Upgrade to Pro — share decks privately, control downloads, hide ads and more …

We, Surveilled and Afraid, in a World We Never Made

Dorothea Salo
October 11, 2018

We, Surveilled and Afraid, in a World We Never Made

Given for the Minnesota Library Association Annual Conference, 11 October 2018.

Dorothea Salo

October 11, 2018

More Decks by Dorothea Salo

Other Decks in Technology


  1. We, SURVEILL ED and AFRAID in a World We Never

    Made Dorothea Salo University of Wisconsin-Madison Information School Minnesota Library Association Annual Conference 2018 Photo: Jay Phagan, “Surveillance Cameras” https://www.flickr.com/photos/jayphagan/33870031091/ CC-BY, cropped, darkened, masked *REMEMBER TO VISIBLY CHECK ON WIRESHARK AFTER THE PROJECTOR IS WORKING BUT BEFORE THE TALK STARTS* *GO TO CAPTURE—>OPTIONS IF THERE’S TIME, CLICK ON WIFI OPTION AT BOTTOM. (DON’T CLICK START OBVIOUSLY, BUT CLICK CLOSE FAST SO THEY’RE NOT SURE WHAT YOU CLICKED)* Hi, everybody, and thanks for having me here. I believe it important to acknowledge that we gather today on land that belonged to and was wrongfully taken from the Ojibwe and Dakota peoples. My talk title is a riff on a rather strange and uncharacteristic A.E. Housman poem, and it caught my ear because of how we as a society are finally getting scared of this Jeremy Bentham surveillance panopticon world we somehow find ourselves part of, from surveillance cameras practically everywhere to pervasive and hard-to-escape surveillance online. No lie, I am afraid of the panopticon, surveillance and behavior tracking and Big Data and machine learning and A-I and all the rest of it. No lie, I am a librarian partly because our profession’s ethics statements say “we do not do the surveillance thing, it’s not cool and it’s not okay, we give people the surveillance-free mental space they need to think and learn and create.” A couple months ago, in fact, I had a viscerally angry reaction to someone’s innocent suggestion that I’m an information scientist rather than a librarian. In my head I was all “noooooooo, information scientists gave us behavioral ad tracking and browser fingerprinting and DoubleClick! Information scientists gave us Cambridge Analytica! I don’t identify with those creepy snoops! I am a LIBRARIAN, THANK YOU VERY MUCH, and WE ARE DIFFERENT.”
  2. “… a radically disembedded and extractive variant of information capitalism…

    can be identified as SURVEILLANCE CAPIT AL ISM.” —Shoshana Zuboff Photo: David Bleasdale, “surveillance” https://www.flickr.com/photos/sidelong/41562981290/ CC-BY, cropped Yet here I am, here we all are, stuck in this world, this world of what scholar Shoshana Zuboff calls “surveillance capitalism.” This world. This WORLD, Y’ALL. Where do I even start? Well, okay. I want to start by naming-and-shaming some characteristics of our current surveillance situation that I think are well beyond the ethical pale generally, never mind compared to librarian ethics. I’ll give examples, too, just to be a little clearer about what I mean.
  3. ENTIT L EMENT Entitlement. World plus dog thinks they’re somehow

    entitled to any data they can grab about me, and any data they can grab about you—any data they can grab about pretty much everybody. They don’t even ASK themselves if maybe, just maybe, they’re not entitled to know. “We CAN collect these data, therefore it must be okay to!” they say. “Nobody even knows we’re collecting these data, so who’s to object?” says every terms-of-service agreement everywhere, merely by being fifty gazillion pages of dense legalese. “It’s our business model, so that automatically makes it okay!” Gotta pay back those venture capitalists, that’s clearly the most important thing ever. “Surveillance is how we improve our service for our users!” Like, do these people believe the garbage coming out of their mouths?
  4. And obviously Facebook and Google are the easy targets here,

    their entitlement is appalling, but I want to sidestep to something more libraryish: Adobe. In twenty- fourteen, Adobe Digital Editions—that’s their ebook-reading software, I’m sure a lot of you have used it—Adobe Digital Editions got caught red-handed sending information about each of its individual users over the internet back to Adobe. Exactly what ebooks you opened, how much and which parts of each one you read, when you did that reading… all of that going back to Adobe. In what UNIVERSE is Adobe entitled to know this? Especially such that we can’t even tell them to stop? But they sure think they’re entitled to collect this data about our reading. Amazon’s just as bad, of course.

    LET YOU HAVE IT!”) Another bad thing that the entitlement fuels is sheer carelessness with data. Sure, let’s collect every piece of data we can imagine and then fire it indiscriminately all over the place, what could possibly go wrong? Why should we bother, I don’t know, asking people first? “But we took out the personally-identifiable information!” says every sketchy web tracker everywhere. Look. Y’all. The more data that’s collected on people, the less meaning P-I-I even has. With enough information about us, we’re all identifiable, it doesn’t even matter if our names and social-security numbers get taken out. And in this world of surveillance, that information absolutely exists. So careless sharing is a real danger to all of us.
  6. “But it’s public data!” skeevy sharers often say. That’s what

    OKCupid said, after publishing their users’ dating data. Well, after a fashion, yeah, but look, privacy is not a binary, okay? It’s more complicated than that, and we should be able to expect the services we use and the gatherers of our data to respect those complications. “But it’s REE-surch!” they also said. Like that justifies this. We have Institutional Review Boards—and I just went through an IRB process, it was hair-tearingly awful and I hated every minute of it—but we have IRBs because we KNOW not all research questions or research methods are okay, okay?
  7. SECRECY AND L IES And, you know, secrecy and lies

    also go right along with the whole entitlement thing—these nosy creeps will do ANYTHING to keep pretending they’re entitled to spy on us, so they keep secrets and tell lies about what they’re actually doing.
  8. Gizmodo, 26 September 2018 https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051 Fair use asserted My rule

    of thumb is, if somebody’s telling lies on the Internet, it’s probably Facebook. Kashmir Hill, who is a terrific journalist on the privacy and security beat, asked Facebook if they were letting advertisers get at, like, cell phone numbers and email addresses of people who didn’t even give Facebook that information, much less permission to use it. And Facebook said “nope, not us, we’d never”—and then Hill and some researchers proved it, whereupon Facebook finally, grudgingly admitted it. Let me say this again: FACEBOOK LIED TO A JOURNALIST ABOUT THIS. And that was AFTER trying to keep it secret.
  9. And then there’s GOOGLE. Our good buddy Google just got

    SO OWNED for fibbing. There’s this toggle in Google’s privacy settings to turn Location Sharing off, here’s what it looks like, and Princeton media researcher Günes Acar discovered that if you turn this setting off, as I have done, Google was still tracking your location! But wait, wait, it gets better! Vanderbilt researcher Douglas Schmidt also demonstrated recently that no matter WHAT your Google privacy settings look like, if you have an Android phone, it’s communicating your location to Google several times an hour. And look, this is not even CLOSE to the first time our good buddy Google has been owned. K-12 schools using Google Apps for Education caught Google building advertising profiles on children. Of course the whole time Google was saying children’s privacy was important to them. Yeah, right. That thing where the conference wifi auto-redirects to Google? Um… DuckDuckGo please? So, lemme ask, how many of y’all’s library websites use Google Analytics? Show of HANDS, please, come on, don’t be shy. (If few hands: Y’all. I’m talking about secrecy and lies here. Don’t think I don’t know a lot of you are fibbing by omission.) Google makes claims about the privacy of that data. I imagine at least SOME of you have investigated them. I just want you to ask yourselves: whatever those claims are, you believe Google about them why, exactly? Based on its track record, Google isn’t trustworthy.
  10. EXPLOITING POWER ASYMME T RIES And we can’t have this

    discussion without talking about power, okay? Our inability to escape surveillance has a lot to do with all the power that we as individual citizens, as Internet users, as librarians, as employees, as library patrons, as device owners, as students—hi students, glad you’re here!—all the power we don’t currently have.
  11. Law enforcement targeting activists of color, government agencies using black-box

    prediction systems that unfairly deny people services, there are hideous abuses of power fueled by surveillance. But I want to point out, probably not news to most of you, that just the ability to observe can create an exploitable power asymmetry. These screenshots came from Alex Halpern on Twitter, and it’s a conversation between Alex and some creep who asked a friend who works for a public library to look up Alex’s library checkout record. And then this creep tried to use that against Alex. More or less privately, yeah, but I can imagine ways to try to harm Alex publicly, and I bet you can too. Our professional ethics codes were designed to avoid exactly this kind of thing. We DO NOT use people’s information behavior against them, nor allow it to be used against them when we can avoid that.
  12. WILL ING COLLABORA TION Speaking of avoiding it, public librarians’

    resistance to the Patriot Act set librarianship pretty explicitly against corporations who just rolled over on their customers to United States federal enforcers—telecom corporations particularly, but they’re not the only ones. To be totally blunt about this, a lot of corporations are data quislings, they are collaborators (in the deal-with-the-devil sense of that word). When evil asks them to jump they just ask how high.
  13. Gonna just read this headline… {DO SO} Times like this

    I remember what “yahoo” originally meant, thank you Jonathan Swift…
  14. SURVEILLANCE CREEP And collaboration, in ALL senses of that word,

    is part of how we get what researchers call surveillance creep—the reuse and augmentation of existing data for new and sometimes nefarious purposes that weren’t originally planned for or even imagined. And social scientists say ruefully that surveillance creep is hard, if not impossible, to stop. In other words, expect any data you collect and store to be used for purposes you didn’t intend—and maybe wouldn’t approve of.
  15. After all, this is kind of how we got to

    Cambridge Analytica, right? Supposedly they and Facebook were collecting silly quiz data because silly quiz data, or maybe because advertising. Ha ha, joke’s on us, Cambridge Analytica was trying to use the data to throw elections! Whether they were successful or not, and that one’s debatable, just the idea that using people’s data to manipulate them at scale is not only possible, but in fact COMMON—this article here is about marketers doing it—this should maybe give us pause about data collection.

    The utter indifference to the harm they’re doing, whether it’s Cambridge Analytica or Uber or Facebook or Google or Twitter, I can’t get over this. It’s so stark, and so awful.
  17. SERIOUSLY, FACEBOOK?! Facebook didn’t care that it was letting anti-Semitic

    and white-supremacist organizations target ads to more of the same. They DID NOT CARE they were helping people attack other people, until it became an image problem for them. That sweet, sweet ad money their surveillance gets them, that’s all Facebook cared about.
  18. This is not the or wanted. we made So, this

    is not the world we made or wanted. We actually wrote a whole ethics code for ourselves back in nineteen-thirty-nine in part to AVOID this kind of world!
  19. This is still the live in. our patrons must …

    and if you don’t like this world and wish it were different, I am RIGHT THERE WITH YOU.
  20. There are twelve regional public library systems in Minnesota, thank

    you Minnesota Department of Education website. Let’s ask a really basic online security and privacy question. How many of these twelve public library systems serve up their websites securely? Don’t, like, yell out a guess or anything, that’s rude, but look, H-T-T-P-S is basic web privacy hygiene now… and the public-library sector generally is known to be lagging badly at it, which is why I ask.
  21. X X X X X ? Here’s your answer. When

    I checked, I found six secure websites, good job and thank you, y’all… *CLICK* one misconfiguration—no worries, it happens, at least they’re trying!—and *CLICK* five that are still insecure. FIVE. Y’all!
  22. CAREL ESS SHARING This is what careless data sharing looks

    like in the real world of Minnesota libraries. I’m sorry but it’s true.

    ALL TEXT, IMAGES FROM INSECURE WEBSITES So what? you might be wondering. Okay, fair enough, I’m going to demo a piece of free open-source software called Wireshark for you. *CLICK* Wireshark is what’s called a packet sniffer, or network traffic analyzer if you’re feeling fancy. *CLICK* If you turn Wireshark loose in what’s called “promiscuous mode” on a local network such as a wifi network, *CLICK* Wireshark copies and saves all the information bouncing through that network from all the different phones and tablets and computers connected to it, okay? Including web traffic, email traffic, chat, mobile apps that use the network, whatever. And if a website is not being served securely—like, it’s coming from one of those five still-insecure library websites I just showed you? *CLICK* Wireshark captures absolutely everything the person who surfed to that site is seeing, all the text, all the HTML, all the images, everything. So I, as the Wireshark user hanging out on the wifi, can trivially snoop on people using insecure websites.
  24. Here’s a canned screenshot of what that looks like, it’s

    from a Wireshark lab I have students do in my new information-security course. If you’re close enough and you squint a bit you can see the actual HTML of a web page in Wireshark’s bottom pane. So straight from Wireshark I can see every single thing about this page that the web browser of the person using this site sees. But I promised y’all a demo, right? I actually booted up Wireshark when I came into the room today, and I’ve been capturing Internet traffic on the conference wifi I’m attached to ever since. So hey, we can all take a look at what websites we’ve been surfing to on our phones and laptops during lunchtime keynote at Annual, okay? All of us, unless you’re using a VPN my Wireshark knows where you’ve been, and if you’ve been surfing to insecure websites, my Wireshark knows exactly what you saw there. So let’s look at that. Let me just exit out of my slides here, and pull up Wireshark…

    BLANK SLIDE.* Okay, look. I did not actually do that. I did have Wireshark running, but I didn’t capture any traffic with it, because that would be a terrible violation of y’all’s information privacy. I’m a librarian. I do my level best to operate according to our professional ethics. So I wouldn’t do that, and I didn’t. Even that Wireshark screenshot I showed you was from my own home wifi when nobody but me was using it.

    like you to check in real quick with how you’re feeling right now, okay? I won’t tell you how to feel, I don’t have the right, but see if any of the words I’m throwing up here strike a chord with you. And I ask you to remember how you’re feeling. Maybe look around and gauge how other people seem to be feeling. Beyond this talk, beyond this CONFERENCE, remember how information surveillance made us feel, please. And remember we do NOT want to make patrons in our libraries feel any of these ways; isn’t library anxiety already bad enough? Beyond all the highfalutin’ rhetoric about ethics and intellectual freedom and stuff—that’s a big reason we drew a line in the sand in nineteen thirty- nine about surveilling our patrons.
  27. INDIFFERENCE T O HARM I apologize for scaring you. Unlike

    Facebook or Google or Cambridge Analytica, I am not indifferent to the harm I just caused, and I am sorry for it. It was the best way I could think of to get people really feeling website and network security, instead of thinking it’s yet another obscure annoying techie argument. But I’m still sorry, even as I wrote this into my slides I knew it was a shabby trick. I hope you’ll forgive me.
  28. Photo: Paul Sableman, “Neighborhood Association Cornerstone - Erected 1927 A.D.”

    https://www.flickr.com/photos/pasa/8604904182/ CC-BY, cropped But let me also suggest that fundamentals like website security are the cornerstone of present-day privacy in libraries, okay? Defending our patrons against well-known information-surveillance threats like packet sniffing is fundamental. Information security in general IS FUNDAMENTAL. If we can’t get the fundamentals right, we librarians don’t have much business bragging on ourselves about privacy.
  29. Photo: Pru Mitchell, “Library gate” https://www.flickr.com/photos/pru/14467143883/ CC-BY, cropped A while

    ago, I was talking with an academic-librarian friend of mine at an event we were both attending. She told me about another librarian at her library who was THRILLED to be able to tap into data from ID-card swipes at the library gates. “Just think,” this other librarian said, “we can know exactly who they are and what they’re majoring in before they even approach the ref desk!” And when my friend gently suggested that this might be a privacy problem? The librarian scoffed and said, “Oh, they won’t even know, so it’s fine.” Let’s take this story apart a piece at a time.
  30. ENTIT L EMENT “Just think, we can know exactly who

    they are and what they’re majoring in!” Without doing students the basic courtesy of asking, nor allowing them to decide not to tell us. That’s entitlement.
  31. EXPLOITING POWER ASYMME T RIES “Before they even approach the

    ref desk!” That library has the power of surveillance, of observation and identification, over those students, and there’s probably nothing the individual students can do about it. And my friend’s librarian colleague apparently thinks exploiting that power asymmetry is peachy-keen.
  32. SECRECY AND L IES “Pssh, they won’t even know it’s

    happening, so it’s fine!” *PAUSE* It’s not fine. This is NOT FINE. That world where we’re all surveilled and afraid? That world we’ve historically been proud of NOT contributing to? This is what libraries actively contributing to a world of surveillance looks like, folks, and keeping it secret only makes it worse. And where, you might well ask, where is this library with this librarian who apparently learned ethics from Facebook, Adobe, and Google rather than the ALA or library school?
  33. Photo: Teresa Boardman, “Minnesota State Capitol” https://www.flickr.com/photos/tboard/1356990933/ CC-BY, desaturated, cropped

    Minnesota. Minnesooooooooota. Sorry, folks, disappointing but true. You might have legitimately guessed Arizona, but no, my librarian friend and their colleague are from Minnesota. “The students won’t know, so it’s okay.” I just. What is that I can’t even. Moving on…
  34. As I was poking around Minnesota library websites, I came

    across M-N-link, which I’m guessing needs no introduction in this room. Secure website, by the way, so good job there, Minitex. I clicked links but mostly couldn’t get places because I’m not a Minnesota resident or library-card holder, which I kind of expected, so okay. So I clicked on the Tutorials link under More Resources, suspecting THAT at least would be locally-created and I’d be able to see it, and yay! I was right.
  35. And on the tutorials page I noticed my uBlock Origin,

    the ad- and tracker blocker I have installed in my browser, posting a total of twenty-five advertising and surveillance-type things blocked on the page. Twenty-five is kind of a lot? Especially for a library website? Huh, I muttered to myself, and clicked on uBlock Origin’s icon to see what was going on.
  36. And then I muttered something under my breath which I

    will not repeat here, this being a family conference. I blew this up as big as I could, but wow this is a big room, so. Doubleclick dot net. DOUBLECLICK is being allowed to load something onto M-N-link’s tutorials page. I don’t know what, I don’t even CARE what, this is a thing that should not be. Doubleclick is one of the Four Horsemen of the Online Surveillance Ad-pocalypse, okay? Minitex. MI-NI-TEX. How did this get past you? I know you’re better than this!
  37. And I don’t mean to belabor this point about library

    websites and the surveillance world we live in, but stuff just kept happening and I kept cussing under my breath and I’m gonna include you in my pain, okay? This is the home page for the Great River Regional Library system, headquartered here in town. Also secure, so thank you for that. But I’ve got my uBlock window open again, so brace yourselves.
  38. Google Analytics, of course, but check THIS out, ad-n-x-s dot

    com. Ad Nexus. The company itself is called App Nexus, and hey, it just got bought out by AT&T, which of course has a STERLING record in protecting people’s privacy, it didn’t roll over on its customers to the NSA at all! Ad Nexus should reeeeeeally not be here.
  39. It’s not like App Nexus even makes a secret of

    being in the business of surveillance for marketers, y’all. Look at this, straight off their home page, how shameless is that eye—graph—thing? And check their verbiage out: (READ THE LITTLE PARA.) So, they brag on how transparent they are—to buyers and sellers of advertising. The people they’re tracking across the web, including on Great River Library’s website, don’t… apparently… matter? Or need transparency? Or something.
  40. CAREL ESS SHARING Now, I’m sure nobody at Minitex or

    Great River Library thinks to themselves “hey, today I’ll go to work and feed all our patrons into the surveillance-capitalism panopticon! that’ll be greeeeeeeeat!” This is likely to be careless sharing. To which I say, we could stand to be more careful about this?
  41. WILL ING COLLABORA TION But I also think there’s an

    argument that lack of intent is not magic. In effect, Minitex, Great River Regional Library, and all y’all using Google Analytics are collaborating, in the deal-with-the-devil sense of that word, with corporate surveillance. Because it’s convenient, right? Google Analytics is just so very convenient. *PAUSE* So, convenience is all surveillance capitalism has to pay to buy patron privacy off libraries? Huh. If y’all haven’t done so already, please install an anti-tracker plugin in your favorite browser. It doesn’t even have to block stuff if you don’t want it to, I just NEED y’all to become more aware of behavioral tracking online. I’d be even happier if you installed uBlock on all your patron-facing machines in your library. If you need to convince anybody in IT, tell them it’ll cut way down on bandwidth costs—happens to be true!
  42. Here’s another carnival of funhouse surveillance mirrors for your enjoyment

    today. It’s called “learning analytics” and it’s a big honkin’ deal in some colleges and universities these days. Learning analytics is about surveilling students, emphatically including their information behavior. Who they are, what they do online, what they do offline, what they do IN class, what they do out of it. Basically anything students do, some learning analytics project somewhere wants to record it and analyze it. And colleges and universities doing learning analytics want their libraries to join in the fun!
  43. And this is where it’s appropriate for me to declare

    that I have a dog in this hunt, and this is it: I’m part of a research project funded by the Institute for Museum and Library Services that’s going to ask students what they think about academic libraries participating in learning analytics initiatives. I hear a lot of people say “nobody cares about privacy!” I don’t actually believe that, and current research in non-library contexts aligns with me. But, either way, shouldn’t we KNOW? So the Data Doubles team is aiming to go find out. By the way, if any of you are coming to LITA Forum in the Twin Cities next month, hi, I’ll see you there, and I want you to know that Jenica Rogers of SUNY-Potsdam is speaking about her experience finding out what students THERE think of all this. I’ll be in that audience with bells on, and if you’re going, it’d be great if you were there too.
  44. Photo: Plings, “plings_005” https://www.flickr.com/photos/plings/4453697565/ CC-BY, cropped Okay, so. Let me

    walk you through one real-world library-based learning-analytics research project, okay? Just to give you a sense of how it works.
  45. ALL first-year undergraduates, surveilled through their ENTIRE TIME at the

    school. First, let’s talk about the research population studied. It was an entire cohort of first-year undergrads at the school, and the researchers surveilled them in various ways throughout their time there.
  46. SECRECY AND L IES As far as I can tell

    from what’s been published, these researchers offered no way for any student in the cohort to opt out of this research. Heck, it looks to me like they didn’t even really tell the students it was happening, much less ask them whether they were okay with it.
  47. EXPLOITING POWER ASYMME T RIES And look, even if the

    researchers had said something, think back to how YOU felt as a brand-new undergrad. Overwhelmed, small, and scared, if you were anything like me. So some librarian researcher comes up to you saying “we wanna watch you like a bug under a microscope, is that okay?” Of course you’re not gonna say no, much less “ew, gross, stay out of my life!” You’re feeling overwhelmed, small, and scared and here’s this authority who wants something from you! This is exploitation of power asymmetry in a nutshell. And while I’m mentioning it, power asymmetry is what allowed those researchers to get away with NOT EVEN TELLING STUDENTS that what they did in the library was being turned into data.
  48. Race/ethnicity Socioeconomic status (via Pell Grant data) Gender On/off campus

    First-generation status University division Incoming SAT/ACT scores Age range Part- or full-time status Here’s the data the researchers got about everyone in the cohort from the university records folks. (READ THE LIST.) Already we’re pretty deep into creepy territory, I think? Especially when there’s been no notice or consent. I want y’all to notice, too, that combining all these characteristics plus the cohort entry year, which has been published, it’s gonna be pretty trivial to reidentify a WHOLE LOT of these individual students by name—heck, gimme five minutes on LinkedIn and I’ll get you some of them. Not that these researchers actually seemed to care about that, mind you—they kept actual campus identifiers for the students throughout their research—but if their dataset ever leaks, things will get real ugly real fast.
  49. # library (e)book checkouts # and date(s) of library-computer logins

    # library databases accessed # academic journals accessed Appointments with peer tutors Chat reference transactions Interlibrary loan transactions Participation in first-year seminar programs And here’s what the researchers tracked about the individual students during their time at the school. (READ THE LIST.) (N.B. library computer logins are a form of geolocating students, which is creepy all by itself.) Wow, so, okay, that’s a lot. And in their publications the researchers actually lament that they couldn’t get more.
  50. # of classes attended with library instruction Term GPA Cumulative

    GPA 4-year graduation rate YIKES! But wait, wait, I’m not even done yet, I couldn’t fit it all onto one slide! These researchers also captured (READ THE LIST). *CLICK* If you’re not creeped out about this level of information-behavior tracking happening to you or your child or cousin or sibling or nibling, without their knowledge and consent, I don’t even know what to tell you, except that I SURE AM. And if you wouldn’t be even a little bit leery of walking into this library or visiting it online, knowing it was tracking all this stuff about you, I don’t even know what to tell you, except that I wouldn’t set foot or mouse-click in this library for love or money if I could avoid it.
  51. 2. The privacy of library users is and must be

    inviolable. Policies should be in place that maintain confidentiality of library borrowing records and of other information relating to personal use of library information and services. Maybe just one more thing, too. This is directly from the ALA’s Intellectual Freedom Principles for Academic Libraries. It starts out, “THE PRIVACY OF LIBRARY USERS IS AND MUST BE INVIOLABLE.” *pause* Welp.
  52. ENTIT L EMENT You might be asking yourself right now,

    “Who TOLD these people they were entitled to do this?” And I get it, I hear you, this whole thing reeks of entitlement, but look, you have to turn it around: until me? right this minute? Nobody said they couldn’t or shouldn’t, is my bet. I mean, except their professional ethics codes, and *pssh* who reads those, right?
  53. WILL ING COLLABORA TION And there are a lot of

    people who could have told them no. Their library administrators. Their institutional administrators. Their institutional lawyers. Maybe their Institutional Review Board, though as best I can tell their IRB never even saw this. Their institution’s records managers. Their IT and data people. The editors and peer reviewers at the journals where they’ve published about this. Our professional organizations. Best I can tell, nobody who could have said “no, rethink this” actually did. That makes an awful lot of people collaborators in surveillance. Nothing about surveillance is ever gonna change until somebody somewhere starts saying no, y’all.
  54. SURVEILLANCE CREEP This is also classic, classic surveillance creep. None

    of the pre-existing data this research used was collected for that purpose, and a lot of the data they DID intentionally collect, it either isn’t normally collected or isn’t used for research! But they could, and nobody told them no, so they did, and it sure looks to me like they didn’t think twice. I don’t think that’s a healthy precedent at all. Where, you might well ask, did this research happen? Where is the academic library that thinks this is okay?
  55. Photo: Teresa Boardman, “Minnesota State Capitol” https://www.flickr.com/photos/tboard/1356990933/ CC-BY, desaturated, cropped

    Minnesota! Minnesooooooooota. Sorry, disappointing but true. It’s not hard to find; as I’ve mentioned, the research team has published about it several times. I’m not going to tell y’all exactly what you should think about that, much less what you should DO about it. I don’t have that right. I’m just going to beg you to THINK ABOUT IT, as librarians who are different from Facebook and Google and Cambridge Analytica. *CHECK TIME. IF >10 MINUTES LEFT:* Also as educators, those of us who are. I’m an instructor and a student advisor. I work with students from oppressed and outlier populations, I work with students who are vulnerable, I work with students who are in active crisis, I work with students who for good and cogent reasons don’t trust the larger university I work for. And here’s what I want to say about this research as an instructor and advisor—I need my students to trust me, or I can’t do my job. This means I need researchers not to be indifferent to the harm they can do by undermining that trust. I’m pretty upset about this research, I won’t lie, and anyway it’s probably obvious, right? But I have reasons for how I feel beyond the purely abstract.
  56. We, SURVEILL ED and AFRAID in a World We Never

    Made Photo: Jay Phagan, “Surveillance Cameras” https://www.flickr.com/photos/jayphagan/33870031091/ CC-BY, cropped, darkened, masked aren’t preventing, and sometimes buy into or even facilitate! So, this is where we’ve landed as a profession, I think. We’re suspicious and scared of surveillance, as we should be. But what we can’t do, I hope I’ve convinced you, is deny that we are part of this world of surveillance. We ARE part of it, just as much as Facebook and Google and Cambridge Analytica and Adobe. Some of us have even bought into it whole-hog! We’re actually NOT so different.
  57. Photo: La Vladina, “Shut Up, take 3” https://www.flickr.com/photos/ danielavladimirova/6234626228/ CC-BY,

    cropped But even those of us who fear and loathe surveillance mostly haven’t done much about it, and I include myself in that. Silent partners in the surveillance state. Dunno about you, but that’s not what I went to library school to do.
  58. Photo: mslavick, “No!” https://www.flickr.com/photos/supernintendo_chalmers/3827043121/ CC-BY, cropped They say “no” is

    a complete sentence. Maybe when we see one another taking dumps on privacy, pardon my language, we yell NO. It could be that simple!
  59. Photo: Zeev Barkan, “Fine art vs. documentary photographs” https://www.flickr.com/photos/zeevveez/7095563439/ CC-BY,

    cropped But, you know, asking questions can be easier, and I think that’s a big part of what we can all do about this. Ask questions, when you’re feeling some patron surveillance coming on at your library. “Are we actually entitled to collect or use this data? Shouldn’t we just delete it? How are we going to tell our patrons this is happening? Isn’t this surveillance creep? What harm could come to our patrons from this?” Ask, and keep asking.
  60. Photo: Paul Sableman, “Neighborhood Association Cornerstone - Erected 1927 A.D.”

    https://www.flickr.com/photos/pasa/8604904182/ CC-BY, cropped And part of this is going back to fundamentals, to privacy cornerstones. For example, ALA has an amazingly great how-to on library privacy audits, which are not by any means a new idea; they just take on new importance in the shadow of the digital panopticon. Now, I realize and respect that a lot of us in this room are feeling unprepared for this technically. I won’t ask you to raise your hands, but hey, I’m betting this is the first a lot of you have ever heard of Wireshark. It’s okay, I’m not mad at you, nobody’s born knowing this stuff. But it does mean we have a lot of each-one-teach-one to do in our profession about the fundamentals of information security. I just want to reassure you that I myself have only been boning up on infosec for a little over a year. If I can pick up a baseline understanding that fast, I definitely think lots more of us can.
  61. Photo: Teresa Boardman, “Minnesota State Capitol” https://www.flickr.com/photos/tboard/1356990933/ CC-BY, cropped So

    let’s get started right here in Minnesota. This is my closing challenge to all of you here: make Minnesota the national example of doing twenty-first-century library privacy right! Lead the whole country! Don’t be afraid, spit in surveillance’s eye! Eye—graph—thing. Now, y’all maybe have a ways to go to get there, but you’re not alone—we all do. Could I have come up with Wisconsin examples today? Oh, I SO could have. And in spite of the examples I used today, I believe in you. I believe in you! Make this happen, Minnesota!
  62. Photo: Teresa Boardman, “Minnesota State Capitol” https://www.flickr.com/photos/tboard/1356990933/ CC-BY, darkened, cropped

    Thank you! Copyright 2018 by Dorothea Salo. This presentation is available under a Creative Commons Attribution 4.0 International license. Please respect licenses on included photos. And my best wishes to you. Thank you.