All Things Privacy At #alamw20

Welcome to this week’s Tip of the Hat! Are you prepared for ALA Midwinter in Philadelphia this week? If not, you’re not alone. LDH is ready to help you get the most out of #alamw20!

Before You Go

Here are some reminders as to how to protect your privacy while traveling and conferencing:

VPN? Check. AC wall charger or power bank for the phone? Check. Mental reminder to take off the conference badge outside of conference spaces? Check!

In the Exhibit Hall

Booth #1823 – Stop by and get a sneak peak of the upcoming Privacy Field Guides! These guides cover a variety of topics, including privacy audits and the data lifecycle.
Booth #864 – The Library Freedom Project will be answering any questions about the Institute (applications due February 10th) as well as handing out resources about protecting privacy at your library and community.

In the Schedule

Sunday, January 26th seems to be the day for privacy at Midwinter:

Intellectual Freedom Committee (IFC) Privacy Subcommittee Meeting; 8:30 AM – 10:00 AM; Room 111-A
Learn more about the current projects going on in the Privacy Subcommittee! You don’t have to be a member to attend the meeting.

Data and Diversity: Navigating the Ethics of Demographic Data in Inclusive Community Collections; 1:00 PM – 2:00 PM; Room 203-AB
Abstract: Librarians building local collections want to represent the diversity of their communities. When we use information about people’s identities to assess a collection’s inclusivity, how do we protect people’s privacy and respect their autonomy? We’ll discuss how we addressed these questions for local digital music collections at public libraries in Seattle and beyond.

We’ll share best practices we created, how we developed those practices, and how we continue to adapt them. We present our work with community data as a template for engaging with the complex and evolving issues facing librarians in an era of rapid technological and societal change.

LITA Top Tech Trends; 1:00 PM – 2:00 PM; Room 122-A
LITA’s Top Tech Trends is always a popular event, and privacy and security will most likely make their way into the panel discussion.

Data Abuse: Is There a Sustainable Solution to Help Notify Users of Egregious Data Abuses?; 4:00 PM – 5:00 PM; Room 204-C
Abstract: How can patrons easily understand the extent of data collection that results from their use of electronic resources? Often, the resource provider just wants to confirm a patron’s institutional affiliation, but some vendors require that users create an account, subscribe to a newsletter, or provide demographic information. At Cornell University Library, staff are exploring options for helping patrons easily understand data collection from electronic resources – a system that can be supported, shared, and used by all. In this discussion, we will explore our ideas so far, and seek input on how to make such a service sustainable.

LDH will not be at Midwinter this year, but we plan to be at Annual in Chicago. We hope to catch you then! In the meantime, safe travels to Philly, and enjoy all the privacy offerings Midwinter has to offer.

Last Week In Library Privacy: Evernote, LFI, and an Amendment to Weaken MI Library Privacy Law

Welcome to this week’s Tip of the Hat! Last week was a busy news week, and you might have missed an important update that could affect your library. Here are some of the major privacy news updates that you might have missed.

Evernote and law enforcement requests

Last week Motherboard reported that Evernote gave user data to law enforcement as part of a drug investigation. The company received a warrant from the Drug Enforcement Administration requesting user data, including notes that have been recently deleted by the user – the article noted that Evernote still retains data deleted by the user for some time.

While the case itself is not connected to a library, many library staff use Evernote and other cloud products for work, including creating work documents, spreadsheets, and presentations to share with other library staff. Also, staff use cloud products such as Google Forms and SurveyMonkey to collect patron information. Limiting the amount of patron data in cloud products can reduce the risk of that data being handed over to other third parties such as law enforcement. If you decide to use a third-party cloud product such as Evernote, review their law enforcement request policies and other policies surrounding the sharing of user data to other third parties.

Michigan library patron data law challenge

Michigan lawmakers are considering changing state library privacy laws. Senate Bill 611 seeks to amend existing law to allow for library directors to release patron information to law enforcement without a court order. The following text is the change that would allow for such disclosure:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

The law also allows for additional disclosures of patron information to third parties, such as collection agencies.

If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

(Thank you to OIF and Erin Berman for notifying us about this story!)

New web tracking guide

The Electronic Freedom Frontier (EFF) published Behind the One-Way Mirror, a comprehensive guide to web tracking. This guide goes into depth about the multitude of tracking methods, including mobile, web, and real-world user tracking. For readers who enjoyed the Web Cookies newsletters, this is a perfect resource to further explore the topic in depth.

LFI 2020 applications now open

The Library Freedom Institute is now accepting applications for its third cohort! This four-month institute allows library workers to learn more about privacy and libraries and to become privacy advocates in their libraries and their communities. If you are curious to learn about what all is covered in the Institute, you can view the course materials and resources for previous cohorts on the Library Freedom Project’s wiki. The third cohort is set to start in March 2020, and applications are due February 10th, 2020.

Ransomware – tell us your story

Libraries are no strangers to being the target of ransomware attacks. LDH is teaming up with Blake Carver to present “Held at Ransom: How Libraries Can Best Defend Against and Recover From Ransomware Attacks” at ALA Annual 2020 in Chicago. We are looking for your stories of dealing with ransomware at your library! We hope to gather information and stories that can help other libraries better prepare for ransomware attacks, as well as give them hope that there are ways to recover from the attacks. If you have a story to share, please fill out the form at

Last Minute Panic: A CCPA Update

Welcome to this week’s Tip of the Hat!

We hate to break it to you, but there are only a few weeks left in 2019. Do you know what that means? That’s right – only a few more weeks before the California Consumer Privacy Act comes into effect. A lot has happened since our first newsletter about the CCPA in March, so let’s take some time to catch everyone up on the need-to-knows about CCPA as we head into 2020.

Everything and nothing have changed

Lawmakers introduced almost 20 amendments in the past few months in the State Legislature, ranging from grammatical edits to substantial changes to the CCPA. In the end, only a handful of amendments were signed by the state governor, all of which do not substantially change the core of CCPA. There are now a few exceptions to CCPA with the amendments, such as employee data, but that’s the extent to the changes introduced into the Act going into 2020.

However, this doesn’t mean that we won’t see some of the stalled or dead amendments come back in the next legislative session. Expect additional amendments in the coming year, including new amendments that might affect regulation and scope of the Act.

What you need to know about regulation and enforcement

In October 2019, the California Attorney General office published a draft set of regulations of how their office will enforce CCPA. While the public comment period is open until December 6th, many businesses are taking the regulations as their new playbook in preparing for CCPA compliance.

“Household” dilemma

The problematic definition of “personal information” remains… problematic. The amendment that sought to remove “household” from the definition stalled in the State Legislature. The regulations address the handling of household information to a small extent. If someone requests access to personal information, including household information, the business has the option to give aggregated data if they cannot verify the identity of the requester.

Again, this broad definition has ramifications regarding patrons requesting information from library vendors. Libraries should work with library vendors in reviewing confidentiality and privacy policies and procedures and discuss the possible impact this definition will have on patron privacy.

Hello, COPPA!

One of the major elements of CCPA is the regulations surrounding collecting and processing personal information from anyone under 16 years of age. CCPA requires businesses to get affirmative authorization from anyone 13 years old up to 16 years old before the business can sell their personal information. To comply with the new requirement, many businesses might now have to collect or otherwise verify the age of the online user. This leads into the realm of the Children’s Online Privacy Protection Act (COPPA) – now that the business has actual knowledge of the online user’s age, more businesses could be subject to liability under COPPA.

This could lead to another tricky conversation for libraries – library vendors who fall under CCPA collecting additional patron data for compliance. Collecting and processing patron data is sometimes unavoidable due to operational needs, but it’s still worthwhile to ensure that the data is properly secured, processed, and deleted.

Do Not Track, for real this time

Do your browsers on your library public computers have “Do Not Track” turned on by default, or have other browser plugins that prevent tracking by third parties? If not, here’s another reason to do so – the regulations state that “If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request…” So get installing those privacy plugins already!

Do we have to comply with CCPA?

It depends on who the “we” is in this question. As of now, most California libraries are most likely out of the scope of CCPA (though, as Joshua Metayer pointed out, the CCPA gives no guidance as to what is considered a for “profit” business). Library vendors will most likely have to comply if they do business in California. Some businesses are trying to keep CCPA compliance strictly to CA residents by setting up a separate site for California, while other businesses, such as Microsoft, plan to give all US residents the same rights CA residents have under CCPA.

We’ve only covered a section of what’s all going on with CCPA – there’s still a lively debate as to what is all entailed by the definition of “sale” in regards to personal information which is a newsletter in itself! We also could have an entire newsletter on CCPA 2.0, which is slated to be on the November 2020 ballot. California continues to be a forerunner in privacy law in the US, and the next year will prove to be an important one not only for everyone under the scope of CCPA but for other states looking to implement their CCPA-like state law.

Privacy Regulation Update from #PSR19

Welcome to this week’s Tip of the Hat! The temperature in Las Vegas in September is still hot, but LDH survived the heat while attending the Privacy. Security. Risk. 2019 conference hosted by the International Association of Privacy Professionals. Thousands of privacy professionals from a variety of backgrounds came together to share their knowledge and experiences in implementing privacy in their workplaces. Some of the presentation slides and materials are already available on the schedule page, so feel free to browse.

The California Consumer Privacy Act was on everyone’s minds and in conversations at PSR, and for good reason – enforcement begins in about three months. The amendments process is all but wrapped up, and now businesses are scrambling to be in full compliance by January 1st, 2020. Libraries do not fall under the scope of CCPA; however, library vendors who do business in California and meet certain criteria fall under the scope of CCPA.

CCPA wasn’t the only waves California made at PSR. Last week the same group that sparked the creation of CCPA proposed a new ballot initiative, the California Privacy Rights and Enforcement Act, slated for a 2020 ballot. This initiative provides additional protections to consumers on top of what CCPA already provides:

  • Rights surrounding use and sale of sensitive data such as health, race/ethnic, and location data
  • Require opt-in consent for data collection from consumers under 16 years of age
  • Require businesses to be more transparent about the use of algorithms or automatic creation of profiles from data, as well as the use of profiles in decision making

Again, while libraries are most likely not in the scope of CPREA, library vendors will need to keep track of the progression of this new initiative.

But enough about California. What are the other states doing? Take a look at “CCPA and Its Progeny: States Take Control While Congress Weighs a Broad New Law” where you will get a broad overview of privacy regulations in other states. Many states are poised to either introduce or pass privacy legislation modeled off of CCPA or GDPR in the next year. Without a general data privacy law on the federal level, many states are filling in the gaps as they did with data breach response regulations. Currently, you have 50+ different laws (including Puerto Rico) to comply with when responding to a data breach! We might reach the same situation with data privacy regulation if the federal government does not pass a data privacy bill that preempts state law. Don’t expect a federal bill to be passed during a presidential election year, though. The soonest we might have a chance for a federal bill to pass will be two to three years’ out, which gives states more than enough time to pass their own bills.

In any case, 2020 will be another busy year for privacy regulation, and LDH will keep you updated on the most relevant information for libraries and vendors.

Ransomware, CS and Privacy, and #FollowMonday

Welcome to this week’s Tip of the Hat! Summer is in full swing this August, and the Executive Assistant is contemplating where would be the coolest place in the office to park herself to work. While she roams the office and while I make sure she doesn’t make a small blanket fort connected to the office refrigerator, here are a couple of quick links and updates in the privacy and library worlds to start your week.

A refrigerator with its door open, and a green tent set up in front of the open door.
Ransomware strikes another library system

Last month, the Butler County Federated Library System in Pennsylvania became the latest library system to succumb to ransomware. As a result, the system has gone back to using paper to track circulation information. Like other ransomware attacks, the system might have to rebuild their online infrastructure if they are unable to retrieve the ransomed data.

If your library hasn’t been hit with ransomware yet, the best defense against ransomware is to prevent it from taking over your system. Awareness programs and information security training can help with educating staff about the ways that ransomware and other viruses and malware can infiltrate the library system, and regular reminders and updates can also help keep staff current on trends and new infosec practices.

Training can only go so far, though, and having a plan in place will not only help mitigate panic when ransomware takes over a system, but also mitigate any overlooked vulnerabilities concerning patron data privacy. For example, while libraries have used paper for decades to track circulation information, automation in the last few decades has taken over this process. Making sure that staff are trained and have current procedures in handling sensitive patron data in paper format – including storage and disposal – can help protect against inadvertent privacy breaches.

H/T to Jessamyn West for the link!

Is it time for Computer Science curriculums to prioritize privacy?

In an op-ed in Forbes, Kalev Leetaru argues that CS curriculum should follow the way of library and information science and emphasize privacy in their programs. Near the end of the article, Leetaru illustrates the struggle between privacy and analytics:

Privacy naturally conflicts with capability when it comes to data analytics. The more data and the higher resolution it is, the more insight algorithms can yield. Thus, the more companies prioritize privacy and actively delete everything they can and minimize the resolution on what they do have to collect, the less capability their analytics have to offer.

This represents a philosophical tradeoff. On the one hand, computer science students are taught to collect every datapoint they can at the highest resolution they can and to hoard it indefinitely. This extends all the way to things like diagnostic logging that often becomes an everything-or-nothing concept that has led even major companies to have serious security breaches. On the other hand, disciplines like library and information science emphasize privacy over capability, getting rid of data the moment it is safe to do so.

What do you think? Would emphasizing privacy in CS programs change current data privacy practices (or lack thereof) in technology companies?

#FollowMonday – @privacyala

Keeping up with all the latest developments in the privacy field is a challenge. There is so much happening that it can be a full-time job to keep up with all the developments. ALA’s Choose Privacy Every Day Twitter account can help you sift through all the content in a nicely packaged weekly post of the major developments and updates in the privacy world, be it in libraries or out there in the world. You can find out about new legislation, tools to help protect your patrons’ privacy, and yes, there is a section to keep up with the latest data breaches.

Privacy in the News: LinkedIn and the “Like” Button

Welcome to this week’s Tip of the Hat! We have various updates from around libraryland and beyond, so let’s start the week by catching you up on important news and developments.

LinkedIn Learning Stalemate

Last week we learned that negotiations between ALA representatives and LinkedIn Learning stalled over the proposed changes the company plans to implement later this year that would require users to create a LinkedIn profile to access LinkedIn Learning resources. ALA released a public statement to LinkedIn Learning to reconsider their changes, while a petition on EveryLibrary is collecting signatures of libraries and library staff who will not renew (or will consider not renewing) their contracts with LinkedIn Learning in light of this upcoming change. The list of libraries committed to not renewing the service grows, with state libraries getting into the fray.

The story has also found its way to various news outlets:

LinkedIn Learning has directed those seeking comment for the recent statements from ALA and libraries to a blog post from June 2019, which doesn’t give much in the way of addressing the concerns raised in the recent weeks.

Time to rethink the embedded “Like” button?

Today, the Court of Justice for the European Union delivered a ruling that could have ripple effects in the US. The Court ruled that websites that embed the Facebook “Like” button are responsible for the privacy of the users on the website. According to the Court, a website that has the “Like” button must follow the same consent and data processing regulations laid out in European law, even though that data is being transferred to Facebook. This is not the first time that the embedded “Like” button has gotten into trouble in the EU – a recent example comes from 2016, where a German court ruled that a site with the embedded button violated user privacy.

Many libraries and vendor products include the “Like” button on websites, catalogs, and other patron-facing applications and services. Embedding social media buttons such as the “Like” button already presents several privacy issues. For example, this 2013 article from Mother Jones explains how companies can track users through websites that have the “Tweet” button embedded into their pages. These buttons and widgets collect patron information and this information can be sent back those social media sites even if the patron doesn’t use the buttons on the page.

With US states looking toward the EU and GDPR as a foundation to build their own state data privacy laws, this ruling may influence how US law interprets the responsibility for user privacy when a website embeds social media buttons that have been known to track users. Even if no laws come to pass, it would still be worthwhile to revisit your organization’s use of these types of social media buttons on your websites and if that use aligns with your privacy policy and patron privacy expectations.

All Things Privacy – ALA Annual 2019 Edition

Welcome to this week’s Tip of the Hat! This week is the American Library Association Annual Conference in DC, and LDH is packed up and ready to talk all things privacy to thousands of library folks from across the country. The Executive Assistant will keep things in order while we exhibit, but she is not letting the other half of LDH go it alone at #alaac19. Who is this new addition to LDH? Come by our booth (#844) at Annual to find out more!

If you are one of the lucky folks who is attending #alaac19, LDH would like to help you have a great conference while keeping some of your privacy intact in the process. Here are some ways to enjoy your conference and protect your privacy at the same time:

At the airport – if you are flying to DC, your airline might be using facial recognition during the boarding process. In most cases, you can opt out. Techcrunch wrote about the process and you can learn more about the opt-out process there.

Connecting to public, hotel, and conference wifi – Use a VPN anytime you are connecting to a public wifi network or other network that is not your home or your work network. Your place of work might already have a VPN available for use for when you are working outside the office; however, keep in mind that work can also see any non-work traffic you might engage in while connected. If you don’t have work VPN or want to have a VPN separate from work, there are several options you can choose from. LDH uses Private Internet Access, which offers good VPN service at a reasonable cost, and works across multiple platforms (Windows, iOS, Android). The one thing to remember, though, is to never use a free VPN service. If the product is “free” the actual cost to use the product is your own personal data.

On the Exhibit Floor – You might notice that the QR code or barcode under your name on your badge. Exhibitors sometimes ask you if they can scan your badge, particularly if you want nice swag! What exactly is in that QR code? When I scanned my badge from Midwinter using an Android barcode scanner app, this is the output: “csi313|1237819|Becky|Yoose|”. My name is there, but also note the two strings of numbers before it. While indecipherable to attendees, those strings could eventually lead to the vendor getting your contact information. If you wouldn’t give your physical business card to a vendor, you might want to decline the offer to have your badge scanned by the same vendor. Better yet, ask the vendor what they do with the information that they get off of your scanned badge.

Outside the conferencetake off your badge. This is for both security and privacy reasons. DC is full of tourists, but they do not need to know your name while you’re walking through the streets to your next meeting!

At the conference – there are several privacy-related events happening at #alaac19! The Office for Intellectual Freedom created a list of programs and meetings of all things privacy-related programming, including sessions on Privacy by Design and minors privacy rights. Between sessions, check out the Glass Room Experience in the exhibit hall at booth #3446! The booth will be featuring the community edition of the original Glass Room Experience. From the organizer of the booth – “This edition was developed as a result of high demand from visitors of larger Glass Rooms in London and New York, who also wanted to set up similar exhibitions in their cities. This smaller, portable version comes in a lightweight and adaptable format that can be set up in a variety of different spaces from libraries and schools to conferences and metro stations.”

Last but not least, stop by booth #844 and say hi to LDH! We will be sharing the booth with Equinox Open Library Initiative. If you want to learn more about how open source technology can help empower your library, the folks over at Equinox OLI would be more than happy to talk to you at the booth.

If you are heading to DC this week, safe travels and we hope to see you at booth #844!

Lightbeams and Stickers and Summer, Oh My!

Welcome to this week’s Tip of the Hat and to the unofficial start of summer. This week’s newsletter comes to you in two parts as you get back into the work routine after the holiday weekend.

Trackers, trackers everywhere

Many of you probably have at least some protection against web site trackers in your browser of choice, but do you know the true extent of user tracking on the web – perhaps even the website for your library or business? The Firefox Lightbeam add-on provides a comprehensive overview of the various trackers on a website that you’d otherwise miss if you try to compile this information on your own. The overview not only captures trackers from the web site but also third-party trackers. Once you have installed the add-on, disable your tracker blockers and browse the web, and Lightbeam will visualize how you are being tracked throughout your entire web browsing session. Give this tool a try if you want to get a sense of the extent of tracking of library patrons visiting multiple sites across different owners (for example, a patron going from a library home page to search for an ebook, landing on a results page in the discovery layer, and then going to the ebook vendor’s site). H/T to SwiftOnSecurity for tweeting about the extension!

Stickers, stickers everywhere

The Executive Assistant has been busy as LDH prepares for our trip to ALA Annual in DC, but she’s found some time to give us a sneak peek of what will be available at our table…

A brown hat sticker placed on top of a black cat looking at the camera.
For those who will be at the Exhibit Hall Grand Opening on Friday, June 21st, we will have laptop stickers! Below are the two designs that will be available: a hat sticker and a hexagon sticker.

 Two stickers: one hexagon sticker with a brown hat, and the other a brown hat.

Subscribers to this newsletter don’t have to wait until Annual to get their stickers – reply to this email and we will mail a few stickers your way. Stick them to your laptop, your door, your water bottle, or any other place where you want to tell folks that you care about library privacy and to “Follow The Hat.” Many thanks to Scott Carlson for creating the sticker design.

Quick Tips

A one eyed black cat in a carrier, looking upwards in despair about her current predicament.

Welcome to this week’s Tip of the Hat! This last week proved to be a harrowing one for our Executive Assistant. She has now found more places to hide in order to avoid copy-editing newsletter drafts; hence, this week’s letter will be shorter than usual. We will be back to normal operations by next week, or when all the hiding spots have been located.

LDH in the News

LDH received a mention in last week’s CNET article about libraries and privacy in the era of ebooks. The article gave a brief overview of various technologies libraries are or have adopted, and the privacy implications that come with said adoption. Customer relations management systems (CRMs) receive a mention, and we will expand on CRMs and libraries in a future newsletter.

Your Browser’s Privacy Settings Are Changing For The Worse (Unless You’re Using Firefox)

Last week Bleeping Computer reported that the majority of browsers are or plan to disable the setting for users to prevent tracking link clicks by websites. The article explains in depth what information is being tracked if you click on a link on a site that uses this type of link auditing to track their users’ behavior. Don’t lose hope yet – if you use Firefox or Brave, you still have the ability to control this setting!

While other browsers are reducing the ability for users to protect their privacy, Firefox is working on blocking browser fingerprinting. Read more about browser fingerprinting and how it can compromise your online privacy, and maybe even test your browser to see how well your current browser protects you from tracking.

A Link A (Work) Day: Five Links for National Library Week 2019

Three children and an adult man dancing in front of a staircase in a library. 6 other adults are dancing on the stairway.

Welcome to this week’s Tip of the Hat, and happy National Library Week! To celebrate all things library, here are some library privacy resources to check out* this week:

Choose Privacy Everyday
Every year, ALA’s Office of Intellectual Freedom hosts Choose Privacy Week, usually around the first week in May. This site contains a multitude of information and resources for training, event and outreach planning, and other information to implement better privacy practices at libraries. This year’s theme for Choose Privacy Week is Inclusive Privacy: Closing the Gap.

How did we get here: A zine about privacy at the library
This is a great primer for those looking for an overview of the various factors playing into the relationship between libraries and privacy. Print it out or download the file and send it around your workplace! If folks are interested in learning more, the companion site gives folks a more detailed overview of the history of the privacy-library relationship.

Library Values and Privacy Summit Report
2018 was a bumper crop year for IMLS-funded projects and forums surrounding library privacy. One of the first in 2018 was the Library Values and Privacy Summit in New York City. The final meeting in the “Library Values & Privacy in our National Digital Strategies: Field guides, Convenings, and Conversations” project, 30 participants from various library, civic, and privacy organizations focused on various issues surrounding library privacy in several areas, including vendor relations, training, learning analytics, and staff and patron training.

National Web Privacy Forum Report
Another IMLS-funded forum took place in September 2018, bringing together 40 library, privacy, education, and technology professionals to take the first steps in creating practical action plans surrounding the enhancement of web privacy. The action plans range from dashboards and values-based assessment to privacy leadership training and education and outreach in tribal educational institutions.

Library Freedom Project
Last but not least we end with the Library Freedom Project. You might have first heard of the Project with their work surrounding Tor as well as the HTTPS Pledge. Recently the LFP co-launched the Library Freedom Institute, a six-month program educating library workers to become Privacy Advocates at their library as well as their community.

The Executive Assistant’s entry – The Library Cats Map
This page is no longer kept up to date, but is a good historical snapshot of the various library cats that have graced the stacks of various libraries.

*Pun semi-intended.