1. Students can describe the user’s personal role in protecting their own online privacy.
2. Students can explain the purpose of a privacy policy.
3. Students can describe some of the limitations of privacy policies.
4. Students can describe some limitations of the laws protecting privacy.
5. Students can explain why it is important to periodically check privacy settings.
6. Students can give examples of effective actions they can take towards improving online privacy protections in general, including actions that can affect business practices and government regulations.

Lesson elements in this module can be used to address the following computer-science curricular standards.

AP Computer Science Principles Curriculum Framework

Elements substantially address the following Essential Knowledge under Big Idea 7, Global Impact:

• 7.3.1G. Privacy and security concerns arise in the development and use of computational systems and artifacts.

The following Essential Knowledge is also touched on:

• Under Big Idea 6: The Internet: 6.3.1A.
• Under Big Idea 7: Global Impact: 7.3.1A, 7.3.1J, 7.3.1K, 7.3.1L, 7.3.1M.

CSTA K–12 Computer Science Standards (Level 3 — High School)

Elements substantially address the following learning objective under Level 3, Course 3A: Computer Science in the Modern World:

• CI.10. Describe security and privacy issues that relate to computer networks.

Elements substantially address the following learning objective under Level 3, Course 3B: Computer Science Concepts and Practices:

• CI.6. Analyze the impact of government regulation on privacy and security.

The following learning objectives are also touched on:

• Under Level 3, Course 3B: Computer Science Concepts and Practices: CI.5.

ACM Computer Science Curricula 2013 (CS2013) Guidelines (Undergraduate)

The following Learning Outcomes are touched on:

• Under Networking and Communication: Social Networking 2.
• Under Social Issues and Professional Practice: Analytical Tools 5; Professional Ethics 5; Privacy and Civil Liberties 3, 5, 6; Security Policies, Laws and Computer Crimes 6.

Estimated Time: 3-5 minutes for each question or follow-up prompt.
What You’ll Need: Blackboard/whiteboard (optional).

Ignite Question

Do you trust the websites you use? Why or why not?

Fanning the Fires:

• What does it mean to trust a website?
• If they have a privacy policy, does that mean they’re more trustworthy?
• If they have privacy settings, does that mean they’re more trustworthy?
• If their settings changed, would you still trust the website?

Quick Knowledge Check

Who’s responsible for protecting your online privacy?

Follow-Up Questions:

• Is there anyone else who has as much interest as you do in protecting your privacy?
• What other interests do companies have that might be more important, to them, than maintaining your privacy?
• Would the creation of new privacy laws affect your level of responsibility for protecting your online privacy? Why or why not?

High-Level Answer: You will always be the primary person responsible for your own online privacy, because no one else has as much of a stake in it as you do.

Details/Background for Teachers: Currently there are no comprehensive, national-level laws that protect the consumer’s online privacy — and even if there were, it would still be necessary to pay attention in case they changed, or in case they weren’t enforced. Many companies have Terms of Service and privacy clauses that are made specifically to protect the company itself, not you. Like it or not, the consumer has the most responsibility for their own privacy, because the consumer has the most interest in it.

The Quick Hook

Estimated Time: 3-5 minutes per story.
What You’ll Need: Computer and projector (optional).

These news items can be used to illustrate the real-life consequences of privacy breaches. If you have a computer and projector, you can show the stories on a screen as you talk about them. If not, you can simply summarize them verbally.

You Can’t Sue Family Over Unwanted Facebook Photos, Says Judge

• Summary: Aaron Olson tries to sue his uncle for posting an embarrassing childhood photo, but the suit is unsuccessful; the uncle eventually removes the tag, but the photo is still on Facebook.
• Content Advisory: The video version of the story ends with an unrelated very short clip of someone shooting a laptop with a gun.

Why I Deleted Foursquare, and Why You Should, Too!

• Summary: Blogger decides to delete her FourSquare account after it changes its privacy policy to remove the “private check-in” option for some app versions; decides to experiment first with what else she can find out about people using their FourSquare profile information.

Families Struggle to Delete Loved Ones’ Online Presence After Death

• Summary: A dead woman’s email account is hacked and the hacker starts sending spam to her family; it takes two months to get through the post-death account-closing process.
• Content Advisory: Contains a reference to spam ads for “male enhancement products”.

Optional Extension

Estimated Additional Time: 6-8 minutes per story.

For each news item, ask the students:

• What happened in this story that caused the user to feel their privacy had been violated?
• How could the situation have been avoided?
• What (if anything) did the company that provides the website/app do to protect the user’s privacy?
  • Do you think it was the right response?
• What (if anything) did the government do to protect the user’s privacy?
  • Do you think it was the right response?
• Who was most concerned about protecting the user’s privacy?
• Do you think something like this could happen again?

Estimated Time: 10-15 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ask students to list some issues that people are concerned about related to their privacy online. Issues can be written on the board.

Pick a few interesting issues of concern and ask:

• Who do you think should be responsible for doing something about this issue?
• Do you think there should be laws related to this issue?
  • If Yes: What laws do you think there should be?
• Do you think companies/providers should change their policies or practices on this issue?
  • If Yes: How?
• What responsibility do you (the user) have for protecting yourself with respect to this issue?

Some Examples You Can Start Them Off With:

• Websites and apps tracking their activities
• Recording and sharing of information without consent
• Duplication and re-sharing of information online
• Inability to delete copies of information (from the source, from backups, from search-engine indexes)
• Hackers eavesdropping on insecure connections

Note: This activity can be a lead-in to the “Write to Policymakers” Elaborate activity.

Optional Extension — College-Level

Estimated Additional Time: 15-20 minutes.

Additional questions to ask about each of the targeted issues:

• Do you know of any laws related to this issue?
• What are they?
• How do those laws (try to) balance the interests of everyone who is affected by them?
• Do you think there should be more laws related to this issue? Less? About right?
• Under the existing laws, what responsibility do you have for protecting your own online privacy?

Estimated Time: 10-15 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ask students to name some actions they can take to better protect their privacy online. Actions can be written on the board.

Pick a few interesting proposed actions and ask:

• How does this action help protect your privacy?
• Are there any other benefits to you?
• Are there any risks, costs, or negative consequences for you? What are they?
• If you take this action, does it impact anyone else? How?
• Based on this cost/benefit analysis, is it worth it to use this method to better protect your privacy?

Some Examples You Can Start Them Off With:

• Read or check up on privacy policies for apps and services you use.
• Only give minimal personal information to apps or services when creating a profile.
• Set your web browser to clear all cookies at the end of every session.

Estimated Time: 5-10 minutes.
What You’ll Need: Computer and projector.

These slides can be used for an overview lecture on the basic concepts underlying the principle “Only you have an interest in maintaining your privacy”. The slides are accompanied by Notes with details and examples to guide your lecture.

Access Slide Deck: “Privacy Requires Work”

Coming soon! We will be adding a graphic organizer to guide students’ notetaking.

The Blown to Bits textbook covers a wide spectrum of ideas related to Internet privacy, with a particular focus on the new, unique, ever-changing nature of the Internet.

Online Version: Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion, by Hal Abelson, Ken Ledeen, and Harry Lewis

You can assign students all or parts of the following chapters for an in-depth but engaging exploration of the ideas covered in Module 5.

• Chapter 3: Ghosts in the Machine: Secrets and Surprises of Electronic Documents — Excerpt
• Chapter 5: Secret Bits: How Codes Became Unbreakable — Excerpt

• Content Advisory: Blown to Bits refers to STI outbreaks and discusses the dangers of sending sexually explicit content online.

Estimated Time: 20 minutes or more.
What You’ll Need: Computers or mobile devices.

Have the students break up into groups of three or four. Each group should pick a social-media website or app, or another popular service. Next, have the students look up the privacy policy for that site, app, or service, and discuss the following questions:

What does the privacy policy for the app/site/service you chose say about…

• What data is collected by the company?

Examples From Privacy Policies for Popular Services: Device information, activity logs, location information… Via local storage on your devices: cookies and anonymous identifiers, information from third parties/affiliate services…

• What your data can be used for?

Examples From Privacy Policies for Popular Services: Data collected about usage can be used to provide, maintain, protect, and improve any of the services within the app/site. Survey/research data can be used to test features in development, to evaluate and improve products/services, and to develop new features or products.

• Who they share your data with?

Examples from Privacy Policies for Popular Services: Your data can be shared with related businesses, with companies that serve ads on the site you’re visiting, with unrelated “affiliates” (i.e., any other company)…

• What those third parties can use your data for?

Examples From Privacy Policies for Popular Services: Resell your data, use your data to target ads specific to you, learn about the market and target audience for their products…

Follow-Up Question for Large-Group Discussion: Do you have to explicitly say you agree to a company’s privacy policy before they can share your information?

Target Answer: Not necessarily. In many cases, companies include a notice (somewhere, not necessarily prominent) that state that the use of the site or service is considered to constitute acceptance of the company’s terms of service, including the privacy policy. (This is legally debatable, but it’s common practice.)

You can point out to students that they are now among the select few who have actually read and evaluated a privacy policy!

Estimated Time: 25-30 minutes.
What You’ll Need: Computers or mobile devices; paper and pens or pencils (optional).

In this activity students create their own imaginary privacy policy for a social-media site (preferably one that they haven’t reviewed in a previous activity).

Suggested group size: About four students per group.

1. (2-3 minutes) Have the class pick a social-media site.
2. (5-7 minutes) Next, split into groups and have each group choose one of the following topics found in a typical privacy policy:
   • The site’s collection and use of personal information.
   • The site’s disclosure of personal information to third parties, and responsibility for informing users about that disclosure.
   • Users’ ability to change the settings and preferences on their accounts with respect to use and sharing of personal information.
   • Users’ ability to close/delete their accounts.
   • The site or company’s liability for security breaches and responsibility for notifying users about them
   • The site’s notification of users if and when it changes its privacy policy.
   • ** Any other important aspect the teacher wishes to include. **
3. (9-12 minutes) Have the students write a draft section for their own privacy policy, with each group covering its chosen topic. Their wording should be original (not just a copy of the site’s version) and easy to read. As the students write their draft, they should consider the following questions:
   • What points should be included?
   • What kind of data is handled by the site?
   • What services is the site providing?
   • How does the site support itself financially?
   • Does the user get choices? If so, how many?
   • Will the choices be opt-in (something only happens if you say it should) or opt-out (something happens unless you say it shouldn’t)?
   • Is there anything, that students know of, that legally must be included?
4. (9-12 minutes) Have the students compare their section of their imaginary privacy policy with the respective section of the site’s real policy, and consider the following questions:
   • How does your policy compare to the real one? Are there any significant differences?
   • Why do you think the company has a different policy?
   • What surprises you about the company’s privacy policy?
   • Is there anything important that you now think should be added either to your imaginary policy or to the real one?
   • Is there anyone in the group who disagrees with something about the imaginary policy your group made? If so, why?

Optional Pre-Activity Backgrounder:

Introduce students to guidelines for fair information practices. Such guidelines are commonly accepted as outlining what good privacy policies should include (though it doesn’t always happen in practice). There are several versions you might choose to use:

• Full guidelines from the Federal Trade Commission: Fair Information Practice Principles (link is to the Internet Archive version; the FTC no longer posts the document, but it is still widely cited as an authoritative formulation)
• Quick summary of the FTC version, from Cornell’s IT Policy office: Fair Information Principles (top half of page)
• Guidelines from the National Institute of Standards and Technology: The Fair Information Practice Principles (most relevant to identity and online transactions, but broadly applicable)

Additional Alternatives:

• Instead of comparing their own privacy-policy section with the original site’s, the students can compare another group’s section with the respective real one.
• For a quicker task, each group can outline the main points that should appear in their section, rather than writing it out in complete sentences.
• Rather than separating into groups, the entire class can create a list of the main points of the imaginary policy, while the teacher lists them on the board. Then they can all compare and analyze the policy on the board.

Estimated Time: 15 minutes or more.
What You’ll Need: Computers or paper and pens or pencils.

In this activity, students each write a letter to a policymaker expressing their views on online privacy.

In their letters, students should express their views on current regulations. In particular, they should discuss whether they think there should be more or less regulation regarding a specific issue (or whether they think the status quo is appropriate), and why. Students should expect their letters to be truly sent, and therefore, they should attempt to use appropriate written English (grammar, punctuation, etc.).

Some specific regulatory issues might include:

• How user data can be used outside of what is necessary to provide the service (i.e., repurposing of user data).
• When users can require companies to delete data about them, and how thorough it must be.
• What kinds of data can be shared with third parties, under what circumstances.
• Users’ control over providers’ sharing of their data with third parties, including other companies or government agencies.
• What companies are required to tell users about how they are using and sharing the users’ data.
• Companies’ and organizations’ responsibility for maintaining the security of user data.
• What companies can do with data made public by another party (e.g., the “right to be forgotten”).
• ** Anything else privacy-related that students feel strongly about! **

Relevant policymakers in the U.S. could include:

• U.S. Congress
• The White House
• Federal Trade Commission (FTC)
• Federal Communications Commission (FCC)

Options and Suggestions:

• Letters can be typed or hand-written. Typed letters can be printed and mailed, or students can submit them via email or via contact forms on the policymakers’ websites (linked above).
• Students can use ideas from the “There Oughta Be a Law!!!” Brainstorming Discussion about what laws/protections they would like to have.
• Students can support, oppose, or critique legislation or policy frameworks currently under consideration in the U.S., or frameworks currently in force elsewhere that could be used as models. For example, as of July 2015, this might include the Consumer Privacy Bill of Rights (legislation currently being drafted in the U.S.) or the General Data Protection Regulation (currently under consideration in Europe).
• For an in-class activity, you may wish to set a maximum of one page.

Estimated Time: 10-15 minutes.
What You’ll Need: Copies of review sheet.

This learning assessment can be used as an in-class quiz or as homework.

Download Assessment: “Privacy Requires Work: Review Questions”

Teachers: Find out how to access the answer key for the Module 10 review questions.

Lesson Plan: Who Knows? Your Privacy in the Information Age

• Target grades: 8–10
• Summary: A series of consumer-privacy activities in which students think about what information businesses and agencies have about them and explore potential consequences. Note: These lesson materials are Canadian and reference Canadian statistics and regulations.
• Produced by: MediaSmarts
• Link: http://mediasmarts.ca/lessonplan/who-knows-your-privacy-information-age-lesson

Lesson Plans and Readings: Your Privacy Online

• Target grades: College undergraduate
• Summary: Lesson materials on multiple topics, including ethical and legal ramifications of online data-sharing and data-brokering and discussion of popular attitudes, along with some how-to’s for protecting privacy.
• Produced by: Markkula Center for Applied Ethics, Santa Clara University
• Link: https://www.scu.edu/ethics/privacy/