Carnegie Mellon University

Current Topics in Privacy Seminar

The Current Topics in Privacy Seminar is a three-credit course (17-702) taught in the Fall and Spring semesters. Members of the university community are invited to participate in the seminar even if they are not enrolled in the course. In this seminar course students will discuss recent papers and current public policy issues related to privacy. Privacy professionals from industry, government, and non-profits will deliver several guest lectures each semester. 

Members of the CMU community interested in receiving notifications about the seminars each week should contact the course instructor to request to be added to the email list. 

Instructors:  Hana Habib and Norman Sadeh

Time and location: Tuesdays, 12:30-1:50 PM.  All seminars will be held in Hamburg Hall, 1002 and will be available via Zoom.

01/17/23 - Introduction - Hana Habib and Norman Sadeh, Guest Speaker: Eric Zeng (CMU, CyLab)

01/24/23 - Hana Habib

Abstract:

Notice and choice has dominated the discourse on consumer privacy protection and is the foundation of existing privacy regulation in the United States. Under this paradigm, companies disclose their data handling practices to consumers, who in turn are expected to make decisions according to their privacy preferences. As such, many companies have incorporated consent notices and other privacy choices into their web interfaces. The notice and choice model presents several challenges for providing effective consumer privacy protection, one of which is related to the usability of privacy choice mechanisms. The design of consent and privacy choice interfaces can significantly affect consumer choices and their privacy outcomes. This talk will highlight usability issues related to existing privacy choice mechanisms, as well as provide guidance for conducting usability evaluations of such interactions.

01/31/23 - Shomir Wilson (Penn State)

Title: Natural Language Processing for Privacy and Social Good
Abstract: Internet users care about their privacy, but persistent gaps exist in their understanding of companies' data practices, and more generally, how data about them can be collected and used. I will describe a trajectory of research to automatically extract information from the text of websites' and apps' posted privacy policies and to present it to consumers, regulators, and privacy researchers in ways that better respond to their needs. A recent part of this work is PrivaSeer (https://privaseer.ist.psu.edu/) a search engine and corpus that together make a collection of over 1M website privacy policies available and explorable for privacy stakeholders. I will also describe several other projects to apply natural language processing (NLP) to problems in privacy. I will conclude with some thoughts on the potential for NLP to help with a broad set of problems involving large volumes of legal text and the ability of consumers to make informed decisions.

02/07/23 - Cameron Boozarjomehri (Mozilla)

Title: Privacy Engineer In Practice

Abstract: A case study of the many stakeholders and partners a privacy engineer will need to collaborate with to be successful. This presentation is an examination of how privacy engineering allows organizations to develop well rounded features that serve the customers and the organization. More importantly, it highlights the balance of technical, legal, and regulatory knowledge needed to be successful.

02/15/23 (in place of 2/14 seminar)- Joint CyLab/S3D Seminar with Helen Nissenbaum (Cornell Tech)

02/21/23 - Yixin Zou (Max Planck Institute for Security and Privacy)

Title: Do Notice and Choice Work? A Close Look at Data Breaches
Abstract: Data breaches put affected consumers at risk of cybercrime from account compromises to identity theft. Data breach notification laws require companies to notify affected consumers of possible risks and recommended actions. I will discuss a series of studies that examine data breach notifications from complementary perspectives: (1) empirical studies with consumers on their reactions after being affected by data breaches; (2) content analysis of breach notifications sent by companies to identify usability issues; and (3) a controlled experiment on nudges that encourage affected consumers to change breached passwords. I will conclude with a reflection on how notices and choices are necessary but insufficient for protecting consumers against the aftermath of data breaches, and how we can draw insights from research to inform technical and policy interventions that strengthen consumer protection in this space.

02/28/23 - Alessandro Acquisti (CMU, Heinz College)

Title: Who Benefits from the Data Economy

Abstract: He will discuss recent and ongoing work that aims at understanding benefits allocation in a data economy. First, he will review works that attempt to estimate how the economic value extracted from consumer data is allocated to different stakeholders, and the way privacy protection can influence those allocations. Next, he will focus on two studies: an investigation of the impact that the application of differential privacy to U.S. Census data can have on the allocation of Title I funding; and an online experiment on the impact of behaviorally targeted advertising on consumer welfare.

03/14/23 - CHI Speakers

03/21/23 - Cara Bloom (MITRE)

Title: Privacy Threat Modeling & MITRE PANOPTIC™

Abstract

Threat modeling is a process which can be used to understand potential attacks or adversaries and is essential for holistic risk modeling. As privacy moves from a compliance-based to a risk-based orientation, threat-informed defense will be crucial for privacy management as it has already become for cybersecurity management. Yet, privacy lacks a shared threat language and commonly used threat model. This talk will overview the domain of privacy threat modeling in the context of risk modeling, and present one effort to fill the privacy threat modeling gap: the Pattern & Action Nomenclature Of Privacy Threats In Context (PANOPTIC). PANOPTIC is a data-driven, threat agent-agnostic, attack-oriented taxonomy that breaks individual privacy attacks down into their constituent parts, and can be used for privacy threat assessments, risk modeling, and red teaming.

03/28/23 - Jennifer Urban (Berkeley Center for Law and Technology)

Title: “The CCPA and the CPPA: California as a Vanguard for Consumer Privacy”

Abstract: Americans face unprecedented threats to their personal privacy. Today, data collection on a massive scale fuels new methods for monitoring and monetizing consumers’ behavior. Our personal information feeds algorithms that decide everything from what ads we see to life-changing credit, housing, and hiring evaluations. In recent years, multiple states have moved to address these threats and protect their residents’ privacy. In California, the California Consumer Privacy Act of 2018, gives residents have important privacy protections—protections expanded by California voters themselves in a  2020 ballot initiative. In addition to creating further consumer rights, the initiative also created the California Privacy Protection Agency, the first data protection authority in the United States. What is the nature of these developments, and what do they mean for Californians and others? This talk will discuss California’s protections and place them in the broader context of rapid growth in data collection and use and responses by lawmakers, regulators, and data subjects.

04/04/23 - Divya Sharma (Google)

04/11/23 - Ellen Nadeau (Cruise)

04/18/23 - Sebastian Zimmeck (Wesleyan University)

04/25/23 - Darya Pilram (SEI)