Holiday Privacy Reads and Videos

A one eyed black cat with cartoon antlers sitting and looking up.

The Executive Assistant wishes all of our subscribers and readers a happy holiday season!

We will be back at the start of the new year; in the meantime, here are some videos and long reads to keep you company as we go on our holiday break:

Have a safe and healthy rest of 2020!

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction to data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy. At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain... er, joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

Ch-ch-ch-ch-changes…

Welcome to this week’s Tip of the Hat!

We’ve been busy the last couple of weeks with website and newsletter changes, and now with the dust mostly settled from these changes, we’d like to give you an update about these changes.

Newsletter changes

LDH has been sending newsletters to your inbox for almost a year and a half. While it’s a convenient way to receive the latest privacy updates, searching and linking to these posts were less than convenient. To make access to our privacy updates easier for our subscribers and to the general public, we are proud to launch our Tip of the Hat blog!

What does this mean for newsletter subscribers? You will still receive the latest posts in your inbox. The greatest change is the ease of searching and accessing older posts. The majority of the newsletter archive has now been migrated to the blog, where you can search the archive in multiple ways: free text search, tags, and categories. Each post also has a shorter, permanent URL for easier sharing with your colleagues. We hope that this new blog will give you easier access to all the privacy news you can use!

Website changes

In addition to the blog, LDH has updated our website, including:

  • Services – updated list of services LDH provides for clients and examples of previous client work
  • About – updated list of library privacy work in the field, as well as adding a personnel entry for our Assistant to the Executive Assistant

We’re always looking for ways to improve the website, including content offerings. What would you like to find on the LDH website? Let us know by sending an email to newsletter@ldhconsultingservices.com and we’ll take it from there.

New ALA Guidelines and Zoom Update

Welcome to this week’s Tip of the Hat!

In case you missed it – last week ALA announced a trio of new guidelines for libraries concerned with patron privacy during the reopening process as well as libraries that use security cameras at their branches:

Guidelines for Reopening Libraries During the COVID-19 Pandemic – Theresa Chmara, J.D. guides libraries with planning reopening procedures and policies, including requirements around wearing masks, health screenings of both patrons and staff, and contact tracing. While these guidelines are not legal advice, these guidelines should inform your discussions with your local legal advisors.

Guidelines on Contact Tracing, Health Checks, and Library Users’ Privacy – This statement from IFC reaffirms the importance of patron privacy in the reopening process, including giving newly published guidelines around contact tracing at the library. The statement also directs libraries to the Protecting Privacy in a Pandemic Resource Guide, which brings together several privacy resources for libraries to incorporate into their reopening processes, as well as the expansion of existing patron services to online.

Video Surveillance in the Library Guidelines – Libraries that use security cameras should review their existing policies around camera placement, recording storage and retention, and law enforcement requests for recordings in light of the new guidelines. There are also sections around patrons filming library staff and other patrons which public libraries should review regarding staff and patron privacy and safety.

Take some time to review the above guidelines and discuss how these guidelines might affect your library’s reopening or use of security cameras in the building!

Zoom Update

Zoom reported that they will not provide end-to-end encryption for free-tier users so Zoom can comply with law enforcement. Now that you know how Zoom will respond to law enforcement requests, does their stance line up with your library’s law enforcement request policy, as well as your patron privacy policy? If not, how will your library adjust your use of Zoom for patron services? One option is to not use Zoom, but as we covered in previous newsletters, Zoom is arguably one of the more user-friendly video conferencing applications on the market. Nonetheless, there are alternatives out there that do a better job protecting privacy, including Jitsi. If you must use Zoom for patron services, check out the Zoom Security Recommendations, Settings List, and Resources document from LDH’s Remote Work presentation in April to help you secure your Zoom calls.

Choose Privacy Week Recap

Welcome to this week’s Tip of the Hat!

This weekend was hot in Seattle, with temperatures near 90 F. While the Executive Assistant took this time to bask in this heat, we at LDH tried to find a cool spot in the home office to work, away from the Executive Assistant’s gaze.

Last week was a busy week on the Choose Privacy Every Day site for Choose Privacy Week! Here’s what you might have missed:

  • Virtual Programming and Patron Privacy – Jaime Eastman along with the ALSC Children and Technology committee give much-needed guidance for library workers who are moving children-oriented programs and services online due to the pandemic. The post goes into the Children’s Online Privacy Protection Act (COPPA), and what library workers need to do to protect the privacy of children while keeping in compliance with COPPA. Bookmark the ALSC Virtual Storytime Services Resource Guide for additional guidance (coming soon!).
  • Protecting Privacy In A Pandemic: A Resource Guide – On Friday, May 8th, OIF hosted a Privacy Town Hall about patron privacy. While we wait for the recording of the Town Hall event, the blog post lists the main topics and resources covered by the panelists in the Town Hall.
  • When libraries become medical screeners: User health data and library privacy – Some libraries are now giving medical screenings to patrons who want to enter the library building. What privacy risks are there in collecting health data of your patrons? Read the article by LDH to find out why library workers might not be the best choice in handling health data.

Finally, if you have that one library privacy topic that you’ve been meaning to write about or if you want to share your privacy thoughts to a wide audience, Choose Privacy Every Day is looking for blog authors! There are some requirements for being an author for the blog, but this is a great opportunity to get your ideas and thoughts out into the library world.

That’s a wrap! Or, at least, the computer core temperature says it’s time to put the computer in the freezer. If you’re on the West Coast, stay cool, and for those of you who got snow on the East Coast, stay warm!

Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the purposes stated when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to give notice of the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

Two Reasons to Celebrate Privacy This Week

Welcome to this week’s Tip of the Hat! This week marks two important dates. The first date is this Tuesday! Data Privacy Day is a worldwide event to raise awareness as well as promote data privacy practices. Some last-minute ideas to celebrate #DataPrivacyDay at your library can include:

  • Posts to your library’s blogs, news feed, or social media about how patrons can protect their privacy online and at the library. Not sure what to share with your patrons? The User Tools section on the Choose Privacy Every Day site is a good place to start.
  • If you need a last-minute book/material display for your library, here is a list of materials from the Library Freedom Institute to help you seed your public display.
  • Cookies for your staff – with a catch, of course. If your library has a staff room or area, bring in some cookies to share and place some information about web trackers and cookies alongside the actual cookies.
  • Consider distributing How Did We Get Here?: A Zine About Privacy at the Library at your library, and have a brown bag lunch (or better yet, provide lunch) discussion about privacy practices at the library.
  • If you work with students, or if you have a student in your household (or if you’re a student yourself!), read up on students and privacy at https://studentprivacy.ed.gov/.

The second date marks the first anniversary of LDH Consulting Services! We launched at Midwinter 2019, aiming to provide libraries and library vendors guidance on all things library data privacy. It’s been a busy year getting the word out at our first ALA Annual, as well as word of mouth and this newsletter. This first year saw many training sessions, legislation reviews, and even a guest lecture or two! Thank you to everyone – our clients, supporters, newsletter subscribers – for helping LDH through the first year. We hope to serve the library and vendor community in protecting patron privacy for years to come.

Speaking of serving – LDH is still accepting projects and clients for Summer and Fall of 2020. We have a variety of training offerings for staff, including data lifecycle management, vendors and privacy, privacy impact assessments, and implementing privacy at your organization. LDH can also help you keep track of developing data privacy regulations in your state! With California’s new data privacy law in effect, many other states are looking to implement similar laws that can impact how libraries do business with vendors concerning patron privacy. If your organization needs that initial push in adopting best privacy practices or a review of existing privacy policies and practices, LDH is more than ready to help with that push.

The majority of our clients come to LDH through word of mouth, so we appreciate you all telling your colleagues about LDH and our services!

All Things Privacy At #alamw20

Welcome to this week’s Tip of the Hat! Are you prepared for ALA Midwinter in Philadelphia this week? If not, you’re not alone. LDH is ready to help you get the most out of #alamw20!

Before You Go

Here are some reminders as to how to protect your privacy while traveling and conferencing:

VPN? Check. AC wall charger or power bank for the phone? Check. Mental reminder to take off the conference badge outside of conference spaces? Check!

In the Exhibit Hall

Booth #1823 – Stop by and get a sneak peek of the upcoming Privacy Field Guides! These guides cover a variety of topics, including privacy audits and the data lifecycle.
Booth #864 – The Library Freedom Project will be answering any questions about the Institute (applications due February 10th) as well as handing out resources about protecting privacy at your library and community.

In the Schedule

Sunday, January 26th seems to be the day for privacy at Midwinter:

Intellectual Freedom Committee (IFC) Privacy Subcommittee Meeting; 8:30 AM – 10:00 AM; Room 111-A
Learn more about the current projects going on in the Privacy Subcommittee! You don’t have to be a member to attend the meeting.

Data and Diversity: Navigating the Ethics of Demographic Data in Inclusive Community Collections; 1:00 PM – 2:00 PM; Room 203-AB
Abstract: Librarians building local collections want to represent the diversity of their communities. When we use information about people’s identities to assess a collection’s inclusivity, how do we protect people’s privacy and respect their autonomy? We’ll discuss how we addressed these questions for local digital music collections at public libraries in Seattle and beyond.

We’ll share best practices we created, how we developed those practices, and how we continue to adapt them. We present our work with community data as a template for engaging with the complex and evolving issues facing librarians in an era of rapid technological and societal change.

LITA Top Tech Trends; 1:00 PM – 2:00 PM; Room 122-A
LITA’s Top Tech Trends is always a popular event, and privacy and security will most likely make their way into the panel discussion.

Data Abuse: Is There a Sustainable Solution to Help Notify Users of Egregious Data Abuses?; 4:00 PM – 5:00 PM; Room 204-C
Abstract: How can patrons easily understand the extent of data collection that results from their use of electronic resources? Often, the resource provider just wants to confirm a patron’s institutional affiliation, but some vendors require that users create an account, subscribe to a newsletter, or provide demographic information. At Cornell University Library, staff are exploring options for helping patrons easily understand data collection from electronic resources – a system that can be supported, shared, and used by all. In this discussion, we will explore our ideas so far, and seek input on how to make such a service sustainable.

LDH will not be at Midwinter this year, but we plan to be at Annual in Chicago. We hope to catch you then! In the meantime, safe travels to Philly, and enjoy all the privacy offerings Midwinter has to offer.

Last Week In Library Privacy: Evernote, LFI, and an Amendment to Weaken MI Library Privacy Law

Welcome to this week’s Tip of the Hat! Last week was a busy news week, and you might have missed an important update that could affect your library. Here are some of the major privacy news updates that you might have missed.

Evernote and law enforcement requests

Last week Motherboard reported that Evernote gave user data to law enforcement as part of a drug investigation. The company received a warrant from the Drug Enforcement Administration requesting user data, including notes that have been recently deleted by the user – the article noted that Evernote still retains data deleted by the user for some time.

While the case itself is not connected to a library, many library staff use Evernote and other cloud products for work, including creating work documents, spreadsheets, and presentations to share with other library staff. Also, staff use cloud products such as Google Forms and SurveyMonkey to collect patron information. Limiting the amount of patron data in cloud products can reduce the risk of that data being handed over to other third parties such as law enforcement. If you decide to use a third-party cloud product such as Evernote, review their law enforcement request policies and other policies surrounding the sharing of user data with other third parties.

Michigan library patron data law challenge

Michigan lawmakers are considering changing state library privacy laws. Senate Bill 611 seeks to amend existing law to allow for library directors to release patron information to law enforcement without a court order. The following text is the change that would allow for such disclosure:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

The law also allows for additional disclosures of patron information to third parties, such as collection agencies.

If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

(Thank you to OIF and Erin Berman for notifying us about this story!)

New web tracking guide

The Electronic Frontier Foundation (EFF) published Behind the One-Way Mirror, a comprehensive guide to web tracking. This guide goes into depth about the multitude of tracking methods, including mobile, web, and real-world user tracking. For readers who enjoyed the Web Cookies newsletters, this is a perfect resource to further explore the topic in depth.

LFI 2020 applications now open

The Library Freedom Institute is now accepting applications for its third cohort! This four-month institute allows library workers to learn more about privacy and libraries and to become privacy advocates in their libraries and their communities. If you are curious to learn about what all is covered in the Institute, you can view the course materials and resources for previous cohorts on the Library Freedom Project’s wiki. The third cohort is set to start in March 2020, and applications are due February 10th, 2020.

Ransomware – tell us your story

Libraries are no strangers to being the target of ransomware attacks. LDH is teaming up with Blake Carver to present “Held at Ransom: How Libraries Can Best Defend Against and Recover From Ransomware Attacks” at ALA Annual 2020 in Chicago. We are looking for your stories of dealing with ransomware at your library! We hope to gather information and stories that can help other libraries better prepare for ransomware attacks, as well as give them hope that there are ways to recover from the attacks. If you have a story to share, please fill out the form at https://forms.gle/i6J4vAN23GMR3Ez59.