Month: December 2019

Posted on

Give The Gift of Privacy

Welcome to this week’s Tip of the Hat! This is our last newsletter of the year – the Executive Assistant is on Holiday Break. We’ll be back on January 6th with the first newsletter of 2020.

Before we head out for the year, give the gift of privacy this holiday season:

Happy holidays from all of us at LDH, and we’ll catch you in 2020!

A black cat with a brown hat sticker placed on her side.

Posted on

Safe Travel for the Holidays (Guest Post)

Welcome to this week’s Tip of the Hat! Many of you will be traveling the next couple of weeks, which might involve flying to your destination. This week we bring you a guest post from Joe Reimers, Sales Engineer at III, about how to protect your privacy at the airport. Joe also writes about traveling tips and tricks at https://flyinfrequently.wordpress.com.

Holiday season is once again upon us, and for a number of us, that means air travel. For some, it’s another opportunity for grand adventure; for others, it’s an ordeal to be endured so we see family, friends and loved ones. For all of us, it’s another way for our personal data to be exposed to others.

Airports are public places where there is no reasonable expectation of privacy – you are always being observed and recorded. TSA and other law enforcement have the authority to search you and your bags. On domestic flights they may not search the contents of your phone or laptop (this is still unsettled law on inbound international flights), but they can require that you turn those devices on to prove that they are what they appear to be. Note that you don’t need to authenticate in, they just need to see the login screen. Air travel, like banking, is very, very closely tied to your legal identity – you can’t board unless the names on your ticket and ID match exactly, and the government can and does look at who is traveling where.

With this in mind, the privacy-minded traveler can prepare themselves accordingly. First and foremost, don’t bring anything you really don’t want other people to see or handle. Bringing some personal stuff is unavoidable, but I’ve found that when packing clothes in packing cubes or see-through bags, clothes that are obviously clothes are generally left alone. Another consideration is your ID – you’re going to need it at multiple times at the airport, typically when checking a bag and at the security checkpoint. You’ll want to keep your ID ready along with your boarding pass, but otherwise I try to keep it out of sight as much as possible. If you’re flying with a passport, it’s generally OK to keep out, but keep it closed and away from prying eyes.

A number of airports are now starting to use biometrics as a way to verify identification. I have very, very mixed feelings about this. The advantages are undeniable: things move quicker and you have less paperwork to keep track of (CLEAR + TSA Pre-Check at JFK or Atlanta is the difference between clearing security in 5 minutes vs. half an hour or more.) The disadvantages are also undeniable: the government gets regularly updated data about you and what you’re doing, and they don’t have to be transparent about how this data gets used. The same is true of third-party companies like CLEAR. And if there’s a data breach, well… What’s critical for you as a traveler is to understand that you cannot be compelled to submit to biometric identification. It can appear that there’s no choice but to use biometrics, but neither the airlines nor the government can legally compel its use.

Next, let’s talk boarding passes. To a skilled identity thief, boarding passes are treasure troves. They provide your full legal name as it appears on your ID. They provide hints about your frequent flyer information and status – frequent flyer miles are common targets for theft! They also contain your PNR (Passenger Name Record) and ticket number, which allow thieves to do fantastic damage. But the real danger is in the 3D barcodes (or QR codes on electronic boarding passes), which store a lot of this data in plain “text” rather than masked or by reference. If you have a paper boarding pass, protect it as you would an ID card, and destroy it the same way you’d destroy a credit card statement – not in an airport or hotel trash bin!

Now on to tech toys. Airports are public spaces where threat actors have lots of opportunity to get up to lots of mischief. It’s safe to assume that both airport WiFi and USB charging ports are compromised – even in airline clubs. Fortunately, these are easily countered with wall plug adapters and the use of VPN. Please also bear in mind that airports are public places with lots of people around. I’ve heard more than my share of “personal” phone calls. Headphones are a Very Good Thing but people tend to speak louder when wearing them. Calls aren’t always avoidable, but I strongly recommend keeping them short and light on private details until you’re someplace a bit further from prying ears.

Ultimately protecting yourself while at the airport boils down to two things: plan ahead, and stay alert. With a little bit of preparation and a little bit of awareness, it’s quite possible to keep your personal information and identity pretty safe while traveling. While you can’t control everything, controlling those things you CAN control can make all the difference.

Thanks again to Joe for the guest post! If you have an idea for a guest post, email us at newsletter@ldhconsultingservices.com.

Posted on

Last Week In Library Privacy: Evernote, LFI, and an Amendment to Weaken MI Library Privacy Law

Welcome to this week’s Tip of the Hat! Last week was a busy news week, and you might have missed an important update that could affect your library. Here are some of the major privacy news updates that you might have missed.

Evernote and law enforcement requests

Last week Motherboard reported that Evernote gave user data to law enforcement as part of a drug investigation. The company received a warrant from the Drug Enforcement Administration requesting user data, including notes that have been recently deleted by the user – the article noted that Evernote still retains data deleted by the user for some time.

While the case itself is not connected to a library, many library staff use Evernote and other cloud products for work, including creating work documents, spreadsheets, and presentations to share with other library staff. Also, staff use cloud products such as Google Forms and SurveyMonkey to collect patron information. Limiting the amount of patron data in cloud products can reduce the risk of that data being handed over to other third parties such as law enforcement. If you decide to use a third-party cloud product such as Evernote, review their law enforcement request policies and other policies surrounding the sharing of user data to other third parties.

Michigan library patron data law challenge

Michigan lawmakers are considering changing state library privacy laws. Senate Bill 611 seeks to amend existing law to allow for library directors to release patron information to law enforcement without a court order. The following text is the change that would allow for such disclosure:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

The law also allows for additional disclosures of patron information to third parties, such as collection agencies.

If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

(Thank you to OIF and Erin Berman for notifying us about this story!)

New web tracking guide

The Electronic Freedom Frontier (EFF) published Behind the One-Way Mirror, a comprehensive guide to web tracking. This guide goes into depth about the multitude of tracking methods, including mobile, web, and real-world user tracking. For readers who enjoyed the Web Cookies newsletters, this is a perfect resource to further explore the topic in depth.

LFI 2020 applications now open

The Library Freedom Institute is now accepting applications for its third cohort! This four-month institute allows library workers to learn more about privacy and libraries and to become privacy advocates in their libraries and their communities. If you are curious to learn about what all is covered in the Institute, you can view the course materials and resources for previous cohorts on the Library Freedom Project’s wiki. The third cohort is set to start in March 2020, and applications are due February 10th, 2020.

Ransomware – tell us your story

Libraries are no strangers to being the target of ransomware attacks. LDH is teaming up with Blake Carver to present “Held at Ransom: How Libraries Can Best Defend Against and Recover From Ransomware Attacks” at ALA Annual 2020 in Chicago. We are looking for your stories of dealing with ransomware at your library! We hope to gather information and stories that can help other libraries better prepare for ransomware attacks, as well as give them hope that there are ways to recover from the attacks. If you have a story to share, please fill out the form at https://forms.gle/i6J4vAN23GMR3Ez59.

Posted on

Beyond Web Cookies: WordPress, Plugins, and Privacy

Welcome to this week’s Tip of the Hat!

Previous posts in our series about web cookies, tracking, and privacy discussed ways that tracking applications such as Google Analytics can track website users across sites. We covered how using other Google-related products can put site user privacy at risk through third party data collection. This week we explore another area in which online user privacy might be compromised, and this area is one that libraries and library vendors are familiar with – WordPress.

WordPress is one of the most used content management systems – over 35% of the sites you visit on the Web use WordPress. Sometimes libraries need a website that works “out of the box”: install on a local server, pick a theme, edit some pages, and publish. Sometimes libraries choose to host a site on the WordPress.com commercial hosting service. Other times libraries use WordPress when they need a customized site to fit their libraries’ needs. Library vendors also work with WordPress by working with libraries to create customized WordPress sites and plugins.

WordPress is popular for a reason. It’s flexible enough to provide a good basic site with as little or as many customizations as the site owner sees fit. One of the ways WordPress achieves this flexibility is plugins. Because WordPress is Open Source, anyone can write a plugin and share the plugin with others. On the WordPress Plugin Directory site, there are almost 55,000 plugins to choose from, ranging from site statistics and analytics and form creators to social media integrations and email newsletter systems (for example, LDH uses MailPoet). The possibilities plugins bring to a library website are endless.

The same could be said about the ways that plugins can put your patrons’ privacy at risk. WordPress plugins have the potential to collect, retain, and even share your site users’ data to the creators of the plugin and other third parties. For example, some libraries might forego Google Analytics to use Jetpack or other WordPress statistics and site management plugins. What they might not be aware of is that site management plugins like Jetpack also use cookies, along with other tracking methods, to collect user data from your site.

These plugins can carry a security risk as well. WordPress plugins are used to compromise WordPress sites. One such hack happened with the GDPR compliance plugin in 2018 (the irony of this hack is not lost on LDH). What can you do to protect the privacy of your library and site users when using WordPress plugins?

  • Research the developer – some plugins are created by one person, while others are created by companies. Evaluating the developer can help with determining the trustworthiness of the plugin as well as uncover any potential privacy red flags.
  • Read the privacy policy – unfortunately, the Plugin Directory doesn’t have a standard spot for developers to publish their plugin privacy policy, which means that you will need to research the developer’s site. Jetpack has a general site regarding data collection and tracking which some might have skipped over if they didn’t search the support site.
  • Download plugins from trusted sources – the Plugin Directory is a good place to search for plugins, though this doesn’t relieve you from doing some homework before downloading the plugin.
  • Once you download the plugin:
    • Check and change any settings that might be collecting or sharing user data
    • Update the plugin regularly
    • If you no longer use the plugin, delete it from your site

This is only a small part of how you can use WordPress and still protect the privacy of your patrons. In a future installment of the series, we will talk about how you can be proactive in communicating privacy practices and options to your site visitors through WordPress.

Thanks to subscriber Carol Bean for the topic suggestion!