Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Savings Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.

Cybersecurity Awareness Month News Update: School Cybersecurity, Passwords, and Crying “Hack!”

A small gray tabby kitten paws at the Mac laptop screen displaying the Google search home page, with its hind paws standing on the keyboard.
Image source: https://www.flickr.com/photos/tahini/5810915356/ (CC BY 2.0)

There’s never a dull moment in Cybersecurity Awareness Month, with last week being no exception. Here are some news stories you might have missed, along with possible implications and considerations for your library.

K-12 cybersecurity bill signed into law

You might remember reading about a new federal cybersecurity bill being signed into law. You remembered correctly! On October 8th, the K-12 Cybersecurity Act of 2021 was signed into law. The Act doesn’t have a set of standards to comply with for schools looking for such a list. Instead, the Act tasks the Cybersecurity and Infrastructure Security Agency (CISA) to study cybersecurity risks in K-12 educational institutions and what practices would best mitigate cybersecurity risks. The recommendations will be published along with a training toolkit for schools to use as a guide to implement these recommendations at their institution.

School libraries collect and store student data in several ways – the most common example being the patron record in the ILS. School libraries also heavily rely on third-party content providers, which in turn collect additional student data on both the library’s side and the third-party vendor’s side. School library workers, stay tuned for updates on the study and recommendations! While it’s unsure if the study will include school library systems and considerations into assessing cybersecurity risks, it’s more than likely that any recommendations that come from the study will affect school libraries.

Sharing all the passwords

You should be using a password manager. You might already be using one for your personal accounts, but are you using a password manager for work? If you’re still sharing passwords with your co-workers through spreadsheets or pieces of paper, it’s past time for your library to use a password manager. Several password managers, such as LastPass and Bitwarden, have business or enterprise products that are well-suited for managing passwords in the office. Not all password managers can share passwords and other sensitive information outside of the app, particularly if the other person doesn’t have an account with the same manager that you are using. There will be times where you want to share a password with someone outside your organization – a typical example is when a vendor needs to log into a system or app to troubleshoot an issue. But, for the most part, the password manager only supports secured sharing between people with accounts in the organization, so you’re stuck with sharing passwords in less secure ways.

However, if you are a 1Password user or your library uses 1Password’s business product, you no longer have this problem! 1Password users can now send account login information – including passwords – to anyone, including those who do not have a 1Password account. This new feature allows 1Password users to create a sharable link, with options to restrict sharing to specific people (email addresses) and when the link expires (anywhere between 30 days to after one person views the link)— no more calling the vendor, no more having staff email passwords in plaintext. Nonetheless, if your library wants to make use of this new feature, it’s best to give staff guidance as to how to create the links, including how to restrict access and expiration settings, along with training and documentation.

When a “hack” isn’t a hack

This news update is more of a “cybersecurity education 101” than news, considering the level of 🤦🏻‍♀️ this story contains. A very brief overview of what happened in Missouri last week:

  1. A reporter from the St. Louis Post-Dispatch found that a Department of Elementary and Secondary Education’s website contained the social security numbers (SSNs) of school teachers and administrators for the public to access through the HTML source code for the site.
  2. The newspaper notified the department about the security flaw, and the department took down the site in question.
  3. After the site was taken down, the newspaper published a story about the exposed SSNs on the now-defunct site.

Okay, so far, so good. Someone found a serious cybersecurity issue on a government website, reported it to the department, and waited to talk about the issue until the issue was addressed publicly. That’s pretty standard when it comes to disclosing security flaws. Let’s move on to the next item in the summary.

  1. The Governor of Missouri and other government officials responded to the disclosure, saying the reporter was a hacker and that the “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.”

🤦🏻‍♀️

There is a difference between hacking and exposing personal data on a publicly accessible website. The system was hacked if the reporter bypassed security measures to obtain sensitive data in an internal system, such as using stolen account logins to access the system. If the reporter clicks on the “View Source” menu option in their browser and finds sensitive data right in the source code of a publicly accessible website, you have a security vulnerability resulting in a data leak!

The takeaways from this story:

  1. Do not hard-code sensitive data in your code. This includes passwords for scripts that need to access other systems or databases.
  2. Review locally-developed and third-party applications that work with sensitive data for potential data leaks or other ways unauthorized people can improperly access the data.
  3. Do not punish the people who bring security issues to your attention! Like we discussed in our Friendly Phishing post, punitive actions can lead to a reduction in reporting, which increases security and privacy risks. Other reporters or private citizens who are watching the Governor take action against the reporter might be dissuaded from reporting additional data security or privacy issues to the state government, increasing the chance that these issues will be exploited by bad actors.
  4. If the data was sitting on a publicly available site for someone to access via F12 or View Source on their browser, it is not a hack. Let this be a lesson learned, lest you want to end up being ratio’ed like the Governor of Missouri on Twitter.

LastPass and Clubhouse and Virginia, Oh My!

A grey tabby cat curled up and sleeping between newspaper sheets.
It’s hard to get started on a Monday morning… image source: https://www.flickr.com/photos/cyawan/2325855567/ (CC BY 2.0)

A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.

LastPass Free Tier Woes

The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager.  For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.

If you have a LastPass free tier account and don’t want these restrictions, your options are limited:

  • If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager and instead unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
  • You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXP is another free option for the more technically-inclined who can self-host their password manager.

You can read more about the basics of password managers in our Obligatory Password Manager post from April 2020.

Clubhouse Is Not Your Library’s New Social Media App

So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.

Let us stop you right there.

In addition to being exclusive to iOS, being inaccessible, and being a free-for-all for harassment, Clubhouse’s privacy practices are almost non-existent. Literally – the privacy policy did disappear for a while! Nonetheless, the privacy policy is up, and it’s one of the more invasive privacy policies that should make you pause before using the product for any library program, service, or process. We’ve rounded up several articles that describe these invasive data privacy practices in detail:

Some folks will say that other social media companies engage in some of the same practices. However, the overall poor quality and construction of the privacy policy combined with privacy practices that violate several privacy laws in the US and the EU,  the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.

Virginia Getting a New Data Privacy Law?

Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?

  • The bill provides similar data rights as California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access and deletion of personal data, as well as the right to opt-out of businesses selling their data.
  • The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.

Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catchup. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.

LDH in The News

LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that you can remember from memory – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you, as well as the ability to generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you not only need to consider the severity of if the risk is realized but also the likelihood that a risk will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks, including using multiple password managers to store different types of passwords and other sensitive information, or only use their password manager to manage passwords, and not store any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.
In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. It depends on your needs and your comfort level when it comes to if you want to stick with a free plan/manager or move to a paid plan.
With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of of last week’s webinar in Google Drive. Resources and handouts for the webinar can be access at https://is.gd/LDH_RemotePrivacy.