Probability and statistics
Lectures
Scheduled lecture timings are:

Monday 3:00 pm - 4:55 pm
Tuesday 3:00 pm - 3:55 pm

In this semester we will conduct the course online with a mix of live lectures, pre-recorded course videos and online doubt clearing sessions. Please keep an eye on the Schedule page for the latest updates. 
Textbook
No specific books. That said, we will post publicly available research papers/book excerpts that you need to read to follow the class as well as for the quizzes/viva (these will be added to the course schedule page).
Coursework
The coursework for all students consists of three tests and a project (in groups of 2-3). We will use CSE Moodle for submission of tests and assignments in this course. The code for joining CSE Moodle will be given in class.
Communication
We will update the course schedule regularly throughout the course.

Live lectures / recordings

  • Note that you NEED TO join the Microsoft Teams classroom titled "Usable Security and Privacy 2021 (CS60081)" for this course. We will also share the recordings of the live lectures (as well as pre-recorded lectures) via Microsoft Teams. Drop the instructors an email ASAP if you cannot access the Microsoft Teams classroom.
  • Live lectures will be delivered via Zoom. We will use the "live lectures" channel on Microsoft Teams for live-lecture-related announcements (e.g., the Zoom ID/password). Please check that channel regularly.
  • We will announce doubt clearing sessions to complement the online recorded lecture sessions as we go. Please keep an eye on the schedule and Microsoft Teams channels.

General discussion

  • We'll use Microsoft Teams for general discussion and questions about course material.
  • You should already have the account username and password to log into Microsoft Teams. If you cannot access the Microsoft Teams classroom titled "Usable Security and Privacy 2021 (CS60081)", please let the instructors know as soon as possible.
  • If you need to reach out to the instructors (e.g., pertaining to an illness or other events that might be impacting your performance in class), please send a private chat on Microsoft Teams visible only to the instructors. Please use the Microsoft Teams chatroom (and channels) to discuss publicly with your peers in real time.
  • Please try to keep all course-related communication to Microsoft Teams rather than email.
Late policy
You need to strictly adhere to the deadlines for the submissions (e.g., reports, test scripts, etc.) announced for this course in MS Teams; otherwise, by design, Moodle will not accept them.

Of course, in exceptional circumstances related to personal emergencies, serious illness, wellness concerns, family emergencies, and similar, please make the course staff aware of your situation beforehand/as soon as possible and we will decide how to handle your case.

Course evaluation components


Viva/class test
(60%)
To test students' understanding, we will also conduct in-person vivas and time-bound online class tests (three in total). We will share the details in due course.
Term project + One assignment
(40%)
Students will work on course projects in small groups of 2-3. We will provide a choice of projects. Students will be given an opportunity to indicate their preferences before project groups are assigned by the instructors.

Students who have their own ideas for projects (or already formed a group) should discuss them with the instructors within the first week (start with sending a mail).

The end goal of this project is to teach you the principles of usable security and privacy hands-on.

All reports should be written in the ACM double column "sigconf" template. Check the LaTeX/Word templates here. Feel free to use the Overleaf link on that page. We will deduct marks if your report is not in ACM double column sigconf format. You can use LaTeX or MS Word. Each report should contain your names and roll numbers. Furthermore, one report upload per group in Moodle (by any of the group members) will suffice (submission by multiple people will confuse the course staff, and you will risk being evaluated on the submission of a random group member).

Here are the parts of the project for the students. Note that each one of these steps involves knowledge acquired from the course, to give you hands-on experience. We will decide on specific deadlines for each of them:
  • Create group and pick your project topic (from a set of topics we will give or come up with your own).
  • Meet with the instructor and TAs to develop an idea about the project direction.
  • Submit a report specifying:
    • your privacy and security-centric research questions;
    • research hypotheses for your proposed project (if any);
    • general type of study (large-scale measurement, lab, online, interview, survey, etc.);
    • overview of the types of questions and/or tasks, scenarios, etc. that will be included;
    • quantitative metrics and/or qualitative analysis approach;
    • number and type of study participants you plan to recruit;
    • how you will recruit them in a practical deployment;
    • study design (between subjects, within subjects);
    • equipment, software, other resources.
  • Design questionnaires, scripts, scenarios, interview protocols (whichever necessary) to carry out the user study.
  • Develop any prototypes and software necessary to carry out the user study.
  • Submit an ethics committee approval application.
  • Conduct a study using your developed study protocol with at least 5 participants (batch mates, classmates, friends and family). The results will be useful mostly as a pilot study and should be positioned as such in your final report.

  • Give a final presentation and submit a final report of at least 3 pages
    • The final report should be built upon your earlier report and include the results from piloting.
    • You should also include final questionnaires, scripts, scenarios, interview protocols, any prototypes and software, ethics committee approval applications with this report for final evaluation. 


Honor code

You are permitted to talk to the course staff and to your fellow students about any of the problem sets. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the problem sets. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating.

No collaboration is permitted on quizzes or assignments. All work submitted for the project must properly cite ideas and work that are not those of the students in the group. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In that case, we will be forced to award you no marks for that assignment/quiz/project, take away 50% of your total final marks and you will risk deregistration.

Grading

Your course grade will be calculated as follows:
3 Viva/tests: 60%
Term project + One assignment: 40%


Wellness

If a personal emergency comes up that might impact your work in the class, please let the instructors know via a private chat message (to all the course instructors) so that the course staff can make appropriate arrangements. We are going through unprecedented times and circumstances can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone.

Copyright policy

This course was initially based (with permission) on a course co-taught by Mainack at University of Chicago. All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload all or any part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.