Webinar – Protecting Patron Privacy in Public Libraries – 2017-03-16
Articles,  Blog

Webinar – Protecting Patron Privacy in Public Libraries – 2017-03-16

Crystal: Welcome and thank you for joining
us for today’s TechSoup for Library’s webinar. Today’s topic is protecting patron privacy in public
libraries. My name is Crystal, and I’ll be your host. Patron privacy is of critical importance to libraries.
It’s included in the American Library Association’s Code of Ethics and the Library Bill of
Rights. As technology changes rapidly, libraries and librarians are working hard to keep
up with digital security issues to better protect the privacy of their users, but this is not an
easy task. Today we have two guests joining us to help us sort out some of these
issues and share examples of solutions. We will focus on public access technology
and focus on other related areas as well. Before we begin, I have just a
few announcements. We will be using the ReadyTalk platform for our meeting today.
Please use the chat in the lower, left corner to send questions and comments to the
presenters. We will be tracking your questions throughout the webinar and will answer them at
the designated Q&A section after each presenter. All of your chat comments will only come to the
presenters, but if you have comments or ideas to share, we will forward them back out to the
entire group. You don’t need to raise your hand to ask a question; simply type it into the chat
box. Should you get disconnected during the webinar, you can reconnect using the same
link in your confirmation email. You should be hearing the conference
audio through your computer speakers, but if your audio connection is unclear,
you can dial in using the phone number in your confirmation email or
that we’ve shared here in the chat. If you’re having technical issues, please send
us a chat message, and we will try to assist you. This webinar is being recorded and will
be archived on the TechSoup website. If you’re called away from the webinar
or if you have connection issues, you can watch a full recording of this webinar later.
You will receive an archive email within a few days that will include a link to the recording, the Power
Point slides, and any additional links or resources shared during the session. If you’re tweeting
this webinar, please use the hashtag #ts4libs. We have someone from TechSoup live
tweeting this event, so please join us in the conversation there. TechSoup Global is dedicated to serving the
world’s nonprofit organizations and libraries. TechSoup was founded in 1987 with a global
network of partners. We connect libraries and nonprofits to technology, resources,
and support, so that you can operate at your full potential, more effectively
deliver your programs and services, and better achieve your missions. TechSoup has helped to distribute over 14
million software and hardware donations to date through our product donation program. We offer
a wide range of software, hardware, and services that are both cost-effective and
environmentally friendly. For more information about TechSoup product donations or
services, please visit techsoup.org and click on Get Products and Services. For today’s webinar we’re joined by two
guests. First up, we have Bill Budington from the Electronic Frontier Foundation, the
EFF. Bill will talk about digital security issues that impact patron privacy in public libraries
and will share tools and information from EFF that can be useful for libraries.
Then we’ll hear from Chuck McAndrew, the IT librarian at the Lebanon Public Libraries
in New Hampshire. He will share examples of actions he has taken at this small
library to better protect patron privacy and to teach library users how to
better protect their own privacy. My name is Crystal Schimpf, and I’ll be your
host for today’s webinar. Assisting us with chat, we have Becky Wiegand, and on Twitter
we have Molly Bacon, both joining us from the TechSoup team. We’ll have time,
again, for Q&A after each presenter, and we’ll be tracking your questions throughout.
Please share your questions in the chat as they arrive. Lastly, we will be sending out
an archive that will have all of the links shared during the session today, so you can
expect that in your email within a few days. Alright. Without further ado, I think it’s
time for me to hand things over to Bill, so he can talk to us about
digital privacy and security. Bill? Bill: Hi there. Thanks for joining me. I’m having
some technical difficulties right now, actually. So one thing that I can do is,
Crystal, if you could advance my slides, and I can pull up a
parallel set of slides. Crystal: I sure can. Bill: On my side. Sorry.
Just one second. [Pause] Crystal: Thanks for bearing with us, everyone,
as we sort out this technical difficulty. We’ll get started in just a moment. Bill: Ok. Thanks so much for joining me in this
Digital Privacy and Security Library Edition. Who am I, and why should you listen
to me? My name is Bill Budington. I am a security technologist and security
engineer at the Electron Frontier Foundation. I advise lawyers and activists on
technical matters as my primary day job. What is EFF? EFF is the
Electronic Frontier Foundation. We are a member-supported nonprofit, and we’ve
been fighting for 26 years to promote privacy and civil liberties in the digital world. We do
this for, basically, with a three-pronged attack. We have technologists on staff. We also
have lawyers, and we also have activists. And using these three different teams at EFF, we
have that mission of supporting your civil liberties in the digital world. What is privacy and security, and
why is it important for librarians? Well, I like to start with this
quote from Robert G. Vosper, who is the head of the
American Library Association. “The library is an open sanctuary. It is devoted to
individual, intellectual inquiry and contemplation. Its function is to provide free access to
ideas and information. It is a haven of privacy, a source of both cultural and intellectual
sustenance for the individual reader.” So I think that this really kind of drives home the
point of why privacy is important for our librarians. I think most librarians actually understand
this. It’s not a controversial idea. It’s something that is expected as a librarian
when you’re going into the profession. Also, libraries are really seen as these
sanctuaries, whether it’s actually true or not. Most people go into libraries,
and they kind of feel this solace. They actually feel like they’re being
protected in some degree from the outside world, and they can kind of pursue their intellectual
freedom and desires in a protected way that’s free. So libraries are seen as these
sanctuaries. To bring it to the current day, they’re seen as sanctuaries,
especially for at-risk communities. But why security? Why is
security important as well? Well, to answer that question, we need
to take a detour through the internet. Yes, the internet. When most people think about the internet,
they think of an email, and they send an email. So we have these two figures, Alice and
Bob, and Alice wants to send an email to Bob. And it looks like, from Alice’s perspective,
that email is going directly to the inbox of Bob. But, in actuality, there are a number
of intermediaries between the connection of Alice and Bob: primarily, the email service
providers and the internet service providers. And also, three-letter agencies, such as the
NSA, that has control or has special hardware that they can install on backbone and
privileged network nodes. Next slide. In addition, you also have eavesdroppers,
which can possible be snooping on the connection either in the home or café that Alice is
connecting from or in Bob’s home or café or wherever they are connecting from.
Next slide. With the help of encryption, we can actually make this connection much
more secure, and people can actually be ensured that the communications that they are sending
are not interceptable and not readable. What is encryption? Well, encryption scrambles
the message content so that it’s not readable from anyone that’s sitting on the
network in the middle of Alice and Bob. It also, to note, still has metadata. That’s
everything that isn’t the direct content of that message. What is metadata? In this
example, metadata is the time that that email is sent, the subject line, the time
received, you know, the name of the sender, the name of the recipient. All of that data
is still accessible even if encryption is used. So for HTTPS — HTTPS is basically web
encryption. The contents for HTTPS — What’s actually encrypted is
what exact page you’re accessing. For instance, if you are
accessing example.com/somepath, the somepath part of that URL, of that
website, that’s the encrypted part. The username and password, if you’re
logging into a site, that’s also encrypted, if you’re using HTTPS. Also, if you’re
logging into a session, say Facebook.com, if you are posting content,
that’s also encrypted. What’s not encrypted is the metadata:
what domain you’re on — for instance, if you’re on bing.com, that’s not encrypted;
that can be seen — what time you accessed it, and your location data, for instance, your IP
address. Your IP address is this unique identifier that’s linked to your location. You can see
here by this graph, in the first instance, what is encrypted and what’s plainly
visible from HTTPS and on HTTPS connections. Here you can see that there is this green lock,
and that indicates that you’re actually using an HTTPS connection. That way you can be
insured that your connection on the web is encrypted. We develop at EFF
a product called HTTPS Everywhere. What this does is it ensures that if a website
offers HTTPS and an unencrypted connection, that you’re actually using the
encrypted connection to that website. You’re actually using the best security
for that website that is available. This is a downloadable browser extension
that’s available for both Firefox and Chrome, and you can install it on both your own
computer and also the patrons’ computers that are public
stations at your library. Why is security important for librarians?
This article by the American Libraries magazine kind of drives home why it’s important
and also some of the failures of libraries to actually deploy good HTTPS. Their
findings are that without encryption, the content that the patrons search for,
view, or download is easily intercepted. These online streams of communication
deserve the same protections granted to circulation records, but few libraries are
taking even minimal steps to encrypt this data. You can see that this is something, you
know, encryption, HTTPS specifically, is something that really is important for —
And it should be granted the same kind of level as circulation records. Their findings continue
that out of the top 124 American Research Libraries, only 13% of them are actually using HTTPS.
And out of the 25 largest public libraries that they surveyed, only two of them, 8%,
were using HTTPS on their main websites, and only 28% defaulted HTTPS for search
activity. So they conclude that we could better attribute this gap in deploying HTTPS
to an awareness or lack of expertise in reconfiguring implementations. Which
basically means that there’s not enough staff, and there’s not enough people with the
skill level to really make it viable for these libraries to deploy HTTPS. This is really troubling! So, why is it troubling? Who
cares if HTTPS is on sites? We know that the NSA is compromising
cloud services. This slide was revealed in the Snowden revelations, and what it
shows is that the NSA is actually intercepting the background communications of
Google and trying to syphon off data of users of Google services. We know
that the NSA is undermining encryption. They have, for instance, paid $10 million to RSA
to essentially privilege a weakened encryption, what’s called a cipher, which is
a way that encryption is performed, and privilege that in the
cipher suite that RSA provides. So we know that the FBI has
demanded patron records as well. This is a case where, in Connecticut,
libraries were – Their service providers were, basically, issued national security
letters. The ACLU challenged that, and that’s why we’re able to talk about it, because
national security letters, under the Patriot Act, are accompanied by gag orders,
so you can’t even talk about them unless you are combating and winning
those cases. You know, this is something that’s really troubling, that patron records
are actually being requested by the government, by the FBI in this case. And they’re
being requested over, and over again. These two cases were brought against the FBI
– demanded records of the Internet Archive, which is the online digital archive. And what
they were doing was, they were saying in 2007, we want your records. EFF challenged that,
and we were able to talk about it in 2007. The latest case in 2016, just last year,
the NSL was accompanied by information that instructed how to challenge the
NSL, but that was faulty information. They were giving out information, how to
challenge the NSL, that was actually erroneous and misleading. So we challenged that
and got them to stop that as well. So why aren’t more library websites offering
HTTPS? Well, traditionally, obtaining a certificate, which you need to provide HTTPS, is pretty
hard, and installing that HTTPS certificate, once you get it, is also really hard.
HTTPS certificates also cost money. They have traditionally not been free, and there’s
no reason why. Security shouldn’t be anything but free. For certain certificate
authorities, which issue HTTPS certificates, these are automated systems that cost pennies to
issue a single certificate, and there’s no reason why they should cost $10 a pop for
every website that you want to encrypt. Introducing Certbot. Cerbot is a project of the
Electronic Frontier Foundation in collaboration with other organizations, and what it does
is it automatically issues HTTPS certificates and configures your software to use them — so
it’s not actually hard to deploy — for free. It’s important to note here that HTTPS provides
security, but it does not protect privacy. Your data is big money. This is a graphic
that shows when you access The New York Times all your data is actually being delivered.
It doesn’t just go to The New York Times; it goes to dozens of other organizations, and
that’s because when you access The New York Times, it’s pulling in resources from other organizations,
maybe ad networks, maybe fonts that are included in other places that New York Times itself
doesn’t host. So these are actually all places where your data is being delivered when
you access the The New York Times website. And that’s delivered to advertisers to market your products
at you. For instance, there have been notable instances of differential pricing. If you live closer to a Walmart,
for instance, then a website that’s trying to sell you things that are also available at that Walmart
will have a lower price than if you live very far from a Walmart. And there’s also these diploma
mills which market, typically, at low-income people to attend universities that grant diplomas that
aren’t really worth the paper they’re printed on. Web trackers also do big-data analysis on
you, and they do that without your consent. No one actually is displayed a
warning that’s saying, “Hey look. Your data is going to X, Y, and Z places.”
There are regulations in the European Union but not here. There’s not any federal
data protection regime in the U.S. So there is this August
2016 study of web trackers. And they found that at least 75% of the
top 500 internet sites contain trackers, and this is up from less than 5% in 1998.
So we’ve been seeing a real, real increase in the amount of sites that are actually performing
web tracking that are syphoning off your data as you browse the web. The findings continue
that the number of trackers have increased as well as the ability of the trackers to
actually employ technologies that track you and the complexity of those trackers.
This has all kind of increased, and this is a really troubling dynamic. Enter Privacy Badger. Privacy Badger
is an extension that’s developed at EFF. It’s also, like HTTPS Everywhere,
a downloadable browser extension, that’s available for Firefox and Chrome
browser. And what it does is it tells sites that you do not wish to be tracked. It looks
for third parties as you browse the web, and if a third party is seen on several different
domains, and it appears to be tracking you, then it gets blocked. So it looks for these
different tracking mechanisms that trackers use, and it tries to determine if it’s a tracker or
not that’s doing it, and it blocks them if it is. This is Privacy Badger in action. You
can see that some websites are blocked because they look like trackers,
and other websites are allowed. What this all really comes down
to is a question of user education. Unfortunately, users aren’t really aware
of what is happening with their data. Generally, users don’t really know the risks to
their privacy and security when they browse the web, when they access the internet. There are
often vested interests that are actively trying to subvert knowledge about how users can
protect themselves. I mean, in the case of HTTPS, it might be a government, but in the case
of browsing with privacy, then these trackers are ad agencies. And there’s this difficult task
of actually raising awareness and letting users know that their privacy is at risk. So what librarians
can do is they can kind of let their patrons know about these risks. Perhaps the
Home page for their public computers can be something that includes text
about how their privacy is being affected. One of our resources at EFF is ssd.eff.org,
which is the last resource here, and that explains a lot more info
about how users can protect themselves and how you can help your patrons know – and
yourself – get informed about these risks. I also have the resources here for additional
information in the presentation. Thanks very much! Crystal: Great! Thanks, Bill, and thanks for
bearing with us with those technical difficulties. I think we got through everything ok,
so thanks for working with me on that. We’ve got some great questions that have come in.
Before we get to those, I just want to say thanks for sharing all of this. I mean, this is an information
– rich presentation that you’ve just given with lots of links and lots of resources. And
I just want to remind everyone who has joined us that we are going to be sharing those links in
the archive. And I know there were lots of articles that were referenced, and those will also
be included, so you can go and follow up with those later on. We did get one question
about sharing the name of that study, and I think I know which one this is, and I’m just
gonna go back to it. Actually, I’ll see if I can find it in a moment, and we’ll go back
to that one that had the study. But, Bill, we’ve been getting some good
questions from participants, so I’m going to go through as many as we can in the few
minutes we have before Chuck’s presentation. One of those questions is, “Does Certbot
rely on the Let’s Encrypt certificates,” and could you talk a
little bit more about that? Bill: Right. Certbot is what’s called the client
side of the dynamic duo of Let’s Encrypt and Certbot. The Let’s Encrypt is what’s called the server
side. Let’s Encrypt acts as the issuing body. Let’s Encrypt software runs on not your own
computer that you want to get a certificate for a website that you own, but it runs as the issuer on
the internet, so that you request certificates from it. Let’s Encrypt is, you know, basically – Let’s
Encrypt works with Certbot to issue certificates, and they’re kind of part and
parcel of the same overall thing. Crystal: Great. Another related question
– and I think that you answered this. It came in early on, but I want to make sure we get this really clear.
Is there a cost to going to HTTPS versus HTTP? I think you shared an option with us
that was either free or very low-cost. Bill: Right. With Certbot, if you download Certbot
— and the link I have at the end of my presentation has where you can actually download
Certbot software — that’s absolutely free. There’s no cost for HTTPS deployment other than
the cost that it takes to have a sys admin run this software, and traditionally, that’s been
a very high bar. Sys Admin that want to deploy a certificate, it took them – It took, actually,
security researchers and experts hours, often, to get it right. What Certbot does is it takes a
very hands-on approach and deploys the certificates for you, so you don’t have to worry
about all the configuration options. Crystal: Great. We have a question about HTTPS
Everywhere. What browsers does that work for? And I’m just going to go back to
the slide where we talked about that. Bill: Sure! HTTPS Everywhere is what
I do at EFF. It’s my primary job at EFF is to maintain that browser extension. Currently
it is supported in Firefox and in Chrome browser, also in Chromium, if you use Chromium, which is
the free version of – or free software version of Chrome browser, and also in
Opera Browser, if you use that. Crystal: Great. Then – Gosh, I’m just trying to
go through a couple of the quick questions here. We’ve got some big questions which we’ll try
to save for later on once we’ve heard from Chuck as well. But a question about Privacy
Badger: is Privacy Badger free? Bill: Yes. All the tools that protect your users that
I have listed in this presentation are absolutely free. Certbot is free and so is HTTPS
Everywhere and Privacy Badger. Crystal: Great. Thanks for clarifying that. I
know we kind of went through each one individually as those questions came in. Then we
got a question about the difference between the browser option to
deny tracking and Privacy Badger. Maybe you could talk a little bit about that, and
this might be our last question before we move on. Bill: Sure. So what browsers started doing
early – I believe it’s either early this decade or last decade – is they started delivering
this little flag to websites that you access that says that you do not wish to be
tracked. And that’s something that is great, but it also isn’t really enforceable. We send it
with Privacy Badger. We actually set that flag to say, “Hey, browser you should send this to websites
that I’m accessing that I do not consent to being tracked,” but it’s not an enforceable
mechanism. That’s called Do Not Track, the Do Not Track flag. There’s also Do Not
Track policy that is different, that we at EFF have formulated. That is something that says that if
websites say that they are not going to track users, promise not to track users, and post a policy, a
privacy policy, that actually puts in writing that that’s that effect, that they’re not going
to track those users, then with Privacy Badger we will selectively unblock those sites that
have that good privacy policy, that have promised not to track users. It’s a little bit
tricky, but – There’s the Do Not Track Policy and the Do Not Track flag. Yeah. Crystal: Great! Well, thanks for
clarifying the difference between those. I’m just going to get back to this
slide one last time to let everybody know that I know we had some other questions come in,
and we haven’t had a chance to get to all of them. We’ll try to bring Bill back at the end
to answer a few more of your questions. And we will follow up via email with anything
that we weren’t able to answer live today, so don’t be discouraged if you asked
a question we haven’t gotten to yet. We’ll have other opportunities to
do that. But we have another guest, and we want to hear from him as well.
At this point, I want to welcome Chuck, again, joining us from the Lebanon
Public Libraries in New Hampshire. And Chuck is going to talk to us about what he has
done in his library, so Chuck, I’ll hand it over to you now. Let me know if you
need me to advance your slides. I understand you’re having
the same technical issue. Chuck: Thanks, Crystal. My name is
Chuck McAndrew. I’m the IT librarian at the Lebanon Public Libraries in Lebanon, New
Hampshire. Bill gave you a really good overview of the higher-level stuff, the way that traffic
goes over the internet. So what I want to do today is give some practical tips, something you can
take home and implement in your library right now or today. It’s stuff that we’ve done in our library,
and we found worked well. But before I do that, I just wanted to add a plug for Certbot; that’s
what we use in our library. It is very good, and not only that, I’ve also pushed our ILS
vendor to implement it, and they recently announced that they are putting it in place for all
their customers. So all their customers, now, will have HTTPS by default because
of Certbot. It’s very easy to use. Go ahead and next
slide, please, Crystal. I am from the Lebanon Public Libraries. We’re
about half-way up the state of New Hampshire, right on the Vermont border. We’re kind of in the
middle of nowhere. We think we’re a big library for the area. We have about 14,000 people,
which is big for the area, but I know nationally that’s not too huge. But we do a lot
for patron privacy in our library, and if we can do it, so
can you. Next slide, please. So, the first thing I want to talk about is
Wi-Fi because a lot of times you see open Wi-Fi in libraries, and that’s fine, but there
are some things you should be aware of when you have open Wi-Fi. Open Wi-Fi is the
best for convenience. People can just walk in and click on the Wi-Fi and don’t need
to worry about a password or anything, and it actually promotes access
in that when the library is closed, or someone doesn’t even want to come to the
doors at the library, they can use that Wi-Fi, but it’s unencrypted. So the connection between
the computer and the wireless access point is not encrypted, which potentially allows
for snooping and man-in-the-middle attacks. A man-in-the-middle attack is where
someone else pretends to be the website that you’re trying to connect to. Now, if you
have an end-to-end encryption system in place like HTTPS, this is not a huge deal, but if
you’re connecting to an unencrypted connection, then basically, anyone on that
network can see everything you do. Essentially, what we’re doing by having open Wi-Fi
is we’re placing the responsibility for security on the patron rather than on the library. Most of our
patrons in our library are not extremely tech-savvy, so the more we can do to help them out with
privacy, and the more we can do to build secure, private systems that they can use,
the better we’re doing as librarians. An alternative is to have secured
Wi-Fi; this is Wi-Fi with a password. The pros is it’s an encrypted connection. It is the
best for privacy and security. It can limit access, though, and it’s not as convenient. Just
as a note, please don’t use WEP encryption. Only use WPA2. WEP is broken. You can crack
it really quickly with just a normal laptop. You can try publically posting the password.
You’ll see this a lot of times like in coffee shops and stuff, and that is one way to
reduce the convenience concerns here, but it doesn’t allow that 24-hour access
to your library’s Wi-Fi, which, to me is actually a big service. I know there have been
times when I’ve traveled on road trips and stuff, and I’ve been able to pull into a library’s parking
lot and use their Wi-Fi even when they’re closed, and that was hugely handy. There’s compromises: one is to have
both a secured and an open network, and the other compromise is to broadcast a
secured network with the password in the name. At our library we do both. This is
actually a screenshot from my laptop of our library Wi-Fi networks. We
have library guest, which is unsecured; it’s open, and anyone can use it. Then we
have library guest; password is leblibrary. That is just what it sounds like. It’s a guest
network with the password right in the name, so anyone looking at that knows what the
password is. Then we have library staff because you should never have your library staff
using the same network as your library guests, which gets more into the infrastructure side
of things, but this is a big problem that I see with a lot of libraries. You really want to segregate
that out because library staff is dealing with a lot of sensitive patron data that is protected by
law in most cases, so you don’t want to have random people able to
snoop on your staff network. Those are kind of some of the
considerations that go into Wi-Fi selection. You can see we hedged our bets and did all of
the above. Now I’m going to talk a little bit about public computers and how we can protect
patrons’ privacies using our public computers. This is not exhaustive. I teach an online privacy
course at my library. It’s two-hour sessions, and there’s five sessions in the course, and
I consider that kind of just an introduction. So 30 minutes of talking on a
webinar is not enough to go into this. These are just what I would consider very basic
things that everyone should be implementing. I’ll also note that in the links we’ve
included at the end of this presentation, the American Library Association has
recently released some checklists of things that libraries should be doing. Take a look at those
checklists and run through them for your library. They’re very good, and they’re
much more exhaustive than this. Public computers – Keep them up to date. This
is the number one thing you can do for security on your computers at home, your
patron computers, your staff computers, any computers. Most exploits, most hacks, are
on vulnerabilities that have already been fixed. Software companies these days are actually pretty
good about getting fixes out pretty quickly, and a lot of security researchers will notify
the software company about a vulnerability before they release it publically. But the software
companies, all they can do is release the fix. If you don’t update, then that’s actually on you.
You also want to make sure your rollback software doesn’t roll back your updates. So if
you’re using something like Deep Freeze, you have to make sure it unfreezes for updates.
Otherwise, you can install your updates, but it’s going to roll them back.
Automatically installing security updates is a very good thing because it makes sure
they get done. You don’t have to add it to your schedule. It’s not another thing you
have to do. There’s a little bit of potential for breaking something with automatic updates,
but most people in libraries who I’ve seen don’t go to the trouble of testing
updates before they apply them anyway, so you might as well have
them automatically installed. The next thing, and this is very important
for public privacy, not in the sense that someone’s going to be snooping on
them over the internet, but in the sense that the next person who sits down at the
computer after them might see something. Restore your computers to a known good
state between patrons. I’ve gone in libraries and seen credit card applications saved on
those computers. You have to wipe out everything the patron does between users. Otherwise,
it doesn’t matter whether you have the most secure connection in the world. The next
person who sits down can see everything they did. If you’re using, like, Windows computers,
having some kind of rollback software such as Deep Freeze – Deep Freeze is
just the one I’ve heard of the most – is really important if you’re using something
like Chromebooks or Chromeboxes, Chrome OS. This actually comes built into it; you just need
a Google domain, and you use public sessions. If you’re doing something oddball like
we do at my library, and you’re using an open-source operating system like Linux,
then there’s actually a script that I wrote that accomplishes this. But regardless of what
system you’re using, it can be done on all of them. Just make sure that you have a strategy
for ensuring that every patron who sits down has a known good situation. This also
prevents tampering with the system like installing malicious software such as
keyloggers. There was an article that came out last year about a university library where
there were some, I think it was 30 or 40, keyloggers installed on library computers, so
everything that anyone was sitting down and typing into those computers was logged. If you’re
restoring the system to a known good state and patrons don’t have administrative
privileges, which is another important point, then anything malicious they
try to do should be undone. There’s also a lot of tweaks you can make to your
browser settings. This example that I have up here is from Google Chrome, but the same
– All the major browsers allow this. Either have the browser not remember history
or open in incognito mode, and what that does is it ensures that nothing is
retained between browser sessions. So even if the patron doesn’t log out,
as long as they close that browser window, then it’s not going to remember stuff on
the browser window. Now, that doesn’t help if they download something, but
it’s a good step. And you may say, “Well, I have this rollback software, so I don’t
need to do this.” The fact is that none of these are perfect solutions, so having a defense in
depth, where you have multiple layers of security, is the way to go. Have it not remember
history; do not have it remember form data. Definitely do not have it remember passwords.
And more on the internet privacy side of things, set your plugins to click-to-play. This ensures that
plugins like the Flash Player don’t just start up and run when you go to a website because
those are, essentially, little programs running inside your web browser. So
you want the patron to have control over whether that runs or not. And
finally, disable third party cookies. All this is done through the settings.
The details of it vary by which browser, so just do a quick online search for all of
these for whatever your browser of choice is, and you can figure out how
to do it. Next slide, please. So, Bill talked about two of the three plugins that
we install on all our public computers, already: HTTPS Everywhere and Privacy Badger,
both very good plugins, and like I say, I put them on all my public computers. Then
the third one I install is uBlock Origin. What uBlock Origin is, it’s an ad blocker.
Now, there’s some debate about ad blockers because a lot of sites on the
internet use ad revenue to keep going, and some people feel that there’s kind of
an implicit contract: you go to the site, you utilize their services, and you don’t
pay anything. You should look at their ads. I can certainly understand that. I have a
lot of sympathy for that. However, the problem is that not just that ads are annoying; ads
are frequently malicious, and this is even true, or especially true, on big, well-known websites.
These websites do not have the time, money, or staff to really vet every ad, so what they do
is they contract it out to third party advertising companies. All of them major websites have
had cases of malicious advertising showing up on their website. Now, malicious advertising
means that if you click on that ad, it will do something malicious to your
computer. So until they figure out a better way to ensure that their ads are actually
safe, I think that it is just common sense that anyone going on the internet
does, in fact, block ads by default. uBlock Origin provides a very easy way to
disable it if you do want to see ads on a site or if it’s necessary to see ads for the site
to work properly. Just like Privacy Badger and HTTPS Everywhere are very easy to disable.
Some of these may interfere with the functionality of some websites, and that’s, actually, ok
in my view because often the functionality they’re interfering with is not functionality
you want. It doesn’t benefit your patrons. But there are times when it will prevent
the patron from doing what they want. So it’s important that your staff know
how to disable them, so if a website is not working properly, you can try disabling it.
But we want on a default. We want safe by default to ensure that our patrons, when they
sit down at a library, we can’t guarantee they have a completely safe or a completely
private experience, but what we can do is we can take care of the low-hanging
fruit. We can take care of the easy stuff. If someone is being tracked by the NSA,
probably not much we do on our public computers is going to help them. But we can prevent the, you
know, script kiddies from being able to figure out what they’re doing. The final thing I would say for public
computers is install the Tor Browser. If you aren’t familiar with Tor, what
Tor is it’s a strong anonymity product, and what it does is it encrypts your traffic,
and it severs the link between the sender and the receiver. It does this by bouncing
it through three voluntarily operated relays. Your computer will connect to what’s called
a guard relay, and then the guard relay will bounce it to a middle relay. The middle
relay has no idea who you are or where the traffic came from. It has no idea where the traffic’s going.
All it knows is the two other relays it’s talking to. The traffic is then sent to what’s known
as an exit relay, which is what goes out and talks to the website. The website sees
this traffic as coming from the exit relay rather than from your computer.
Tor also will create a new circuit for every separate domain and every
separate tab within the browser. So that means if you’re on Twitter
and on Google in two separate tabs, Twitter may think you’re connecting from
the Netherlands, and Google may think you’re connecting from Canada. This prevents
cross-site tracking, which Bill talked about a little bit earlier, which is becoming
more and more of an issue, these trackers, because so many sites have them. They’ll
follow you across sites which can give them a whole lot of insight into your behavior
that you may not want them to have. So the Tor Browser is basically a modified
version of Firefox that runs everything through the Tor network. By providing
it – and again, this is a screenshot from our public computers at our library
– By providing access to the Tor Browser, you’re giving your patrons strong privacy
and anonymity, but you’re not requiring it. You still offer the other browsers.
You’re just giving them the option. Now, some libraries may have issue with this
if they’re required to filter their internet. One solution that we’ve kind of come up with
when talking to people who are in that situation, is you can actually install the Tor Browser
to a thumb drive. You don’t have to install it to the computer. You can put it on a
thumb drive, and it will run just fine. So you can put the Tor Browser on thumb
drives and make that available to patrons. That will allow you to still filter your internet,
but have the possibility of using the Tor Browser for patrons who want it and who aren’t
subject to filtering, like adults. I would recommend that every library have the Tor
Browser available to their patrons. It is free. It runs on every major operating
system, and it’s relatively easy to use. Not only are you offering the technical
benefits of the encryption and the anonymity, but it’s also a great way to start conversations
about digital privacy. Once we installed it on our computers and put up signs explaining
what it is, I’ve had a lot of patrons come up and start talking to me about these issues, and
it’s a great way to start an education initiative with patrons. Once they started talking
about that, they started asking for classes on how to stay safer online, and that led
to our, we call it online self-defense, which I shamelessly stole from the EFF
with their surveillance self-defense because I thought it was such a cool name.
You can see the link on the slide there, leblibrary.com/online-self-defense. That’s my
entire curriculum, and you can download the slides and all my notes. Feel free to
use it in your library, by the way. And there’s the ALA Privacy Checklist, the
Library Freedom Project. If you don’t know about Library Freedom Project, Allison
Macrina is awesome. She will come to your area and teach you how to do all this stuff. San Jose
Public has an awesome privacy program as well, as well as the Electronic Frontier
Foundation. That is all I have today. Crystal: Alright. Chuck, thank you for,
again, a very information-rich presentation. And again, just to let everybody know, we are
going to share the slides and all of these links in the archive, and you will get that in your
email that you used to register for this webinar, so that will be coming within a few days.
Now, we’ve gotten a lot of questions, Chuck. People want to know more details
about some of the things you’re doing, so I’m going to see how many of these we can
get to in the short period of time that we have. And I know, Bill’s been responding to
some of those extra questions in chat, so we’ll let him keep working on that.
If we have time, we’ll bring him back. But we got some questions, just to go back
to what you were talking about early on with the Wi-Fi network. We got one question
that said – And I think this is a good one – When you broadcast your password as
you showed over the Wi-Fi network, can’t you still get man-in-the-middle, MITM,
attacks? I’m just going to go back to the slide where you talked about this. Chuck: That’s a good question, and the answer is
no because the password is not the important part. The encryption is the important part.
So the secured network, basically, creates the encrypted connection between
the wireless access point and the computer. The password is not the encryption key. So
each individual client, each individual computer will have its own one-time use encryption key that
secures that session. So every time you connect, it, basically, generates a new encryption
key, and that’s what prevents the snooping, and that’s what prevents the man-in-the-middle
attack. It’s, basically, the same thing that’s going on with HTTPS. Crystal: Great. And we got another question,
and I feel like the answer may be similar, but correct me if I’m wrong. On Wi-Fi if
everyone shares the same login, can they use that to decrypt all the traffic? If we all have
the same password, do we all have the same key? Chuck: And the answer is no. You don’t have
the same key. The password is just, essentially, to authenticate yourself to the network, but
then your computer and the wireless access point negotiate a key. If you want to know
more about how the encryption works, the Khan Academy has an excellent series on
YouTube. It’s called “Gambling With Secrets.” I haven’t included that link, but I can find it
real quick. It is really great for understanding how encryption works, including
how do you negotiate a key without having a shared
key to start with. Crystal: Great. And Chuck, if you share that with
me, then we’ll try to include that in the archive. That would be a great additional resource to
add. Alright. We got a question, now moving on to the restoring the PCs to their known good
state. Someone said, “To restore our public PCs to a known good state requires a reboot, so would
rebooting so often decrease the life of the PC?” Chuck: It should not. It especially wouldn’t
if you had a solid state hard drive, but no. It should not significantly
impact the life of the computer. Crystal: Great. Of course, many of the things
that you’re talking about here are related to kind of the back end IT function of the computers,
so you do a lot of that in-house as your role as IT librarian. We got a question for those
who maybe don’t have that same relationship with their IT department: “All of our computers are
maintained through the IT department at the city, and we don’t have a lot of control over
these issues. So do you have any suggestions for how to convince the
city of the importance?” Chuck: That is actually where my library was a
few years ago, and they hired an IT librarian, specifically, to change that. So that is one option,
is to bring it in-house. A lot of IT departments, especially like municipal IT departments,
don’t really have a good understanding about the IT needs of libraries because
what we do tends to be very different than what other city departments do. So
you either need to be able to communicate with the IT department in a way they
understand your needs — which, of course, involves understanding your IT needs, so you
need a base level of understanding yourself, so you can talk to them and communicate —
or you need to train or hire someone on staff who has this understanding and either
can do it themselves or can communicate. So it will involve either staff training,
professional development, or it will involve actually hiring someone who already has
those skills. But I would say, if you look at what public libraries, especially, do today,
the technology side is as important as books are, if not much more important. And we never
think twice about hiring a cataloger or hiring someone to do collection development,
but a lot of libraries balk at hiring someone with IT skills, and I think that just needs to change
in libraries. This is a mindset that hasn’t kept up with the reality of what we do. Crystal: Alright. Great. Thanks for answering that
question. We’re still getting a lot of good questions coming in, and I want to just assure everybody
that if we don’t have time for them today, we’ll get to them via email later on. But I have
one, last question. Actually, this came early on, and Chuck, I’m going to have you answer it first,
and then Bill, if you have any last comments, we’ll have time for that as well, just a minute
or two, whether it’s to answer this question or just to add anything else in. But this question
actually gets a little bit at some of the – and we didn’t talk about this a whole lot – but
about the concept of collecting library patron data, whether this is from the ILS or the
public computers, the types of data you might be collecting to make customer
service decisions and to market services better to patrons. Chuck, I don’t know if in your
library you had any conversations around this, but it certainly revolves around this patron
privacy issue. So Chuck, if you have some brief words on that to share from your perspective in
the IT or your perspective as a librarian, and then we’ll bounce it over to Bill. Chuck: Sure. First, I would say, check your local
laws because every state has patron privacy laws regarding what library information can
and cannot be used for what purposes. Now, like, using patron information to better
market your library’s services, I would say, typically, what we would look for is just
making it an opt in rather than an opt out. That is, you don’t just send out mass
emails to everyone who has a library card, but you can ask them when they sign up for a
card, would you like to be included in our emails. Our children’s librarian actually collects email
addresses from parents, so she can let them know about upcoming children’s events, and that’s
an opt-in model. I think that’s perfectly fine because that’s patrons actually saying,
yes, we would like to participate in this. Yes, we would like to have our
information used for these purposes. And you also have to have a good, well
thought out privacy policy saying what you will and will not use the information for, and make
sure you hold yourself and your staff to it. Crystal: Great. And just one more bit. Chuck,
thank you for sharing your perspective on that from your library. This is also something that
is included in the American Library Association’s statements on patron privacy and collection
of patron data, and those are links we will also be sharing in the archives, and it’s
a part of the new checklist that we talked about as well. So it is included, the recommendations
from the American Library Association and LITA are going to be included in the
archive. Bill, we have just one minute if you’re still on the line, and you
have any last words you want to share, whether it’s on that question or
something else. Come on and let us know. Bill: The only other thing that I would add to that
— and Chuck really did that question due diligence is to make sure that the patrons themselves are
aware of any information that they are giving out and have links to learn more. User
education, again, is really important, and if the patrons don’t know where
that information is being delivered and how it’s being dealt with, then they
can’t really have any objective assessment of whether or not they’d
like to opt in or opt out. Crystal: Great. Alright. Thank you, Bill.
Thank you, Chuck, for sharing all of this today. I’m afraid that’s all that we have time for,
but it sure has been an information-rich hour. We’ll follow up on those
unanswered questions soon via email. I did want to let you all know about some
upcoming webinars that might be of interest including one on the 28th of March about
technology donations through TechSoup, one on disaster prep and recovery on April 4th,
and one on digital storytelling for libraries on April 26th. Save the date for that one.
Also, please visit us at techsoupforlibraries.org where we’ve got blog posts and webinar
archives and all sorts of other information that is library-specific for you. And that’s all!
We would just want to give one last word of thanks to ReadyTalk, our webinar sponsor, for today, and
thanks to all of you for joining us. Have a great day.

Leave a Reply

Your email address will not be published. Required fields are marked *