I330: Legal and Social Aspects of Security
INFO-I 400 / 590
Tuesday/Thursday 4:00pm - 5:15pm
Info West 107
Course Description
This course examines the set of ethical and legal problems most tightly bound to the issues of information control. The interactions and technologies change, but the core issues remain: privacy, intellectual property, Internet law, concepts of jurisdiction, speech anonymity versus accountability, and ethical decision making in the network environment.
Instructor
Prof. Kami Vaniea
Info West 301
Office Hours: Tuesday 2-3pm
kvaniea@indiana
Assistant Instructor
Gianpaolo Russo
Schedule
- 13/15 January
Discussion: Introduction to class and email security
Read for class: No reading for this week
- 20/22 January
Discussion: Web tracking
Optional: Privacy Analysis for the Casual User with Bugnosis by David Martin in Security and Usability (find on Canvas)
Optional: The Reasoning Behind Web Cookies by Lou Montulli (aka the guy who invented the web cookie)
Optional: Why blocking 3rd party cookies could be a bad thing by Lou Montulli
Optional: The History of the Do Not Track Header by Christopher Soghoian
- 27/29 January
Discussion: Intro to Legal Aspects of Security
Read for class: Chapter 1 of Nothing to Hide by Daniel J. Solove (on Canvas)
Read for class: Chapter 2 of Privacy, Information, and Technology by Daniel J. Solove and Paul M. Schwartz (on Canvas)
Read for class: Katz v. United States in Privacy, Information, and Technology by Daniel J. Solove and Paul M. Schwartz (on Canvas)
Read for class: Smith v. Maryland in Privacy, Information, and Technology by Daniel J. Solove and Paul M. Schwartz (on Canvas)
- 3/5 February
Discussion: Policy and Regulation
Read for class: Records, Computers and the Rights of Citizens by Willis H. Ware (on Canvas)
Read for class: FTC complaint against Snapchat Inc. (Skim this; it will not appear on the quiz, but you will be asked to discuss some of its points in class.)
Read for class: FTC complaint against Google Buzz (find on Canvas)
Read for class: FCC: Open Internet (aka Net Neutrality)
- 10/12 February
Discussion: Data Brokers
Read for class: FTC report on Data Brokers (read the Executive Summary, pages 9-17)
Read for class: GAO report on Information Resellers (read the overview on page 2, and the section entitled "Several Laws Apply in Specific Circumstances to Consumer Data That Resellers Hold", pages 11-19)
Read for class: Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising by Blase Ur, Pedro Giovanni Leon, Lorrie Faith Cranor, Richard Shay, Yang Wang
- 17/19 February
Discussion: Threat Modeling
Read for class: Privacy Policies and Practices: Inside the Organizational Maze by H. Jeff Smith
Read for class: Chapter 8 in Security Engineering by Ross Anderson (find on Canvas)
Read for class: Chapter 10.2 in Security Engineering by Ross Anderson (find on Canvas)
Optional: The All-or-nothing fallacy in Nothing to Hide by Solove (find on Canvas)
- 24/26 February
Discussion: Psychology of Security
Read for class: The Psychology of Security by Ryan West
Optional: A Framework for Reasoning About the Human in the Loop by Lorrie F. Cranor
Grading
| Component | Weight |
| --- | --- |
| Exams | 50% |
| Labs and Quizzes | 20% |
| Participation | 15% |
| Project | 15% |
Grades will be given out as follows (minimum score for each letter grade):

| Grade | Minimum score |
| --- | --- |
| A+ | 97% |
| A | 93% |
| A- | 90% |
| B+ | 87% |
| B | 83% |
| B- | 80% |
| C+ | 77% |
| C | 73% |
| C- | 70% |
| D+ | 67% |
| D | 63% |
Readings and Quizzes
Students will be assigned readings every week, which they are expected to do before class. These readings come from a variety of sources and will be provided via Canvas. There is no assigned book for this course. Quizzes will be administered each Tuesday to ensure students have been reading the material.
Labs
There are two lab sections for the course; you must be signed up for one of them. Labs will involve hands-on activities designed to help you better understand the material. Labs are due at the beginning of class on Tuesday.
Project
The class project is a term paper where you will be analysing a public security breach from three angles: technical, legal, and social. The goal is to get an in-depth understanding of what a single security breach looks like, what causes it, and how the ramifications of the breach play out. There will be four milestones:
1. Summarize the breach
Pick a breach that you think is interesting and provide a high-level summary of what happened. The goal of this milestone is to give the Professor and the AI a chance to comment on your choice and provide feedback.
2. Technical analysis
Provide a technical analysis of what happened. Describe the whole attack at a high level. Then select one technical aspect of the attack and describe the attacked technical component in detail. For example, in the attack on Target, ActiveX is a likely way the attacker gained access, so you might provide a detailed description of what ActiveX is, how it relates to security, and how it might have played a role in this attack.
3. Legal/policy/regulatory analysis
Provide an analysis of the legal, policy, and regulatory impact of the breach. Provide summaries of the legal cases brought against the company, any regulations involved, which agencies investigated, and any industry certifications that the breach put in jeopardy. Select one of these and describe it in depth.
4. Social analysis
Provide an analysis of the human component of the breach. Most breaches have a human component somewhere. Even if no end user was involved, system administrators are people too and cannot do everything at once. What organizational pressures or social limitations might have led to this breach? Unfortunately, the human factors of security are rarely published in breach analyses.