COVID-19 Updates And More Privacy Considerations

Welcome to this week’s Tip of the Hat, everyone.

It’s been a week for many of us as COVID-19 rapidly changed both work and personal lives. During the last newsletter, public events were still going on, schools and libraries were still open, and we were not in a pandemic. This newsletter is being composed in a completely different world in Seattle – closed schools and libraries, canceled events, and the realization that COVID-19 is much more widespread than previously thought.

This week, many libraries are closed to the public, while other libraries that are still open are being pressured to close to protect the health of their staff. This means staff might be working from home for the first time, or are trying to move in-person library instruction online. The Library Freedom Project provides a good list of privacy considerations for online instruction. Academic and school libraries should also be aware of the updated guide on FERPA and COVID-19 and how student privacy is impacted by the COVID-19 pandemic. In the general world, healthcare professionals, as well as employers, are struggling to find a balance between personal privacy and disclosure in the context of HIPAA regulations.

The rapid developments of last week also presented a challenge – how do you protect privacy while at the same time keeping up with changes at work? Many work from home arrangements were hastily put together with less than 24 hours’ notice, leaving IT departments scrambling to figure out if VPN or other remote access to staff systems can handle the increased user traffic, but at the same time might not realize that the remote access method has a vulnerability, such as an unknown open port, or even providing access to internal applications without special logins or IP restrictions. IT staff should ensure that only staff can access work systems and network drives, including requiring VPN use to access these places as well as additional authentication and user access rules. In short, IT staff have their work cut out for them in the next few weeks. Nonetheless, there have been many guides published in the last week, like this one from NC Department of Information Technology, for people working from home and what they can do to protect their digital privacy and security.

On the public services side, online communications between staff might take a variety of forms, from an increased number of emails to online web conferencing. If the organization doesn’t offer an online group collaboration platform, like Microsoft Teams, staff might take to free third party applications, such as Slack, Discord, or your tried and true suite of Google products. Patron privacy might be compromised if patron data is shared on unsecured applications, as well as places that are subject to a public records disclosure request. Therefore, it’s a good time to remind everyone to keep patron privacy in mind in working from home, including limiting storing and communicating patron data to secure communication channels controlled by the organization.

It’s impossible to keep track of every COVID-19 development, and libraries have struggled to respond to these changes. With more libraries closing and trying to keep staff busy, we cannot forget that the choices we make during the COVID-19 pandemic will have long-lasting consequences on data privacy for some time to come. It’s hard to step back and take a breath to reassess where everything stands on patron privacy, but it’s worth the effort to take a few moments to go through the library’s response so far and ask how each response might put patron privacy at risk.

COVID-19: Resources and Privacy Considerations

Welcome to this week’s Tip of the Hat!

Some of you might already know that LDH is based out of Seattle. Seattle has been in the news with the recent COVID-19 cases and deaths in the area. We at LDH are staying relatively healthy (outside of it being allergy season in town). Nonetheless, some of you have also been impacted by COVID-19, including institutional travel restrictions, dusting off the disaster policy and procedures, and fielding questions from both staff and patrons about what will happen when there’s an outbreak of COVID-19 in your area.

There’s a lot of information out there regarding COVID-19 and what you should do to help slow the spread of the infection. Some sources include:

The most important things to keep in mind during this time:

  • WASH YOUR HANDS WITH SOAP AND WATER. It doesn’t matter if it’s hot or cold water. There are several memes out there with lists of songs you can sing for about 20 seconds, be it Happy Birthday, the opening trumpet solo in Mahler’s 5th, or the chorus to this song.
    Hand sanitizer (store-bought, not homemade) is also an option, but not as effective as washing your hands with soap and water. [1]
  • Cover coughs and sneezes using your elbow or tissue (then throwing the tissue away).
  • If you are able, stay home if you are sick. This is not an option for those who do not have paid sick time, or if there’s a lack of coverage at work. If you do have the privilege to stay home, do so.
  • Extra cleaning of any hard surfaces as well as public or shared areas, such as open offices and break rooms.

COVID-19 has also brought up some good reminders and discussions surrounding privacy in a time of a possible pandemic:

Here are a few more articles surrounding the COVID-19 and the possible long-term implications to privacy regulations and public discourse:

Stay safe and healthy in the coming weeks!

[1] You would be surprised by the number of people who do not wash their hands regularly; this is something you should be doing anyway in normal circumstances. Hence, the shouting. Forever shouting about the washing of hands.

Privacy Tech Toolkit: VPNs

Welcome to this week’s Tip of the Hat!

Data breach and website hacking stories are (sadly) commonplace in the news. But what happens when the hack in question did not involve a single site, but your entire browsing history, complete with sensitive data, while you were logged into what was supposed to be a secure and private connection? With the recent breach with three VPN services – NordVPN, TorGuard, and Viking VPN – customers might be looking at that reality.

Some of you might be scratching your heads while reading the reports, though. Not everyone is familiar with VPNs, how they work, why they matter, and when you should use one. In this newsletter, we’ll cover the basics of VPNs, including how you can use them to protect your online privacy.

VPN Basics

A virtual private network (VPN) is a network of computers that provide access to the internet from a private network. Let’s use your work’s VPN service as an example. You are traveling with your work computer and you need to log into a work application. The problem is that the application can’t be accessed by computers outside the office. That’s where the work VPN comes in. You open your VPN client and log into the VPN service, creating a connection between your computer and the office server running the VPN service. This connection allows you to use the internet from that office server, making it appear that you are back in the office. Your computer can then access the work application now that the application thinks that your computer’s location is at the office and not in a hotel room.

Typically, the VPN connection is secure and encrypted, which makes VPN use essential for when you are connecting to public WIFI connections. Being able to change your location by using a server in another part of the world can also help protect privacy by placing you in a location other than the one you’re currently at. This comes in handy when trying to access sites that are geo-locked (sites that you cannot access outside of a certain geographical area, such as a country). Then there is the privacy component. A VPN can provide privacy protection for browsing history, current location, and web activity. Overall, VPNs can provide a secure and private space for you to browse the web away from those who want to track your every online move, be it some random person running Wireshark on a public network, your internet service provider looking for data for targeted advertising purposes, or possibly even the government (depending on your location).

VPN Considerations

A private and secure connection to the internet can protect online privacy, but as we found out last week, VPNs themselves are susceptible to breaches. This might cause some to wonder if VPNs are still a good choice in protecting online privacy. While VPNs are still an essential tool in the privacy toolkit, you still have to evaluate them like any other tool. There are some things to look for when choosing a VPN for work or personal use:

  • Encryption, protocols, and overall security – is the connection between your computer and the VPN server encrypted? You also have to consider the processes used in the actual creation of the tunnel between you and the VPN server. You might run across a lot of protocol terminology that is unfamiliar. NordVPN has a good post explaining various security protocols to help you wrap your head around VPN protocols.
  • Activity logs – is the VPN service keeping a log of activity on its servers? You might not know if your work VPN keeps a log of user activity, so it’s safer to use a separate VPN service than your work VPN for any personal use. No logs mean no record of your activity and your privacy remains intact.
  • Location – What server locations are available so you can access geo-blocked sites? Do you need your computer’s location to be at a specific IP address or location for work?
  • Price (for personal VPN use) – Never use a free VPN service. They are the most likely to log your activity as well as sell your data to third parties.

VPNs @ Your Library

Most likely you have access to a VPN service at work. While the technical aspects of work VPN are relegated to the IT and Systems departments, there is the question of who can use a VPN. Some libraries do not restrict VPN use to certain types of staff while other libraries only allow those who travel for work or do remote work to use VPN. A potential risk with work VPNs is when staff change roles or leave the organization. Auditing the list of users who have VPN access to the system will help mitigate the risk of unauthorized access to work systems by those who no longer should have access.

Your library provides internet access to patrons, so how do VPNs fit into all of this? First, we have WIFI access. Your library’s WIFI is a public network and patrons who want to protect their privacy might use a VPN to protect their privacy. Can your patrons use their VPN service while connected to the WIFI? Your desktop computers are another place where patrons are using a public network, but many public computers don’t allow patrons to install software, including VPN clients. There are ways to configure the public network to break the ties between one IP address and one computer, so web activity cannot be traced back to a single computer user based on IP alone.

VPNs And Other Tools In The Privacy Tech Toolkit

VPNs are just one way to protect your privacy online. There are many other ways you can protect privacy, including Tor and other types of proxy servers. Sometimes folks use multiple tools to protect their privacy; for example, some folks use both a VPN service and the Tor browser. Each tool has its strengths and weaknesses in protecting your privacy, and choosing which one to use depends on your situation. We’ll be covering other tools in the Privacy Tech Toolkit soon, so stay tuned!