Pro Yearly is on sale from $80 to $50! »

Protecting Patron Privacy on Library Computers

Protecting Patron Privacy on Library Computers

Given at Library Technology Conference 2014, Minneapolis MN. Available under a Creative Commons 4.0 Attribution license.

837b357dc46c47fc99560e03b8841a27?s=128

Dorothea Salo

March 19, 2014
Tweet

Transcript

  1. PROTECTING PATRON PRIVACY ON LIBRARY COMPUTERS Dorothea Salo University of

    Wisconsin-Madison http://pinboard.in/u:dsalo/t:libtechcon
  2. The only URL to write down •http://pinboard.in/u:dsalo/t:libtechcon •Every tool and

    website I will mention in this presentation is on that list. Promise!
  3. I always feel like somebody’s watchin’ me! •(many 1980s points

    to anyone who can source the slide title) •That would be because somebody is, on the Internet. Guaranteed. •Lots of somebodies, in fact... •Our friends at the National Security Agency, along with who knows what other nation-level traffic snoops •Our friends at Facebook and other social-media properties (but especially Facebook) who pay their bills by selling personal and behavioral information •Our friends at Google, increasingly •Our marketing friends, who love to track our peregrinations across the web •Our black-hat hacker un-friends
  4. How did the NSA get all that data without the

    public realizing? •(via Ars Technica, http://arstechnica.com/tech-policy/2013/09/let-us-count-the-ways-how-the- feds-legally-technically-get-our-data/ Categories mine.) •Social engineering •A company volunteers to help (and gets paid for it) •A company complies under legal duress •Spooks infiltrate a company •Spooks coerce upstream companies (and standards agencies?) to weaken crypto in their products/install backdoors •Actual technology breakage •Spooks copy the traffic directly off the fiber (sometimes without owner’s knowledge) •Spooks brute force the crypto •Spooks compromise a digital certificate •Spooks hack a target computer directly, stealing keys and/or data; sabotage.
  5. Well, so what? •Code of Ethics of the American Library

    Association: III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted. VI. We do not advance private interests at the expense of library users, colleagues, or our employing institutions. •Does this include patron Internet access? Well, why wouldn’t it?
  6. IN OTHER WORDS, PROTECTING THEIR PRIVACY IS OUR JOB.

  7. Some caveats, first •We can’t stop all surveillance efforts. •It’s

    not like we’re going to deep-sea-dive to prevent data from being lifted off overseas fiber! •Interdependence is the nature of the Internet; we don’t have much choice but to trust some possibly-untrustworthy actors. •We can’t always stop people from compromising their own privacy and security, sometimes in really amazingly thoughtless ways. •You have my blessing not to fix all the things! •I don’t think that’s license to throw up our hands and do nothing. I hope you agree.
  8. Questions to ask about available strategies •What/whom does this protect

    against? •How much will this disrupt the patron experience? The librarian’s day? •The ideal: nobody notices, but everybody is safer. •How much care and feeding does this take? •Installation and upgrading •Support •For some strategies, bandwidth •Can a librarian turn this off? A patron? •The correct answer is ideally “yes, but you won’t want to.”
  9. RIGHT. OKAY. HOW DO WE DO THIS?

  10. A taxonomy of strategies (strictly for convenience) •Passive strategies •Informational

    strategies •Blocking strategies •Encryption strategies •Advocacy strategies •These are not mutually exclusive! Nor is there a one-to-one relationship between a specific strategy and these categories.
  11. PASSIVE STRATEGIES no special software required

  12. Patching and upgrades •I know it’s annoying. I know it’s

    expensive. I know it’s time- consuming, including the time to learn the new version. •Do it anyway. Including for any browser plugins you install. •Black hats love to pwn older software. •So do spooks. •Red alert: if you’re using any software that’s gone past its last support date. This is hideously dangerous. Don’t do it! •If your IT shop is recalcitrant about patches and upgrades... this is actually a hill you DO want to die on.
  13. Don’t keep data! •The spook hasn’t been born who can

    misuse nonexistent data. •So don’t keep data whenever you can avoid it. •Patron-specific circulation data (we’re used to this) •Chat-reference logs •Access data on electronic resources, especially if tied to an individual patron •Behavior data on patron computers, e.g. use logs, browser caches, browser history, search logs. Return computers to a neutral state as often as feasible. •Website behavior data (I know, I know!) •Keep (as little) aggregate data (as possible) when you have a specific need for it. Otherwise, pitch that too! •You never know when “reidentification” strategies will bite someone.
  14. Real-world situation: Georgia State e-reserves lawsuit •Three publishers alleged that

    GSU’s electronic reserves violated their copyright. •Among other things in the ruling (my paraphrase): “If students didn’t read it, copyright wasn’t infringed.” •I have my doubts this will hold up on appeal (IANAL), but even so... •... doesn’t that mean that if publishers can’t prove students read anything, it’s harder for them to prove infringement? •If so, that means forget about student analytics, delete course-management system logs!!!!!! •(“Student/learning analytics” is getting to be stunningly creepy anyway. School and academic librarians, we should be questioning this movement.)
  15. Don’t use social-media web bugs on the library website! •That

    Facebook Like button? Is a web bug. •If a patron is logged into Facebook, Facebook records pages they browse that have Like buttons on them. Even if the patron never clicks Like! •Facebook swears it doesn’t track logged-out users any more. That they once did inclines me not to believe them. •And Facebook is just the one we happen to know about. •Getty embedded-image program: includes surveillance by web bug! •If you must have social-media buttons in the more social parts of your web presence, okay, I can’t stop you. •But not in your OPAC! Not ever! Hat tip: Sarah Houghton-Jan
  16. Policy and staff education •This is the only social-engineering defense

    that stands a chance of working. •It’s not a big chance, mind you... •Write clear policy and procedure about who can have what data when, and after what formalities. •Train staff on it. With role-playing exercises. •Trust me, you are doing them a favor. Social engineering is used to attack private individuals all the time! •Write clear policy and procedure on data retention or (ideally) lack thereof. •This is just common cover-your-posterior sense.
  17. “Do Not Track” browser setting •It’s pretty much useless. •Set

    it in your default/neutral browser configuration anyway.
  18. Change default search engine •Google tracks everything. Don’t default to

    it! •Browsers let you change the default site searched with the browser search bar, or via the URL bar. •Better option: DuckDuckGo •Better option: Ixquick •Patrons may notice the difference; leave a spiel at the ref desk.
  19. Other browser settings •Do not let the browser keep passwords.

    •Do not let the browser keep history. •Wiping at the end of a session is fine. •Do not let the browser share location information without informing the patron. •If your bandwidth can stand it, turn browser caching off. •If patrons notice slow browsing, then let the browser cache, but set it to delete the cache on quit. •Shortcut to a lot of this: “private browsing” mode by default.
  20. None
  21. screenshot courtesy zemkat

  22. IE browser settings screenshots courtesy zemkat

  23. INFORMATIONAL STRATEGIES

  24. Showing tracking in action •Check your profile in Google Ads:

    https:// www.google.com/settings/ads •(for best results, log into any Google account you have first; or compare logged-in and logged-out states) •Pretty creepy, huh? Yeah. Thought so. •There’s a few teensy opt-out links toward the bottom of the page. Go ahead and use them. (I’ll wait.) •Now go and show this to others! (And imagine Facebook’s. Shudder.) •Glutton for punishment? •http://juliaangwin.com/privacy-tools-opting-out-from-data-brokers/ Hat tip: Stephen Francoeur
  25. Warrant canaries •Invented by librarian Jessamyn West! •http://www.librarian.net/technicality.html •A sort

    of dead-man’s-switch for surveillance. •It may be illegal to tell a patron they’re being surveilled (Patriot Act)... •... but is it illegal to tell them they’re not? Or, um, stop telling them they’re not? •Important caveat: we don’t actually know. Nobody’s taken a warrant canary to court yet. •Useful publicity stunt as part of education? •Also, watch warrant canaries from service and equipment providers.
  26. Apple’s warrant canary

  27. tosdr.org •Browser plugin “grades” website TOSes. •Couple this with an

    education campaign... it’s easy to miss.
  28. Lightbeam Hat tip: Myron Groover

  29. Password managers •Makes and stores strong passwords that you don’t

    have to remember. You just have to remember your password manager’s password! •You probably can’t implement these in your library... •... but you CAN and SHOULD evangelize them! •Solid choices: •LastPass (Win, Mac, Linux, iOS, WinMobile, Android, BlackBerry) •1Password (Win, Mac, iOS, Android) •KeePass Password Safe (open-source, cross-platform)
  30. BLOCKING STRATEGIES ...in rough order from least intrusive to most

  31. Privacy-protecting browser plugins •Typically block trackers, tracking cookies, marketing/social media

    “web bugs” •They do not block ads! They do help keep ads from damaging privacy. •Several available, e.g. •Ghostery: ghostery.com •DoNotTrackMe: dnt.abine.com •Disconnect: disconnect.me •In my experience, when these are working well they are completely unobtrusive. •Test first! I personally have had Ghostery issues on Firefox/Mac. •Leave “how to disable” instructions at the ref desk, just in case.
  32. Ad blockers •There’s an intellectual-freedom argument against ad blocking; I

    get that. •If you decide against ad blockers on that basis, we’re still friends. •I do not buy the “but our site is paid for by advertising!” argument. Not in libraries. •ALA Code of Ethics VI •The winner and still champ: getadblock.com •Add EasyList for automatic blocking of many ads. •Patrons may notice... usually in a good way! •Training/tech support: Suggest installing an adblocker in the browser of an Internet-naïve or otherwise scam-vulnerable person.
  33. Cookie managers •Unobtrusive when used to delete cookies at session-end.

    •Most browsers have a preference for this anyway, but a few don’t. •Mostly unobtrusive when used to block so-called “third-party cookies.” •I won’t swear you won’t run into the occasional issue, however. •Very obtrusive when used to block all cookies preemptively. I don’t recommend this. •Cookie Monster (Firefox): addons.mozilla.org/en-US/ firefox/addon/cookie-monster/
  34. Only if you want your reference folks doing nothing but

    tech support! screenshot courtesy zemkat
  35. Flash and Javascript blockers •These are 100% guaranteed to disrupt

    patron experience of the web. •I therefore cannot recommend them for daily use. They are the nuclear option! •That said... noscript.net (Firefox), javascript- blocker.toggleable.com (Safari) •Flash: FlashBlock (Firefox, Chrome)
  36. Java •Ugh. Just ugh. •I’m in the “don’t even install

    it; uninstall it if it’s there” camp. •Big caveat: web conferencing, including Adobe Connect and Elluminate/Blackboard, often depends on it. •So if you must have it, don’t let it auto-run anything ever.
  37. ENCRYPTION STRATEGIES

  38. Wired computer connections •Hate Ethernet cable clutter? Thinking of going

    wireless on your patron machines? •Don’t. •All else being equal, wired is more secure than wireless.
  39. Wireless encryption •Snooping unencrypted wireless traffic is TRIVIAL. •ENCRYPT LIBRARY

    WIRELESS. Talk to your nerds about this. •WPA2 is better than WPA, which is better than WEP, which is (marginally) better than nothing. •... they’re all kind of bad, honestly. But it’s what we have. •“Coffeehouse wifi” may be most practical: one prominently-posted username/password combo •(This is lousy security. But again, it’s the better-than-nothing scenario. With WPA, this doesn’t actually mean that wireless users on your network can snoop other wireless users’ traffic.)
  40. HTTPS Everywhere •Browser plugin (Firefox, Chrome, Opera) that automatically sends

    patrons to the secure version of any website that has one •Completely unobtrusive •https://www.eff.org/https-everywhere
  41. The Onion Browser (TOR) •Foils attacks based on analyzing net

    traffic •Routes bits and bytes through a labyrinth •Will slow down browsing appreciably! •Probably overrides web-filtering software, if you’re using it (hint, hint) •Does help create “herd immunity” to surveillance, however. •Not quite the nuclear option, but... rocket-launcher option, maybe?
  42. ADVOCACY STRATEGIES

  43. Against the spooks •ECPA reform •Electronic Communications Protection Act. Theoretically

    protects email; in fact, exposes it. •Patriot Act reform •Especially against National Security Letters, associated gag orders. •NSA reform •Two-pronged effort here: legal restrictions and NSA-resistant technology (and technology companies)
  44. Against marketing tracking •Consumer privacy protection law •... pinch me,

    I’m dreaming here •But other countries have done it! •State-level legislation is another possibility; watch California.
  45. Organizations going our way •Electronic Frontier Foundation: eff.org •Public Knowledge

    (yes, really): publicknowledge.org •Fight for the Future: fightforthefuture.org •Demand Progress: demandprogress.org
  46. Websites to watch •Ars Technica has excellent coverage of technology

    law. •Techdirt, if you can stand the snark and casual sexism and ableism. •ARL Policy blog: policynotes.arl.org •About much more than privacy, but I consider that a feature, not a bug!
  47. Thanks! And be careful out there. This presentation is available

    under a Creative Commons 4.0 Attribution United States license.