Hat Tip: Latanya Sweeney, Ph.D.

Welcome to this week’s Tip of the Hat!

Many of you might be preparing the last public displays for Black History Month or setting up the first set of Women’s History Month displays. If you need to add one more person to feature in either or both displays, or if you wish to know more important black women in STEM, you’re in luck! Today’s newsletter is a quick introduction to one of the major players in the data privacy field, Latanya Sweeney, Ph.D.

Latanya Sweeney is a Professor of Government and Technology in Residence at Harvard University and the founding director of Harvard’s Data Privacy Lab. She is also the first African American woman to receive a Computer Science Ph.D. from MIT. Sweeney has made many major contributions to the technology field, but the one best known among privacy professionals is her work on k-anonymity. Her work on the re-identification of individuals through data has prompted many in the privacy field to reassess the concept of anonymization. For example, in a study published in 2000, Sweeney found that 87% of the US population can be identified based on zip code, gender, and date of birth. Health data is also an area in which Sweeney has shown again and again how easy it can be to re-identify data that used certain anonymization methods.

Other parts of Professor Sweeney’s work delve into how data can be used to discriminate, including her work on the discrimination found in online ad delivery. The projects page for the Data Privacy Lab and the various tools on the home page show the vast array of research areas under Sweeney’s direction of the Lab.

Did we mention that she was also the Chief Technologist at the FTC in 2014?

Some recent talks and panels include:

We leave you with an excerpt from a 2007 interview from Scientific American where many can appreciate Sweeney’s approach to privacy:

[Walter] Why is privacy versus security becoming such a problem? Why should we even care?

[Sweeney] (Laughs) Well, one issue is we need privacy. I don’t mean political issues. We literally can’t live in a society without it. Even in nature animals have to have some kind of secrecy to operate…. There’s a primal need for secrecy so we can achieve our goals.

Privacy also allows an individual the opportunity to grow and make mistakes and really develop in a way you can’t do in the absence of privacy, where there’s no forgiving and everyone knows what everyone else is doing… With today’s technology, though, you basically get a record from birth to grave and there’s no forgiveness. And so as a result we need technology that will preserve our privacy.

A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of its Privacy Framework. The purpose of the framework is to create a holistic approach to managing privacy risks in an organization. The Framework differs from other standards in that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by whom, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim. A Current Profile lists the Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.

The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that address the realities of their organization as well as Target Profiles that incorporate standards and regulations specific to their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease the apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give the NIST Privacy Framework some consideration.

Data Discounts

Welcome to this week’s Tip of the Hat!

At LDH we have been known to have a sweet tooth – there are always four to five different types of sweets within reach of the office desk. Therefore, it shouldn’t come as a surprise to our newsletter readers that when presented with the option to get a free cup of Heart Eyes (red velvet cookie dough, white chocolate chips, and heart sprinkles) from a local edible cookie dough vendor, LDH took full advantage of the opportunity to indulge.

The free cup of dough came with a catch, though. The free dough was part of a grand opening celebration for a co-working space. To receive the free dough, you had to give your email address to the co-working space company. Here we have a dilemma – what are the privacy tradeoffs that I’m willing to make for cookie dough?

Multiple times a day we find ourselves asking similar questions – what are the privacy tradeoffs that we’re willing to make for discounts at our favorite store, or a particular brand, or other business? What are the privacy tradeoffs you’re willing to make for everyday items or essential services? A recent opinion piece in The New York Times illustrates this tradeoff with a fictionalized company that finds its inspirations from many different sources, from grocery store loyalty cards to checking in at a store location or posting a brand marketing hashtag on social media. The story also touches on how surveillance and tracking disproportionally affect vulnerable populations, such as those who can’t afford basic services without giving up their data to receive a discount. A real-life example of this happened to LDH. We received an offer from our health insurance company to sign up for a discounted Amazon Prime account that was only available to those receiving insurance through the state health insurance marketplace (we declined the offer).

You can choose to not trade your data for discounted goods and services, though it is getting harder to avoid this data transaction when paying for goods and services, or if you interacted with a business through their website or social media. Even going to a physical store location can involve a data transaction if the business is using beacons to seek out your mobile phone WiFi or Bluetooth signal or using facial recognition technology at their store. If the only way that you can afford health or car insurance is to install a tracking device in your car or to provide data from your health app, then your data is paying for that cash discount.

Currently, you have limited options to protect your privacy when dealing with health and car insurance companies. For other businesses, though, there are some ways you can limit how much data you give to them:

Using one or more of these strategies can limit the amount of personal data collected on you by the business while still receiving the financial incentives provided by the company.

Going back to our “free” cookie dough situation, the co-working space company did get an email address (used for promotions) from us, but nothing more, even though the email form included fields for name, address, and phone number. We got our cookie dough, the company got an email address that will promptly toss their promotional emails into a filtered folder, followed by an unsubscribe request. The things that we will do for free cookie dough…

NISO Cybersecurity webinar, February 12th

Come join LDH and others on Wednesday, February 12th, for a webinar discussion on cybersecurity!

NFAIS Forethought: Cybersecurity: Protecting Your Internal Systems
Every organization, as a standard course of action, should be implementing protection policies and updating protective measures surrounding their confidential data and internal systems. Phishing and malware are a constant threat. As a response, reliable cybersecurity requires an integrated approach in ensuring the safety of networks, devices, and data. How should enterprises and institutions be thinking about their cybersecurity needs? What basic requirements should be in place? What guidelines or best practices exist? What are the best resources? This roundtable discussion will bring together experts active in the field to address these and other questions.

Confirmed participants in this roundtable discussion include: Daniel Ayala, Founder, CISO/Chief Privacy Officer, Secratic; Blake Carver, Senior Systems Administrator, LYRASIS; Becky Yoose, Principal, LDH Consulting Services; Hong Ma, Head, Library Systems, Loyola University of Chicago; Wayne Strickland, Acting Associate Director at Department of Commerce, National Technical Information Service; Christian Kohl, Principal, Kohl Consulting.

NISO members can attend the webinar for free; non-members can also register for the webinar at https://www.niso.org/events/2020/02/nfais-forethought-cybersecurity-protecting-your-internal-systems. We hope to see you there!

Privacy Film Party

Welcome to this week’s Tip of the Hat!

Even if the groundhog in your area didn’t see their shadow yesterday, we in the Northern Hemisphere still have a long winter ahead of us. How will you spend the long winter nights for the next few months? Might we suggest that you stay inside where it’s warm and watch a film? Better yet, make that film about privacy! Here are some privacy film recommendations depending on what you’re looking for:

For library programming about data and privacy – Screening Surveillance [Content warning – suicide, mental health illness] is a grant-funded project to raise awareness around big data and surveillance. The project produced three short films – 10 minutes in length each – approaching specific issues of data sharing, data ownership, and sensor and facial recognition software. These three short films come with facilitation guides that help audiences process and discuss the specific issues raised in each film.

For a succinct introduction to general privacy concepts – Privacy International’s Privacy 101 is a series of short animated videos introducing viewers to the concept of privacy as well as various topics in privacy, including metadata, big data, and data protection. These videos are a good way to acquaint someone with privacy concepts in short, bite-sized portions. They are short enough that you can use them in staff training or discussions around privacy, as well as any public programming around data security and privacy.

For when the college instructor gives you the entire class session to teach their class about privacy – The Power of Privacy by The Guardian is a 30-minute documentary about the major challenges to privacy in the digital age. The film provides a balance between the historical “how did we get here?” and the present and near-future realities of data privacy. Library workers have choices in using this film to teach privacy, either by choosing to show segments to focus on specific topics, like phishing or IoT, or show the entire film for a holistic view of the current issues around data privacy.

For the library worker who is trying to navigate student privacy – Student privacy is governed by additional regulations, such as FERPA, which makes protecting student patron privacy more complex in academic and school libraries than in other libraries. The School Safety and Privacy video series from Future of Privacy Forum delves into this complex topic, including approaching the creation of policies, digital equity, facial recognition in schools, and how to talk to administrators and leadership about privacy matters.

BONUS! If you want more videos on student privacy, The Student Privacy Resource Center has a playlist to meet your additional student privacy video needs.

Finally, an artistic philosophical video for your night off – Philosophy Tube’s video on Data [NSFW – language, adult topics] gets into data, surveillance, algorithms, machine learning, structural inequality, targeted advertising, monetization of data, consent, notice, data rights, and how technology shapes society and how society shapes technology (phew!). All of this takes place in a 30-minute discussion-turned-machine-learning-simulation between a bouncer and a person in front of a nightclub.

There are plenty of other videos and films on privacy not covered here, but these recommendations are just a start. If you have a privacy-related film or video that you like, reply to this email and we’ll provide a list of subscriber-recommended videos in a future newsletter.