Tracking the Trackers: Blacklight

Welcome to this week’s Tip of the Hat!

Visiting a website almost always means that you will be tracked. Be it a cookie, or a script, or even an access log on the server that hosts the site, you will leave some sort of data trail for folks to collect, analyze, and use. However, it’s becoming increasingly difficult to track all the ways (pun semi-intended) a website is keeping tabs on you. What trackers should you be worried about the most? Which trackers should you allow in your browser? Are there any trackers that might track you even when you leave the site?

The Markup published Blacklight, the latest tool in the suite of tracker detection tools that allow users to discover the many ways a website is tracking users and collecting data in the process. In all, Blacklight reports on major tracking methods, including cookies, ad trackers, Facebook tracking, and Google Analytics. Blacklight also checks to find out if the website is taking your digital fingerprint on top of logging your keystrokes or session. The creators of the tool blogged about their development process, for those who want to nitty-gritty technical details on the development of the tool and how it works.

One unique feature of Blacklight is giving the user the ability to find out how a website tracks without having to visit the website. This is nothing new for folks who can write a script; however, Blacklight makes this process much easier to achieve for the majority of users who are otherwise visiting website after website to investigate how each website is tracking them. One example would be libraries performing privacy audits or reviews on library or vendor websites. Instead of having to potentially expose the worker to various tracking methods while auditing or dealing with different browsers and their settings during the auditing/testing process, the worker can work from a list of URLs and stay on one tab in their browser of choice.

There are some drawbacks if libraries want to use Blacklight as their main tracker detection tool. As mentioned above, Blacklight tracks major tracking methods, but the resulting report does not give much information beyond if Blacklight found something. Let’s take Hoopla for example. We entered the main site URL – www.hoopladigital.com – and Blacklight visited a random page…

A screenshot explaining how Blacklight accessed the Hoopla homepage, including two screenshots of the mobile version of the Hoopla home page and their privacy policy.
The irony of the random page chosen is not lost on us.

This is what Blacklight found:

  • Three ad trackers
  • Facebook tracking
  • Google Analytics cross-site tracking
  • Session logging (as well as possible keystroke logging)

However, the report only tells the user that these trackers are present. There is no information in the report about how to prevent session logging or blocking ad trackers. Instead, the user will need to go elsewhere for that information. The tool creators did create a post for users wondering what to do with the results, but this information is not front and center in the report.

Another drawback is that several library vendor URLS might not be able to be checked due to proxy or access restrictions. Let’s say you want to test https://web-a-ebscohost-com.ezproxy.spl.org/ehost/search/basic?vid=1&sid=e58a91f5-4f12-4648-991f-4bdc9ff8f94b%40sdc-v-sessmgr01 – the link to access an EBSCO database for a local public library. Blacklight will try to visit the website but will be stopped at the EZproxy login page every time. There is a possible way to work around this limitation by taking the source code from the two Blacklight Github repositories and reworking the code to allow for authentication during the testing process. However, it might be simpler for some libraries to visit the individual site with tracking detection and blocking browser add-ons, such as Privacy Badger, DuckDuckGo Privacy Essentials, and Ghostery.

Despite these drawbacks, Blacklight is useful in illustrating the prevalence of tracking on major websites. Library workers might use Blacklight alongside other tracking detection tools for privacy audits, provided that the library workers know the next steps in interpreting the results, such as comparing what they found to the privacy policy of the vendor or library to determine if the policy reflects reality. The tool would also be a welcomed addition to any digital literacy and privacy programming for patrons to demonstrate how websites can track users, even when a user leaves the website. Blacklight will most likely have updates and new features since the code is freely available, so it might be that some of these drawbacks will be addressed in an update down the road. But enough talking – take Blacklight out for a spin! First destination – your library’s homepage. 😉

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

Teaching Privacy in Information Literacy Sessions

Welcome to this week’s Tip of the Hat!

Summer is over, and for many library workers, the start of the fall season means an uptick of library instruction sessions and programs. Academic and school library workers who already face the challenge of creating and teaching “one-shot” instructional sessions have the added challenge of moving these sessions online instruction during a pandemic. With this move to online comes the increased use of learning management systems and other online tools and applications that collect, process, and share student data. This increase in use translates into an increased risk to student privacy, particularly while interacting with the library’s online services and programs, and this risk might not be readily apparent to students who are facing many stressors and challenges in their first few weeks into the new school year.

Navigating “one-shot” library instruction sessions or other short interactions between the library and the student is not easy; however, these instruction sessions and interactions also present the opportunity to raise awareness about data privacy and security. One way to take advantage of this opportunity is to move away from the mindset of approaching data privacy in library instructional sessions as “yet-one-more-thing” to teach in an already packed session. That’s not an easy task for anyone, even for those of us who are privacy advocates.

In their article “Privacy literacy instruction practices in academic libraries: Past, present, and possibilities“, Sarah Hartman-Caverly and Alexandria Chisholm surveyed academic library workers and their experiences incorporating privacy into their instructional sessions. Out of 80 respondents, over one-third reported not including privacy topics in their library instruction sessions. Even those who include privacy topics in their instruction were not satisfied with privacy instruction at their institutions, with the majority being neutral or somewhat dissatisfied. This dissatisfaction stems from a variety of factors, with 80% of 55 respondents (n=44) stating that they do not have enough instructional time to cover privacy. This is the reality of many library instructors overall and requires a radical departure of how libraries traditionally deliver library instruction to students, as well as working with faculty and staff in developing and delivering this instruction.

What caught our attention at LDH is the second factor that almost 62% of survey respondents (n=34) identified as to why they are dissatisfied with privacy instruction – “Privacy is not a priority learning outcome for IL sessions”. What can make privacy a priority, then? Again, this requires a radical departure of how libraries approach information literacy (IL), but it also requires an examination of the priorities of the individual library as well as the professional frameworks library workers use to inform their approach to IL and pedagogy. While ALA’s Library Bill of Rights explicitly states privacy as a patron right, the ACRL Framework for Information Literacy for Higher Education only includes one mention of privacy concerning “issues related to privacy and the commodification of personal information.” Privacy is much more than the commodification of personal information, but the Framework does not reflect this reality. The lack of guidance in the Framework, as well as the dearth of concrete case studies of privacy in IL in the LIS literature noted by Hartman-Caverly and Chisholm, leave IL instructors little to work within a time where privacy instruction is more vital than ever.

Hartman-Caverly and Chisholm give their readers some guidance in their privacy literacy case study as well as their recommendations for addressing the barriers noted by survey respondents. The literature review of the article is another resource to glean strategies in bringing privacy into IL practices.

For those who are still struggling in thinking about how to incorporate privacy into an already packed lesson plan, think about this – what library resources and apps are you teaching to your students? Library systems and applications, particularly third-party apps and resources, also collect, process, and share patron data. Talking about digital data privacy and security in the context of using library services and resources can be one way to introduce students to privacy literacy while educating patrons about the library’s privacy practices. This approach to privacy literacy in “one-shot” instructional sessions can be strengthened by offering patron data privacy services such as the services provided by Cornell University; nonetheless, using the library’s own resources and tools when talking about privacy is a start for library instructors who are short on time.