Georgia Institute of Technology

Privacy Technology, Policy, and Law
Spring 2013


These topics and schedule are subject to change. Any changes will be announced in class, via T-Square, via email, and reflected on this syllabus.

Week 1: Introduction to Privacy, Technology, Policy and Law

January 8

Introduction to the class, discussion of the syllabus, and student survey.

January 10

Required Reading:

[ACM] Code of Ethics, Association for Computing Machinery. <URL>

[USACMa] USACM Policy Recommendations on Privacy, USACM Policy Brief, June 2006. <URL>

[SA08] Eugene H. Spafford and Annie I. Antón. "The Balance of Privacy and Security," Controversies in Science and Technology, Vol II, ed, by Daniel Lee Kleinman, Karen A. Cloud-Hansen, Christina Matta, and Jo Handelsman, pub. MaryAnn Liebert, Inc, NYC, NY, pp. 152-16, 2008. <URL>

Recommended, but not required, Readings:

[WB90] S.D. Warren and L.D. Brandeis. "The Right to Privacy," Harvard Law Review, December 15, 1890. <URL>

[TPA74] The Privacy Act of 1974, 5 U.S.C. § 552a, 1974. <URL>

We will not meet for class on January 10th. Both instructors will be traveling to the Silicon Flatirons Conference on privacy. This YouTube video is required viewing in lieu of our previously scheduled class.

Week 2: Defining Privacy

January 15: Guest Lecturer – Peter P. Swire, C. William O'Neil Professor of Law in Judicial Administration

Required Reading:

Natasha Singer, "Mediator Joins Contentious Effort to Add a ‘Do Not Track’ Option to Web Browsing," New York Times, November 28, 2012. <URL>

[Coo08a] A. Cooper. "What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies," Statement of Alissa Cooper Before the House Committee on Energy and Commerce, Subcommittee on Telecommunications and the Internet, July 17, 2008. (16 pages, with 13 page Appendix which is not required reading. However, students should familiarize themselves with the material in the Appendix.) <URL>

Optional Reading:

The W3C's Website for the Do Not Track committee

[SA08] P. P. Swire and A. I. Antón. "Online behavioral advertising: Moving the discussion forward to possible self-regulatory principles.", Testimony to the FTC, April 10 2008. <URL>

January 17

Required Reading:

[BC01] M.S. Blumenthal and D.D. Clark. "Rethinking the Design of the Internet: The End-to-End Arguments vs. the Brave New World," ACM Transactions on Internet Technology, 1(1), pp. 70-109, August 2001. (40 pages) <URL>

[Har04] J. Harper. "Understanding Privacy––and the Real Threats to It," Cato Institute Policy Analysis, No. 520, August 4, 2004. (20 pages) <URL>

Week 3: Behavioral Advertising and Tracking Technologies

January 22

Required Reading:

[MA10] Aaron K. Massey and Annie I. Antón. "Behavioral Advertising Ethics," Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives, Dr. Melissa Dark, ed., 2010. (22 pages) <URL>

January 24

Required Reading:

[YLW09] J. Yan, N. Liu, G. Wang, W. Zhang, Y. Jiang, and Z. Chen. "How much can behavioral targeting help online advertising?" In WWW ’09: Proceedings of the 18th International Conference on World Wide Web, pages 261–270, New York, NY, USA, 2009. ACM. <URL>

Optional Reading:

[Ng09] Heather Osborn Ng. "Targeting Bad Behavior: Why Federal Regulators Must Treat Online Behavioral Marketing as Spyware." Hastings Communications and Entertainment Law Journal. 2009. <Available on T-Square>

[MM12] J. Mayer and J. Mitchell. "Third-party web tracking: Policy and technology." In Security and Privacy (SP), 2012 IEEE Symposium on, pages 413 –427, may 2012. <URL>

[Coo08b] A. Cooper. "A Survey of Query Log Privacy-Enhancing Techniques from a Policy Perspective," ACM Transactions on the Web, 2(4), pp. 1-27, October 2008. (27 pages) <URL>

Week 4: HIPAA

January 29: Guest Lecturer – Peter P. Swire, C. William O'Neil Professor of Law in Judicial Administration

Required Reading:

[MAS11] J. Maxwell, A. Anton, and P. Swire. "A legal cross-references taxonomy for identifying conflicting software requirements." In Requirements Engineering Conference (RE), 2011 19th IEEE International, pages 197 –206, 29 2011 Sept. 2 2011. <URL>

January 31

Required Reading:

[BA08] T. Breaux and A. Anton. "Analyzing regulatory rules for privacy and security requirements." IEEE Transactions on Software Engineering, 34(1):5–20, Jan. 2008. <URL>

[MSO11] A. Massey, B. Smith, P. Otto, and A. Anton. "Assessing the accuracy of legal implementation readiness decisions." In Requirements Engineering Conference (RE), 2011 19th IEEE International, pages 207 –216, 29 2011-sept. 2 2011. <URL>

Week 5: Privacy Compliance

February 5

Required Reading:

[OAB07] Paul Otto, Annie I. Antón & David Baumer. "The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information," IEEE Security & Privacy Magazine, 5(5), pp. 15-23, Sept.-Oct. 2007. (9 pages) <URL>

[OA07] P. N. Otto and A. I. Antón, “Addressing Legal Requirements in Requirements Engineering,” Requirements Engineering Conference, 2007. 15th IEEE International, pp. 5–14, 15-19 Oct. 2007. (10 pages) <URL>

February 7

Required Reading:

[BAB08] T. D. Breaux, A. I. Anton, K. Boucher, and M. Dorfman, "Legal requirements, compliance and practice: An industry case study in accessibility," in Proceedings of the 16th IEEE International Requirements Engineering Conference (RE08), Barcelona, Spain, pp. 43-52, IEEE Society Press, September 2008. (10 pages) <URL>

Week 6: Identity

February 12

Required Reading:

[SB08] P.P. Swire and C.Q. Butts. "The ID Divide: Addressing the Challenges of Identification and Authentication in American Society," Center for American Progress, Washington, DC, pp. 1-41, June 2008. (46 pages) <URL>

[Har08b] J. Harper. "Electronic Employment Eligibility Verification: Franz Kafka's Solution to Illegal Immigration," Cato Institute Policy Analysis, No. 612, pp. 1-22, March 5, 2008. (24 pages) <URL>

February 14

Required Reading:

[Sol01] D.J. Solove, "Privacy and Power: Computer Databases and Metaphors for Information Privacy," Stanford Law Review, Vol. 53, pp. 1393-1462, July 2001. [NOTE: Skip Parts 1 and 2. Just read from Part 3 to the end.] (48 pages for the required sections) <URL>

Week 7: Anonymity and Re-Identification

February 19

Required Reading:

[NS09] A. Narayanan and V. Shmatikov. "De-anonymizing social networks." In Security and Privacy, 2009 30th IEEE Symposium on, pages 173–187, May 2009. <URL>

[Ohm10] Ohm, Paul, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization", UCLA Law Review, Vol. 57, p. 1701, 2010. <URL>

February 21

Required Reading:

[Swe02] L. Sweeney, "K-Anonymity: A Model for Protecting Privacy," International Journal on Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5), pp. 557-570, October 2002. (14 pages) <URL>

[EJA11] K. El Emam, E. Jonker, L. Arbuckle, and B. Malin. "A systematic review of re-identification attacks on health data." PLoS ONE, 6(12):e28071, 12 2011. <URL>

Week 8: Differential Privacy and Privacy Harms

February 26

Required Reading:

[Dwo06] C. Dwork. "Differential privacy." In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, editors, Automata, Languages and Programming, volume 4052 of Lecture Notes in Computer Science, pages 1–12. Springer Berlin Heidelberg, 2006. <URL>

[CK12] Chin, Andrew and Klinefelter, Anne, "Differential Privacy as a Response to the Reidentification Threat: The Facebook Advertiser Case Study", North Carolina Law Review, Vol. 90, No. 5, 2012. <URL>

February 28

Required Reading:

[Cal11] R. Calo. "The Boundaries of Privacy Harm.", Indiana Law Journal, 86(3), 2011. <URL>

[Sol06] D.J. Solove. "A Taxonomy of Privacy," University of Pennsylvania Law Review, 154(3), pp. 477-560, January 2006. [NOTE: Read all subsections of Parts A and B as well as subsections C2, C3, and C4.] (54 pages for the required sections) <URL>

Week 9: Foreign Intelligence, Wiretapping, and Communication

March 5

Required Reading:

[BBD07] S.M. Bellovin, M. Blaze, W. Diffie, S. Landau, P.G. Neumann and J. Rexford. "Risking Communications Security: Potential Hazards of the Protect America Act," IEEE Security & Privacy, pp. 24-33, January-February 2008. (10 pages) <URL>

[Sch09] Schwartz, Paul M., "Warrantless Wiretapping, FISA Reform, and the Lessons of Public Liberty: A Comment on Holmes' Jorde Lecture", California Law Review, Vol. 97, No. 407, 2009 <URL>

Optional Reading:

[Swi04] P. Swire. "The System of Foreign Intelligence Surveillance Law," George Washington Law Review, Vol. 72, pp. 2-104, 2004. (104 pages double-spaced) <URL>

March 7

Required Reading:

[EPIC] The USA PATRIOT Act, Electronic Privacy Information Center, Washington, DC. (17 pages if printed) <URL>

[EFF03] EFF Analysis of the Provisions of the USA PATRIOT Act That Relate to Online Activities, October 2003. (7 pages if printed) <URL>

[Ker03] O.S. Kerr. "Internet Surveillance Law After the USA PATRIOT Act: The Big Brother That Isn't," Northwestern University Law Review, Vol. 97, 2003. (69 pages) <URL>

Week 10: Privacy Policies & Privacy and Cybersecurity

March 12

Required Reading:

[CGA06] K.I. Reay,  P. Beatty, S. Dick and  J. Miller, "A Survey and Analysis of the P3P Protocol's Agents, Adoption, Maintenance, and Future",IEEE Transactions on Dependable and Secure Computing, 4(2), pp. 151 - 164. (14 pages) <URL>

[MC08] Aleecia McDonald and Lorrie Cranor. "The Cost of Reading Privacy Policies." I/S: A Journal of Law and Policy for the Information Society, 2008. <URL>

March 14

Required Reading:

[LBM12] C. Landwehr, D. Boneh, J. Mitchell, S. Bellovin, S. Landau, and M. Lesk. "Privacy and cybersecurity: The next 100 years." Proceedings of the IEEE, Special Centennial Issue:1659-1673, 13 2012. <URL>


March 19 & 21

Week 12: Encryption

March 26

Required Reading:

[USACMc] Encryption, USACM Policy Brief, Washington, DC. (2 pages printed) <URL>

[Sog09] Soghoian, Christopher, "Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era", 8 J. on Telecomm. and High Tech. L. 359, 2009. <URL>

March 28 – In lieu of meeting for class, we will attend the GT Cyber Security Symposium.

Please register to attend the GT Cyber Security Symposium!

Required Reading:

[Cha92] D. Chaum. "Achieving Electronic Privacy," Scientific American, pp. 96-101, August 1992. (9 pages) <URL>

[Bla94] Matt Blaze. "Protocol Failure in the Escrowed Encryption Standard", Second Annual ACM Conference on Computer and Communications Security, 1994. <URL>

Optional Reading:

[SWP00] D.X. Song, D. Wagner and A. Perrig. "Practical Techniques for Searches on Encrypted Data," IEEE Symposium on Security and Privacy, pp. 44-55, 2000. (12 pages) <URL>

[Pin02] B. Pinkas. "Cryptographic Techniques for Privacy-Preserving Data Mining," ACM SIGKDD Explorations Newsletter, 4(2), pp. 12-19, December 2002. (8 pages) <URL>

Week 13: The Fourth Amendment and Technology

April 2

Required Reading:

[Ker10] O. S. Kerr. "Applying the Fourth Amendment to the Internet: A General Approach." Stanford Law Review, 62(4):1005–1050, 2010. <URL>

[Har08] J. Harper. "Reforming Fourth Ammendment Privacy Doctrine." American University Law Review, 57:1381, 2008. <URL>

April 4

Required Reading:

United States v. Jones, 132 S.Ct. 945, 565 U.S. <URL>

City of Ontario, California, et al. v. Quon, et al., 130 S.Ct. 2619, 560 U.S. <URL>

Week 14: Social Networks

April 9

Required Reading:

[GA05] R. Gross and A. Acquisti. "Information Revelation and Privacy in Online Social Networks," Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pp. 71-80, 2005. (10 pages) <URL>

[AG09] Alessandro Acquisti and Ralph Gross. "Predicting Social Security Numbers from Public Data," Proceedings of the National Academy of Science, 106(27), 10975-10980, 2009. <URL>

April 11

Required Reading:

[Gri09] J. Grimmelmann, "Saving Facebook," Iowa Law Review, Vol. 95, No. 4, May 2009. (52 pages) <URL>

[MJB11] Michelle Madejski, Maritza Johnson and Steven Bellovin, "The Failure of Online Social Network Privacy Settings", Future of Privacy Forum Privacy Papers for Policy Makers, 2011. <URL>

Optional Reading:

[NHP11] M. Netter, S. Herbst, and G. Pernul. "Analyzing Privacy in Social Networks–An Interdisciplinary Approach." In Privacy, Security, Risk and Trust, 2011 IEEE Third International Conference on Social Computing, pages 1327 –1334, Oct. 2011. <URL>

Week 15: Privacy by Design

April 16

Required Reading:

[GTD11] Gürses, S., Troncoso, C., and Diaz, C. "Engineering Privacy by Design." Science Vol. 317, pp. 1178-9. 2011. <URL>

[RG12] I. Rubinstein, N. Good, "Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents." Berkeley Technology Law Jounral, Forthcoming. <URL>

April 18

Required Reading:

[Cav11] A. Cavoukian. "Privacy by Design in Law, Policy and Practice: A White Paper for Regulators, Decision-makers and Policy-makers." Office of the Information Privacy Commissioner, Ontario, Canada, 2011. <URL>

[SC08] S. Spiekermann and L. F. Cranor. "Engineering Privacy." IEEE Transactions on Software Engineering, 99(1), 2008. <URL>

Week 16: Flex Days

April 23 & 25

We will likely have guest speakers throughout the semester, so we need some flex days to ensure that everything is covered.