A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of their Privacy Framework. The purpose of the framework is to create a holistic approach to manage privacy risks in an organization. The Framework is different from other standards in such that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by who, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim for. A Current Profile lists the current Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.

The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that both address the realities of their organization as well as creating Target Profiles that incorporate standards and regulations specific for their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give NIST Privacy Framework some consideration.

Data Discounts

Welcome to this week’s Tip of the Hat!

At LDH we have been known to have a sweet tooth – there are always four to five different types of sweets within reach of the office desk. Therefore, it shouldn’t come to a surprise to our newsletter readers that when presented with the option to get a free cup of Heart Eyes (red velvet cookie dough, white chocolate chips, and heart sprinkles) from a local edible cookie dough vendor, LDH took full advantage of the opportunity to indulge.

The free cup of dough came with a catch, though. The free dough was part of a grand opening celebration for a co-working space. To receive the free dough, you had to give your email address to the co-working space company. Here we have a dilemma – what are the privacy tradeoffs that I’m willing to make for cookie dough?

Multiple times a day we find ourselves asking similar questions – what are the privacy tradeoffs that we’re willing to make for discounts at our favorite store, or a particular brand, or other business? What are the privacy tradeoffs you’re willing to make for everyday items or essential services? A recent opinion piece in The New York Times illustrates this tradeoff with a fictionalized company that finds its inspirations from many different sources, from grocery store loyalty cards to checking in at a store location or posting a brand marketing hashtag on social media. The story also touches on how surveillance and tracking disproportionally affect vulnerable populations, such as those who can’t afford basic services without giving up their data to receive a discount. A real-life example of this happened to LDH. We received an offer from our health insurance company to sign up for a discounted Amazon Prime account that was only available to those receiving insurance through the state health insurance marketplace (we declined the offer).

You can choose to not trade your data for discounted goods and services, though it is getting harder to avoid this data transaction when paying for goods and services, or if you interacted with a business through their website or social media. Even going to a physical store location can involve a data transaction if the business is using beacons to seek out your mobile phone WiFi or Bluetooth signal or using facial recognition technology at their store. If the only way that you can afford health or car insurance is to install a tracking device in your car or to provide data from your health app, then your data is paying for that cash discount.

Currently, you have limited options to protect your privacy when dealing with health and car insurance companies. For other businesses, though, there are some ways you can limit how much data you give to them:

Using one or more of these strategies can limit the amount of personal data collected on you by the business while still receiving the financial incentives provided by the company.

Going back to our “free” cookie dough situation, the co-working space company did get an email address (used for promotions) from us, but nothing more, even though the email form included fields for name, address, and phone number. We got our cookie dough, the company got an email address that will promptly toss their promotional emails into a filtered folder, followed by an unsubscribe request. The things that we will do for free cookie dough…

NISO Cybersecurity webinar, February 12th

Come join LDH and others on Wednesday, February 12th, for a webinar discussion on cybersecurity!

NFAIS Forethought: Cybersecurity: Protecting Your Internal Systems
Every organization, as a standard course of action, should be implementing protection policies and updating protective measures surrounding their confidential data and internal systems. Phishing and malware are a constant threat. As a response, reliable cybersecurity requires an integrated approach in ensuring the safety of networks, devices, and data. How should enterprises and institutions be thinking about their cybersecurity needs? What basic requirements should be in place? What guidelines or best practices exist? What are the best resources? This roundtable discussion will bring together experts active in the field to address these and other questions.

Confirmed participants in this roundtable discussion include: Daniel Ayala, Founder, CISO/Chief Privacy Officer, Secratic; Blake Carver, Senior Systems Administrator, LYRASIS, Becky Yoose, Principal, LDH Consulting Services; Hong Ma, Head, Library Systems, Loyola University of Chicago; Wayne Strickland, Acting Associate Director at Department of Commerce, National Technical Information Service; Christian Kohl, Principal, Kohl Consulting.

NISO members can attend the webinar for free; non-members can also register for the webinar at https://www.niso.org/events/2020/02/nfais-forethought-cybersecurity-protecting-your-internal-systems. We hope to see you there!

Privacy Film Party

Welcome to this week’s Tip of the Hat!

Even if the groundhog in your area didn’t see their shadow yesterday, we in the Northern Hemisphere still have a long winter ahead of us. How will you spend the long winter nights for the next few months? Might we suggest that you stay inside where it’s warm and watch a film? Better yet, make that film about privacy! Here are some privacy film recommendations depending on what you’re looking for:

For library programming about data and privacyScreening Surveillance [Content warning – suicide, mental health illness] is a grant-funded project to raise awareness around big data and surveillance. The project produced three short films – 10 minutes in length each – approaching specific issues of data sharing, data ownership, and sensor and facial recognition software. These three short films come with facilitation guides that help audiences process and discuss the specific issues raised in each film.

For a succinct introduction into general privacy concepts Privacy International’s Privacy 101 is a series of short animated videos introducing viewers to the concept of privacy as well as various topics in privacy, including metadata, big data, and data protection. These videos are a good way to acquaint someone with privacy concepts, in short, bite-sized portions. These videos are short enough that you can use these videos in staff training or discussions around privacy, as well as any public programming around data security and privacy.

For when the college instructor gives you the entire class session to teach their class about privacyThe Power of Privacy by The Guardian is a 30 minute documentary about the major challenges to privacy in the digital age. The film provides a balance between the historical “how did we get here?” and the present and near-future realities of data privacy. Library workers have choices in using this film to teach privacy, either by choosing to show segments to focus on specific topics, like phishing or IoT, or show the entire film for a holistic view of the current issues around data privacy.

For the library worker who is trying to navigate student privacy – Student privacy is governed by additional regulations, such as FERPA, which makes protecting student patron privacy more complex in academic and school libraries than in other libraries. The School Safety and Privacy video series from Future of Privacy Forum delve into this complex topic, including approaching the creation of policies, digital equity, facial recognition in schools, and how to talk to administrators and leadership about privacy matters.

BONUS! If you want more videos on student privacy, The Student Privacy Resource Center has a playlist to meet your additional student privacy video needs.

Finally, an artistic philosophical video for your night offPhilosophy Tube’s video on Data [NSFW – language, adult topics] gets into data, surveillance, algorithms, machine learning, structural inequality, targeted advertising, monetization of data, consent, notice, data rights, and how technology shapes society and how society shapes technology (phew!). All of this takes place in a 30-minute discussion-turned-machine-learning-simulation between a bouncer and a person in front of a nightclub.

There are plenty of other videos and films on privacy not covered here, but these recommendations are just a start. If you have a privacy-related film or video that you like, reply to this email and we’ll provide a list of subscriber-recommended videos in a future newsletter.

Two Reasons to Celebrate Privacy This Week

Welcome to this week’s Tip of the Hat! This week marks two important dates. The first date is this Tuesday! Data Privacy Day is a worldwide event to raise awareness as well as promote data privacy practices. Some last-minute ideas to celebrate #DataPrivacyDay at your library can include:

  • Posts to your library’s blogs, news feed, or social media about how patrons can protect their privacy online and at the library. Not sure what to share with your patrons? The User Tools section on the Choose Privacy Everyday is a good place to start.
  • If you need a last-minute book/material display for your library, here is a list of materials from the Library Freedom Institute to help you seed your public display.
  • Cookies for your staff – with a catch, of course. If your library has a staff room or area, bring in some cookies to share and place some information about web trackers and cookies alongside the actual cookies.
  • Consider distributing How Did We Get Here?: A Zine About Privacy at the Library at your library, and have a brown bag lunch (or better yet, provide lunch) discussion about privacy practices at the library.
  • If you work with students, or if you have a student in your household (or if you’re a student yourself!), read up on students and privacy at https://studentprivacy.ed.gov/.

The second date marks the first anniversary of LDH Consulting Services! We launched at Midwinter 2019, aiming to provide libraries and library vendors guidance on all things library data privacy. It’s been a busy year getting the word out at our first ALA Annual, as well as word of mouth and this newsletter. This first year saw many training sessions, legislation reviews, and even a guest lecture or two! Thank you to everyone – our clients, supporters, newsletter subscribers – for helping LDH through the first year. We hope to serve the library and vendor community in protecting patron privacy for years to come.

Speaking of serving – LDH is still accepting projects and clients for Summer and Fall of 2020. We have a variety of training offerings for staff, including data lifecycle management, vendors and privacy, privacy impact assessments, and implementing privacy at your organization. LDH can also help you keep track of developing data privacy regulations in your state! With California’s new data privacy law in effect, many other states are looking to implement similar laws that can impact how libraries do business with vendors concerning patron privacy. If your organization needs that initial push in adopting best privacy practices or a review of existing privacy policies and practices, LDH is more than ready to help with that push.

The majority of our clients come to LDH through word of mouth, so we appreciate you all telling your colleagues about LDH and our services!

All Things Privacy At #alamw20

Welcome to this week’s Tip of the Hat! Are you prepared for ALA Midwinter in Philadelphia this week? If not, you’re not alone. LDH is ready to help you get the most out of #alamw20!

Before You Go

Here are some reminders as to how to protect your privacy while traveling and conferencing:

VPN? Check. AC wall charger or power bank for the phone? Check. Mental reminder to take off the conference badge outside of conference spaces? Check!

In the Exhibit Hall

Booth #1823 – Stop by and get a sneak peak of the upcoming Privacy Field Guides! These guides cover a variety of topics, including privacy audits and the data lifecycle.
Booth #864 – The Library Freedom Project will be answering any questions about the Institute (applications due February 10th) as well as handing out resources about protecting privacy at your library and community.

In the Schedule

Sunday, January 26th seems to be the day for privacy at Midwinter:

Intellectual Freedom Committee (IFC) Privacy Subcommittee Meeting; 8:30 AM – 10:00 AM; Room 111-A
Learn more about the current projects going on in the Privacy Subcommittee! You don’t have to be a member to attend the meeting.

Data and Diversity: Navigating the Ethics of Demographic Data in Inclusive Community Collections; 1:00 PM – 2:00 PM; Room 203-AB
Abstract: Librarians building local collections want to represent the diversity of their communities. When we use information about people’s identities to assess a collection’s inclusivity, how do we protect people’s privacy and respect their autonomy? We’ll discuss how we addressed these questions for local digital music collections at public libraries in Seattle and beyond.

We’ll share best practices we created, how we developed those practices, and how we continue to adapt them. We present our work with community data as a template for engaging with the complex and evolving issues facing librarians in an era of rapid technological and societal change.

LITA Top Tech Trends; 1:00 PM – 2:00 PM; Room 122-A
LITA’s Top Tech Trends is always a popular event, and privacy and security will most likely make their way into the panel discussion.

Data Abuse: Is There a Sustainable Solution to Help Notify Users of Egregious Data Abuses?; 4:00 PM – 5:00 PM; Room 204-C
Abstract: How can patrons easily understand the extent of data collection that results from their use of electronic resources? Often, the resource provider just wants to confirm a patron’s institutional affiliation, but some vendors require that users create an account, subscribe to a newsletter, or provide demographic information. At Cornell University Library, staff are exploring options for helping patrons easily understand data collection from electronic resources – a system that can be supported, shared, and used by all. In this discussion, we will explore our ideas so far, and seek input on how to make such a service sustainable.

LDH will not be at Midwinter this year, but we plan to be at Annual in Chicago. We hope to catch you then! In the meantime, safe travels to Philly, and enjoy all the privacy offerings Midwinter has to offer.

Who Knows, Who Decides, and Who Decides Who Decides

Welcome to this week’s Tip of the Hat!

Shoshana Zuboff’s book The Age of Surveillance Capitalism provides a comprehensive overview of the commodification of personal information in the digital age. Surveillance capitalism is a specific form of capitalism that focuses on using personal data to predict and control user behavior. Zuboff’s analysis of surveillance capitalism centers around three questions:

  • Who knows?
  • Who decides?
  • Who decides who decides?

In the book, Zuboff provides some context to the questions:

The first question is “Who knows?” This is a question about the distribution of knowledge and whether one is included or excluded from the opportunity to learn. The second question is “Who decides?” This is a question about authority: which people, institutions, or processes determine who is included in learning, what they are able to learn, and how they are able to act on their knowledge. What is the legitimate basis of that authority? The third question is “Who decides who decides?” This is a question about power. What is the source of power that undergirds the authority to share or withhold knowledge?

Zuboff offers answers to these three questions in her book: “As things currently stand, it is the surveillance capitalist corporations that know. It is the market form that decides. It is the competitive struggle among surveillance capitalists that decides who decides.” While the current prognosis is grim according to Zuboff’s analysis, the three questions are a powerful tool in which one can discover the underlying power structures of a particular organization or culture.

An interesting thought exercise involves applying these three questions to the library. On a lower level, the data lifecycle provides some answers to “Who knows?” concerning access to patron data as well as the publication and disclosure of data in reports, data sets, and so on to third parties. The “Who decides?” question goes beyond the data lifecycle and ventures into the realm of data governance, where decisions as to who decides the data practices of the library are made. However, the answer goes beyond data governance. Library use of third-party tools and services in collecting or processing patron data bring these third parties into the realm of “Who knows?” as well as “Who decides?” The third-party can adjust their tools or products according to what best serves their bottom line, as well as providing a tool or product that they can market to libraries. Third parties decide what products to put out to the market, and libraries decide which products meet their needs. Both parties share authority, which leads this thought experiment closer to Zuboff’s analysis of the market as the decider.

That brings us to the third question, “Who decides who decides?” Again, our thought experiment starts to blend in with Zuboff’s answer to the same question. There is indeed a struggle between vendors competing in a niche market that has limited funds. We would be remiss, though, if we just left our analysis pointing to competition between third parties in the market. Part of what is driving the marketplace and the tools and services offered within are libraries themselves. Libraries are pressured to provide data for assessment and outcomes to those who directly influence budgets and resources. Libraries also see themselves as direct competitors to Google, Amazon, and other commercial companies that openly engage in surveillance capitalism. Instead of rejecting the methods used by these companies, libraries have to some extent adopted the practices of these perceived market competitors to keep patron using library services. A library on this path could find themselves upholding surveillance capitalism’s grasp in patrons’ lives.

Fitting this thought experiment into one newsletter does not give the questions the full attention they deserve, but this gives us a place to start thinking about how the library shares some of the same traits and qualities found in surveillance capitalism. Data from patron activities can provide valuable insight into patron behaviors, creating personalized library services where yet more data can be collected and analyzed for marketing purposes. It’s no surprise that data analytics and customer relationship management systems have taken off in the library market in recent years – libraries believe that there is a power that comes with these tools that otherwise wouldn’t be accessible through other means. Nonetheless, that belief is influenced by surveillance capitalists.

Decided for yourself – give Zuboff’s book a read (or listen for the audiobook) and use the three questions as a starting point for when you investigate your library’s role in the data economy.

Privacy Tech Toolkit: Tor

Welcome to this week’s Tip of the Hat!

A new year brings New Year resolutions. If you resolved to adopt better privacy practices and tools, you’re in luck! This week’s newsletter continues our exploration of the Privacy Tech Toolkit with the Tor browser and network.

Tor Basics

Tor enables users to anonymously browse and communicate online through two main parts. The first part is the Tor network, a worldwide network of servers. These servers serve as relays, sending encrypted information to randomly selected relays, masking the location of the user of the network. “Tor” stands for “the onion network” because this relay process resembles layers of an onion – each relay decrypts one layer of encryption and sends the rest off to the next relay for the next round of decryption. This routing masks both the source and destination locations of the online traffic. This is similar to a VPN in such that you can hide your actual location. The Electronic Freedom Foundation illustrates how the Tor network works with the following illustrations:

Three diagrams showing how Tor works. The first diagran shows the initial request to the tor directory server. The second diagram shows the random path through the tor relays to transmit the information. The third diagram shows a different relay path when the requester comes back to request the same information at a different time.

End-users can access the Tor network with the Tor browser. The browser is based on Firefox and comes with the NoScript plugin already installed. You can install the Tor Browser on all major operating systems as well as install the browser on a USB stick or SD card for when you are traveling or won’t have access to your computer.

Tor Considerations

Instead of accessing the internet through a single private network in the case of a VPN, Tor uses a distributed relay network that shifts your “location” every time you connect to the network. Tor is open source and is free to the public, but there are some considerations when choosing to use Tor for online browsing and communications:

  • Speed – the Tor network has more users than relays, as well as high user demand, which means slower browsing speeds on Tor than on other networks.
  • The Good and Bad of Blocking and Tor
    • Bad – some websites block the IP addresses of Tor exit relays (the last server in the relay chain). Those sites will need to be accessed outside of Tor. To add insult to injury, some sites block both Tor AND VPN access, making it near impossible to use those sites without having your location and activity wide open to those sites.
    • Good – because of the Tor network’s ability to route traffic through several relays worldwide, Tor can bypass government or other types of geo-blocks on certain websites, making Tor a necessity for those living in areas of the world that restrict access to the web.
  • Onion addresses – some websites, on the other hand, have onion addresses that can be accessed through the Tor browser. For example, you can access the BBC News website at https://www.bbcnewsv2vjtpsuy.onion/.
  • Anonymity – Tor provides an additional level of anonymity for online communications and browsing with the distributed relay network and browser; however, your actions can still give your location and identity away to third parties. If you log into a service that is connected to your real-world identity through Tor, then the site knows that it’s (most likely) you. Some users use Tor for specific purposes to avoid being identified while on Tor, staying away from logging into services connected to real-world identities. You can use Tor to search online without those searches being tied back to any accounts that are open in other browsers outside of Tor.

Tor @ Your Library

Some libraries include the Tor browser as part of the public computer image, while other libraries allow for patrons to install the Tor browser on the public computer (which then is wiped after the user session). Several libraries also advertise the option to run the Tor browser off of a USB stick to patrons who want to use Tor on public computers.

Several libraries are going beyond offering Tor access to public computers by becoming a relay, increasing the Tor network’s capacity to meet user demand. The Kilton Public Library in New Hampshire was the first public library in the US to host a Tor relay as part of the Library Freedom Project’s Tor Exit Relay Project. The project was not without controversy, but in the end, the public library was allowed to keep the relay.

Tor And Other Privacy Tools And Practices

If you need an anonymous way to browse the internet, Tor is one of your best bets. While some people opt to use both Tor and a VPN at the same time for additional security and privacy, most use one or the other when they need to have a private and secure way to browse and communicate online. Again, each tool has its strengths and weaknesses in protecting your privacy and choosing which one to use depends on your situation. Tor and VPNs are widely known tools, but there are many other tools to cover in our Privacy Tech Toolkit – stay tuned!

Thanks to subscriber Kristin Briney for the topic suggestion!

Give The Gift of Privacy

Welcome to this week’s Tip of the Hat! This is our last newsletter of the year – the Executive Assistant is on Holiday Break. We’ll be back on January 6th with the first newsletter of 2020.

Before we head out for the year, give the gift of privacy this holiday season:

Happy holidays from all of us at LDH, and we’ll catch you in 2020!

A black cat with a brown hat sticker placed on her side.

Safe Travel for the Holidays (Guest Post)

Welcome to this week’s Tip of the Hat! Many of you will be traveling the next couple of weeks, which might involve flying to your destination. This week we bring you a guest post from Joe Reimers, Sales Engineer at III, about how to protect your privacy at the airport. Joe also writes about traveling tips and tricks at https://flyinfrequently.wordpress.com.


Holiday season is once again upon us, and for a number of us, that means air travel. For some, it’s another opportunity for grand adventure; for others, it’s an ordeal to be endured so we see family, friends and loved ones. For all of us, it’s another way for our personal data to be exposed to others.

Airports are public places where there is no reasonable expectation of privacy – you are always being observed and recorded. TSA and other law enforcement have the authority to search you and your bags. On domestic flights they may not search the contents of your phone or laptop (this is still unsettled law on inbound international flights), but they can require that you turn those devices on to prove that they are what they appear to be. Note that you don’t need to authenticate in, they just need to see the login screen. Air travel, like banking, is very, very closely tied to your legal identity – you can’t board unless the names on your ticket and ID match exactly, and the government can and does look at who is traveling where.

With this in mind, the privacy-minded traveler can prepare themselves accordingly. First and foremost, don’t bring anything you really don’t want other people to see or handle. Bringing some personal stuff is unavoidable, but I’ve found that when packing clothes in packing cubes or see-through bags, clothes that are obviously clothes are generally left alone. Another consideration is your ID – you’re going to need it at multiple times at the airport, typically when checking a bag and at the security checkpoint. You’ll want to keep your ID ready along with your boarding pass, but otherwise I try to keep it out of sight as much as possible. If you’re flying with a passport, it’s generally OK to keep out, but keep it closed and away from prying eyes.

A number of airports are now starting to use biometrics as a way to verify identification. I have very, very mixed feelings about this. The advantages are undeniable: things move quicker and you have less paperwork to keep track of (CLEAR + TSA Pre-Check at JFK or Atlanta is the difference between clearing security in 5 minutes vs. half an hour or more.) The disadvantages are also undeniable: the government gets regularly updated data about you and what you’re doing, and they don’t have to be transparent about how this data gets used. The same is true of third-party companies like CLEAR. And if there’s a data breach, well… What’s critical for you as a traveler is to understand that you cannot be compelled to submit to biometric identification. It can appear that there’s no choice but to use biometrics, but neither the airlines nor the government can legally compel its use.

Next, let’s talk boarding passes. To a skilled identity thief, boarding passes are treasure troves. They provide your full legal name as it appears on your ID. They provide hints about your frequent flyer information and status – frequent flyer miles are common targets for theft! They also contain your PNR (Passenger Name Record) and ticket number, which allow thieves to do fantastic damage. But the real danger is in the 3D barcodes (or QR codes on electronic boarding passes), which store a lot of this data in plain “text” rather than masked or by reference. If you have a paper boarding pass, protect it as you would an ID card, and destroy it the same way you’d destroy a credit card statement – not in an airport or hotel trash bin!

Now on to tech toys. Airports are public spaces where threat actors have lots of opportunity to get up to lots of mischief. It’s safe to assume that both airport WiFi and USB charging ports are compromised – even in airline clubs. Fortunately, these are easily countered with wall plug adapters and the use of VPN. Please also bear in mind that airports are public places with lots of people around. I’ve heard more than my share of “personal” phone calls. Headphones are a Very Good Thing but people tend to speak louder when wearing them. Calls aren’t always avoidable, but I strongly recommend keeping them short and light on private details until you’re someplace a bit further from prying ears.

Ultimately protecting yourself while at the airport boils down to two things: plan ahead, and stay alert. With a little bit of preparation and a little bit of awareness, it’s quite possible to keep your personal information and identity pretty safe while traveling. While you can’t control everything, controlling those things you CAN control can make all the difference.


Thanks again to Joe for the guest post! If you have an idea for a guest post, email us at newsletter@ldhconsultingservices.com.

Last Week In Library Privacy: Evernote, LFI, and an Amendment to Weaken MI Library Privacy Law

Welcome to this week’s Tip of the Hat! Last week was a busy news week, and you might have missed an important update that could affect your library. Here are some of the major privacy news updates that you might have missed.

Evernote and law enforcement requests

Last week Motherboard reported that Evernote gave user data to law enforcement as part of a drug investigation. The company received a warrant from the Drug Enforcement Administration requesting user data, including notes that have been recently deleted by the user – the article noted that Evernote still retains data deleted by the user for some time.

While the case itself is not connected to a library, many library staff use Evernote and other cloud products for work, including creating work documents, spreadsheets, and presentations to share with other library staff. Also, staff use cloud products such as Google Forms and SurveyMonkey to collect patron information. Limiting the amount of patron data in cloud products can reduce the risk of that data being handed over to other third parties such as law enforcement. If you decide to use a third-party cloud product such as Evernote, review their law enforcement request policies and other policies surrounding the sharing of user data to other third parties.

Michigan library patron data law challenge

Michigan lawmakers are considering changing state library privacy laws. Senate Bill 611 seeks to amend existing law to allow for library directors to release patron information to law enforcement without a court order. The following text is the change that would allow for such disclosure:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

The law also allows for additional disclosures of patron information to third parties, such as collection agencies.

If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

(Thank you to OIF and Erin Berman for notifying us about this story!)

New web tracking guide

The Electronic Freedom Frontier (EFF) published Behind the One-Way Mirror, a comprehensive guide to web tracking. This guide goes into depth about the multitude of tracking methods, including mobile, web, and real-world user tracking. For readers who enjoyed the Web Cookies newsletters, this is a perfect resource to further explore the topic in depth.

LFI 2020 applications now open

The Library Freedom Institute is now accepting applications for its third cohort! This four-month institute allows library workers to learn more about privacy and libraries and to become privacy advocates in their libraries and their communities. If you are curious to learn about what all is covered in the Institute, you can view the course materials and resources for previous cohorts on the Library Freedom Project’s wiki. The third cohort is set to start in March 2020, and applications are due February 10th, 2020.

Ransomware – tell us your story

Libraries are no strangers to being the target of ransomware attacks. LDH is teaming up with Blake Carver to present “Held at Ransom: How Libraries Can Best Defend Against and Recover From Ransomware Attacks” at ALA Annual 2020 in Chicago. We are looking for your stories of dealing with ransomware at your library! We hope to gather information and stories that can help other libraries better prepare for ransomware attacks, as well as give them hope that there are ways to recover from the attacks. If you have a story to share, please fill out the form at https://forms.gle/i6J4vAN23GMR3Ez59.