Patron Privacy
in a Library 2.0 World:
Investigating Our Options
Stephanie Hess
Binghamton University
NYLA 2014 Annual Conference
See: www.baynote.com/2013/01/convenience-of-online-shopping-trumps-consumer-concern-about-data-privacy/
Where you at?
Library 2.0
E-Reader Data Security Issues
See: http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/#.VFp3IPldU1J
Current Awareness
Events: Data Privacy Day
Events: Choose Privacy Week
Means of Protecting Patron Privacy
Adequacy & Compliance Audits
Creating a Privacy Policy
www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/Developing-or-Revising-a-Library-Privacy-Policy
Policy Benchmarks
Boston Public Library
• www.bpl.prg/general/policies/privacy.htm
San Francisco Public Library
• http://sfpl.org/index.php?pg=2000001301
Cornell University Library
• www.library.cornell.edu/privacy
University of Wisconsin
• www.uwm.edu/libraries/about/privacy.cfm
Library of Congress
• www.loc.gov/homepage/legal.html
Negotiating with 3rd Parties
ALA’s Office for Information Technology Policy
– Ebook Business Models Scorecard for Public Libraries
• www.districtdispatch.org/wp-content/uploads/2013/01/Ebook_Scorecard.pdf
ALA’s Intellectual Freedom Office
• www.ala.org/offices/oif/ifissues/issuesrelatedlinks/privacyresources
• www.ala.org/offices/oif/iftoolkitsprivacy/libraryprivacy
NYLA Intellectual Freedom Manual
– http://www.nyla.org/images/nyla/IF-Manual/2013-09-IF-Manual.pdf
** Always be sure to check your state’s laws! **
New Jersey Statutes
Section 18A:73-43.1. "Library," "library record" defined.
For the purposes of this act:
a. "Library" means a library maintained by any State or local governmental agency, school,
college, or industrial, commercial or other special group, association or agency, whether
public or private.
b. "Library record" means any document or record, however maintained, the primary
purpose of which is to provide for control of the circulation or other public use of library
materials.
Section 18A:73-43.2. Confidentiality; exceptions.
Library records which contain the names or other personally identifying details regarding
the users of libraries are confidential and shall not be disclosed except in the following
circumstances:
a. The records are necessary for the proper operation of the library;
b. Disclosure is requested by the user; or
c. Disclosure is required pursuant to a subpena issued by a court or court order.
L. 1985, c. 172, s. 1-2, eff. May 31, 1985.
Advocacy Resources: Federal
Advocacy Resources: State
Disrupting Data Flow &
Forensic Analysis
Defensive Technologies
• Anonymous Search Engines and E-mail providers
– ixQuick, HushMail
• Encryption software
– AppRiver, Eraser, TrueCrypt, etc.
• Metadata removal tools and scrubbers
– ExifTool, iScrub, etc.
• Platform for Privacy Preferences (P3P)
– Protocol enables websites to express their privacy practices in a standard format that is computer readable; policies are automatically retrieved and ranked, then posted on websites as privacy meters
– http://www.w3.org/P3P/
Act locally…
Think nationally…
Think globally…
Completing the Privacy Puzzle
Questions? Comments?
Stephanie Hess
Electronic Resources Librarian
shess@binghamton.edu

NYLA 2014 - Patron Privacy Presentation 20141106

Editor's Notes

  1. Description: Privacy is a difficult concept to define and even more difficult to justify given the rapidly evolving community standards of cyberspace. Contrary to the mores embraced by the American Library Association (ALA) and guaranteed in the U.S. Constitution, we willingly trade information about ourselves in exchange for the conveniences afforded by cloud computing, e-commerce, instant communication, and social media networking. This session is an outgrowth of last year’s flash talk on librarians’ perspectives regarding patron privacy and Library 2.0 which was based on a non-scientific survey of 461 participants conducted in 2013. A few details from that survey: 85.6% (392 of 466 participants) hold at least a Masters of Library/Information Science. The survey’s results affirmed that we librarians, regardless of demographics such as age, library type, library size, continue to regard patron privacy as essential in ensuring intellectual freedom and free speech. However, Library 2.0 has skewed the privacy playing field in previously unimaginable ways, amplifying opportunities for privacy violations. Today we’re going to focus less on librarians’ viewpoints and more on what we, as librarians, can do to help safeguard patrons’ online interactions and personal data. We’re going to start with some best practice tips on how to formulate local privacy policies. We will focus on developing practical approaches to identifying privacy gaps and suggest methods for monitoring legislation pertinent to library user data. Also being discussed are ways in which library staff can collaborate to strengthen user protections as well as technological tools designed to improve privacy in networked environments.
  2. Description:  Privacy is a difficult concept to define and even more difficult to justify given the rapidly evolving community standards of cyberspace. Contrary to the mores embraced by the American Library Association (ALA) and guaranteed in the U.S. Constitution, we willingly trade information about ourselves in exchange for the conveniences afforded by cloud computing, e-commerce, instant communication, and social media networking. Library 2.0 has skewed the privacy playing field in previously unimaginable ways, amplifying opportunities for privacy violations.
  3. This session is an outgrowth of last year’s flash talk on librarians’ perspectives regarding patron privacy and Library 2.0 which was based on a non-scientific survey of 461 participants conducted in 2013. However, today we’re going to focus less on librarians’ viewpoints and more on what we, as librarians, can do to help safeguard patrons’ online interactions and personal data. Obviously, the survey’s results affirmed that we librarians as a group, and regardless of location or demographics such as age, library type, library size, continue to regard privacy as essential in ensuring intellectual freedom and free speech. The real question is how can we effectively protect our patrons’ personal data in accordance with our professional beliefs without sacrificing services? Today we’re going to review some best practice tips on how to formulate local privacy policies. We will focus on developing practical approaches to identifying privacy gaps and suggest methods for monitoring legislation pertinent to library user data. And finally, we’ll suggest ways in which library staff can collaborate to strengthen user protections and deploy technological tools designed to improve privacy in networked environments in a manner that covers as many of our users as possible.
  4. First, just a few details from that survey to set the stage and provide some context: 85.6% (392 of 466 participants) hold at least a Masters of Library/Information Science. More than 95% of respondents hailed from the U.S., although several respondents chimed in from the EU and Africa; U.S. respondents were distributed throughout the U.S., although the highest concentrations (percentage-wise) manifested in Massachusetts, New York, Florida, California, Louisiana, and Texas. Nearly half of the 453 who answered this question were working in an academic setting that they described as being of medium size. In terms of age, the largest group was 55-64 (30.35% or 139 respondents), followed by a roughly even division between 25-34 (23.58% or 108 respondents), 35-44 (20.74% or 95 respondents), and 45-54 (19.65% or 90 respondents).
  5. But what do patrons think of protecting their own privacy when using their libraries’ facilities and resources? Since polling patrons fell outside of the scope of our survey, we’re relying here on what the library workers reported. You’ll notice that 22.42% stated that patrons had indeed expressed concerns while several comments indicated that most privacy concerns expressed were related to the Web/e-resources and personal information on public computer terminals. Another rather telling comment that we received in regards to this question was “I think sometimes patrons don’t really understand how we could violate their privacy but we often have conversations with folks about privacy issues and they seem confused.” This gets right to the heart of the challenge for us. How can we expand and educate library users who are confused about privacy in a library setting, especially if we haven’t any policy and/or they are remote users? In responding to another question about views on education and outreach, an overwhelming majority (88.89%, or 408 respondents) agreed with the statement that, as part of information literacy instruction, librarians should teach patrons about privacy issues. An additional facet of the challenge is that data security risks change frequently and without warning.
  6. As you can see, almost 70% of respondents indicated that their websites do not have any sort of warning. It’s relatively easy for Systems or IT departments to add a pop up, or in the case of most resources provided by academic libraries, authentication is the means of access which could also be an easy, cost-effective means of building in an automatic privacy safeguard. We should also try to negotiate license terms that discourage our content providers from selling/re-using our patrons’ data whenever they access resources via a vendor site. This method is clearly on libraries’ radar given that several comments included: “We are revising our policy now to deal with this matter”; “We are discussing this”; “Rarely there is a warning but it doesn't focus on privacy so much as alerting them to the fact that they are leaving the library's site.”; “We do for downloads to a Kindle - didn't think to do that with databases”; “In some cases, but not in all”.
  7. Here is a snapshot of the many different types of technologies and services that our respondents’ libraries are offering. Obviously there are so many (and the number is growing), which really expands the amount of territory we have to cover when monitoring risks. Total Respondents: 429. Answer Choices & Responses: –Blogs (Typepad, WordPress, etc.) 47.55% (204) –E-books/Audiobooks 92.54% (397) –E-readers (iPad, Kindle, Nook, etc.) 47.09% (202) –Instant Messaging/SMS/Texting 34.50% (148) –Podcasting 13.29% (57) –Recommender systems (MyMediaLite.net, etc.) 4.66% (20) –RSS feeds 27.04% (116) –Skype 13.29% (57) –Social bookmarking (del.icio.us, CiteULike, etc.) 15.62% (67) –Social media networking sites (Facebook, LinkedIn, MySpace, Twitter, etc.) 74.13% (318) –Vodcasting 1.86% (8)
  8. Ethics change with technology. –Larry Niven Digitize me! Library services provided for mobile devices carry additional risks as they frequently require patrons to register their devices prior to accessing material provided by a contracted, third-party vendor.
  9. We’ve known about privacy issues with e-reader services such as OverDrive and Amazon since at least 2012, but the most recently discovered e-reader security issue was raised early last month by Nate Hoffelder. The technical problem, that arguably private data is sent in plain text from a reader’s device to a central data-store, seemed pretty obvious once it was discovered. The potential legal problem stems from laws in every state which protect reader privacy and set expectations for data security, plus other laws which may apply. The philosophical problem has several facets, which could be simplified down to the tension between privacy and convenience. Here are the library profession’s basic positions: 1) Each individual’s reading choices and behavior should be private (i.e. anonymized or, better, not tracked). 2) Data gathered for user-desired functionality across devices should be private (i.e. anonymized). 3) Insofar as there is any tracking of reading choices and behavior, there should be an opt-out option readily available to individuals (i.e. not buried in the fine print). In his October 9th post from The Digital Shift, Matt Enis reported that Adobe was working to correct the problem of data being transmitted in clear text but the company “maintained that its collection of this data is covered under its user agreement.” After a couple of weeks, Adobe released a new version of its reader with improved security features, but this action was largely taken following loud protesting on the part of technology security organizations and library organizations, like ALA.
  10. In addition to professional listservs like OIF-L, I recommend subscribing to various technology reporting outlets such as EFF and Ars Technica. I think this case demonstrates just how important it is that we know what’s happening with our vendors so that we can formulate a suitable response when necessary. This is merely an extension of the usual liaison work that we do, especially in the acquisitions, serials, and systems areas.
  11. Raise awareness by sponsoring and/ or participating in data privacy events, such as Data Privacy Day which is sponsored by the National Cyber Security Alliance…
  12. …or Choose Privacy Week hosted by ALA.
  13. Source -- http://www.pinterest.com/pin/196117758746537727/ Overall, I think our best bet in protecting patron data and educating patrons is to take an aggressive multi-prong approach to expanding confidentiality standards and privacy protections. First, we need to keep patrons informed of potential risks. One good, cost-effective way is to craft a strong privacy policy and have it easily accessible to patrons and staff alike.
  14. Question 11. Does your library have an official patron privacy policy? The interesting aspect of this particular graph generated from our survey was the number of respondents who stated that they were unsure of whether or not their library had a privacy policy. That seems a clear indication that administrators/managers should conduct thorough training regarding not just what the policy is, but where it is.
  15. Question 12. If yes, how is this policy made available to library users? (Select all that apply) We can deduce from this chart that library policies are most often shared via the website and through interactions with staff. This makes it incredibly important that we make sure that the policy is posted in a prominent place online and that all staff are trained in understanding the policies that are in place (if any). Also, I think that many of us would like to see the number of digital literacy trainings increase even though we might be understaffed. Perhaps we could create interactive tutorials that would provide an overview of the issues which could then be posted online as well.
  16. Question 13. If your library does NOT have an official privacy policy, are there plans to create one? I love to see that so many libraries already have privacy policies in place (or are planning to create one) and that they are making the policies available through a variety of channels, i.e. website, staff outreach, brochures, literacy classes, etc. But again, the unsure and no categories concern me because that’s a fairly large chunk of organizations that are making themselves (and staff members) vulnerable to legal liability if there’s a chance that state or federal confidentiality regulations are breached.
  17. Only 402 respondents described the types of personal information that their libraries retain about their users. In a separate question, only 2.94% stated that they do NOT keep circulation data of any kind. The rest retained various types of circulation data but
  18. A privacy audit of current policies and practices can be an excellent first step in developing a library policy. It will provide insights into strengths and weaknesses embodied in the existing library’s culture. If not conducted early in the development or revision of a privacy policy, a privacy audit should be conducted before the conclusion of the process and should be repeated regularly thereafter. A privacy audit provides a means of benchmarking privacy practices against what the law requires and what industry best practices demand. There are two different types of audits: adequacy and compliance. Adequacy audits typically determine whether an organization’s data privacy policies are adequately addressing all applicable data privacy laws and regulations (both domestic and international).
Adequacy audit:
• Are data privacy policies adequately addressing all applicable data privacy laws?
• Are they consistently applied to all data processing that is being conducted within the organization?
• Entails review of all extant policies/guidelines/procedures re: handling of personal data (within the organization and in dealing with third-party vendors)
• Mapping of internal and external data flows
Compliance audits set a higher hurdle than adequacy audits because they determine if an organization is actually abiding by the policies and procedures identified.
  19. ALA has a handy privacy toolkit that can help us formulate, revise, and/ or implement data privacy policies according to our industry standards. The kit includes step-by-step guidelines on how to conduct a privacy audit, various checklists, and cites areas that should be reviewed as well as sections that should be included in the final policy.
  20. NYS library records law doesn’t necessarily cover 3rd party vendors who supply e-content services, like Overdrive, etc.
  21. However, other state laws do. NJ state law, for instance, broadens the definition of “library” in order to protect records created by industrial, commercial, and other special groups in the course of doing business with libraries. It’s extremely important to know your own state’s library record laws and advocate to update and strengthen relevant laws as technology changes. And then when it’s time to negotiate with an e-resource vendor, you’ll hopefully have some legal standing to draw on that will help you convince your supplier to include personal data protection clauses in your library’s contract.
  22. Opportunity to educate patrons
  23. Envision the General Flow of a Computer Forensics Data Analysis
• Hashing of files procured from hard drive and/or cloud-based services
• Indexing and searching of files and unallocated space
• Recovery of deleted files
• Application-specific analysis
  – Web activity from cache history and cookies
  – E-mail activity from local/remote storage sites
How to disrupt? There are several points at which we can implement software to disrupt and we are now going to describe a few.
  24. Tor is a collection of privacy tools that enables users to mask information about who they are, where they are connecting to the Internet, and in some cases where the sites they are accessing are located. The Tor network relies on volunteers to run nodes that traffic can pass through, but connecting is as easy as downloading the Tor Browser Bundle and hopping online. We've helped strengthen the Tor network by running a challenge to encourage more volunteer support, and our newly updated Surveillance Self Defense guide has information for Windows users on how to use the software. The Tor Project was also a winner of EFF's 2012 Pioneer Award. However, no system is 100% fool-proof. It has been noted by computer forensic experts that Tor does not always securely delete • For example, Privoxy is a Tor-aware. When wget was configured to use Privoxy to relay the information to Tor, it was able to trace back downloaded page contents and server information because Tor seemed to keep the last used HTTP header in its memory. There’s always a flaw in the system.
  25. Tails is based on Tor. Free software, like Tails, enables its users to check exactly what the software distribution consists of and how it functions since the source code must be made available to all who receive it. Hence a thorough audit of the code can reveal if any malicious code, like a backdoor, is present. Furthermore, with the source code it is possible to build the software, and then compare the result against any version that is already built and being distributed, like the Tails ISO images you can download from us. That way it can be determined whether the distributed version actually was built with the source code, or if any malicious changes have been made. Of course, most people do not have the knowledge, skills or time required to do this, but due to public scrutiny anyone can have a certain degree of implicit trust in Free software, at least if it is popular enough that other developers look into the source code and do what was described in the previous paragraph. After all, there is a strong tradition within the Free software community to publicly report serious issues that are found within software.
General Flow of a Computer Forensics Data Analysis
• Timeline of activity based on MAC times
• Hashing of files
• Indexing and searching of files and unallocated space
• Recovery of deleted files
• Application-specific analysis
  – Web activity from cache, history, and cookies
  – E-mail activity from local stores (PST, Mbox, …)
The Amnesic Incognito Live System (TAILS) [1]
  – “No trace is left on local storage devices unless explicitly asked.”
  – “All outgoing connections to the Internet are forced to go through the Tor network”
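The build-and-compare check described in the Tails text above, as an added example that is not part of the presentation or of the Tails project's own tooling: it hashes a locally built image and the distributed one with SHA-256 and, when the digests differ, reports which 1 MiB blocks differ. The function names are hypothetical and the image contents are constructed sample data.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read and compare in 1 MiB blocks


def sha256_file(path):
    """Stream a file through SHA-256 so a large image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_images(built_path, distributed_path, max_report=5):
    """Return (identical, offsets of the first differing blocks)."""
    if sha256_file(built_path) == sha256_file(distributed_path):
        return True, []
    diffs, offset = [], 0
    with open(built_path, "rb") as a, open(distributed_path, "rb") as b:
        while len(diffs) < max_report:
            block_a, block_b = a.read(CHUNK), b.read(CHUNK)
            if not block_a and not block_b:
                break  # both files exhausted
            if block_a != block_b:
                diffs.append(offset)
            offset += CHUNK
    return False, diffs


def demo():
    """Constructed sample data: a faithful copy and a copy with one changed byte."""
    built = bytes(range(256)) * (3 * CHUNK // 256)  # stands in for a local build
    tampered = bytearray(built)
    tampered[CHUNK + 10] ^= 0xFF  # single altered byte inside the second block
    paths = []
    for data in (built, built, bytes(tampered)):
        fd, path = tempfile.mkstemp(suffix=".img")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        paths.append(path)
    try:
        return compare_images(paths[0], paths[1]), compare_images(paths[0], paths[2])
    finally:
        for path in paths:
            os.remove(path)


if __name__ == "__main__":
    print(demo())
```

A byte-for-byte match is only expected when the build process is reproducible; otherwise build-time values such as timestamps will make the images differ even without any malicious change.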
  26. I highly recommend checking out the EFF’s Surveillance Self-Defense Index. It lists most of the known data disrupters and provides additional explanations of the pros and cons of each. The index likewise includes interactive tutorials.
  27. So what else can we do to educate our patrons, even if they never set foot in our physical plant? Online Guides, such are a fast way to provide any visitors to our website
  28. May 2009 – European Commission announced new EU recommendations to make sure 21st century bar codes respect privacy. See -- http://europa.eu/rapid/press-release_IP-09-740_en.htm?locale=en July 2014 -- Privacy Impact Assessment standards to ensure “data protection by design” within EU data protection rules are in place. European Commission Vice President @NeelieKroesEU said: "Smart tags and systems are part of everyday life now, they simplify systems and boost our economy. But it is important to have standards in place which ensure those benefits do not come at a cost to data protection and security of personal data". According to reports, the global market for RFID applications is expected to grow to $9.2 billion in 2014. Consumers should not face surveillance from RFID chips; they should be deactivated by default immediately and free-of-charge at the point of sale. See http://europa.eu/rapid/press-release_IP-14-889_en.htm
  29. So, to summarize, how can library staff collaborate across departments to strengthen patron privacy protections?
1) Administrators can support the creation and implementation of effective policies using appropriate benchmarks, relevant state library laws, and a variety of distribution channels. This includes regular periodic audits of existing policies.
2) Library staff who interact directly with the public can help encourage patrons to employ some of the circumvention software that was described previously, i.e. via one-on-one instruction or group instruction sessions.
3) Library staff responsible for vetting, recommending, and implementing new technology should monitor security programming developments and recommend new software as it becomes available. They can also install a variety of administrator-approved tools on library devices to help circumvent spyware, etc.
4) Library staff from every area can utilize automated tools to educate on-site/off-site patrons regarding security risks and patches, i.e. LibGuides, messages that alert patrons when they’re leaving the library web site, privacy widgets.
5) Keep all staff informed of your library’s privacy policy, its whereabouts, updates, etc. and provide training on how to properly handle local confidentiality breaches.
6) Support staff attending or watching professional development events related to data privacy. For example, the Charleston Conference had a livestreaming channel and aired a panel presentation called Privacy in the Digital Age: Publishers, Libraries, and Higher Education earlier today (11:30 AM - 12:15 PM) which will be archived on the conference website for later viewing. Or perhaps staff can attend webinars or take a course such as Stanford’s Surveillance Law MOOC which is currently in progress.
I encourage all of us to be creative in seeking out such opportunities and encourage everyone to take an aggressive stance in pursuing better privacy and confidentiality standards across the board.
Thank you so much for coming! Now I’d like to open the floor for questions and comments.