Privacy Policy

We are committed to protecting your data. ETH Zurich considers the protection of not only your personal data, but all data, to be of the utmost importance. As part of the measures taken in this respect, we process personal data in accordance with Swiss data protection legislation and, where applicable, in accordance with the EU General Data Protection Regulation (GDPR).

In the following, we will inform you of which data pertaining to visitors and users of the Applied Crypto Labs platform is collected, processed and disclosed by ETH Zurich as well as of the measures taken to ensure the security of this data.

1. Purpose of Data Collection

The Applied Crypto Labs platform hosted at aclabs.ethz.ch and graded.aclabs.ethz.ch ("the platform") is an instance of the CTFd framework. The purpose of this platform is to deliver lab exercises to the students, and to record their performance in graded and non-graded assessments.

2. Use of data

This Privacy Policy only applies to the platform. ETH Zurich only collects personal data that is required in order to achieve the aforementioned objectives. ETH Zurich only stores your personal data for as long as is required for the purposes described in section 1. Stored data is managed with care and protected against misuse. ETH Zurich complies with the relevant data protection principles. Personal data may be disclosed to authorities if required by mandatory legal provisions or official orders.

2.1. Data disclosure to third parties

ETH Zurich may instruct service providers to process the data collected via the Applied Crypto Labs platform for the purposes described in section 1. ETH Zurich and the instructed third-party service providers shall ensure the protection of your data through the use of legal, technical and organisational measures.

2.2. Server log files

The following information is stored in log files when you access the Applied Crypto Labs platform:

This data is used to detect cheating over the course of graded labs.

2.3. User profile

Each student is assigned a pseudonymous random user. Students can submit "flags" in order to solve "challenges" and gain "points".

The following information is stored for each attempted submission:

2.3.1. Non-graded assessments

For non-graded assessments, the cumulative score of each user is visible to all registered students. Students may choose not to submit flags.

All other data is only visible to Teaching Assistants. This data is used to track attendance and to improve upon the labs.

2.3.2. Graded assessments

For graded assessments, the cumulative score of each user is only visible to Teaching Assistants. Students are required to submit flags and writeups.

All other data is only visible to Teaching Assistants. This data is used to record the student performance and detect cheating.

2.4. Cookies

The web front-end of the platform uses cookies. Cookies are small text files that are permanently or temporarily stored on your computer when you visit the web front-end of the platform. The only purpose of cookies is to authenticate user sessions.

3. Security

For reasons of security and in order to protect the transmission of confidential content, such as data pertinent to performance records, the platform uses TLS encryption.

Additionally, ETH Zurich implements technical and organisational measures to ensure that the data which is collected and processed via the platform remains confidential and protected against accidental or unlawful access, alteration or disclosure, and loss or destruction.

Access to data is only granted to those who require access to the personal data on account of their function and role, on a need-to-know basis.

The measures to be taken are determined by the type of information, the nature and purpose of its use, and the state of the art.

4. Validity

Should such be made necessary by the implementation of new technologies or legislation, ETH Zurich reserves the right to amend the Privacy Policy at any time with effect for the future. We therefore recommend that you regularly review the Privacy Policy.

5. Right to information

Should you wish to obtain information regarding the personal data concerning you that is collected and processed, request the correction, erasure or blocking of this data, or have further questions regarding its use, please contact the Applied Cryptography Group:

Applied Cryptography Group

Universitaetstrasse 6

CNB building, E floor

8092 Zurich

Switzerland

+41 44 632 72 80