The Technology of Privacy Wintersession 2013 Paul Ohm



The Technology of Privacy

Wintersession 2013


Paul Ohm


Syllabus

Version 0.9


Course Description




Information Privacy is one of the most pressing and debated topics in law and policy today. Policymakers, scholars, advocates, and industry representatives are locked in heated, escalating debates about the growing spread of tracking and surveillance in society. Most of this debate has been spurred by the breakneck pace of changes to technology, and particularly of changes to Internet and mobile technology. Future lawyers interested in practicing information privacy law or technology policy more broadly defined need to understand the past, present, and likely future of the technology of privacy.


This course embraces several innovations not found in a typical law school course:

It is offered during the one-week wintersession in January, the last week of the winter break.

Students will be expected to engage the technology thoroughly, not at arm’s length.

Some of the class sessions will take place in a computer lab, with every student directly controlling cutting-edge technologies of privacy and privacy invasion, such as tools for encryption, wiretapping, onion routing, facial recognition, and more.

The capstone of the class will be attendance and participation from the audience at a full-day conference including many of the nation’s leading scholars of information privacy.


There are no prerequisites for the course. Students of any technical ability and background (including no technical ability or background) are welcome to enroll, but students with some familiarity with computer and network technology will likely find the material easier to master.


Class Times and Office Hours



The class will meet every day from Monday to Thursday from 9:00 AM to 11:20 AM either in Room 306 or in the first floor computer lab in the ATLAS building. The first class will be in Wolf 306. On Friday, every student is required to attend a conference to be held on the “Technology of Privacy” in the law school courtroom, from 9:15 AM to 5:00 PM. Attendance at the full conference is mandatory.

I will be available for office hours each day for one hour following class in my office (Room 433) or at any other time by appointment. I can also be reached via e-mail at paul.ohm@colorado.edu.


Course Expectations



Themes. In four class meetings, we cannot even scratch the surface of this vast topic. This course will focus on depth over breadth, focusing in particular in 2013 on three major developments: (1) the crypto wars of the late 90’s; (2) web tracking and do not track; (3) big data. We will pay special attention to topic #2, do not track, which will also figure prominently in the Friday conference. On Thursday, we will spend one hour debating Do Not Track in which students might be asked to play a role in the contemporary debate.




Grading. Grades for the course will be based primarily on a final project due one week after the last day of class. In other words, the final project is due Friday, January 18, 2013, by 11:59 PM. In addition, part of the final grade will depend on the level of preparation and participation each student exhibits during two in-week activities: the Thursday in-class Do Not Track debate/discussion and the Friday conference. Finally, general participation is an important part of the final grade. Taking each of these three categories in turn:




Final Project. Most of the grade for the course will be based on a final research project. Students are given the choice between a traditional law school assignment or a more novel alternative.

The traditional assignment is a research paper. The paper should examine a single collision between evolving technology and privacy law, one that is either raging today or looming in the near future. Some examples are the collision of COPPA and mobile apps; facial recognition and the fourth amendment; WiFi and wiretapping; Big Data and the Privacy Act. Many papers are likely to be drawn from the topics discussed in the assigned reading, but students are encouraged to do independent research outside the assignments to find other interesting topics at the intersection of technology and privacy.

Papers should cover at least the following three things: a discussion of the evolution of technology and how it is placing pressure on the law; a doctrinal legal analysis of how current law will respond; and a policy prescription about what to do to resolve the conflict. These papers should be at least ten pages long (typical, reasonable font and margins, double-spaced). Grades will be based on an assessment of each student’s ability to describe technology accurately, persuasiveness of the argument, accuracy of the legal analysis, and writing proficiency.

As an alternative, students are encouraged to embrace the same kind of innovative, nontraditional-law-school thinking that forms the basis for the course as they design their final projects. For example, students are encouraged to develop computer programs or information visualizations in lieu of a traditional research paper, although research papers are acceptable as well. Given the novelty of this approach, it is difficult to specify in advance a minimum quantity of work expected for the final project. The rough guideline is that the work conducted must be comparable to at least the work required for a ten page (typical, reasonable font and margins, double-spaced) research paper. The nature and scope of all final projects must be pre-approved by the Professor, no later than Thursday, at the end of the day.



In-Class Assignment Activities. In addition to the general participation grade, students will be assessed by how well they prepare for and participate in two activities during the week. First, on Thursday, we will discuss the Do Not Track proposal currently put before the W3C. This in-class activity may take the form of a discussion or possibly even a formal moot-style debate. Students may be asked to prepare a short written assignment, due Thursday.

Second, every student must submit in writing two or more questions they might ask of the panelists at Friday’s conference before the start of the conference.

Positive performance and participation in these activities can raise a final grade up to five points above the grade given to the final research project. Negative performance can lower a final grade up to five points.





Participation. I expect you to be prepared to talk every class and will call on you without prior notice. If, however, you are unable to prepare for class on a particular day for whatever reason, please attend anyway. Send me an e-mail at least one hour before we begin or leave me a note on the podium at the front of the room before class starts and I will not call on you that day. You may use this “pass” option only once during the week unless you talk to me in advance about your situation. If you do not leave me a note but are unprepared or absent when I call on you, your grade will be negatively affected.

Positive class participation can raise a final grade up to five points above the grade given to the final research project. Negative participation can lower a final grade up to five points.


Course Materials



Required Text. All readings for the course will be posted to the course website. Materials for a particular day will be posted no less than twenty-four hours prior to the start of each class, and students are responsible for consulting the website before beginning the reading for every class.

Course Website. Our course website is at http://paulohm.com/classes/techpriv13. Here, you will find reading assignments, important announcements, and links to other resources. The top part of the website will list “Latest Changes to the Site” which can be scanned to see what is important and new. Students are advised to consult the website before every class, particularly when a class is missed.

I do not use TWEN.




General Outline


The following table lists the planned topics of discussion for each day and the location of
each class. All readings are available on the class website.


| Day | Topics | Location | Comments |
|---|---|---|---|
| Monday | The relationship between technological change and policy. Cryptography. Battles from the Crypto Wars: CALEA, Clipper, ITAR, and Bitcoin | Wolf 306 | |
| Tuesday | Lab Class. How the Internet works. Tracking Behavior online. Online Behavioral Advertising and Do Not Track. Tracking countermeasures. | ATLAS 1st Floor Computer Lab | |
| Wednesday | Lab Class. Big Data. Location tracking. Mobile and apps. Facial recognition | ATLAS 1st Floor Computer Lab | |
| Thursday | How do we resolve conflicts between law, policy, and technology? In-Class Do Not Track debate/discussion. | Wolf 306 | Topics for final project due by 5:00 PM. Must be prepared for debate/discussion. Possible short written assignment. |
| Friday | Conference: The Technology of Privacy | Wittemyer Courtroom | Submit two or more questions to ask panelists by 9:15 AM. |
| Friday + one week (1/18/2013) | | | Final papers/projects due by 11:59 PM. |



Directions to the ATLAS Building


The ATLAS Building is in the center of campus, adjacent to the art museum and not far from the UMC. The building is marked on this partial campus map:




The building’s distinctive tower makes it easy to recognize:






The topics and tentative reading are as follows:


Monday, January 7

Topic: Introduction to the Technology of Information Privacy: The History of Technology and Privacy

Location: Law School

Tentative Readings:

Excerpt from Solove & Schwartz, Information Privacy Law

Excerpt from Steven Levy, Crypto

Excerpt from Alma Whitten, Why Johnny Can’t Encrypt

Excerpt from Michael Froomkin, The Metaphor is the Key, 143 U. Penn. L. Rev. 709 (1995).

Lesson Plan:

In Class, typical law school discussion.

Have everybody master logic of public key encryption.

Detail the crypto wars and discuss Clipper Chip proposal.

Model debate over crypto.

Talk about decade since.

Toward end, tie this to broader themes about tech policy.


Tuesday, January 8

| Topic | Citation, URL |
|---|---|
| True Internet basics | Clever video: http://www.flixxy.com/how-the-internet-works.htm (Less shady looking container presentation: http://worldsciencefestival.com/videos/there_and_back_again_a_packets_tale) |
| Basic Internet Overview (IP addresses, log files) | Russ Smith, IP Address: Your Internet Identity, March 29, 1997, http://www.ntia.doc.gov/legacy/ntiahome/privacy/files/smith.htm (good but really old) |
| Cookies Overview / Ad Tracking | Julia Angwin, The Web’s New Gold Mine: Your Secrets, Wall St. J., July 30, 2010, http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html |
| Profiling | Emily Steel, A Web Pioneer Profiles Users by Name, Wall St. J., Oct. 24, 2010, http://online.wsj.com/article/SB10001424052702304410504575560243259416072.html (describing RapLeaf) |
| Non-Cookie Tracking: Flash Cookies | http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862 |
| Non-Cookie Tracking: Fingerprinting | https://panopticlick.eff.org/ |
| Wireshark Demo (A little over-detailed; just skim) | http://www.ipprimer.com/packets.cfm |
| Reading web server log files | http://www.loganalyzer.net/log-analysis-tutorial/log-file-sample-explain.html |
| TOR | https://ssd.eff.org/tech/tor |
| VPN | |
| Opting out of OBA | BlueKai Registry, http://www.bluekai.com/registry/ |
| | Taco |
| SSL | |
| Phorm/NebuAd | Excerpt from Paul Ohm, The Rise and Fall of Invasive ISP Surveillance, 2009 U. Ill. L. Rev. 1417 (2009). |
| Generally | Dave Clark et al., Tussle Spaces (Thursday) |
| Controlling the Web | Zittrain, Internet Points of Control (Another class) |
| | Felten, Great Firewall (Another class) |
| DNT | Jeff Blagdon, Do Not Track: An Uncertain Future for the Web’s Most Ambitious Privacy Initiative, The Verge, Oct. 12, 2012, http://www.theverge.com/2012/10/12/3485590/do-not-track-explained |
| Business of OBA | Natasha Singer, Your Online Attention, Bought in an Instant, N.Y. Times, Nov. 17, 2012, at BU1. |


Possible Lesson Plan:

Three stations: Users, Middle of the Wire, Endpoint surveillance

Topic: The Internet: Cookies, Packet Sniffing, and Tracking (Lab Class)

Location: ATLAS

Tentative Readings:

<Basic Primer on the Internet>

Excerpt from Dan Solove, The Digital Person

Excerpt from Julia Angwin, What They Know series

Lesson Plan

First Lab Class.

Lab exercises:

1. Log files.

2. Cookies / Ghostery.

3. Ad networks and opt-out choices.

4. Fingerprinting and Panopticlick.

5. Mobile tracking: UDIDs and geolocation.

6. Other advertising counter-measures.

7. TOR

8. Wireshark

Themes to hit (should find one reading about each):

Monetization.

Opt-in vs. Opt-out.

The arms race between trackers and blockers.

Self-regulation vs. Regulation.


Wednesday, January 9

Topic: Big Data, Mobile Issues, and Facial Recognition

Location: ATLAS

Tentative Readings:

Paul Ohm, Broken Promises of Privacy

Felix Wu, <reidentification>

Jane Yakowitz, The Tragedy of the Data Commons

Alessandro Acquisti, <Facial Recognition Study>

Charles Duhigg, How Companies Learn Your Secrets, N.Y. Times, Feb. 16, 2012

Lesson Plan

Second Lab Class.

Lab Exercises:

1. Deidentification/Reidentification.

2. Netflix Prize

3. Facial Recognition

4. GPS tracking (Google Maps and WiFi routers?)

Themes (find one reading about each)

Case study of deidentification.

Balancing costs and benefits.

Predicting the future.


Thursday, January 10

Topic: Solutions? Privacy by Design, Do Not Track, and the Right to be Forgotten

Location: Law School

Tentative Readings:

Ann Cavoukian, Principles of Privacy by Design

Excerpts from FTC Final Report on Privacy

Excerpts from W3C paper on Do Not Track

Various blog posts and commentary on Do Not Track

Excerpt from Bamberger & Mulligan, <CPO Article>

Lesson Plan

In-Class Debate Do Not Track, with assigned roles

Talk about rise of the CPO / Professionalization / Job market

Comparative: EU vs. US vs. Canada


Friday, January 11

Topic: Conference on the Technology of Privacy

Location: Law School Courtroom (Must attend entire conference, 9:00 AM to 5:00 PM)

Tentative Readings:

Must skim all papers submitted by panelists and be prepared to ask questions.