INFORMATION PRIVACY AND CYBERSECURITY

Professor Kaminski
Final Exam - Spring 2023
Untimed

Honor Code Reminder: Under the Honor Code, the submission of any academic work constitutes a
representation on the student’s part that such work has been done and submission is being made in
compliance with all applicable provisions of the Code. You are responsible for knowing and complying
with the Honor Code, and with all exam instructions.

You are on your honor not to photograph, copy, screenshot, or otherwise save, reproduce or
recreate any portion of this exam or any of the questions on this exam. After the exam, you must
delete and/or dispose of the assessment questions. Failure to do so is a violation of the Honor Code.

By obtaining this assessment, by whatever means, you have agreed to be bound by the Honor Code.

EXAM INSTRUCTIONS
1. Format. This final exam will be in two parts: Multiple Choice (as a Quiz in Canvas) and
Essay (as an Assignment in Canvas). When the availability window opens, navigate to the
Quizzes section of Canvas and select “Final Exam Multiple Choice Questions” to complete
the Multiple Choice portion. Navigate to the Assignments area of Canvas and select “Final
Exam Essay Questions” to complete the Essay portion.

2. Time Limit, Availability Window, and Deadline. The window to take both parts of the exam
is anytime during the two-week exam period, with earliest access beginning on Monday, May
1 at 8:00 a.m. MT (Mountain Time), and latest upload of your Essay and Multiple Choice
submissions by Thursday, May 11, at 5:00 p.m. MT (Mountain Time). Other than availability
constraints, the exam will be untimed. Note that tech support is only available during regular
business hours, M-F from 8:00 a.m. – 5:00 p.m. MT (Mountain Time). Please take support
availability into consideration when choosing a time to take your assessment.

3. Anonymity. Do not put your name on or in your response to the Essay portion of the exam.
Instead, please insert your six-digit Exam ID into the header of your submission. Your Exam
ID can be found here: https://www.colorado.edu/law/examid. Prior to submission, be sure to
scrub your document of identifying information (see this link for how to remove metadata:
https://bit.ly/3uXWAAU).

4. Because this exam is Untimed, you may enter and exit both Essay and Multiple Choice portions
at will. If you exit the Multiple Choice portion prior to finishing and submitting it, or if you

Professor Kaminski—Info Privacy and Cybersecurity—Final Exam—Spring 2023 Page 1 of 4

 are otherwise disconnected, Canvas should save the answers to the questions you have already
addressed, and upon re-entry, you can resume the quiz where you left off. Once you have
answered a Multiple Choice question, you may go back and change the answer until you click
“submit.”

5. Work during the exam must be entirely your own. You may not collaborate with students or
others. You may not use Chat GPT or other AI systems to either answer questions or aid in
your answers.

6. Allowed Materials. This exam is open book except for the use of AI systems such as Chat
GPT or Bard. You may use any of the materials we used in this course, including your
casebook, notes, outline, and slides, and you may use the internet. However, this exam tests
only on the basis of material covered in this class. If you use materials outside of what we
covered in this class, you do so at your own risk.

7. Space Limitations and Word Count. The suggested overall time for taking this exam is
around three hours and fifteen minutes (3:15). The suggested maximum word count for the
Essay section is 2500 words (approximately 1800 words for Essay 1 and 700 words for Essay
2). This is a suggested maximum, not a requirement. Shorter answers may still receive full
credit, and longer answers will not be formally penalized. Word count can be checked within
Microsoft Word.

8. Instructions. This exam consists of two (2) sections: I. Multiple Choice; II. and Essays. The
suggested overall time for taking this exam is around three (3) hours. You may take longer or
shorter as you wish. Section I consists of fifteen (15) multiple choice questions. Please choose
the best answer between the four (4) presented answers, a-d inclusive. The suggested time for
this section is one hour and fifteen minutes (1:15), and it constitutes forty-five percent (45%)
of your overall exam grade. Section II consists of two short Essays. The suggested time is
approximately two hours. Section II constitutes fifty-five percent (55%) of your overall exam
grade. Essay 1 constitutes thirty-five percent (35%), Essay 2 constitutes twenty percent (20%)
of your overall exam grade. The suggested times are just suggestions; you may choose to spend
more or less time on any one section. Please write in full sentences, and be sure to show your
work, even when rejecting a particular line of reasoning, doctrine, or law.

9. After the exam, you must delete and/or dispose of the exam questions, and failure to do
so is a violation of the Honor Code.

10. If you have any technical questions regarding Canvas, please contact
lawfacassist@colorado.edu and NOT your professor. The Registrar’s Office is also available
for assistance at lawreg@colorado.edu. Please do not contact the Registrar or your professor
with any questions regarding exam content; instead, work any issues into your answers.

Professor Kaminski—Info Privacy and Cybersecurity—Final Exam—Spring 2023 Page 2 of 4

 II. ESSAY

This Section consists of two Essays. It constitutes fifty-five percent (55%) of your overall exam
grade. The suggested time is approximately two hours. Essay 1 constitutes thirty-five percent
(35%) and Essay 2 constitutes twenty percent (20%) of your overall exam grade.

The suggested maximum word count for this section is 2500 words (approximately 1800 words
for Essay 1 and 700 words for Essay 2). This is a suggested maximum, not a requirement. Shorter
answers may still receive full credit, and longer answers will not be formally penalized. Word
count can be checked within Microsoft Word.

The suggested times are just suggestions; you may choose to spend more or less time on any one
section. Please write in full sentences, and be sure to show your work, even when rejecting a
particular line of reasoning, doctrine, or law.

Essay 1 (35%):

A new startup called SmartShield makes home security systems. Like Ring doorbells, SmartShield
enables users to set up and record video footage right outside their front doors, using a doorbell
with an internet-enabled video camera and audio recorder. The SmartShield system comes with
three additional cameras that users are instructed to install in various spots on the exterior of their
home and garage so as to record as much of their front lawn and driveway as possible. These
cameras also record sound, and are able to capture amplified sound from the public sidewalk.

The SmartShield system includes a “smart lock” that can open with an iris scan, fingerprint, or by
voice command. SmartShield advertises this lock as being “Secure as Steel, Smart as AI.”
Additionally, the SmartShield system includes several thermal sensors built into the doorbell, lock,
and cameras that SmartShield claims can communicate with users in real time as to their house’s
energy use levels and can even be linked to a smart thermostat (sold separately) that will
automatically adjust the home temperature according to user settings.

SmartShield initially does extraordinarily well, with a high rate of user adoption. Then, however,
a host of things go wrong. First, a SmartShield user starts streaming the feed from his cameras
directly to a social media site, where he has a few thousand people in his social network. Several
of these people then copy and stream the feed to the public internet. This user catches an otherwise
private conversation between his neighbors on the sidewalk just in front of his front lawn, talking
about how they plan to take over the neighborhood HOA and sabotage another HOA board
member. He records a mailman yelling curses and kicking at his dog, on his front driveway. And
he records a number of schoolchildren walking by his house each day on their way to the
neighborhood school—which reveals the timing of the children’s walk and makes evident that
several of the children in the group, for whatever reasons, have been getting to school late on a
regular basis, or skipping out on school entirely.

Then SmartShield, or really one of SmartShield’s vendors, gets hacked. The vendor had been
responsible for storing user biometric data used to open the smart lock. However, it turns out the

Professor Kaminski—Info Privacy and Cybersecurity—Final Exam—Spring 2023 Page 3 of 4

vendor stored all the data in readable text (not encrypted). News of the hack—and of hackers’
abilities to now remotely access and open or close the smart locks—spreads widely.

Then a reporter runs an article about the close relationship SmartShield has had with local police.
The reporter claims that the police have an agreement with SmartShield whereby they have access
to a searchable database of user camera and audio feeds for all SmartShield users, which includes
both live access and stored recordings. They also have access to a live stream of sensor data from
the thermal sensors. According to the reporter, SmartShield has not required police to get a search
warrant or court order to access either of these databases. SmartShield’s Privacy Policy states the
following:

SmartShield does not disclose user information in response to government demands unless
we’re required to comply. SmartShield objects to legal requests it determines to be
overbroad or inappropriate. For example, SmartShield would object to a subpoena
requesting a list of all Ring device locations in a city.

SmartShield distinguishes between content and non-content information. We do not

produce content information in response to subpoenas. We may produce non-content and
content information in response to valid and binding search warrants.

“Non-content” means user information such as name, address, email address, billing
information, date of account creation, and certain purchase history information.

“Content” means the content of data files stored in a user’s account such as videos and
recordings of audio.

Please respond to the following questions:

Is the SmartShield user who is streaming video liable for any of the privacy torts? Are the police
violating any law or laws by accessing the video, audio, and sensor feeds (assume this is for
domestic law enforcement use only)? What federal law or laws is SmartShield likely violating?

Note that ECPA does not apply to video or camera surveillance without an audio component.

Essay 2 (20%):

If Congress finally passes an omnibus federal data privacy law, should it include a private right of
action? Why or why not? Please draw on support and examples from throughout our class. Be sure
to address counterarguments.

Professor Kaminski—Info Privacy and Cybersecurity—Final Exam—Spring 2023 Page 4 of 4