UNIVERSITY OF TORONTO

FACULTY OF INFORMATION STUDIES

FACULTY OF APPLIED SCIENCES AND ENGINEERING

ECE1508H – Special Topics in Communications

FIS2198H – Special Topics in Information Studies

Seminar in Security Technology and Policy

Course Outline - Fall 2007

Mondays: Public lecture: 12-1 PM Galbraith 120 (35 St George)

Seminar: 1-3PM Bahen 7256 (40 St George)

Instructors: Andrew Clement (FIS) 416-978-3111

Scott Graham (MCS, UTM) 905-828-5341

Dimitris Hatzinakos (ECE) 416-978-1613

Kostas Plataniotis (ECE) 416-946-5605

We have recently witnessed the rapid growth of Internet and information technologies into many aspects of everyday life. At the same time there has been a growing preoccupation with ‘security’ post-9/11. These developments raise a host of complex social, technical, scientific, legal and ethical issues. What are the threats to personal safety, national security, vital infrastructures, civil liberties, democratic processes? What protections are appropriate? What values and techniques should guide our efforts to promote identity integrity, privacy and security?

One key question, therefore, is how do we secure the networked infrastructures on which personal and national economy, safety and security and other critical operations depend? This need has spurred an unprecedented interest and activity in safety and security technologies over the last few years. Secure electronic transactions, biometric passports, smart access cards, and electronic surveillance are some examples of growing security trends. Simultaneously, linked to this movement, the societal implications of security technologies on ethics and human rights have radically expanded.

The successful development of meaningful and viable security technologies touches upon a number of diverse disciplines ranging from Communications and Computer Networks to Law and Information Policies. Also, the widespread implementation of security technologies and systems will depend upon a new breed of professionals who are able to design, develop and implement effective but also fair and transparent security products and services. This course aims to provide an interdisciplinary foundation for the education of such security professionals.

This course is the single common required course in the MISt Concentration in Security Policy, and the MEng Concentration in Security Technology, as part of the Identity, Privacy and Security initiative, jointly offered by the Faculty of Information Studies and the Faculty of Applied Sciences and Engineering (ECE, MEng program). See:

Calendar Description:

This is an interdisciplinary course based on a series of seminars addressing the problems of identity, privacy and information security. It consists of topics in three areas: A) Security Technologies, B) Security Policies, and C) Security Sciences. It is a required course for graduate students taking the MISt with concentration in Integrated Security Technologies and Policies, jointly offered by the Faculty of Applied Science and Engineering and the Faculty of Information Studies. Seminars open to general attendance will be scheduled regularly during the first part of each lecture. The second part of the lecture will be restricted to students enrolled in the course. Enrolled students will be required to participate actively in each seminar, read and discuss assigned material, and work on a term project assignment.

Prerequisites:

Students should come with a basic appreciation for the recurring technical, scientific or policy issues in the security field. While students should already have some basic background in one of these areas, it is not expected that they will come with substantial knowledge in them, only the interest to learn. Because this course is jointly offered by Electrical and Computer Engineering (ECE), the Faculty of Information Studies (FIS) and the Department of Mathematical and Computational Sciences at UTM, students should expect to be exposed to technical, policy and mathematical approaches to security topics they will not immediately be familiar with. However, given the deliberate interdisciplinarity of the course, presentations and materials will be tailored to suit a broad range of backgrounds. If you have concerns about whether you have the necessary preparation for the course, contact an instructor as soon as possible to discuss this.

Teaching approach:

The course will be conducted as a combination of public lectures made by guest speakers, followed by seminar discussions among registered students, the guest speaker and instructors – with student review and commentary on the lectures, assigned readings and recent media news reports. There will be a strong emphasis on exploring security issues from a variety of perspectives with others who have varied disciplinary backgrounds. Active participation in these discussions, based on prior reading and/or experience is expected. Bring marked-up hard copies of required readings to each class, and be prepared to discuss them. Students will also be expected to participate in an on-line discussion forum reflecting on the readings and class discussions.

On-line Facilities:

The course will make use of the Sakai learning management system for announcements, sharing documents, posting assignments, ... Students need to register themselves via and then complete a personal profile, the template for which can be found in the Resources/ Student profiles folder. We will also be making use of Bibwiki, an experimental, but already (fairly) robust, prototype collaborative bibliographic service currently being developed by Sunir Shah and a KMDI project team.

Required Readings:

Required readings identified below and assigned during the course, as well as supplemental readings, will be available through the on-line course repository, in Resources/Readings.

Evaluation:

Grades will be assigned individually (I) and collectively within project groups (G) for the following assignments:

Literature reviews (contributed to course bibliography, Bibwiki) 15% (I)

Oral presentation of required reading 10% (I)

Group project

  • Personal profiles 0% (I)
  • Initial group memo 10% (G)
  • Backgrounder article (one per project member) 15% (I)
  • Integrative summary (interim report) 10% (G)
  • Project presentation 15% (G)
  • Final project report 10% (G)

Class participation (in-class and electronically) 15% (I)

See the Assignment Details section below for further explanation.

PhD students registered in the course will also be expected to write a short supplementary research-oriented paper as negotiated with the instructor. 10% (I)

Teaching Assistant:

Joseph Ferenbok, PhD candidate, (to be confirmed)

Schedule:

Week: Topics + Required Readings + Guests + Due dates

1. Sept 17 Introduction to Privacy and Security

Course welcome, overview, self-introductions, logistics

Guest: Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario

“Privacy by Design ‘Building it in’ A crucial Design Principle”

*** Note special time and place ***

(2:00 - 3:00 p.m., George Ignatieff Theatre, Trinity College, 15 Devonshire Place)

2. Sept 24 Course Overview

Introductions by the co-instructors to the core course topics of security, technology, policy and sciences, and their inter-relations

Course expectations

Read: Butler, D (2007), Big bio is watching you: The biometric state may be closer than we thought. Montreal Gazette, June 17.

+ TBD

Due: Personal profiles

3. Oct 1 Security Technology - I

Biometric encryption

Read: Cavoukian, A & Stoianov, A (2007, March) Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy. IPC-Ontario

Guest: Alex Stoianov, Biometric Scientist

Due: Oral presentation schedule finalized

Initial project memo

Oct 8 Thanksgiving – No class

4. Oct 15 Security Technology - II

Biometric-based assistance for situational awareness and risk management support

Read: TBD

Guest: Prof Svetlana Yanushkevich, Dept of Electrical and Computer Engineering, Univ of Calgary

Due: TBD

5. Oct 22 Security Technology - III

Read: TBD

Guest: Prof Kostas Plataniotis, Dept of Electrical and Computer Engineering, UofT

Due: TBD

6. Oct 29 Security Policy – I - Security and privacy in (governmental) organizations:

Privacy, Security and Customer Service

Read: TBD

Guest: Peter Hope-Tindall, Privacy Lead, ServiceOntario

Due: TBD

7. Nov 5 Security Policy – II Biometrics, security and national ID schemes

Policymaking and New Security Technologies: Roles, Responsibilities, Influences and Outcomes

Read: TBD

Guest: Dean Barry, Senior Policy Advisor, International Affairs Directorate, Public Safety Canada

Due: TBD

8. Nov 12 Security Policy – III – Security Theatre

Security Theatre, No-Fly lists and Identity Integrity

Read: TBD

Guest: Prof Andrew Clement, Faculty of Information Studies, UofT

Due: TBD

9. Nov 19 Security Sciences - I

Cryptography

Read: TBD

Guest: Prof Kumar Murty, Dept of Mathematical and Computational Sciences, UTM

Due: TBD

10. Nov 26 Security Sciences - II

Identity and Computer Crime

Read: TBD

Guest: Robert Beggs, CISSP, CISA, President, Digital Defence

Due: TBD

11. Dec 3 Security Sciences - III

Read: TBD

Guest: TBD

Due: TBD

12. Dec 10 Class project presentations - I

13. Dec 17 Class project presentations – II

Course Wrap-up

Dec 21 All term work due (Confirm this)

Reading list:

TO COME

In the meantime, a few items for background:

Some notable experts with useful websites:

Bruce Schneier

His Cryptogram newsletter:

Roger Clarke

Ross Anderson

Peter Neumann

Jean Camp

Books:

Bruce Schneier (2003) Beyond Fear: Thinking Sensibly about Security in an Uncertain World, Copernicus Books.

Maureen Webb (2007) Illusions of Security: Global Surveillance and Democracy in the Post-9/11 World, City Lights.

Some resources on Biometrics and Information Security:

Someresources on Biometrics and Information Security:

Biometrics Consortium: Publications Page -

European Biometric Forum -

Face Recognition Web Page:

U.S. of America - DoD Biometrics Task Force - Online Tutorial

Yahoo Biometrics Discussion Group:

NSTC Biometrics Glossary (in PDF format).

(Under the button "additional Resources" you will find a number of reports including testimony to the US Senate. Sorry most of the resources are from the States).

US Government Accounting Office GAO-04-467 report: "Information Security: Technologies to Secure Federal Systems"

It is a review of available technologies and their evaluation for non-experts.

Canada, House of Commons. (October, 2003) A National Identity Card for Canada? (Interim) Report of the Standing Committee on Citizenship and Immigration.

Instructors' publications relevant to the course:

Boa, Clement, Davies & Hosein (2007) CAN ID? Visions for Canada’s Identity Policy: Understanding Identity Policy and Policy Alternatives. Draft report to the Office of the Privacy Commissioner, available at: (PDF, 2.8MB)

Clement, Guerra, Johnson & Stalder (2002) NATIONAL IDENTIFICATION SCHEMES (NIDS): A Remedy Against Terrorist Attack? Proceedings of the Sixth Conference on Human Choice and Computers HCC6, IFIP World Computer Congress, Kluwer, Dordrecht, Netherlands (2002) (K. Brunnstein & J. Berleur, editors).

Assignment details:

Literature reviews 15% (I) Due week 6

The purpose of this assignment is to familiarize yourself and classmates with the relevant security literature, in particular the key concepts as they will be useful in this course. There are two forms of literature review to be submitted. Both pieces of writing should be posted to the course Bibwiki site:

1. Review of an article (300-500 words)

Choose an article that is relevant to your course project that does not already have a Bibwiki entry on it and write a short summary, highlighting what for you are the most interesting or problematic aspects. Create a new Bibwiki entry (Add citation) providing the full correct citation (with URL if available) and then enter the description. Provide several relevant keywords, including where possible some already listed on the site. Identify yourself as the contributor in the signature area, including a brief self-description for your own entry.

2. Key concept explication (300-500 words)

Choose a key concept from the security technologies, policy or sciences literature that is helpful in understanding the article chosen in 1) above but does not already have a description. Write a short explanation of the key concept in terms that would be useful for your classmates, making reference to its relevance to the first article chosen. Include [[Links]] to at least two references that you drew upon in developing these explanations. Again, identify yourself as the contributor in the signature area.

No two members of the same project team can review the same article nor summarize the same concept, so you should consult with group members early to avoid this duplication. Note however, that it is to your advantage to choose articles and concepts that will be useful later in the group project work.

Where you reference a previously described citation or keyword, you should make sure that the entry is accurate and edit it if necessary. ‘Signing’ the edit will make your contribution visible in the Recent Changes and History.

Following the return of the marked assignment, please update your entries taking account of any recommended revisions. Your entries should remain on the Bibwiki until the end of the term. After that you may remove them before the site becomes public in January 2008, but we hope you will let them remain as contributions to this growing intellectual resource that will benefit successive students in this course as well as those interested in these topics more generally.

Oral review of a required reading 10% (I or G)

Over the duration of the course, each student will individually or in a small group review one of the required readings to the class. This will involve delivering a pithy summary and critique (10 mins max) and launching the discussion by posing a couple of thought-provoking questions to the guest speaker or to the class. The reading presented orally can be the same as the one reviewed in the first assignment above. The schedule for oral presentations will be established in week 3.

Group project 60%

The purpose of the group project is to investigate in depth one particular security application area, highlighting the technology, policy and scientific aspects. (Needs elaboration)

Project teams will normally consist of 2–4 members, though smaller or larger teams will be considered if the circumstances warrant. Preferably students should come from different backgrounds as the project will need to address issues from across the technological/scientific/policy spectrum.

The project work has been divided into several distinct components to facilitate orderly investigation and feedback throughout. Most of these components will be prepared by the group collectively and graded as such (G), while the Backgrounder essay will be graded individually (I).

  1. Personal profiles 0% (I) Due week 2

The first step in forming teams is to let others in the class know of your interests in particular security technologies and issues, as well as factors that would affect your participation in group work (skills and schedules). Please complete the personal profile form found in the course web repository, and post it in the Personal profiles folder for other class members to view. This should be done before the second class. Hand in a printed copy in class.

  2. Initial memo 10% (G) Due week 3

Once a mutually willing and compatible project group has formed, prepare a short memo to me that includes the following:

  • Names of the group members
  • Initial group coordinator (responsible for convening project meetings and following up on schedules) and secretary (responsible for maintaining the shared records of the group, e.g. meeting minutes, resources, task assignments) Note: these roles can rotate over the course of the project
  • Focal security application area to be analyzed
  • Primary issues to be explored – these issues should include both policy and technical/scientific ones
  • Preferred project presentation date (one of Dec 10 or 17)

This memo should be posted to the course repository before the third class and a printed copy handed in at the beginning of class.

  3. Backgrounder article (one per project member) 15% (I) Due week 9

Each member of the project group will write their own short essay about a particular aspect of the focal security application area. This essay can focus on a specific technology, policy or scientific issue. The group should carefully position these essays to cover the main dimensions of the focal security application area, while avoiding significant duplication of topic or treatment between them. Length: 10 pages maximum, citations additional. Create your own project folder in the main course Projects folder and post these summaries there.

  4. Integrative summary and interim report 10% (G) Due week 9

Drawing from and explicitly linking these various individual essays, the group will collectively write an integrative summary. This should highlight the main points of each essay, within a framework that shows the connections between them as part of a coherent account of the focal security application area. 10 pages maximum, citations additional. Post to your projects folder. The summary and individual essays should be handed in bound together with the individually authored backgrounders as separate appendices.

The usual academic writing conventions apply to these backgrounders and integrative summaries. They will be marked and returned at least one week before the group’s scheduled project presentation in the final weeks of the course.

  5. Project presentation 15% (G) Due week 12 or 13

The final two weeks of the course are devoted to project presentations. Each group will present an overview of their project work, the main issues they examined and their key findings. Part of the presentation can be oriented to showing off and inviting constructive commentary on

The format of the presentation and time allotted to each group will depend on the number of members and the total class size. With a modest class size, each team will present in turn, with time allotted to discussion. For a larger class, posters will be prepared and presented in a whole class session devoted to this.

  6. Final Report 10% (G) Due before the University shuts for Christmas

A revised and updated version of the interim report, taking account of the comments made on the interim report and the discussion around the project presentation.

General Course Policies

Cite it Right! No Plagiarism

Each student in this course is expected to abide by the U of T Code of Behaviour on Academic Matters. Any work submitted by a student in this course for academic credit must be the student’s own work and must have been written for this course specifically. There are rules and techniques to signal when you, as a writer, are relying on other people’s work and ideas (citation, quotation, etc). Plagiarism is the failure to mark sufficiently – for whatever reason – somebody else’s work in your own writing. It constitutes a serious violation of academic conduct. Please make yourselves familiar with this important issue. This means you are responsible for doing your own intellectual work, carefully citing all sources, and NOT buying, borrowing, or stealing material from others. Failure to do so can result in an “F” for the term, or worse. When in doubt about citation practices, ask. A very good way to avoid this problem, and learn good citation practices, is to take the Cite It Right workshop offered by the FIS Inforum.