Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the purposes stated when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform people about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

#dataspringcleaning, Home Office Edition

Welcome to this week’s Tip of the Hat!

The trees outside the LDH office are now covered in leaves, the tulips and daffodils are blooming, and the grass has started growing again. All of which means one thing – allergy season Spring Cleaning Season! Or, as we at LDH like to call it, #dataspringcleaning season.

We covered the basics of #dataspringcleaning in a previous newsletter; however, determining if your data sparks joy might be a challenge this year given the state of current affairs. For this year’s #dataspringcleaning season, here’s a short cleaning list for your newly minted home office to help you in your data cleaning efforts.

Paper documents

Shred! If you don’t have a shredder at home, you have a couple of options:

  • Store documents for shredding at the office in a secured place in your home away from housemates.
  • Buy a shredder for your home. Look for a shredder that can shred at or above Level P-4. Having a shredder at home not only helps you protect patron privacy but also your privacy now that you have a convenient way to shred your personal documents and files.

Shredded paper should not go into your recycling bin – it’s most likely that your recycling center cannot accept shredded paper. In King County (where LDH is located) residents are instructed to use shredded paper for composting. You can also take a few handfuls of shredded paper to top off any garbage cans before closing up the garbage bag when you take the garbage out. Check with your local solid waste and recycling departments for more guidance about disposing of shredded paper.

Electronic equipment

  • Store patron data on work storage or equipment when necessary. Do not use personal hard drives, flash drives, or other personal storage devices to store patron data.
  • Do a quick data inventory of any personal cloud storage services you use, such as Google Drive or Evernote.
    • What patron data do you have stored in those services?
    • Can you migrate that data to work storage?
    • What data do you need to keep, and what data can be deleted?
  • If you have your work computer at home, now would also be a good time to do a data inventory of what’s stored on the local drive.
  • Remember, deleting a file doesn’t mean that the file is deleted! There are many programs available to help you permanently delete files.
  • If you do end up having to retire a physical disk or drive that held patron data, what tools do you have in your home toolbox? You most likely have a hammer, but you can also get creative depending on what’s available… we’ve mentioned power drills before, but perhaps you might want to try out the nail gun. Remember – safety first!

#dataspringcleaning at home is a good way to spend the time between meetings or to begin or end your workdays at home. A little bit of cleaning each day adds up to help protect patron privacy 🙂 Happy cleaning!

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that are easy to remember – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you, as well as generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.
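To show how the Diceware method works and how much strength each word adds, here is an added example that is not part of the original newsletter. The function names and the stand-in wordlist are constructed for illustration; real use would load a published Diceware wordlist file instead.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                 # Diceware: five six-sided dice pick one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries in a complete list


def load_wordlist(lines):
    """Parse 'NNNNN<tab>word' lines; skip anything else (e.g. signature wrappers)."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD \
                and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    if len(table) != LIST_SIZE:
        # A short list silently weakens every passphrase drawn from it.
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    return table


def roll_key():
    """Five dice rolls as a key such as '31546', drawn from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(table, words=6):
    """Pick each word independently; never re-roll to get a 'nicer' phrase."""
    return " ".join(table[roll_key()] for _ in range(words))


def entropy_bits(words, list_size=LIST_SIZE):
    """Entropy of a phrase of uniformly chosen words: words * log2(list_size)."""
    return words * math.log2(list_size)


def constructed_wordlist():
    """Constructed stand-in list ('w11111' ... 'w66666'), not a real Diceware list."""
    return [f"{''.join(k)}\tw{''.join(k)}" for k in product("123456", repeat=5)]


if __name__ == "__main__":
    table = load_wordlist(constructed_wordlist())
    print(passphrase(table))
    print(f"{entropy_bits(6):.1f} bits for six words")
```

Each word contributes about 12.9 bits, so the strength comes from the number of randomly chosen words, not from how unusual any single word looks.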

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than the risks of using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you need to consider not only the severity if a risk is realized but also the likelihood that it will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks: using multiple password managers to store different types of passwords and other sensitive information, or using the password manager only to manage passwords and not to store any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.

In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. Whether you stick with a free plan/manager or move to a paid plan depends on your needs and your comfort level.

With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of last week’s webinar in Google Drive. Resources and handouts for the webinar can be accessed at https://is.gd/LDH_RemotePrivacy.

More Zoom Updates and Free Webinar About Remote Work and Data Privacy

Welcome to this week’s Tip of the Hat!

Zoom has had one of those weeks. Since we wrote about Zoom’s privacy issues last week, the number of additional privacy issues has skyrocketed. It’s gotten to the point where there are news articles just trying to keep track of all these updates. Even those articles are struggling to keep up. On March 31, TechCrunch published an article that listed the known privacy issues at that time, including the misleading advertising of true end-to-end encryption for voice chats, but the article came out a day before an article about zero-day bugs found by an ex-NSA hacker that could allow access to passwords and webcam/mic control if someone had physical access to the computer. Then the next day we learned that Zoom leaked LinkedIn data to other users. Additional reports suggest that Zoom is a very good target for intelligence gathering and interceptions for various governments.

Like we said – it’s hard to keep up with all the updates! Security expert Bruce Schneier’s writeup on Zoom is the most up to date list at the time of this writing.

The best option, in this case, is not to use Zoom, right? Unfortunately, it’s not that clear cut. A conversation on Twitter about Zoom brought up the point that Zoom fares better than other web conferencing software in terms of screen reader access. While Zoom might be a hot mess when it comes to privacy, it still provides access to those who otherwise wouldn’t have it with other options. Workplaces complying with privacy and accessibility regulations find themselves in a tightrope act, trying to protect employee and patron privacy while at the same time providing tools that their staff can use. Zoom announced that they are addressing the privacy and security issues, which, if the company follows through on their promise, would solve the issue in the short term. The longer-term issue remains, however: web conferencing software with better privacy practices is not accessible for users, including library workers.

For now, the best you can do is to lock down your Zoom meetings as much as possible and to review user and administration settings to ensure that all privacy and security settings are enabled. Some universities have created publicly accessible guides to more secure Zoom meetings, such as this guide from the University of Washington, as well as FAQs on privacy and security, that can help you formulate messaging to library staff about using Zoom.

Webinar on remote work and data privacy, April 9th

LDH Consulting Services is proud to sponsor this week’s LITA webinar “A Crash Course in Protecting Library Data While Working From Home”. This free webinar will provide strategies and actions in protecting patron privacy for library workers working from home, as well as some of the longer-term implications to patron privacy with libraries moving all essential operations and patron services online for the foreseeable future. Attendees will have the opportunity to share what they are doing to protect data privacy while working from home. Register today!