New ALA Guidelines and Zoom Update

Welcome to this week’s Tip of the Hat!

In case you missed it – last week ALA announced a trio of new guidelines for libraries concerned with patron privacy during the reopening process as well as libraries who use security cameras at their branches:

Guidelines for Reopening Libraries During the COVID-19 Pandemic – Theresa Chmara, J.D. guides libraries with planning reopening procedures and policies, including requirements around wearing masks, health screenings of both patrons and staff, and contact tracing. While these guidelines are not legal advice, these guidelines should inform your discussions with your local legal advisors.

Guidelines on Contact Tracing, Health Checks, and Library Users’ Privacy – This statement from IFC reaffirms the importance of patron privacy in the reopening process, including giving newly published guidelines around contact tracing at the library. The statement also directs libraries to the Protecting Privacy in a Pandemic Resource Guide, which brings together several privacy resources for libraries to incorporate into their reopening processes, as well as the expansion of existing patron services to online.

Video Surveillance in the Library Guidelines – Libraries who use security cameras should review their existing policies around camera placement, recording storage and retention, and law enforcement requests for recordings considering the new guidelines. There are also sections around patrons filming library staff and other patrons which public libraries should review regarding staff and patron privacy and safety.

Take some time to review the above guidelines and discuss how these guidelines might affect your library’s reopening or use of security cameras in the building!

Zoom Update

Zoom reported that they will not provide end-to-end encryption for free-tier users so Zoom can comply with law enforcement. Now that you know how Zoom will respond to law enforcement requests, does their stance line up with your library’s law enforcement request policy, as well as your patron privacy policy? If not, how will your library adjust your use of Zoom for patron services? One option is to not use Zoom, but as we covered in previous newsletters, Zoom is arguably one of the user-friendly video conferencing software in the market. Nonetheless, there are alternatives out there that do a better job protecting privacy, including Jitsi. If you must use Zoom for patron services, check out the Zoom Security Recommendations, Settings List, and Resources document from LDH’s Remote Work presentation in April to help you secure your Zoom calls.

All Things Privacy At #alamw20

Welcome to this week’s Tip of the Hat! Are you prepared for ALA Midwinter in Philadelphia this week? If not, you’re not alone. LDH is ready to help you get the most out of #alamw20!

Before You Go

Here are some reminders as to how to protect your privacy while traveling and conferencing:

VPN? Check. AC wall charger or power bank for the phone? Check. Mental reminder to take off the conference badge outside of conference spaces? Check!

In the Exhibit Hall

Booth #1823 – Stop by and get a sneak peak of the upcoming Privacy Field Guides! These guides cover a variety of topics, including privacy audits and the data lifecycle.
Booth #864 – The Library Freedom Project will be answering any questions about the Institute (applications due February 10th) as well as handing out resources about protecting privacy at your library and community.

In the Schedule

Sunday, January 26th seems to be the day for privacy at Midwinter:

Intellectual Freedom Committee (IFC) Privacy Subcommittee Meeting; 8:30 AM – 10:00 AM; Room 111-A
Learn more about the current projects going on in the Privacy Subcommittee! You don’t have to be a member to attend the meeting.

Data and Diversity: Navigating the Ethics of Demographic Data in Inclusive Community Collections; 1:00 PM – 2:00 PM; Room 203-AB
Abstract: Librarians building local collections want to represent the diversity of their communities. When we use information about people’s identities to assess a collection’s inclusivity, how do we protect people’s privacy and respect their autonomy? We’ll discuss how we addressed these questions for local digital music collections at public libraries in Seattle and beyond.

We’ll share best practices we created, how we developed those practices, and how we continue to adapt them. We present our work with community data as a template for engaging with the complex and evolving issues facing librarians in an era of rapid technological and societal change.

LITA Top Tech Trends; 1:00 PM – 2:00 PM; Room 122-A
LITA’s Top Tech Trends is always a popular event, and privacy and security will most likely make their way into the panel discussion.

Data Abuse: Is There a Sustainable Solution to Help Notify Users of Egregious Data Abuses?; 4:00 PM – 5:00 PM; Room 204-C
Abstract: How can patrons easily understand the extent of data collection that results from their use of electronic resources? Often, the resource provider just wants to confirm a patron’s institutional affiliation, but some vendors require that users create an account, subscribe to a newsletter, or provide demographic information. At Cornell University Library, staff are exploring options for helping patrons easily understand data collection from electronic resources – a system that can be supported, shared, and used by all. In this discussion, we will explore our ideas so far, and seek input on how to make such a service sustainable.

LDH will not be at Midwinter this year, but we plan to be at Annual in Chicago. We hope to catch you then! In the meantime, safe travels to Philly, and enjoy all the privacy offerings Midwinter has to offer.

Ransomware, CS and Privacy, and #FollowMonday

Welcome to this week’s Tip of the Hat! Summer is in full swing this August, and the Executive Assistant is contemplating where would be the coolest place in the office to park herself to work. While she roams the office and while I make sure she doesn’t make a small blanket fort connected to the office refrigerator, here are a couple of quick links and updates in the privacy and library worlds to start your week.

A refrigerator with its door open, and a green tent set up in front of the open door.
Ransomware strikes another library system

Last month, the Butler County Federated Library System in Pennsylvania became the latest library system to succumb to ransomware. As a result, the system has gone back to using paper to track circulation information. Like other ransomware attacks, the system might have to rebuild their online infrastructure if they are unable to retrieve the ransomed data.

If your library hasn’t been hit with ransomware yet, the best defense against ransomware is to prevent it from taking over your system. Awareness programs and information security training can help with educating staff about the ways that ransomware and other viruses and malware can infiltrate the library system, and regular reminders and updates can also help keep staff current on trends and new infosec practices.

Training can only go so far, though, and having a plan in place will not only help mitigate panic when ransomware takes over a system, but also mitigate any overlooked vulnerabilities concerning patron data privacy. For example, while libraries have used paper for decades to track circulation information, automation in the last few decades has taken over this process. Making sure that staff are trained and have current procedures in handling sensitive patron data in paper format – including storage and disposal – can help protect against inadvertent privacy breaches.

H/T to Jessamyn West for the link!

Is it time for Computer Science curriculums to prioritize privacy?

In an op-ed in Forbes, Kalev Leetaru argues that CS curriculum should follow the way of library and information science and emphasize privacy in their programs. Near the end of the article, Leetaru illustrates the struggle between privacy and analytics:

Privacy naturally conflicts with capability when it comes to data analytics. The more data and the higher resolution it is, the more insight algorithms can yield. Thus, the more companies prioritize privacy and actively delete everything they can and minimize the resolution on what they do have to collect, the less capability their analytics have to offer.

This represents a philosophical tradeoff. On the one hand, computer science students are taught to collect every datapoint they can at the highest resolution they can and to hoard it indefinitely. This extends all the way to things like diagnostic logging that often becomes an everything-or-nothing concept that has led even major companies to have serious security breaches. On the other hand, disciplines like library and information science emphasize privacy over capability, getting rid of data the moment it is safe to do so.

What do you think? Would emphasizing privacy in CS programs change current data privacy practices (or lack thereof) in technology companies?

#FollowMonday – @privacyala

Keeping up with all the latest developments in the privacy field is a challenge. There is so much happening that it can be a full-time job to keep up with all the developments. ALA’s Choose Privacy Every Day Twitter account can help you sift through all the content in a nicely packaged weekly post of the major developments and updates in the privacy world, be it in libraries or out there in the world. You can find out about new legislation, tools to help protect your patrons’ privacy, and yes, there is a section to keep up with the latest data breaches.

All Things Privacy – ALA Annual 2019 Edition

Welcome to this week’s Tip of the Hat! This week is the American Library Association Annual Conference in DC, and LDH is packed up and ready to talk all things privacy to thousands of library folks from across the country. The Executive Assistant will keep things in order while we exhibit, but she is not letting the other half of LDH go it alone at #alaac19. Who is this new addition to LDH? Come by our booth (#844) at Annual to find out more!

If you are one of the lucky folks who is attending #alaac19, LDH would like to help you have a great conference while keeping some of your privacy intact in the process. Here are some ways to enjoy your conference and protect your privacy at the same time:

At the airport – if you are flying to DC, your airline might be using facial recognition during the boarding process. In most cases, you can opt out. Techcrunch wrote about the process and you can learn more about the opt-out process there.

Connecting to public, hotel, and conference wifi – Use a VPN anytime you are connecting to a public wifi network or other network that is not your home or your work network. Your place of work might already have a VPN available for use for when you are working outside the office; however, keep in mind that work can also see any non-work traffic you might engage in while connected. If you don’t have work VPN or want to have a VPN separate from work, there are several options you can choose from. LDH uses Private Internet Access, which offers good VPN service at a reasonable cost, and works across multiple platforms (Windows, iOS, Android). The one thing to remember, though, is to never use a free VPN service. If the product is “free” the actual cost to use the product is your own personal data.

On the Exhibit Floor – You might notice that the QR code or barcode under your name on your badge. Exhibitors sometimes ask you if they can scan your badge, particularly if you want nice swag! What exactly is in that QR code? When I scanned my badge from Midwinter using an Android barcode scanner app, this is the output: “csi313|1237819|Becky|Yoose|”. My name is there, but also note the two strings of numbers before it. While indecipherable to attendees, those strings could eventually lead to the vendor getting your contact information. If you wouldn’t give your physical business card to a vendor, you might want to decline the offer to have your badge scanned by the same vendor. Better yet, ask the vendor what they do with the information that they get off of your scanned badge.

Outside the conferencetake off your badge. This is for both security and privacy reasons. DC is full of tourists, but they do not need to know your name while you’re walking through the streets to your next meeting!

At the conference – there are several privacy-related events happening at #alaac19! The Office for Intellectual Freedom created a list of programs and meetings of all things privacy-related programming, including sessions on Privacy by Design and minors privacy rights. Between sessions, check out the Glass Room Experience in the exhibit hall at booth #3446! The booth will be featuring the community edition of the original Glass Room Experience. From the organizer of the booth – “This edition was developed as a result of high demand from visitors of larger Glass Rooms in London and New York, who also wanted to set up similar exhibitions in their cities. This smaller, portable version comes in a lightweight and adaptable format that can be set up in a variety of different spaces from libraries and schools to conferences and metro stations.”

Last but not least, stop by booth #844 and say hi to LDH! We will be sharing the booth with Equinox Open Library Initiative. If you want to learn more about how open source technology can help empower your library, the folks over at Equinox OLI would be more than happy to talk to you at the booth.

If you are heading to DC this week, safe travels and we hope to see you at booth #844!

Monday Mystery: Conference Information Sharing

Welcome to this week’s Tip of the Hat! It seems that spring has just arrived for many of us in the US; however, the calendar tells us that we are only weeks away from the ALA Annual Conference in Washington DC in June. Our Executive Assistant was going through the PDF registration form the other day and noticed the following question:

A text box with the following text: "Attendees may receive exciting advance information from exhibitors like invitations, contests and other hot news. COUNT ME IN!" Yes/No checkboxes are next to the last sentence.

The above question on the registration form asks if the person (or in this case, cat) wants to receive information from conference exhibitors. The Executive Assistant paused. What does checking the “Yes” box all entail? Since we’re in the data privacy business, this is a perfect Monday Mystery for us to investigate.

After a quick search of the conference website, we land on ALA’s Privacy Policy at http://www.ala.org/privacypolicy. If you haven’t spent time with a privacy policy, it can seem daunting or downright boring. Let’s walk through this policy to find out what happens when we check the “Yes” box.

The “Information Collection & Use” section lays out what information is collected and when. They define “personal data” as information that can be used to identify someone: name, email, address, etc. The section breaks down some common actions and situations when ALA collects data, including event registration. We already guessed that ALA was collecting our information for event registration purposes, but we need to dig deeper into the policy to answer our question.

We then find a section labeled “Information Sharing” in which we might find our answer! The section lists who ALA shares information with in detail, including the type of data and circumstances that the data is shared. “Services Providers” seems promising – that is until we get into the details. The data listed that is shared to service providers is mostly technical data – location data, log files, and cookies – and has nothing regarding giving information to receive updates from exhibitors. Back to square one.

Moving down the policy, we arrive at the “Your Rights and Choices Regarding Your Information” section, which lists the following right:

Object to processing – You have the right to object to your Personal Data used in the following manners: (a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (b) direct marketing (including profiling); and (c) processing for purposes of scientific/historical research and statistics;”

Okay, we have the right to ask ALA not to use our personal data for marketing purposes. That’s a very important right to have, though that doesn’t exactly solve the mystery of what happens when we click on the “Yes” box.

This, readers, is where we are going to cheat in this investigation. It’s time to put our exhibitor hat on!

Exhibitors at major conferences are usually offered some form of registrant/member list as a means to promote their business before the conference. ALA does the same with Annual, and exhibitors can rent attendee lists. From https://2019.alaannual.org/list-rental, exhibitors have the option to “[t]arget buyers by industry segment, demographic profile or geographic area.” So, just not names and emails are shared!

On the exhibitor side, having that information would allow for targeted marketing – instead of blasting the entire attendee list, exhibitors can reach out to those most likely to be receptive to their service or product. On the attendee side, some want to have this type of targeted marketing to plan their time at the conference efficiently, or to do homework before hitting the exhibit hall. For other attendees, though, it means more emails that they’ll just delete or unsubscribe. And then there’s the question about what happens to that attendee data after the conference…

In the end, we still have a bit of a mystery on our hands. The only reason we got this far in our little Monday Mystery investigation is that LDH has been bombarded with emails trying to sell us attendee lists which tipped us off to start looking at the exhibitor section of the conference site. Your average conference attendee wouldn’t have that information and would be left scratching their heads due to the lack of information at the point of registration about what information is shared on these attendee lists. While we don’t have a clear answer to end today’s investigation, we hope that this gives our readers a little reminder to do some research the next time they are asked a similar question on a registration form.

Speaking of ALA Annual, LDH Consulting Services is excited to announce that we will be exhibiting in DC in booth 844! Many thanks to Equinox Open Library Initiative for making exhibiting at ALA Annual possible for LDH. Give us a ping if you will be at Annual and would like to talk more about LDH can do for your organization.

There’s a Checklist For That!

Welcome to this week’s Tip of the Hat!

Last week was a busy week on both state and federal privacy regulation fronts, and it was a busy week for one-half of LDH too due to jury duty! The Executive Assistant was tasked to keep an eye on the state and federal updates; however, when asked for the report, the Executive Assistant was not forthcoming:

A black cat curled up on a yellow and green blanket.
While we catch up from a very busy week of updates, let’s talk about checklists.

Many of us use checklists each day, either as a to-do list, or to confirm that everything is in place before opening a library, or launching a new online service. Checklists can help prioritize and direct focus on otherwise large nebulous encompassing things, making sure that the important bits are not overlooked.

When we talk about privacy, many folks become overwhelmed as to what they should be doing at work to protect patron privacy. Libraries, in particular, have many bases to cover when it comes to implementing privacy best practices, ranging from electronic resources, public computing, websites, and applications. Where does one start?

In 2016, the ALA Intellectual Freedom Committee published the ALA Library Privacy Guidelines, aimed to help libraries and vendors in developing and implementing best practices surrounding digital privacy and security:

  • E-book Lending and Digital Content Vendors
  • Data Exchange Between Networked Devices and Services
  • Public Access Computers and Networks
  • Library Websites, OPACs, and Discovery Services
  • Library Management Systems
  • Students in K-12 Schools

There is a lot of good information in these guides; however, we run into the same overwhelming feeling when reading all the guides, not knowing where to start. Enter the checklists!

To give folks direction in working through the Library Privacy Guidelines, volunteers from the LITA Patron Privacy Interest Group and the Intellectual Freedom Committee’s Privacy Subcommittee created Library Privacy Checklists for each corresponding Guideline. Each checklist is broken down into three sections:

Priority 1 lists best practices that the majority of libraries and vendors should take with minimal additional resources. These practices are a baseline, the minimal amount that one needs to do to protect patron privacy.

Priority 2 are practices that will require a bit more planning and effort than those in the previous section. These practices can be done with some additional resources, be it in-house knowledge/skills or external vendors or contractors. Depending on the checklist, many libraries and vendors can implement at least one practice in this section, but some might not be able to go beyond this section.

Priority 3 are practices that require a higher level of technical skill and resources to implement. For those libraries and vendors that have the available resources, this section gives guidance as to where to focus those resources.

These checklists break the ALA Library Privacy Guidelines down into prioritized, actionable tasks for libraries and organizations to use when trying to align themselves with the Guidelines. The prioritization helps those organizations with limited resources to focus on core best privacy practices as well as giving more resourced organizations guidance as to where to go next in their privacy efforts. These checklists can also be used as a foundation for conversations about overall privacy practices at an organizational level, which could turn into a comprehensive privacy program review. There are many ways one can use these checklists at their organization!

The checklists were published in 2017; nevertheless, even though the technological landscape rapidly changes year to year, many of the practices in the checklists are still good practices to follow in 2019. Take some time today to visit revisit the checklists, and think about how those checklists can help you address some of your organization’s privacy questions or issues.