Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the stated purposes when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

#dataspringcleaning, Home Office Edition

Welcome to this week’s Tip of the Hat!

The trees outside the LDH office are now covered in leaves, the tulips and daffodils are blooming, and the grass has started growing again. All of which means one thing – allergy season Spring Cleaning Season! Or, as we at LDH like to call it, #dataspringcleaning season.

We covered the basics of #dataspringcleaning in a previous newsletter; however, determining if your data sparks joy might be a challenge this year given the state of current affairs. For this year’s #dataspringcleaning season, here’s a short cleaning list for your newly minted home office to help you in your data cleaning efforts.

Paper documents

Shred! If you don’t have a shredder at home, you have a couple of options:

  • Store documents for shredding at the office in a secured place in your home away from housemates.
  • Buy a shredder for your home. Look for a shredder that can shred at or above Level P-4. Having a shredder at home not only helps you protect patron privacy but also your privacy now that you have a convenient way to shred your personal documents and files.

Shredded paper should not go into your recycling bin – it’s most likely that your recycling center cannot accept shredded paper. In King County (where LDH is located) residents are instructed to use shredded paper for composting. You can also take a few handfuls of shredded paper to top off any garbage cans before closing up the garbage bag when you take the garbage out. Check with your local solid waste and recycling departments in your local area for more guidance about disposing of shredded paper.

Electronic equipment

  • Store patron data on work storage or equipment when necessary. Do not use personal hard drives, flash drives, or other personal storage devices to store patron data.
  • Do a quick data inventory of any personal cloud storage services you use, such as Google Drive or Evernote.
    • What patron data do you have stored in those services?
    • Can you migrate that data to work storage?
    • What data do you need to keep, and what data can be deleted?
  • If you have your work computer at home, now would also be a good time to do a data inventory of what’s stored on the local drive.
  • Remember, deleting a file doesn’t mean that the file is deleted! There are many programs available to help you permanently delete files.
  • If you do end up having to retire a physical disk or drive that held patron data, what tools do you have in your home toolbox? You most likely have a hammer, but you can also get creative depending on what’s available… we’ve mentioned power drills before, but perhaps you might want to try out the nail gun. Remember – safety first!

#dataspringcleaning at home is a good way to spend the time between meetings or to begin or end your workdays at home. A little bit of cleaning each day adds up to help protect patron privacy 🙂 Happy cleaning!

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that you can remember from memory – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you, as well as the ability to generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you not only need to consider the severity of if the risk is realized but also the likelihood that a risk will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks, including using multiple password managers to store different types of passwords and other sensitive information, or only use their password manager to manage passwords, and not store any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.
In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. It depends on your needs and your comfort level when it comes to if you want to stick with a free plan/manager or move to a paid plan.
With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of of last week’s webinar in Google Drive. Resources and handouts for the webinar can be access at https://is.gd/LDH_RemotePrivacy.

More Zoom Updates and Free Webinar About Remote Work and Data Privacy

Welcome to this week’s Tip of the Hat!

Zoom has had one of those weeks. Since we last wrote about Zoom’s privacy issues last week, the number of additional privacy issues has skyrocketed. It’s gotten to the point where there are news articles just trying to keep track of all these updates. Even those articles are struggling to keep up. On March 31, TechCrunch published an article that listed the known privacy issues at that time, including the misleading advertising of true end-to-end encryption for voice chats, but the article came out a day before an article about zero-day bugs found by an ex-NSA hacker that could allow access to passwords and webcam/mic control if someone had physical access to the computer. Then the next day we learned that Zoom leaked LinkedIn data to other users. Additional reports suggest that Zoom is a very good target for intelligence gathering and interceptions for various governments.

Like we said – it’s hard to keep up with all the updates! Security expert Bruce Schneier’s writeup on Zoom is the most up to date list at the time of this writing.

The best option, in this case, is not to use Zoom, right? Unfortunately, it’s not that clear cut. A conversation on Twitter about Zoom brought up the point that Zoom fairs better than other web conferencing software in terms of screen reader access. While Zoom might be a hot mess when it comes to privacy, it still provides access to those who otherwise wouldn’t have it with other options. Workplaces complying with privacy and accessibility regulations find themselves in a tightrope act with trying to protect employee and patron privacy while at the same time provide tools that their staff can use. Zoom announced that they are addressing the privacy and security issues, which if the company follows through on their promise would solve the issue in the short term. The longer-term issue remains, however, with web conferencing software that have better privacy practices are not accessible for users, including for library workers.

For now, the best you can do is to lock down your Zoom meetings as much as possible and to review user and administration settings to ensure that all privacy and security settings are enabled. Some universities have created publicly accessible guides to more secure Zoom meetings, such as this guide from the University of Washington, as well as FAQs on privacy and security, that can help you formulate messaging to library staff about using Zoom.

Webinar on remote work and data privacy, April 9th

LDH Consulting Services is proud to sponsor this week’s LITA webinar “A Crash Course in Protecting Library Data While Working From Home”. This free webinar will provide strategies and actions in protecting patron privacy for library workers working from home, as well as some of the longer-term implications to patron privacy with libraries moving all essential operations and patron services online for the foreseeable future. Attendees will have the opportunity to share what they are doing to protect data privacy while working from home. Register today!

Zoom and Privacy at the Library

Welcome to this week’s Tip of the Hat!

The amount that you spent web conferencing has most likely increased exponentially in the last few weeks. Library workers working from home now rely on web conferencing software for daily operations, including meetings and check-ins with other colleagues. With this shift to web conferencing, though, comes a shift in the level of risk to patron privacy.

Most libraries rely on third party web conferencing software which, like any other third-party vendor, brings its own set of risks to patron privacy. However, when you fundamentally change library operations to embed a third-party application into almost all parts of core operations, the existing privacy risks of that application change dramatically. You also introduce new risks into the mix! It’s already hard to keep up with all the risks to patron privacy in normal operations, and a rapidly changing work landscape compounds matters.

Let’s take Zoom, for example. Many libraries and library vendors use Zoom as their primary web conferencing application before the COVID-19 outbreak. That number only increased as many workplaces went remote, with many workers relying on their institutional Zoom accounts for both professional and personal online meetings. Other workers took advantage of Zoom’s generous free plan. What was once a tool used for webinar presentations and professional organizational group meetings, Zoom has become a lifeline for many remote library workers to stay connected to the library world for the foreseeable future.

With the increased use of Zoom came increased scrutiny of the application from the increasing number of remote workers in several industries. Soon after the shift to remote work started in earnest across the US, news media started reporting on privacy and security concerns with Zoom. One of the earlier news reports described Zoom’s “attention tracking” function, where an administrator can keep track of meeting participants who clicked away from the Zoom window. This level of tracking by the meeting organizer does not reach the level of other tracking software used by businesses to monitor employee productivity, but this tracking can still encroach on employee privacy. “Zoombombing” – the act of gatecrashing a public Zoom meeting and bombarding it with inappropriate material or attacks – is also on the rise, compromising the security of business and other meetings held by users who are newer to the platform.

Zoom’s data privacy practices have received increased scrutiny in the last week with the mass movement to remote work. In the same article about “attention tracking”, the reporter also touched on Zoom’s privacy policy’s vague language around selling personal data. The privacy policy has since been updated to remove the first sentence which caused the most concern, but the vague last sentence in the paragraph remains – “So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.” – which is still a privacy concern. In addition, Zoom’s iOS App was sending user information to Facebook, which again wasn’t made explicitly clear in the privacy policy. Zoom released a statement that they will change the app to no longer send this information, but Zoom’s overall privacy practices and policies remain unchanged as described in this Twitter thread.

Your library might be using Zoom for business meetings, or it might be using Zoom for library programs, such as delivering online programs (like storytime or classes) or research/reference services. In both cases, Zoom might be collecting and processing patron data for their business purposes, increasing the risk of a privacy breach. You can take some actions to mitigate the new risks to patron privacy from using Zoom:

  • Use Zoom’s end-to-end encrypted chat feature [Update – the E2EE feature turned out to be false advertising.]
  • Limit the amount of patron data disclosed in Zoom, including text chats
  • Do not record video, voice, or text chats that involve patron data, including services to patrons conducted over Zoom
  • Do not share files with patron data over Zoom’s filesharing feature
  • Review privacy and security settings on the administrator, organizer, and user levels
  • Follow best practihttps://lifehacker.com/how-to-prevent-jerks-from-ruining-your-zoom-meetings-1842453487ces to prevent Zoombombing, including enabling the waiting room feature, limiting screen-sharing and voice controls (muting participants by default when they join), and locking the session when all attendees have arrived.

Limiting patron data disclosure on third-party applications is a challenge for a remote workforce. Choosing third-party applications with strong privacy and security practices is one of the best ways to mitigate privacy risks. Taking the time to assess privacy and security during a major global health crisis, nonetheless, doesn’t come naturally if you are not used to making critical privacy decisions under pressure. Settling into the new normal provides the opportunity to reassess data privacy and security practices in the workplace, including mitigating expanded or new risks to patron privacy. In the case of Zoom, limiting the amount of patron data transmitted through the application as well as making full use of privacy and security settings can help mitigate these privacy risks.

Doxing: How to Protect Yourself and Patrons

Welcome to this week’s Tip of the Hat!

The Executive Assistant has her paws full this week with rescheduling and shifting various project timelines around thanks to recent events. She was batting objects off of ledges redoing Gantt charts when she came across a small list of privacy-related things to do on a rainy day and promptly knocked the list off the pile and onto the floor. While this is not a rainy day, a few of us could use a distraction, so what can be a better distraction than protecting your privacy?

Today we’ll explore doxing: what it is, how it can harm you and your patrons, and what you can do to protect yourself and patrons from being doxed.

Doxing and You

Doxing is the act of publishing private or otherwise identifying information about a person to the public. This can include your home address, phone number, private email address, or bank account details, but it can also involve publishing private information about those close to you, like family members, along with your private information. Most times doxing is used as a tactic to intimidate or to harm a person or their loved ones – an infamous example of doxing in action is Gamergate, where online harassers doxed several games journalists, researchers, and others in the gaming industry.

Being doxed can mean a stranger showing up at your home or otherwise harassing you as you try to go about your daily life, but it can also mean that your identity can be stolen. With just a few pieces of private personal information, you can social engineer your way through customer service staff and help desk representatives to get access to critical accounts, potentially destroying the financial and reputational aspects of a person’s life in the process.

How to Dox Yourself (@ the Library)

The scary part about doxing is that anyone with little time and effort you can get access to private information. The New York Times recently published a guide on how to dox yourself, describing the various places where you can find information that you thought was not available to the public. Search engines, social media, and data brokers are all potential sources for doxers looking for your private information. Take some time to study their resource guide and perform some searches on your favorite search engine. You might be (un)pleasantly surprised as to what you can find about yourself.

Libraries are not exempt from being potential targets for doxers to gain information about a person. Library patrons routinely contact library staff with requests or questions about their patron account or another person’s patron account. What can be in the patron record that can potentially be used to dox someone? Legal name, home address, and birth date are three pieces of patron data that come to mind. Chances are, though, that your patron record includes much more, including telephone numbers, email addresses, and even government or organization-issued identification numbers, such as driver’s license numbers or student or employee id numbers.

Library workers also face the possibility of being doxed and harassed. An article by American Libraries recounted the experiences of two library school professors who were doxed for their research on racial microaggressions in academic libraries. Library workers are subject to the same harassment and doxing that their patrons face in daily life, as documented in the article. Any private information of both patrons and library workers is fair game to a doxer, even at the library.

Dox Defenses

How can you protect yourself and others from doxing?
On the personal front:

On the library front, review policies and procedures surrounding patron data confidentiality, particularly surrounding requests to disclose patron information:

  • Do you have a procedure in place to verify the patron’s identity if they request access to information in their patron record? What are the procedures regarding identity verification in-person versus over the phone versus online?
  • What information is used in the verification process?
  • What information do you disclose in the patron record in person? Over the phone? Online?
  • What is the procedure when the patron doesn’t have this information for verification?
  • What is the procedure if the patron requests access to another patron’s record?

Employee information also needs protection; however, a different set of regulations, policies, and procedures apply. Check with your human resources staff as well as legal counsel to determine what information is private, what is public, and when employers are allowed to disclose employee information to others.

Doxing is scary and can lead to harassment and other dangerous situations. The best personal defense against doxing is to be proactive in limiting the amount of private information a random person off the street can access through a data broker, your online presence, or other places where private information can be accessed by someone with a little bit of time and resources. The best library defense is making sure that there are policies and procedures in place for verification of the patron’s identity before disclosing patron information in certain situations, as well as protecting the privacy of library worker information, be it from not publishing private information such as home addresses to protecting the data from unauthorized access.

COVID-19 Updates And More Privacy Considerations

Welcome to this week’s Tip of the Hat, everyone.

It’s been a week for many of us as COVID-19 rapidly changed both work and personal lives. During the last newsletter, public events were still going on, schools and libraries were still open, and we were not in a pandemic. This newsletter is being composed in a completely different world in Seattle – closed schools and libraries, canceled events, and the realization that COVID-19 is much more widespread than previously thought.

This week, many libraries are closed to the public, while other libraries that are still open are being pressured to close to protect the health of their staff. This means staff might be working from home for the first time, or are trying to move in-person library instruction online. The Library Freedom Project provides a good list of privacy considerations for online instruction. Academic and school libraries should also be aware of the updated guide on FERPA and COVID-19 and how student privacy is impacted by the COVID-19 pandemic. In the general world, healthcare professionals, as well as employers, are struggling to find a balance between personal privacy and disclosure in the context of HIPAA regulations.

The rapid developments of last week also presented a challenge – how do you protect privacy while at the same time keeping up with changes at work? Many work from home arrangements were hastily put together with less than 24 hours’ notice, leaving IT departments scrambling to figure out if VPN or other remote access to staff systems can handle the increased user traffic, but at the same time might not realize that the remote access method has a vulnerability, such as an unknown open port, or even providing access to internal applications without special logins or IP restrictions. IT staff should ensure that only staff can access work systems and network drives, including requiring VPN use to access these places as well as additional authentication and user access rules. In short, IT staff have their work cut out for them in the next few weeks. Nonetheless, there have been many guides published in the last week, like this one from NC Department of Information Technology, for people working from home and what they can do to protect their digital privacy and security.

On the public services side, online communications between staff might take a variety of forms, from an increased number of emails to online web conferencing. If the organization doesn’t offer an online group collaboration platform, like Microsoft Teams, staff might take to free third party applications, such as Slack, Discord, or your tried and true suite of Google products. Patron privacy might be compromised if patron data is shared on unsecured applications, as well as places that are subject to a public records disclosure request. Therefore, it’s a good time to remind everyone to keep patron privacy in mind in working from home, including limiting storing and communicating patron data to secure communication channels controlled by the organization.

It’s impossible to keep track of every COVID-19 development, and libraries have struggled to respond to these changes. With more libraries closing and trying to keep staff busy, we cannot forget that the choices we make during the COVID-19 pandemic will have long-lasting consequences on data privacy for some time to come. It’s hard to step back and take a breath to reassess where everything stands on patron privacy, but it’s worth the effort to take a few moments to go through the library’s response so far and ask how each response might put patron privacy at risk.

COVID-19: Resources and Privacy Considerations

Welcome to this week’s Tip of the Hat!

Some of you might already know that LDH is based out of Seattle. Seattle has been in the news with the recent COVID-19 cases and deaths in the area. We at LDH are staying relatively healthy (outside of it being allergy season in town). Nonetheless, some of you have also been impacted by COVID-19, including institutional travel restrictions, dusting off the disaster policy and procedures, and fielding questions from both staff and patrons about what will happen when there’s an outbreak of COVID-19 in your area.

There’s a lot of information out there regarding COVID-19 and what you should do to help slow the spread of the infection. Some sources include:

The most important things to keep in mind during this time:

  • WASH YOUR HANDS WITH SOAP AND WATER. It doesn’t matter if it’s hot or cold water. There are several memes out there with lists of songs you can sing for about 20 seconds, be it Happy Birthday, the opening trumpet solo in Mahler’s 5th, or the chorus to this song.
    Hand sanitizer (store-bought, not homemade) is also an option, but not as effective as washing your hands with soap and water. [1]
  • Cover coughs and sneezes using your elbow or tissue (then throwing the tissue away).
  • If you are able, stay home if you are sick. This is not an option for those who do not have paid sick time, or if there’s a lack of coverage at work. If you do have the privilege to stay home, do so.
  • Extra cleaning of any hard surfaces as well as public or shared areas, such as open offices and break rooms.

COVID-19 has also brought up some good reminders and discussions surrounding privacy in a time of a possible pandemic:

Here are a few more articles surrounding the COVID-19 and the possible long-term implications to privacy regulations and public discourse:

Stay safe and healthy in the coming weeks!

[1] You would be surprised by the number of people who do not wash their hands regularly; this is something you should be doing anyway in normal circumstances. Hence, the shouting. Forever shouting about the washing of hands.

That Little Driver’s License Card…

Welcome to this week’s Tip of the Hat!

A driver’s license card is the first document many people use to prove their identity, be it at work, or the bank, or the airport. The card has key information needed for organizations and institutions: name, date of birth, address, photo, and the illustrious driver’s license number. Driver’s license cards can be a convenient form of identification, but it can also be a convenient way for your patrons’ identities to be stolen if your library is not careful in its handling of the card’s information.

As part of the library card registration process, many public libraries require some form of identification with a current address to confirm the patron’s home address. These libraries almost always accept driver’s license cards as one form of identification. But what do libraries do with the information on the card? Some record the driver’s license number in the patron record, while others take a photocopy scan of the card (yes, this has happened!). Several libraries use specially programmed barcode scanners to automatically populate the fields in the patron record from the information provided from the driver’s license barcode.

Each method carries its level of risk to the library patron’s privacy. Storing driver’s license numbers in the patron record or other places can open the patron up to identify theft if the library’s systems or physical spaces are compromised. There are various ways to compromise a physical or electronic space. We are familiar with the story of a person breaking into the system to steal information, but sometimes it is a staff person who steals the information. We also can’t forget that a leak is as damaging as a breach – sometimes staff leave the patron record up on the screen at public service desks, or a report printout is left on a desk for anyone to see or take.

Overall, the best way to mitigate the risk of a breach or leak of driver’s license numbers is to not collect or store driver’s license numbers. In the collection stage of the patron data lifecycle, we decide what data to collect. The data you collect should be tied to a specific, demonstrated business need at the point of collection. If you are collecting driver’s license numbers as a way to verify patrons and addresses, what are the business needs for collecting and storing that number in the patron record? You can achieve the same business need by other means, including creating a process of validating the patron record information with the identification without recording additional personal information in the record. Another consideration is that while driver’s license cards are a convenient form of identification, the card might have a name that the patron no longer uses and might have other outdated or incorrect information, including address information if the state does not mail a new card when there is an address change. Finally, not all patrons have driver’s license cards, and your patron registration policies and procedures need to accommodate this reality.

Even if you don’t collect or store the driver’s license number, there are still ways in which the library might inadvertently collect more patron information than they need from the card. Scanning driver’s license barcodes to auto-populate patron registration forms and records can save time in data entry, but be aware that these barcodes carry much more information than what is presented on the card, including gender and even Social Security Numbers. The software that you use to scan the barcodes should only record the information needed for the patron form and not store the additional information in the barcode. Your software vendor should have information about how they treat this extra data; if they do not, then the vendor product is a potential security risk for the library and the patrons which needs to be addressed with the vendor.

No matter how your library handles driver’s license cards, your library should be actively reviewing privacy practices on a regular basis. In 2019, the Contra Costa County Library System decided to stop collecting driver’s license numbers and purged existing numbers from their patron records. This decision came just at the right moment – the library system suffered a ransomware attack at the beginning of 2020. While recent reports state that no personal data was compromised, the risk of identity theft to library patrons would have been much greater if the driver’s license numbers were still stored at the library. In short, it’s never too late to review policies and procedures around patron address verification at your library!

Hat Tip: Latanya Sweeney, Ph.D.

Welcome to this week’s Tip of the Hat!

Many of you might be preparing the last public displays for Black History Month or setting up the first set of Women’s History Month displays. If you need to add one more person to feature in either or both displays, or if you wish to know more important black women in STEM, you’re in luck! Today’s newsletter is a quick introduction to one of the major players in the data privacy field, Latanya Sweeney, Ph.D.

Latanya Sweeney is a Professor of Government and Technology in Residence at Harvard University and the founding director of Harvard’s Data Privacy Lab. She is also the first African American woman to receive a Computer Science Ph.D. from MIT. Sweeney made many major contributions to the technology field, but the most well-known contribution for privacy professionals is Sweeney’s work on k-anonymity. Her work on the re-identification of individuals through data has prompted a shift in many in the privacy field in reassessing the concept of anonymization. For example, in a study published in 2000, Sweeney found that 87% of the US population can be identified based on zip code, gender, and date of birth. Health data is also an area in which Sweeney has shown again and again how easy it can be to re-identify data that used certain anonymization methods.

Other parts of Professor Sweeney’s work delves into how data can be used to discriminate, including her work on the discrimination found in online ad delivery. The projects page for the Data Privacy Lab and the various tools on the home page shows the vast array of research areas under the guidance of Sweeney’s direction of the Lab.

Did we also mention that she was also the Chief Technologist at the FTC in 2014?

Some recent talks and panels include:

We leave you with an excerpt from a 2007 interview from Scientific American where many can appreciate Sweeney’s approach to privacy:

[Walter] Why is privacy versus security becoming such a problem? Why should we even care?

[Sweeney](Laughs) Well, one issue is we need privacy. I don’t mean political issues. We literally can’t live in a society without it. Even in nature animals have to have some kind of secrecy to operate…. There’s a primal need for secrecy so we can achieve our goals.

Privacy also allows an individual the opportunity to grow and make mistakes and really develop in a way you can’t do in the absence of privacy, where there’s no forgiving and everyone knows what everyone else is doing… With today’s technology, though, you basically get a record from birth to grave and there’s no forgiveness. And so as a result we need technology that will preserve our privacy.