COMP 555 - Information Privacy

Offered by Martin Robillard in the McGill School of Computer Science in Winter 2024 (4 credits). Mondays and Wednesdays 10:00-11:30 in Adams 211.

Overview

The pervasive collection of personal information by end-user and infrastructure software creates important implications for most stakeholders of software systems, including users, administrators, developers, and vendors. Engineering privacy in software requires both technical know-how and knowledge of regulatory standards and practices. As evidenced by the daily reporting of software vulnerabilities and privacy breaches, much remains to be done to improve the standards or privacy protection in software. This course will provide students with the knowledge and experience necessary to make informed privacy-related decisions both as software users and developers.

Course Topics

Privacy threats, privacy requirements, regulatory frameworks, privacy-enhancing technologies.

Learning Outcomes

After this course, students should be able to...

Name, describe and explain: The important concepts of privacy in software, the privacy threats, the technical controls used to implement privacy protection, and the regulatory frameworks related to information privacy in software.
Evaluate: The privacy protection levels of different software systems, and potential solutions for implementing and improving privacy protection in software.
Apply: the concepts covered in the course in the development of a privacy-respecting software application.

Target Audience and Required Background

This advanced course targets senior undergraduate students majoring in computer science or software engineering, and graduate students focusing on applied computing topics.

The official prerequisite is to have completed COMP 303. However, the course is ideally suited for students who have completed at least two more software-related course at the 300-level or above, and have relevant practical development experience. For graduate students who come from other institutions, equivalent courses are fine. The course work requires the ability and willingness to independently experiment with a diverse set of software technologies and tools.

Reference Material

Jaap-Henk Hoepman. Privacy is Hard and Seven Other Myths: Achieving Privacy Through Careful Design. MIT Press, 2021. Available from the Paragraph Bookstore.

The course involves a heavy reading component and additional reading will be required during the term. References will be provided with the detailed course schedule.

Course Work and Evaluation

Most lectures will be dedicated to active learning and involve the completion of in-class activities such as: synthesizing data breach reports, comparing privacy policies, searching vulnerability databases.

In-class group activities: 20%. Students will be asked to complete a task in a small group, and the outcome of the task will be rated for basic quality attributes.
Quizzes: 15%. These quizzes will be scheduled at the beginning of some lectures to test the students' knowledge of the assigned reading.
Attendance/Participation: 5%. Punctual attendance and meaningful participation during discussions.
Midterm: 20%. The midterm will cover the readings and the outcome of the in-class activities.
Project: 40%. In groups, students will research a privacy issue, develop a prototype solution by following the principles of privacy by design, and communicate the outcome of their research through a written report, technical artifacts, and oral presentations.