Privacy Tech Toolkit: VPNs

Welcome to this week’s Tip of the Hat!

Data breach and website hacking stories are (sadly) commonplace in the news. But what happens when the hack in question did not involve a single site, but your entire browsing history, complete with sensitive data, while you were logged into what was supposed to be a secure and private connection? With the recent breach with three VPN services – NordVPN, TorGuard, and Viking VPN – customers might be looking at that reality.

Some of you might be scratching your heads while reading the reports, though. Not everyone is familiar with VPNs, how they work, why they matter, and when you should use one. In this newsletter, we’ll cover the basics of VPNs, including how you can use them to protect your online privacy.

VPN Basics

A virtual private network (VPN) is a network of computers that provide access to the internet from a private network. Let’s use your work’s VPN service as an example. You are traveling with your work computer and you need to log into a work application. The problem is that the application can’t be accessed by computers outside the office. That’s where the work VPN comes in. You open your VPN client and log into the VPN service, creating a connection between your computer and the office server running the VPN service. This connection allows you to use the internet from that office server, making it appear that you are back in the office. Your computer can then access the work application now that the application thinks that your computer’s location is at the office and not in a hotel room.

Typically, the VPN connection is secure and encrypted, which makes VPN use essential for when you are connecting to public WIFI connections. Being able to change your location by using a server in another part of the world can also help protect privacy by placing you in a location other than the one you’re currently at. This comes in handy when trying to access sites that are geo-locked (sites that you cannot access outside of a certain geographical area, such as a country). Then there is the privacy component. A VPN can provide privacy protection for browsing history, current location, and web activity. Overall, VPNs can provide a secure and private space for you to browse the web away from those who want to track your every online move, be it some random person running Wireshark on a public network, your internet service provider looking for data for targeted advertising purposes, or possibly even the government (depending on your location).

VPN Considerations

A private and secure connection to the internet can protect online privacy, but as we found out last week, VPNs themselves are susceptible to breaches. This might cause some to wonder if VPNs are still a good choice in protecting online privacy. While VPNs are still an essential tool in the privacy toolkit, you still have to evaluate them like any other tool. There are some things to look for when choosing a VPN for work or personal use:

  • Encryption, protocols, and overall security – is the connection between your computer and the VPN server encrypted? You also have to consider the processes used in the actual creation of the tunnel between you and the VPN server. You might run across a lot of protocol terminology that is unfamiliar. NordVPN has a good post explaining various security protocols to help you wrap your head around VPN protocols.
  • Activity logs – is the VPN service keeping a log of activity on its servers? You might not know if your work VPN keeps a log of user activity, so it’s safer to use a separate VPN service than your work VPN for any personal use. No logs mean no record of your activity and your privacy remains intact.
  • Location – What server locations are available so you can access geo-blocked sites? Do you need your computer’s location to be at a specific IP address or location for work?
  • Price (for personal VPN use) – Never use a free VPN service. They are the most likely to log your activity as well as sell your data to third parties.

VPNs @ Your Library

Most likely you have access to a VPN service at work. While the technical aspects of work VPN are relegated to the IT and Systems departments, there is the question of who can use a VPN. Some libraries do not restrict VPN use to certain types of staff while other libraries only allow those who travel for work or do remote work to use VPN. A potential risk with work VPNs is when staff change roles or leave the organization. Auditing the list of users who have VPN access to the system will help mitigate the risk of unauthorized access to work systems by those who no longer should have access.

Your library provides internet access to patrons, so how do VPNs fit into all of this? First, we have WIFI access. Your library’s WIFI is a public network and patrons who want to protect their privacy might use a VPN to protect their privacy. Can your patrons use their VPN service while connected to the WIFI? Your desktop computers are another place where patrons are using a public network, but many public computers don’t allow patrons to install software, including VPN clients. There are ways to configure the public network to break the ties between one IP address and one computer, so web activity cannot be traced back to a single computer user based on IP alone.

VPNs And Other Tools In The Privacy Tech Toolkit

VPNs are just one way to protect your privacy online. There are many other ways you can protect privacy, including Tor and other types of proxy servers. Sometimes folks use multiple tools to protect their privacy; for example, some folks use both a VPN service and the Tor browser. Each tool has its strengths and weaknesses in protecting your privacy, and choosing which one to use depends on your situation. We’ll be covering other tools in the Privacy Tech Toolkit soon, so stay tuned!

Cookies, Tracking, and You: Part 2

Welcome to this week’s Tip of the Hat! We covered the basics of web cookies in Part One, including tracking and what users can do to protect their online privacy and not be tracked by these not-so-delicious cookies. Part Two focuses on the site owners who use tracking products to serve up those cookies to their users.

A Necessary Evil (Cookie)?

Many site owners use web analytics products to assess the effectiveness of an online service or site. These products can measure not only site visits but also how visitors get to the site, including search terms in popular search engines. Other products can track and visualize the “flow” or “path” through the site: where users enter the site (landing page), how users navigate between pages on the site, and what page users end their site visit (exit page).

Web analytics products provide site metrics that can help assess the current site and determine the next steps in investigating potential site issues, such as developing usability testing for a particular area of the site where the visitor flow seems to drop off dramatically. Yet, products such as Google Analytics collect personal information by default, creating user profiles that are accessible to you, the company, and whoever the company decides to share the data. Libraries try to limit data collection in other systems such as the ILS to prevent such a setup, so it shouldn’t be any different for web analytics products.

Protecting Site User Privacy

There are a few ways libraries can protect patron privacy while collecting site data. Most libraries can do at least one or two of these strategies, while other strategies might require negotiation with vendors or external IT departments.

User consent and opt-out

Many sites nowadays have banners and popups notifying visitors that the site uses cookies. You can thank the EU for all of these popups, including the ePrivacy Directive (the initial law that prompted all those popups) and GDPR. US libraries such as Santa Cruz Public Library and Stanford University Libraries [1] have either adopted the popup or otherwise provided information to opt-out of being tracked while on their site. The major drawback to this approach, as one study points out, is that these popups and pages can be meaningless to users, or even confuse them. If you decide to go this route, user notification needs to be clear and concise and user consent needs to be explicit.

Use a product other than Google Analytics

Chances are, your server is already keeping track of site visits. Install AWStats and you’ll find site visit counts, IP addresses, dates and times of visits, search engine keyword results, and more just from your server logs.

(Which, BTW, do you know what logs are kept by your server and what data they are collecting?)

Several web analytics products provide site data without compromising user privacy by default. One of the more popular products is Matomo, formerly Piwik, which is used by several libraries. Cornell University Library wrote about their decision to move to Piwik and the installation process, and other libraries are already running Matomo or are starting to make the migration. You can find more information about privacy-focused analytics products in the Action Handbook from the National Forum of Web Privacy and Web Analytics. Many of these products allow you to control what data is being collected, as well as allow you to install and host the product on a local server.

If you must use Google Analytics

There are times where you can’t avoid GA. Your vendor or organization might use GA by default. You might not have the resources to use another analytics product. While this is not the optimal setup, there are a couple of ways to protect user privacy, including telling GA to anonymize IP addresses and turning off data sharing options. Again, you can find a list of recommended actions in the Action Handbook. You might also want to read Eric Hellman’s posts about GA and privacy in libraries, as well as how library catalogs leak searches to Amazon via cookies.

Protecting patron privacy while they use your library’s online services doesn’t necessarily mean prohibiting any data collection, or cookies for that matter. Controlling what data is collected by the web analytics product and giving your patrons meaningful information about your site’s cookie use are two ways in which you can protect patron privacy and still have data for assessing online services.

[1] Hat tip to Shana McDanold for the Stanford link!

Cookies, Tracking, and You: Part 1

Welcome to this week’s Tip of the Hat!

LDH would like to let our readers know that in the eternal feud between Team Cookie and Team Brownie, we are firmly on Team Brookie.
A pan of brookies cut into bars, with two bars missing. One bar sits on top of the other bars.
But that doesn’t mean we don’t appreciate a good cookie!
A plate of honey nut cookies.
Unfortunately, not all cookies are as tasty as the ones above, and some we actively want to avoid if we want to keep what we do online private. One such cookie is the web cookie.

Web Cookie 101

You probably encountered the terms browser cookie, HTTP cookie, and web cookie when you read articles about cookies and tracking, and they all refer to the same thing. A web cookie is data sent from a website and stored in the user browser, such as Edge, Chrome, or Firefox. Web cookies come in many different flavors including cookies that keep you signed into a website, remember your site preferences, and what you put in your shopping cart when you were doing some online shopping at 2 am. Some cookies only last until you close your browser (session cookies) and some will stick around after you close and reopen your browser (persistent cookies). A website can have cookies from the site owner (first-party cookies) and cookies from other sites (third-party cookies). Yep, you read that right – the site that you’re visiting may have other sites tracking you, even if you don’t visit those other sites.

However, you don’t need a third-party cookie for a site to track you. Chances are that you’ve been tracked when you are browsing the Web by web analytics products such as Google Analytics. What does that all entail, and how does it affect your privacy online?

Tracking Cookies and Privacy

Many web analytics products use cookies to collect data from site visitors. Google Analytics, for example, collects user IP addresses, user device information (such as browser and OS), network information, geolocation, if the user is a returning or new site visitor, and user behavior on the site itself. A site owner can build a user profile of your activity on their website based on this information alone, but Google Analytics doesn’t stop there. Google Analytics also generates demographic reports for site owners. Where do they get this demographic data from? Cookies, for the most part. This is a feature that site owners have to turn, but the option is there if the owner wants to build a more complete user profile.

(Let’s not think about how many libraries might have this feature turned on, lest you want to stress-eat a batch of cookies in one sitting.)

This is one example of how cookies can compromise user privacy. There are other examples out there, including social media sites and advertising companies using cookies to collect user information. Facebook is notorious for tracking users on other sites and even tracking users who do not have a Facebook account. If there’s a way to track and collect user data, there’s a web site that’s doing it.

Using Protection While Browsing The Web

Web users have several options in blocking tracking cookies. The following guides and resources can help you set up a more private online browsing experience:

You can also test out your current browser setup with Panopticlick from the EFF to find out if your browser tracker blocker settings are set up correctly.

Stay Tuned…

But why do users have to do all the work? Where do site owners come into protecting their users’ privacy? Next week, we’ll switch to the site owners’ side and talk about cookies: what can you do to collect data responsibly, regulations around web cookies, and resources and examples from the library world. For now, go get a real-world cookie while you wait!

Ethics Breach As Privacy Breach

Welcome to this week’s Tip of the Hat! We’re still sorting through the big pile of notes and handouts from our trip to #PSR19 last month. This week’s newsletter will cover another session from the conference. Escaping the clutches of CCPA we focus on another important topic – particularly for libraries – for reasons that will become clear below.


Data breaches are a common occurrence in life. We get email notifications from Have I Been Pwned, credit monitoring referrals, and the inevitable “we value your privacy” statement from the breached company. Breaches also happen at libraries and library vendors; there’s no escaping from the impact from a data breach.

What you might not know, though, is that breaches come in different forms. In their presentation “The Data Breach vs. The Ethics Breach: How to Prepare For Both,” James Casey and Mark Surber broke down the three types of data breaches: security, data, and ethics. Security and data breaches take many forms: improper staff access levels to a database, a stolen unencrypted laptop, or sending an email with sensitive data to the wrong email address.

While security and data breaches focus primarily on failures to secure data on a technical, procedural, or compliance level, ethics breaches focus on the failure to handle the data consistent with organizational or professional values. A key point is that you can still have an ethics breach even if you follow rules and regulations. Ethics breaches involving privacy can include using consumer data for purposes that, while not violating any legal regulations, the consumer would not expect their data to be used for such a purpose. Another example is doing the absolute minimum for data security and privacy based on regulations and industry standards, even when the reality is that these minimum requirements will not adequately protect data from a breach.

Ethics breaches damage an organization’s reputation and public trust in that organization and, given the difficult nature of cultivating reputation and trust with the public, are hard to restore to pre-breach levels. Monetary fines and settlements make data and security breaches costly, but the lost reputation and trust from ethics breaches could very well be the more expensive type of loss even before you factor in the harm to the persons whose data was caught in the breach.

Casey and Surber’s talk proposed an Ethics by Design approach to aligning data practices in all stages of development and processes to ethical standards and practices. Ethics by Design might look something like this in libraries:

  • Adherence to professional ethics codes and standards, including:
  • Auditing vendors for potential ethics breaches – this audit can be done at the same time as your regularly scheduled privacy and security audits.
  • Considering patron expectations – patrons expect libraries to respect and protect their privacy. That privacy extends to the library’s data practices around collection, use, and sharing with third parties. They do not expect to be subject to the same level of surveillance and tracking as practiced by the commercial sector. The ethics breach litmus test from Casey and Surber’s talk can help identify an unethical data practice – upon learning of a particular practice, would a consumer (or in this case, patron) respond by saying “you did WHAT with my data?!”? If so, that practice might lead to an ethics breach and needs to be re-evaluated.

Ethics by Design asks us to “do the right thing”. Ethical practices need money, time, and resources – all which many libraries are short of at one time or another. It is easy to bypass ethical standards and practices, as well as doing the absolute minimum to follow regulations, particularly when “everyone else is doing it.” The nature of library work at its core is to uphold our patrons’ human rights to access information. Ethics guides libraries in creating practices that uphold and protect those rights, including the right to privacy. Protecting patron privacy should not only focus on preventing a security or data breach but also preventing an ethics breach.