Privacy & Security in the Internet of Things

Please Keep Up To Date On Canvas
Fall 2016

L Jean Camp
Steve Myers
Ryan Henry

Guest Instructors
Tadayoshi Kohno
Shwetak N. Patel


Security and privacy lapses in the Internet of Things can cause real and significant harm to people, their pets, and their homes. Computer security and privacy for an IoT ecosystem is fundamentally important and challenging. From a human-centered design perspective, complex issues arise when designing technologies for a diverse collection of stakeholders, including vulnerable populations such as children and those using in-home care technologies. From a technical perspective, security and privacy are challenging not only because of the properties of IoT devices themselves but also because of risks that emerge only when technologies are combined in unexpected ways. IoT devices will be pervasive, and may have very constrained computational, communications, and energy resources.

Meeting these challenges requires a large, interdisciplinary effort. A holistic approach to IoT security and privacy integrates human-computer interaction, network security, cryptography, and pervasive computing. The translation layer requires an understanding of people’s privacy and security requirements and the ability to express these as cryptographically enforced data controls. This embeds usability and social informatics challenges, requiring understanding what people want and presenting these in a manner people can understand. The home environment is one of the most complex contexts in which to consider IoT security and privacy, due in part to the diversity of families involved as well as the knowledge and technical support (or lack thereof) that one can assume in terms of computer security and privacy. This includes cryptographic challenges in aligning the cryptographic implementations to the requirements derived from human contexts. There is the networking challenge of communicating these. The ability to enforce these requirements on devices and in their interactions is a complex challenge even with the assumption of well-behaved devices.


One Time Announcement

Download the initial schedule of readings at This will not be updated. As soon as you can access Canvas, it is your responsibility to track updates using Canvas resources. This is a collaboratively taught course, so this website is the overview and announcement.


Course Goals

Creating a more secure IoT requires more than reading and discussion; it requires active engagement in research. The research will be informed by continuous feedback through industry outreach, and our research collaborations both inside and beyond the classroom.
Grading is based on these goals. There will be a brief anonymous survey at least once to determine how well the class is helping you achieve these goals. Depending on the results, we may ask for additional feedback with an additional survey. Canvas does not support anonymous submissions, so these are likely to be in class.


Project Possibilities & Requirements

Your choice of project will align you with a specific instructor. Threat assessments and data projects may be of interest to all the instructors. User-centered projects are a best fit with Prof. Camp, while building and breaking is likely to be aligned with Prof. Myers. Any cryptographic work, for example an implementation on a constrained device, would best fit with Prof. Myers or Prof. Henry.


Grading Guidelines

The primary assignment for this course is the preparation, in a team, of a research plan which addresses at least two dimensions of IoT security and privacy. There are 1000 potential points that you can earn in this course; 20% of the grades (200 points) are individually based and assess your class participation and contribution to group work; 60% (600 points) of your grade is determined by your group’s project; the other 20% (200 points) is determined by specific in-class activities.

We expect class discussion to be wide ranging. While we have readings for each class, the discussion is not bound by those readings. Part of this class will be brainstorming. We may take a class period, for example, to evaluate a survey designed by one group before the group distributes it. Or we may join up in pairs to go through an experimental protocol of one group. Alternatively, we may discuss preliminary results which seem inscrutable to a team. After you begin, your project is a component of the course.

Many of the courses will begin with current affairs. The first few days the faculty will choose any current event to present for discussion. After that, students will sign up to select a security event of the day. Unfortunately, we can always count on a data breach. There are also policy events, technical breakthroughs, and new malware.

Individual Assignments include quizzes, in-class assignments, online assignments, and attendance. The individual statement of goals is included in the project because it is focused on the project outcome. These sum to 200 points across the semester.

In-class leadership includes the presentation of the hot topic, which is a current event associated with security and privacy and impinging on the Internet of Things. That presentation is 50 points or five percent of the grade. This also includes the day that your team presents related work. We expect that presentation to include brainstorming with the entire class, if needed. The group leadership of the entire class is 150 points.

The Project consists of ten components, from identification of your individual goals for the class, through group development of an abstract, then reification of the abstract to a researchable question. Finally, the group will come together and present the finding, both in class and as a set of appropriate documents. All of these steps are part of the project grade because each contributes uniquely to the final deliverable.

60 points: Individual Statement of Goals

50 points: Extended Abstract Including Method

50 points: Revised Abstract & Outline

70 points: Initial Research Results

70 points: Research Progress Documentation

60 points: Initial Completed Report

70 points: Final Completed Report

50 points: Final Presentation

20 points: Peer Review of peer presentations

100 points: Turn in final plan and all slides

Students with successful, accepted submissions to an approved conference as a poster will receive an "A" on the presentation component, even if this requires a change from the initial grade. If you complete the presentation and believe your grade is incorrect, then polish the work and submit it. Given that the goal of this is effective presentation, you will receive an "A" grade. The School provides travel funds for graduate students with publications, so you should be able to present.



These policies are in addition to and not a substitute for University Academic Conduct policies.

Due dates for assignments are firm. The group will be subject to 10 late points for each day that an assignment is late.

One Late Pass is available for your group this semester. Because of the fast pace of the course, your group may use one late pass, and have one additional week to turn in one assignment.

Attendance is expected and will be monitored. You may miss two classes without penalty. More than 5 absences will result in an automatic F. You may also be excused for religious holidays. Please let us know by the first week of class if you are intending to miss for any religious holidays.

Assignments should be professional in appearance and should follow current APA format. Please seek help from the 5th edition of the APA Manual or the campus Writing Center.

Academic and personal misconduct by students is defined and will be dealt with according to the newly revised procedures in the CODE OF STUDENT ETHICS. Be sure to review cheating and plagiarism. Plagiarism constitutes using others’ ideas, words or images without properly giving credit to those sources. If you turn in any work with your name affixed to it, I assume that work is your own and that all sources are indicated and documented in the text (with quotations and/or citations). Any written work that appears to be plagiarized will be submitted to

Video and audio recording of the course is not allowed. The class time includes discussion. Asking a question is difficult for some people; being recorded increases the burden of asking. I expect the class participants, as graduate students, to be able to answer the questions and engage fully in classroom exercises. This means that there will be moments of disagreement, and even intellectual struggle or conflict. Experience indicates and research does not contradict the assertion that recording hinders discussion and the education that requires it. A violation of this class policy will be treated as a violation of academic integrity.

If you have a particular need to record, you may do so unobtrusively and under a confidentiality agreement that respects the expectations of other students. Please talk to me privately about this.

The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students. Thus, if the class wants to focus an additional day on a topic, other topics can be compressed. What is important is to meet the goals of the class.

Initial Course Readings

These readings and speakers will be updated on Canvas. This is a draft of the course, not a real-time guide. Download the readings at To repeat, as soon as you can access Canvas, it is your responsibility to track updates using Canvas resources. This is a collaboratively taught course, so this website is the overview and announcement.