Celebrating All Things Data Privacy

Happy early Data Privacy Day from LDH! Even though there might not be an opportunity this year to put cookies in the staff room as a way to educate staff about their less-than-tasty web counterparts, you can still celebrate this day at a safe distance. This January 28^th, celebrate the day with your colleagues and patrons with the following suggestions:

Want to know about the recent history and current issues around personal data but don’t have the time to go through the stack of books about the subject? The WIRED Guide to Your Personal Data (and Who Is Using It) provides a quick(ish) overview of the historical and current issues around personal data.
Review your privacy settings on popular websites and services. The National Cybersecurity Alliance created a list of the privacy setting pages of several major companies and services to help you, your colleagues, and patrons to get started.
We created a list of data privacy films and videos for a patron or staff watch party that you can use for planning virtual watch parties and discussions (popcorn not included).
Take some time on the Surveillance Self-Defense site to shore up basic data security on your devices and applications. Check out the Security Starter Pack if you don’t know where to begin. If you are a seasoned pro or are looking for something more advanced, SSD has you covered with a list of advanced guides for you to continue your learning.
Data privacy isn’t just for adults. Teen librarians can use Data Detox X Youth to teach preteens and teens about data privacy/security basics and navigating misinformation online.

This week also marks the second anniversary of the launch of LDH Consulting Services! 2020 proved to be a challenging year for everyone, including fledgling businesses such as ours. Thank you to all of our clients and supporters for your continuing support. You can check out some of the projects and workshops we completed in 2020 on our Services page. We will update the page with our 2021 projects and workshops materials – bookmark the page to keep on top of updates. We’re also accepting new projects and clients for the Fall and Winter 2021/2022 seasons. From privacy training and policy reviews to data audits and risk assessments, LDH can help your library or organization protect patron privacy in your data practices. Contact us to set up an initial consultation – we look forward to hearing from you!

January 19, 2021January 19, 2021

Stop Collecting Data About Your Patrons’ Gender Identity

A four-way stop sign in front of snow-covered tree branches. — Image source: https://www.flickr.com/photos/ben_grey/4383358421/ (CC BY-SA 2.0)

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

Longer tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity for library workers to do their daily work.

Nuanced tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity 99% of the time, and in that 1% where the data is required, you’re probably doing more harm than good in your collection methods.

This post is brought to you by yet another conversation about including gender identity data in patron records. Libraries collected this data on their patrons for decades; it’s not uncommon to have a “gender” field in the patron record of many integrated library systems and patron-facing vendor services and applications. But why collect this data in the first place?

Two explanations that come up are that gender identity data can be used for marketing to patrons and for reading recommendations. However, these explanations do not account for the problem of relying on harmful gender stereotypes. Take the belief that boys are reluctant readers, for example. Joel A. Nichols wrote about his experience as a children’s librarian and how libraries do more harm than help in adopting this belief:

These efforts presume that some boys are not achieving well in school because teachers and librarians (who are mostly women) are offering them books that are not interesting to them (because they are boys). I find this premise illogical and impracticable, in particular because I am queer: the things that were supposed to interest boys did not necessarily interest me, and the things that were supposed to interest girls sometimes did. Additionally, after years of working in children’s departments, I found over and over again that lots of different things interested lots of different kids. In my experience, it was the parents that sometimes asked for “boy books” or “girl books.” The premise that boys need special “boy” topics shortchanges librarians and the children themselves, and can alienate kids who are queer or genderqueer.

This collection of patron data can be used to harm patrons in other ways, such as library staff misgendering and harassing patrons based on the patron’s gender identity. A recent example comes from the 2019 incident where library staff repeatedly misgendered a minor patron when she was with her parent to sign up for her library card. While the library decided to stop collecting gender identity data on library card applications as a result of the incident, the harm done cannot be remedied as easily as changing the application form.

The ALA Rainbow Round Table recommends that libraries do not collect gender identity data from patrons unless absolutely needed. Since the recommendation in 2015, several libraries evaluated their collection of gender identity data only to find that they were not using that data. Collecting data for “just in case” opens library patrons to additional harm if the library suffers a data breach. If there is no demonstrated business need for a data point, do not collect that data point.

In the rare case that your library absolutely must collect data about the gender identity of your patrons (such as a requirement to report on aggregated patron demographic data for a grant-funded project), care must be taken in collecting this data to mitigate additional harms through alienation and exclusion. The Rainbow Round Table recommends the Williams Institute’s report “Best Practices for Asking Questions to Identify Transgender and Other Gender Minority Respondents on Population-Based Surveys” as a guide to collecting such data. The Williams Institute has also created a short guide to create survey questions around gender identity. Here are more resources that can guide respectful demographic data collection:

Again, the resources above are only for the rare case that your library absolutely must collect this data from your patrons. Libraries considering collecting gender identity data must review the rationale behind the collection. A patron should not be required to tell the library their gender identity to use the library’s collections and services. Even the act of collecting this data can harm and disenfranchise patrons.

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

January 11, 2021January 11, 2021

In Case of Emergency

A pull fire alarm with a sign next to it stating "Exit Alarm Only - this alarm does not summon the fire dept In case of Fire call 911" — Image source – https://www.flickr.com/photos/laurablume/5356203877 (CC BY ND 2.0)

Last Wednesday’s attempted insurrection at the US Capitol left many in various states of shock, despair, anger, and grief. As the fallout from the attempt continues to unfold, we are starting to learn more about the possible cybersecurity breaches that resulted from the attempt. Cybersecurity professionals, who are still trying to investigate the extent of the damage done by the SolarWinds attack weeks before, are now trying to piece together what could have been compromised when the mob entered the building. Stolen laptops and other mobile devices, unlocked desktop computers, paperwork left on desks – the immediate evacuation of congresspeople and workers meant that the mob had potential access to sensitive or confidential information as well as sensitive internal systems.

Leaving a desk, office, or service point immediately to get to safety is a real possibility, even for libraries. Active shooter training has become standard for many US organizations, joining common fire and severe weather drills where staff leave their workstations to head to safe areas. Other library workers have personal experience leaving their work station to get to safety; in one instance, someone I knew barricaded themselves in a work office with other library staff after a patron started attacking them at the information desk. Physical safety comes first. Nonetheless, this leaves information security and privacy professionals planning on how to mitigate the risk that comes with potential data and security breaches in these life-threatening emergencies.

Incident response planning and several cybersecurity strategies help mitigate risk during emergencies where staff immediately leave work areas. Preventative measures can include:

Encrypting hard drives on computers and mobile devices
Requiring multifactor authentication (MFA) for device and application access
Installing remote wipe software to wipe devices if they are reported missing or stolen
Not writing down passwords and posting them on computer monitors, keyboards, desks, etc.
Conducting an inventory of library staff computers and mobile devices (tablets, phones, etc.)
Setting up auto-lock or auto-logoff on staff computers after a few minutes of inactivity
Storing confidential or sensitive data in designated secured network storage and not on local hard drives or USB drives
Limit access to systems, applications, and data through user-based roles, providing the lowest level of access needed for the user to perform their daily work
Storing mobile devices and drives as well as sensitive paper documents in secured areas when not in use (such as a locked desk drawer or cabinet)

After the emergency, an incident response plan guides the process in responding to potential data breaches: containing the damage, removing the attacker from doing more damage, and how to repair the damage. The incident response plan also provides communication plans for users affected in the breach as well as any regulatory obligations for reporting to a government office or official.

All of this will involve a considerable amount of resources and time; however, the time spent in planning and in training (think the tabletop exercises mentioned in our post about gaming in cybersecurity training) will be less time spent after the fact where emotions and stress are running high, resulting in things being missed or falling through the cracks after the emergency.

January 4, 2021January 4, 2021

A Quick Data Privacy Check-in for The New Year

A small orange and white kitten sits on an Apple floppy drive, while a picture of a gray cat is displayed on an Apple monitor. — Image source: https://www.flickr.com/photos/50946938@N03/5957820087/ (CC BY 2.0)

Welcome to 2021! We hope that everyone had a restful holiday break. There might be some changes to your work environment for the new year that could affect the privacy and security of your patrons’ data. Let’s start this year off with a quick (and gentle) check-in.

Smart devices

Smartwatches, smart speakers, smart TVs – what new internet-enabled smart device has taken residence in your home, office, or even on your person? You might not know that these devices eavesdrop on your conversations and, in some instances, eavesdrop on what you type. If you are working with a patron or talking with a colleague that includes patron information, what smart devices are in listening range that weren’t before the new year?

Depending on the device, you might be able to prevent eavesdropping; however, other devices might not have this option. Disconnecting the internet from the device is also an option, but this might be more of a hassle than a help. The one sure way to stop a device from eavesdropping is to remove it from listening range, or, better yet, disconnecting the device from its power source.

Computers and mobile devices

A new year could mean a new computer or mobile device. If this is you, and if you are using a personal computer or mobile device for working with patrons or patron data, don’t forget to do the following while setting up your new device:

Install antivirus software (depending on your organization, you might have access to free or discounted software)
Install the VPN client provided by your organization
Install privacy-preserving tools and browser extensions
Enable auto-updates for the operating system and any applications installed on the device
Review the privacy and security settings for your operating system:
- Windows 10 – recommendations from Virginia Tech and Computerworld
- Mac and iOS devices – Apple recently published a document listing security and privacy settings on all Apple devices. The tl;dr summary by Lifehacker is a good resource if you’re not sure where to begin
- Android – Computerworld’s guide to Android privacy is long but worthwhile if you want a list of actions to take based on the level of privacy you want on your device. Also, visit Google’s Data Privacy Settings and Controls page to change your Google account privacy settings (because now is a good time as any to review Google settings).

Evergreen recommendations

Even if you didn’t get a new smart device or computer for the holidays, here are a few actions you can do with any device to start the new year right by protecting your and your patrons’ privacy:

Enable multifactor authentication when available
Start using a password manager and update your passwords
Update your security question answers
Go through the Remote Work and Library Data Privacy Crash Course Checklist to review your home office setup (more documents are available at https://is.gd/LDH_RemotePrivacy, as well as the recording in Google Drive).

Take a few moments this week to review privacy settings and risks – a moment of prevention can prevent a privacy breach down the road.