Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI

Usable Security and Privacy (Sommersemester 2023)

Dozent: Dr. Anne Kayem (Internet-Technologien und -Systeme)

Allgemeine Information

  • Semesterwochenstunden: 4
  • ECTS: 6
  • Benotet: Ja
  • Einschreibefrist: 01.04.2023 - 07.05.2023
  • Lehrform: Seminar
  • Belegungsart: Wahlpflichtmodul
  • Lehrsprache: Englisch

Studiengänge, Modulgruppen & Module

IT-Systems Engineering MA
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-T Techniken und Werkzeuge
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-K Konzepte und Methoden
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-S Spezialisierung
Cybersecurity MA
Digital Health MA
Data Engineering MA
Software Systems Engineering MA



In this seminar we will focus on the decision-making hurdles (challenges) that users face in making complex privacy and security decisions online (Web) with respect to sharing sensitive personal information. For instance, with the advent of GDPR legislation, web applications were required to integrate clear messages to obtain explicit user consent regarding the use of cookies (or other tracking tools), the types of information being collected, and planned usage objectives. However, while organisations like Statistica indicate that web application users are concerned about the disclosure of their sensitive personal data, studies also indicate that many users feel overwhelmed and that they really do not have a choice except to ”Accept” if they wish to use these web applications.

Our goal during this seminar will be to implement and experiment with some existing automated techniques to aid users in making more proactive and ”better” privacy and security choices. We will study these techniques from both the protective and adversarial perspective, in the sense that oftentimes tools that are designed to support ”better” privacy and/or security choices, can also be exploited to achieve the opposite effect. For instance, research shows that most users never change default settings on web applications. Automated privacy- friendly defaults can support users by providing some baseline privacy settings. However, several application providers also take advantage of this to encourage users to install unnecessary third party applications that disclose personal information for the application provider’s benefit.

What we will do:

In the first phase of the semester leading up to the mid-semester presentation, each team will select a protective privacy and/or security mechanism which they will implement. The goal is to proactively support users in making ”better” decisions to protect their personal information while using web applications. Following the mid-semester presentation, in the second phase of the semester leading up to the final presentation, each team will modify the approach they designed in the first phase in order to deliberately (adversarially) collect personal information from users. Each team will then test both the proactive and adversarial approaches with a group of 6 -10 users of your choice (this can also be participants in the seminar), to determine if the behaviours ”learnt” from the supportive mechanisms actually do provide longterm protective benefits.



  • Good programming skills 
  • A background in data collection and analysis (statistical analysis) would be helpful.


Relevant literature will be provided to you.

Lern- und Lehrformen

At the end of this seminar you should be able to do the following:

  • Design automated mechanisms to support users in making "better" privacy/security decisions on the web
  • Critically assess the potential for such mechanisms to be exploited adversarially
  • Critically assess whether or not automation is useful in overriding user decisions, and what the long term impact is
  • Learn about experimental designs for testing the effectiveness (and counter-effectiveness) of the mechanisms studied


Evaluations towards the final grade, will be based on presentations of results (mid-semester and final), as well as a technical (group) report of 12 - 15 pages (6000-7500 words) on the findings drawn from the project conducted during the seminar. Presentations will count for a combined total of 50% and the report for 50%. The grading rubric is summarised below:

Grading Rubric When? Grade
Mid-Semester Presentation (30 minutes) Tentative: 15. June 2023 25%
Final Presentation (30 minutes) Tentative: 24 July 2023 25%
Final Report (12 - 15 pages) 15.08.2023 50%


Course work will be organised on a project work basis. Participants can work in groups of 2-3 persons or individually (1 person) on a topic of their choice but centred on theme and goals of the seminar.

Lectures and project meetings will hold weekly, as follows in H.E. 51/52: 

  • Mondays, 09.15 - 10.45 (Lectures)
  • Thursdays, 13.30 - 15.00 (Project Work Discussions)

Lecture notes (slides) will be accessible on Moodle. 

To register and access materials for the seminar, please logon to the HPI moodle platform, navigate to Site Home --> Internet Technologies and Systems --> Summer Semester 2023 --> Usable Security and Privacy (USP2023)

You may enroll using: USP-2023