$30 off During Our Annual Pro Sale. View Details »

We, Surveilled and Afraid, in a World We Never Made

We, Surveilled and Afraid, in a World We Never Made

Given for the Minnesota Library Association Annual Conference, 11 October 2018.

Dorothea Salo

October 11, 2018
Tweet

More Decks by Dorothea Salo

Other Decks in Technology

Transcript

  1. We, SURVEILL
    ED and AFRAID
    in a World We Never Made
    Dorothea Salo
    University of Wisconsin-Madison Information School
    Minnesota Library Association
    Annual Conference 2018
    Photo: Jay Phagan, “Surveillance Cameras”
    https://www.flickr.com/photos/jayphagan/33870031091/
    CC-BY, cropped, darkened, masked
    *REMEMBER TO VISIBLY CHECK ON WIRESHARK AFTER THE PROJECTOR IS WORKING BUT BEFORE THE TALK STARTS*

    *GO TO CAPTURE—>OPTIONS IF THERE’S TIME, CLICK ON WIFI OPTION AT BOTTOM. (DON’T CLICK START OBVIOUSLY, BUT CLICK CLOSE FAST SO THEY’RE
    NOT SURE WHAT YOU CLICKED)*

    Hi, everybody, and thanks for having me here. I believe it important to acknowledge that we gather today on land that belonged to and was wrongfully taken from the
    Ojibwe and Dakota peoples.

    My talk title is a riff on a rather strange and uncharacteristic A.E. Housman poem, and it caught my ear because of how we as a society are finally getting scared of this
    Jeremy Bentham surveillance panopticon world we somehow find ourselves part of, from surveillance cameras practically everywhere to pervasive and hard-to-escape
    surveillance online.

    No lie, I am afraid of the panopticon, surveillance and behavior tracking and Big Data and machine learning and A-I and all the rest of it. No lie, I am a librarian partly
    because our profession’s ethics statements say “we do not do the surveillance thing, it’s not cool and it’s not okay, we give people the surveillance-free mental space
    they need to think and learn and create.”

    A couple months ago, in fact, I had a viscerally angry reaction to someone’s innocent suggestion that I’m an information scientist rather than a librarian. In my head I was
    all “noooooooo, information scientists gave us behavioral ad tracking and browser fingerprinting and DoubleClick! Information scientists gave us Cambridge Analytica! I
    don’t identify with those creepy snoops! I am a LIBRARIAN, THANK YOU VERY MUCH, and WE ARE DIFFERENT.”

    View Slide

  2. “… a radically disembedded and extractive variant of
    information capitalism… can be identified as
    SURVEILLANCE CAPIT
    AL
    ISM.”
    —Shoshana Zuboff
    Photo: David Bleasdale, “surveillance”
    https://www.flickr.com/photos/sidelong/41562981290/
    CC-BY, cropped
    Yet here I am, here we all are, stuck in this world, this world of what scholar Shoshana Zuboff calls “surveillance capitalism.” This world. This WORLD, Y’ALL. Where do I
    even start?

    Well, okay. I want to start by naming-and-shaming some characteristics of our current surveillance situation that I think are well beyond the ethical pale generally, never
    mind compared to librarian ethics. I’ll give examples, too, just to be a little clearer about what I mean.

    View Slide

  3. ENTIT
    L
    EMENT
    Entitlement. World plus dog thinks they’re somehow entitled to any data they can grab about me, and any data they can grab about you—any data they can grab about
    pretty much everybody. They don’t even ASK themselves if maybe, just maybe, they’re not entitled to know. “We CAN collect these data, therefore it must be okay to!”
    they say.

    “Nobody even knows we’re collecting these data, so who’s to object?” says every terms-of-service agreement everywhere, merely by being fifty gazillion pages of dense
    legalese.

    “It’s our business model, so that automatically makes it okay!” Gotta pay back those venture capitalists, that’s clearly the most important thing ever. “Surveillance is how
    we improve our service for our users!” Like, do these people believe the garbage coming out of their mouths?

    View Slide

  4. And obviously Facebook and Google are the easy targets here, their entitlement is appalling, but I want to sidestep to something more libraryish: Adobe. In twenty-
    fourteen, Adobe Digital Editions—that’s their ebook-reading software, I’m sure a lot of you have used it—Adobe Digital Editions got caught red-handed sending
    information about each of its individual users over the internet back to Adobe. Exactly what ebooks you opened, how much and which parts of each one you read, when
    you did that reading… all of that going back to Adobe.

    In what UNIVERSE is Adobe entitled to know this? Especially such that we can’t even tell them to stop? But they sure think they’re entitled to collect this data about our
    reading. Amazon’s just as bad, of course.

    View Slide

  5. CAREL
    ESS SHARING
    (“EVEN IF YOU WANT PRIVACY,
    WE WON’T LET YOU HAVE IT!”)
    Another bad thing that the entitlement fuels is sheer carelessness with data. Sure, let’s collect every piece of data we can imagine and then fire it indiscriminately all over
    the place, what could possibly go wrong? Why should we bother, I don’t know, asking people first?

    “But we took out the personally-identifiable information!” says every sketchy web tracker everywhere. Look. Y’all. The more data that’s collected on people, the less
    meaning P-I-I even has. With enough information about us, we’re all identifiable, it doesn’t even matter if our names and social-security numbers get taken out. And in
    this world of surveillance, that information absolutely exists.

    So careless sharing is a real danger to all of us.

    View Slide

  6. “But it’s public data!” skeevy sharers often say. That’s what OKCupid said, after publishing their users’ dating data. Well, after a fashion, yeah, but look, privacy is not a
    binary, okay? It’s more complicated than that, and we should be able to expect the services we use and the gatherers of our data to respect those complications.

    “But it’s REE-surch!” they also said. Like that justifies this. We have Institutional Review Boards—and I just went through an IRB process, it was hair-tearingly awful and I
    hated every minute of it—but we have IRBs because we KNOW not all research questions or research methods are okay, okay?

    View Slide

  7. SECRECY AND L
    IES
    And, you know, secrecy and lies also go right along with the whole entitlement thing—these nosy creeps will do ANYTHING to keep pretending they’re entitled to spy on
    us, so they keep secrets and tell lies about what they’re actually doing.

    View Slide

  8. Gizmodo, 26 September 2018
    https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051
    Fair use asserted
    My rule of thumb is, if somebody’s telling lies on the Internet, it’s probably Facebook. Kashmir Hill, who is a terrific journalist on the privacy and security beat, asked
    Facebook if they were letting advertisers get at, like, cell phone numbers and email addresses of people who didn’t even give Facebook that information, much less
    permission to use it. And Facebook said “nope, not us, we’d never”—and then Hill and some researchers proved it, whereupon Facebook finally, grudgingly admitted it.

    Let me say this again: FACEBOOK LIED TO A JOURNALIST ABOUT THIS. And that was AFTER trying to keep it secret.

    View Slide

  9. And then there’s GOOGLE. Our good buddy Google just got SO OWNED for fibbing. There’s this toggle in Google’s privacy settings to turn Location Sharing off, here’s
    what it looks like, and Princeton media researcher Günes Acar discovered that if you turn this setting off, as I have done, Google was still tracking your location!

    But wait, wait, it gets better! Vanderbilt researcher Douglas Schmidt also demonstrated recently that no matter WHAT your Google privacy settings look like, if you have
    an Android phone, it’s communicating your location to Google several times an hour.

    And look, this is not even CLOSE to the first time our good buddy Google has been owned. K-12 schools using Google Apps for Education caught Google building
    advertising profiles on children. Of course the whole time Google was saying children’s privacy was important to them. Yeah, right.

    That thing where the conference wifi auto-redirects to Google? Um… DuckDuckGo please?

    So, lemme ask, how many of y’all’s library websites use Google Analytics? Show of HANDS, please, come on, don’t be shy. (If few hands: Y’all. I’m talking about secrecy
    and lies here. Don’t think I don’t know a lot of you are fibbing by omission.) Google makes claims about the privacy of that data. I imagine at least SOME of you have
    investigated them. I just want you to ask yourselves: whatever those claims are, you believe Google about them why, exactly? Based on its track record, Google isn’t
    trustworthy.

    View Slide

  10. EXPLOITING
    POWER ASYMME
    T
    RIES
    And we can’t have this discussion without talking about power, okay? Our inability to escape surveillance has a lot to do with all the power that we as individual citizens,
    as Internet users, as librarians, as employees, as library patrons, as device owners, as students—hi students, glad you’re here!—all the power we don’t currently have.

    View Slide

  11. Law enforcement targeting activists of color, government agencies using black-box prediction systems that unfairly deny people services, there are hideous abuses of
    power fueled by surveillance.

    But I want to point out, probably not news to most of you, that just the ability to observe can create an exploitable power asymmetry. These screenshots came from Alex
    Halpern on Twitter, and it’s a conversation between Alex and some creep who asked a friend who works for a public library to look up Alex’s library checkout record. And
    then this creep tried to use that against Alex. More or less privately, yeah, but I can imagine ways to try to harm Alex publicly, and I bet you can too.

    Our professional ethics codes were designed to avoid exactly this kind of thing. We DO NOT use people’s information behavior against them, nor allow it to be used
    against them when we can avoid that.

    View Slide

  12. WILL
    ING
    COLLABORA
    TION
    Speaking of avoiding it, public librarians’ resistance to the Patriot Act set librarianship pretty explicitly against corporations who just rolled over on their customers to
    United States federal enforcers—telecom corporations particularly, but they’re not the only ones. To be totally blunt about this, a lot of corporations are data quislings,
    they are collaborators (in the deal-with-the-devil sense of that word). When evil asks them to jump they just ask how high.

    View Slide

  13. Gonna just read this headline… {DO SO} Times like this I remember what “yahoo” originally meant, thank you Jonathan Swift…

    View Slide

  14. SURVEILLANCE
    CREEP
    And collaboration, in ALL senses of that word, is part of how we get what researchers call surveillance creep—the reuse and augmentation of existing data for new and
    sometimes nefarious purposes that weren’t originally planned for or even imagined.

    And social scientists say ruefully that surveillance creep is hard, if not impossible, to stop. In other words, expect any data you collect and store to be used for purposes
    you didn’t intend—and maybe wouldn’t approve of.

    View Slide

  15. After all, this is kind of how we got to Cambridge Analytica, right? Supposedly they and Facebook were collecting silly quiz data because silly quiz data, or maybe
    because advertising.

    Ha ha, joke’s on us, Cambridge Analytica was trying to use the data to throw elections! Whether they were successful or not, and that one’s debatable, just the idea that
    using people’s data to manipulate them at scale is not only possible, but in fact COMMON—this article here is about marketers doing it—this should maybe give us
    pause about data collection.

    View Slide

  16. INDIFFERENCE
    T
    O HARM
    (“I GOT MINE, YOU DON’T MATTER!”)
    The utter indifference to the harm they’re doing, whether it’s Cambridge Analytica or Uber or Facebook or Google or Twitter, I can’t get over this. It’s so stark, and so
    awful.

    View Slide

  17. SERIOUSLY, FACEBOOK?!
    Facebook didn’t care that it was letting anti-Semitic and white-supremacist organizations target ads to more of the same. They DID NOT CARE they were helping people
    attack other people, until it became an image problem for them.

    That sweet, sweet ad money their surveillance gets them, that’s all Facebook cared about.

    View Slide

  18. This is not the
    or wanted.
    we made
    So, this is not the world we made or wanted.

    We actually wrote a whole ethics code for ourselves back in nineteen-thirty-nine in part to AVOID this kind of world!

    View Slide

  19. This is still the
    live in.
    we must

    View Slide

  20. This is still the
    live in.
    our patrons must
    … and if you don’t like this world and wish it were different, I am RIGHT THERE WITH YOU.

    View Slide

  21. How are we coping with this?
    Let’s find out.

    View Slide

  22. There are twelve regional public library systems in Minnesota, thank you Minnesota Department of Education website.

    Let’s ask a really basic online security and privacy question. How many of these twelve public library systems serve up their websites securely? Don’t, like, yell out a
    guess or anything, that’s rude, but look, H-T-T-P-S is basic web privacy hygiene now… and the public-library sector generally is known to be lagging badly at it, which is
    why I ask.

    View Slide

  23. X
    X
    X
    X
    X
    ?
    Here’s your answer. When I checked, I found six secure websites, good job and thank you, y’all… *CLICK* one misconfiguration—no worries, it happens, at least they’re
    trying!—and *CLICK* five that are still insecure.

    FIVE. Y’all!

    View Slide

  24. CAREL
    ESS SHARING
    This is what careless data sharing looks like in the real world of Minnesota libraries. I’m sorry but it’s true.

    View Slide

  25. “PACKET SNIFFER”
    COPIES-AND-SAVES
    NETWORK TRAFFIC
    WORKS ON LOCAL
    NETWORKS, WIFI
    ALL TEXT, IMAGES
    FROM INSECURE
    WEBSITES
    So what? you might be wondering. Okay, fair enough, I’m going to demo a piece of free open-source software called Wireshark for you. *CLICK* Wireshark is what’s
    called a packet sniffer, or network traffic analyzer if you’re feeling fancy. *CLICK* If you turn Wireshark loose in what’s called “promiscuous mode” on a local network such
    as a wifi network, *CLICK* Wireshark copies and saves all the information bouncing through that network from all the different phones and tablets and computers
    connected to it, okay? Including web traffic, email traffic, chat, mobile apps that use the network, whatever.

    And if a website is not being served securely—like, it’s coming from one of those five still-insecure library websites I just showed you? *CLICK* Wireshark captures
    absolutely everything the person who surfed to that site is seeing, all the text, all the HTML, all the images, everything. So I, as the Wireshark user hanging out on the wifi,
    can trivially snoop on people using insecure websites.

    View Slide

  26. Here’s a canned screenshot of what that looks like, it’s from a Wireshark lab I have students do in my new information-security course. If you’re close enough and you
    squint a bit you can see the actual HTML of a web page in Wireshark’s bottom pane. So straight from Wireshark I can see every single thing about this page that the web
    browser of the person using this site sees.

    But I promised y’all a demo, right? I actually booted up Wireshark when I came into the room today, and I’ve been capturing Internet traffic on the conference wifi I’m
    attached to ever since. So hey, we can all take a look at what websites we’ve been surfing to on our phones and laptops during lunchtime keynote at Annual, okay? All of
    us, unless you’re using a VPN my Wireshark knows where you’ve been, and if you’ve been surfing to insecure websites, my Wireshark knows exactly what you saw there.

    So let’s look at that. Let me just exit out of my slides here, and pull up Wireshark…

    View Slide

  27. *OPEN WIRESHARK, QUIT OUT OF IT, RESTART DECK FROM THIS BLANK SLIDE.*

    Okay, look. I did not actually do that. I did have Wireshark running, but I didn’t capture any traffic with it, because that would be a terrible violation of y’all’s information
    privacy. I’m a librarian. I do my level best to operate according to our professional ethics. So I wouldn’t do that, and I didn’t. Even that Wireshark screenshot I showed you
    was from my own home wifi when nobody but me was using it.

    View Slide

  28. ANG
    RY
    BE
    T
    RAYED
    UPSE
    T
    UNSAFE
    SHOCKED
    I’d like you to check in real quick with how you’re feeling right now, okay? I won’t tell you how to feel, I don’t have the right, but see if any of the words I’m throwing up
    here strike a chord with you.

    And I ask you to remember how you’re feeling. Maybe look around and gauge how other people seem to be feeling. Beyond this talk, beyond this CONFERENCE,
    remember how information surveillance made us feel, please. And remember we do NOT want to make patrons in our libraries feel any of these ways; isn’t library anxiety
    already bad enough? Beyond all the highfalutin’ rhetoric about ethics and intellectual freedom and stuff—that’s a big reason we drew a line in the sand in nineteen thirty-
    nine about surveilling our patrons.

    View Slide

  29. INDIFFERENCE
    T
    O HARM
    I apologize for scaring you. Unlike Facebook or Google or Cambridge Analytica, I am not indifferent to the harm I just caused, and I am sorry for it. It was the best way I
    could think of to get people really feeling website and network security, instead of thinking it’s yet another obscure annoying techie argument. But I’m still sorry, even as I
    wrote this into my slides I knew it was a shabby trick. I hope you’ll forgive me.

    View Slide

  30. Photo: Paul Sableman, “Neighborhood Association Cornerstone -
    Erected 1927 A.D.”
    https://www.flickr.com/photos/pasa/8604904182/
    CC-BY, cropped
    But let me also suggest that fundamentals like website security are the cornerstone of present-day privacy in libraries, okay? Defending our patrons against well-known
    information-surveillance threats like packet sniffing is fundamental. Information security in general IS FUNDAMENTAL.

    If we can’t get the fundamentals right, we librarians don’t have much business bragging on ourselves about privacy.

    View Slide

  31. Photo: Pru Mitchell, “Library gate”
    https://www.flickr.com/photos/pru/14467143883/
    CC-BY, cropped
    A while ago, I was talking with an academic-librarian friend of mine at an event we were both attending. She told me about another librarian at her library who was
    THRILLED to be able to tap into data from ID-card swipes at the library gates. “Just think,” this other librarian said, “we can know exactly who they are and what they’re
    majoring in before they even approach the ref desk!”

    And when my friend gently suggested that this might be a privacy problem? The librarian scoffed and said, “Oh, they won’t even know, so it’s fine.”

    Let’s take this story apart a piece at a time.

    View Slide

  32. ENTIT
    L
    EMENT
    “Just think, we can know exactly who they are and what they’re majoring in!” Without doing students the basic courtesy of asking, nor allowing them to decide not to tell
    us.

    That’s entitlement.

    View Slide

  33. EXPLOITING
    POWER ASYMME
    T
    RIES
    “Before they even approach the ref desk!”

    That library has the power of surveillance, of observation and identification, over those students, and there’s probably nothing the individual students can do about it. And
    my friend’s librarian colleague apparently thinks exploiting that power asymmetry is peachy-keen.

    View Slide

  34. SECRECY AND L
    IES
    “Pssh, they won’t even know it’s happening, so it’s fine!”

    *PAUSE*

    It’s not fine. This is NOT FINE. That world where we’re all surveilled and afraid? That world we’ve historically been proud of NOT contributing to? This is what libraries
    actively contributing to a world of surveillance looks like, folks, and keeping it secret only makes it worse.

    And where, you might well ask, where is this library with this librarian who apparently learned ethics from Facebook, Adobe, and Google rather than the ALA or library
    school?

    View Slide

  35. Photo: Teresa Boardman, “Minnesota State Capitol”
    https://www.flickr.com/photos/tboard/1356990933/
    CC-BY, desaturated, cropped
    Minnesota. Minnesooooooooota. Sorry, folks, disappointing but true. You might have legitimately guessed Arizona, but no, my librarian friend and their colleague are from
    Minnesota.

    “The students won’t know, so it’s okay.” I just. What is that I can’t even. Moving on…

    View Slide

  36. As I was poking around Minnesota library websites, I came across M-N-link, which I’m guessing needs no introduction in this room. Secure website, by the way, so good
    job there, Minitex. I clicked links but mostly couldn’t get places because I’m not a Minnesota resident or library-card holder, which I kind of expected, so okay.

    So I clicked on the Tutorials link under More Resources, suspecting THAT at least would be locally-created and I’d be able to see it, and yay! I was right.

    View Slide

  37. And on the tutorials page I noticed my uBlock Origin, the ad- and tracker blocker I have installed in my browser, posting a total of twenty-five advertising and
    surveillance-type things blocked on the page. Twenty-five is kind of a lot? Especially for a library website? Huh, I muttered to myself, and clicked on uBlock Origin’s icon
    to see what was going on.

    View Slide

  38. And then I muttered something under my breath which I will not repeat here, this being a family conference. I blew this up as big as I could, but wow this is a big room,
    so.

    Doubleclick dot net. DOUBLECLICK is being allowed to load something onto M-N-link’s tutorials page. I don’t know what, I don’t even CARE what, this is a thing that
    should not be. Doubleclick is one of the Four Horsemen of the Online Surveillance Ad-pocalypse, okay?

    Minitex. MI-NI-TEX. How did this get past you? I know you’re better than this!

    View Slide

  39. And I don’t mean to belabor this point about library websites and the surveillance world we live in, but stuff just kept happening and I kept cussing under my breath and
    I’m gonna include you in my pain, okay?

    This is the home page for the Great River Regional Library system, headquartered here in town. Also secure, so thank you for that. But I’ve got my uBlock window open
    again, so brace yourselves.

    View Slide

  40. Google Analytics, of course, but check THIS out, ad-n-x-s dot com. Ad Nexus. The company itself is called App Nexus, and hey, it just got bought out by AT&T, which of
    course has a STERLING record in protecting people’s privacy, it didn’t roll over on its customers to the NSA at all!

    Ad Nexus should reeeeeeally not be here.

    View Slide

  41. It’s not like App Nexus even makes a secret of being in the business of surveillance for marketers, y’all. Look at this, straight off their home page, how shameless is that
    eye—graph—thing? And check their verbiage out: (READ THE LITTLE PARA.) So, they brag on how transparent they are—to buyers and sellers of advertising. The
    people they’re tracking across the web, including on Great River Library’s website, don’t… apparently… matter? Or need transparency? Or something.

    View Slide

  42. CAREL
    ESS SHARING
    Now, I’m sure nobody at Minitex or Great River Library thinks to themselves “hey, today I’ll go to work and feed all our patrons into the surveillance-capitalism
    panopticon! that’ll be greeeeeeeeat!” This is likely to be careless sharing. To which I say, we could stand to be more careful about this?

    View Slide

  43. WILL
    ING
    COLLABORA
    TION
    But I also think there’s an argument that lack of intent is not magic. In effect, Minitex, Great River Regional Library, and all y’all using Google Analytics are collaborating, in
    the deal-with-the-devil sense of that word, with corporate surveillance.

    Because it’s convenient, right? Google Analytics is just so very convenient. *PAUSE* So, convenience is all surveillance capitalism has to pay to buy patron privacy off
    libraries? Huh.

    If y’all haven’t done so already, please install an anti-tracker plugin in your favorite browser. It doesn’t even have to block stuff if you don’t want it to, I just NEED y’all to
    become more aware of behavioral tracking online. I’d be even happier if you installed uBlock on all your patron-facing machines in your library. If you need to convince
    anybody in IT, tell them it’ll cut way down on bandwidth costs—happens to be true!

    View Slide

  44. Here’s another carnival of funhouse surveillance mirrors for your enjoyment today. It’s called “learning analytics” and it’s a big honkin’ deal in some colleges and
    universities these days.

    Learning analytics is about surveilling students, emphatically including their information behavior. Who they are, what they do online, what they do offline, what they do IN
    class, what they do out of it. Basically anything students do, some learning analytics project somewhere wants to record it and analyze it.

    And colleges and universities doing learning analytics want their libraries to join in the fun!

    View Slide

  45. And this is where it’s appropriate for me to declare that I have a dog in this hunt, and this is it: I’m part of a research project funded by the Institute for Museum and
    Library Services that’s going to ask students what they think about academic libraries participating in learning analytics initiatives.

    I hear a lot of people say “nobody cares about privacy!” I don’t actually believe that, and current research in non-library contexts aligns with me. But, either way, shouldn’t
    we KNOW? So the Data Doubles team is aiming to go find out.

    By the way, if any of you are coming to LITA Forum in the Twin Cities next month, hi, I’ll see you there, and I want you to know that Jenica Rogers of SUNY-Potsdam is
    speaking about her experience finding out what students THERE think of all this. I’ll be in that audience with bells on, and if you’re going, it’d be great if you were there
    too.

    View Slide

  46. Photo: Plings, “plings_005”
    https://www.flickr.com/photos/plings/4453697565/
    CC-BY, cropped
    Okay, so. Let me walk you through one real-world library-based learning-analytics research project, okay? Just to give you a sense of how it works.

    View Slide

  47. ALL first-year undergraduates,
    surveilled through their ENTIRE TIME
    at the school.
    First, let’s talk about the research population studied. It was an entire cohort of first-year undergrads at the school, and the researchers surveilled them in various ways
    throughout their time there.

    View Slide

  48. SECRECY AND L
    IES
    As far as I can tell from what’s been published, these researchers offered no way for any student in the cohort to opt out of this research. Heck, it looks to me like they
    didn’t even really tell the students it was happening, much less ask them whether they were okay with it.

    View Slide

  49. EXPLOITING
    POWER ASYMME
    T
    RIES
    And look, even if the researchers had said something, think back to how YOU felt as a brand-new undergrad. Overwhelmed, small, and scared, if you were anything like
    me. So some librarian researcher comes up to you saying “we wanna watch you like a bug under a microscope, is that okay?” Of course you’re not gonna say no, much
    less “ew, gross, stay out of my life!” You’re feeling overwhelmed, small, and scared and here’s this authority who wants something from you!

    This is exploitation of power asymmetry in a nutshell. And while I’m mentioning it, power asymmetry is what allowed those researchers to get away with NOT EVEN
    TELLING STUDENTS that what they did in the library was being turned into data.

    View Slide

  50. Race/ethnicity
    Socioeconomic status
    (via Pell Grant data)
    Gender
    On/off campus
    First-generation status
    University division
    Incoming SAT/ACT scores
    Age range
    Part- or full-time status
    Here’s the data the researchers got about everyone in the cohort from the university records folks. (READ THE LIST.) Already we’re pretty deep into creepy territory, I
    think? Especially when there’s been no notice or consent.

    I want y’all to notice, too, that combining all these characteristics plus the cohort entry year, which has been published, it’s gonna be pretty trivial to reidentify a WHOLE
    LOT of these individual students by name—heck, gimme five minutes on LinkedIn and I’ll get you some of them. Not that these researchers actually seemed to care
    about that, mind you—they kept actual campus identifiers for the students throughout their research—but if their dataset ever leaks, things will get real ugly real fast.

    View Slide

  51. # library (e)book checkouts
    # and date(s)
    of library-computer logins
    # library databases
    accessed
    # academic journals
    accessed
    Appointments with
    peer tutors
    Chat reference
    transactions
    Interlibrary loan
    transactions
    Participation in first-year
    seminar programs
    And here’s what the researchers tracked about the individual students during their time at the school. (READ THE LIST.)

    (N.B. library computer logins are a form of geolocating students, which is creepy all by itself.)

    Wow, so, okay, that’s a lot. And in their publications the researchers actually lament that they couldn’t get more.

    View Slide

  52. # of classes attended
    with library instruction
    Term GPA
    Cumulative GPA
    4-year graduation
    rate
    YIKES!
    But wait, wait, I’m not even done yet, I couldn’t fit it all onto one slide! These researchers also captured (READ THE LIST).

    *CLICK* If you’re not creeped out about this level of information-behavior tracking happening to you or your child or cousin or sibling or nibling, without their knowledge
    and consent, I don’t even know what to tell you, except that I SURE AM.

    And if you wouldn’t be even a little bit leery of walking into this library or visiting it online, knowing it was tracking all this stuff about you, I don’t even know what to tell
    you, except that I wouldn’t set foot or mouse-click in this library for love or money if I could avoid it.

    View Slide

  53. 2. The privacy of library users
    is and must be inviolable.
    Policies should be in place that maintain
    confidentiality of library borrowing records and
    of other information relating to personal use
    of library information and services.
    Maybe just one more thing, too. This is directly from the ALA’s Intellectual Freedom Principles for Academic Libraries. It starts out, “THE PRIVACY OF LIBRARY USERS
    IS AND MUST BE INVIOLABLE.”

    *pause* Welp.

    View Slide

  54. ENTIT
    L
    EMENT
    You might be asking yourself right now, “Who TOLD these people they were entitled to do this?” And I get it, I hear you, this whole thing reeks of entitlement, but look,
    you have to turn it around: until me? right this minute? Nobody said they couldn’t or shouldn’t, is my bet. I mean, except their professional ethics codes, and *pssh* who
    reads those, right?

    View Slide

  55. WILL
    ING
    COLLABORA
    TION
    And there are a lot of people who could have told them no. Their library administrators. Their institutional administrators. Their institutional lawyers. Maybe their
    Institutional Review Board, though as best I can tell their IRB never even saw this. Their institution’s records managers. Their IT and data people. The editors and peer
    reviewers at the journals where they’ve published about this. Our professional organizations.

    Best I can tell, nobody who could have said “no, rethink this” actually did. That makes an awful lot of people collaborators in surveillance. Nothing about surveillance is
    ever gonna change until somebody somewhere starts saying no, y’all.

    View Slide

  56. SURVEILLANCE
    CREEP
    This is also classic, classic surveillance creep. None of the pre-existing data this research used was collected for that purpose, and a lot of the data they DID intentionally
    collect, it either isn’t normally collected or isn’t used for research!

    But they could, and nobody told them no, so they did, and it sure looks to me like they didn’t think twice. I don’t think that’s a healthy precedent at all.

    Where, you might well ask, did this research happen? Where is the academic library that thinks this is okay?

    View Slide

  57. Photo: Teresa Boardman, “Minnesota State Capitol”
    https://www.flickr.com/photos/tboard/1356990933/
    CC-BY, desaturated, cropped
    Minnesota! Minnesooooooooota. Sorry, disappointing but true. It’s not hard to find; as I’ve mentioned, the research team has published about it several times. I’m not
    going to tell y’all exactly what you should think about that, much less what you should DO about it. I don’t have that right. I’m just going to beg you to THINK ABOUT IT,
    as librarians who are different from Facebook and Google and Cambridge Analytica.

    *CHECK TIME. IF >10 MINUTES LEFT:*

    Also as educators, those of us who are. I’m an instructor and a student advisor. I work with students from oppressed and outlier populations, I work with students who
    are vulnerable, I work with students who are in active crisis, I work with students who for good and cogent reasons don’t trust the larger university I work for. And here’s
    what I want to say about this research as an instructor and advisor—I need my students to trust me, or I can’t do my job. This means I need researchers not to be
    indifferent to the harm they can do by undermining that trust.

    I’m pretty upset about this research, I won’t lie, and anyway it’s probably obvious, right? But I have reasons for how I feel beyond the purely abstract.

    View Slide

  58. We, SURVEILL
    ED and AFRAID
    in a World We Never Made
    Photo: Jay Phagan, “Surveillance Cameras”
    https://www.flickr.com/photos/jayphagan/33870031091/
    CC-BY, cropped, darkened, masked
    aren’t preventing,
    and sometimes buy into
    or even facilitate!
    So, this is where we’ve landed as a profession, I think. We’re suspicious and scared of surveillance, as we should be.

    But what we can’t do, I hope I’ve convinced you, is deny that we are part of this world of surveillance. We ARE part of it, just as much as Facebook and Google and
    Cambridge Analytica and Adobe. Some of us have even bought into it whole-hog! We’re actually NOT so different.

    View Slide

  59. Photo: La Vladina, “Shut Up, take 3”
    https://www.flickr.com/photos/
    danielavladimirova/6234626228/
    CC-BY, cropped
    But even those of us who fear and loathe surveillance mostly haven’t done much about it, and I include myself in that. Silent partners in the surveillance state. Dunno
    about you, but that’s not what I went to library school to do.

    View Slide

  60. How are we coping with this?
    Maybe not so well! How can we cope better?

    View Slide

  61. Photo: mslavick, “No!”
    https://www.flickr.com/photos/supernintendo_chalmers/3827043121/
    CC-BY, cropped
    They say “no” is a complete sentence. Maybe when we see one another taking dumps on privacy, pardon my language, we yell NO. It could be that simple!

    View Slide

  62. Photo: Zeev Barkan, “Fine art vs. documentary photographs”
    https://www.flickr.com/photos/zeevveez/7095563439/
    CC-BY, cropped
    But, you know, asking questions can be easier, and I think that’s a big part of what we can all do about this. Ask questions, when you’re feeling some patron surveillance
    coming on at your library. “Are we actually entitled to collect or use this data? Shouldn’t we just delete it? How are we going to tell our patrons this is happening? Isn’t
    this surveillance creep? What harm could come to our patrons from this?” Ask, and keep asking.

    View Slide

  63. Photo: Paul Sableman, “Neighborhood Association Cornerstone -
    Erected 1927 A.D.”
    https://www.flickr.com/photos/pasa/8604904182/
    CC-BY, cropped
    And part of this is going back to fundamentals, to privacy cornerstones. For example, ALA has an amazingly great how-to on library privacy audits, which are not by any
    means a new idea; they just take on new importance in the shadow of the digital panopticon.

    Now, I realize and respect that a lot of us in this room are feeling unprepared for this technically. I won’t ask you to raise your hands, but hey, I’m betting this is the first a
    lot of you have ever heard of Wireshark. It’s okay, I’m not mad at you, nobody’s born knowing this stuff. But it does mean we have a lot of each-one-teach-one to do in
    our profession about the fundamentals of information security. I just want to reassure you that I myself have only been boning up on infosec for a little over a year. If I can
    pick up a baseline understanding that fast, I definitely think lots more of us can.

    View Slide

  64. Photo: Teresa Boardman, “Minnesota State Capitol”
    https://www.flickr.com/photos/tboard/1356990933/
    CC-BY, cropped
    So let’s get started right here in Minnesota. This is my closing challenge to all of you here: make Minnesota the national example of doing twenty-first-century library
    privacy right! Lead the whole country! Don’t be afraid, spit in surveillance’s eye! Eye—graph—thing.

    Now, y’all maybe have a ways to go to get there, but you’re not alone—we all do. Could I have come up with Wisconsin examples today? Oh, I SO could have. And in
    spite of the examples I used today, I believe in you. I believe in you! Make this happen, Minnesota!

    View Slide

  65. Photo: Teresa Boardman, “Minnesota State Capitol”
    https://www.flickr.com/photos/tboard/1356990933/
    CC-BY, darkened, cropped
    Thank you!
    Copyright 2018 by Dorothea Salo.
    This presentation is available
    under a Creative Commons Attribution
    4.0 International license.
    Please respect licenses on included photos.
    And my best wishes to you.

    Thank you.

    View Slide