CSCI-2390: Privacy-Conscious Computer Systems

⚠️ This is not the current iteration of the course! Head here for the current offering.

Projects

Final projects should seek to answer a research question through implementation of a new idea in a real system. This could take one of several forms:

Prototype a new, privacy-centered system design.
Apply a privacy-enhancing or privacy-preserving technique in an existing system, and measure its impact.
Conduct a study of privacy risks and deficiencies in existing software, and analyze what it would take to address them.

You may work on projects individually, or in groups of two to three students. Your project deliverables include a proposal, a progress report, a final paper describing design and implementation, your code, and a presentation I will post the final presentation and writeup to the course website (unless you explicitly want it kept confidential for a good reason).

Important dates

October 2, 2020: submit your project proposal (by 11pm).
October 29, 2020: first project conference, at which you present your progress.
November 6, 2020: submit a progress report on your project (by 11pm).
November 19, 2020: second project conference, at which you present your progress.
December 3, 2020: presentation and demo.
December 9, 2020: submit your code and final report.

Project proposal

Please use the OSDI 2018 submission template. Your proposal should be a one-page summary of what your idea is, how you plan to go about investigating it, and what techniques you will apply (or need to learn about beyond the course material).

Project ideas

Here's a list of some starter ideas to get you thinking. Please feel free to pursue your own ideas!

Write a GDPR-compliant subject access and erasure tool for HotCRP.
Design a language for machine-readable privacy policies, and a way to verify or enforce that a web application follows these policies.
Implement GDPR compliance by construction in an existing web framework (e.g., Django) or storage system (e.g., MySQL, Postgres).
Help evaluate a new approach to retrofit GDPR compliance onto existing databases (somewhat similar to Odlaw); contact Malte for details.
Build a multiverse database extension for MySQL or PostgreSQL.
Apply Resin-style information flow control to a web application to enforce the GDPR's purpose limitation.
Add support for a deletion framework (à la DELF) to an open-source web application framework (e.g., Django).
Build a tool that extracts and visualizes information hidden in the data returned from access requests (e.g., Twitter's ad data).
Build a web browser plugin that visualizes how web trackers are tracking the user across sites (cf. NYT article).
Add another database to GDPRBench and collect results for it.
Add support for GDPR Subject Access Requests (SARs) and data deletion requests to an open-source web application.
Check out the ideas for decentralized application projects from MIT's 6.S974.