{"id":14806,"date":"2016-12-06T15:29:58","date_gmt":"2016-12-06T15:29:58","guid":{"rendered":"http:\/\/www.megalextoria.com\/wordpress\/?p=14806"},"modified":"2018-07-23T03:43:50","modified_gmt":"2018-07-23T07:43:50","slug":"librarians-act-now-to-protect-your-users-before-its-too-late","status":"publish","type":"post","link":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/2016\/12\/06\/librarians-act-now-to-protect-your-users-before-its-too-late\/","title":{"rendered":"Librarians, Act Now to Protect Your Users (Before It\u2019s Too Late)"},"content":{"rendered":"<p>Books checked out from a library and terms searched on library computers can reveal a teenager\u2019s questions about sexual orientation, a neighbor\u2019s religious leanings, or a student\u2019s political interests. Libraries across the country, particularly public libraries, make it part of their mission to serve the most vulnerable and underserved user groups, including users who are homeless, unemployed, or recent migrants or refugees. And when government agents come looking, these library users need librarians to\u00a0<a href=\"https:\/\/www.theguardian.com\/books\/2016\/nov\/30\/library-user-data-government-surveillance-donald-trump\">have their back.<\/a><\/p>\n<p>Libraries and librarians\u00a0<a href=\"https:\/\/www.thenation.com\/article\/librarians-versus-nsa\/\">have long been<\/a>\u00a0stalwart guardians of the rights of free expression and inquiry. As part of their\u00a0<a href=\"http:\/\/www.ala.org\/advocacy\/intfreedom\/librarybill\/interpretations\/privacy\">profession<\/a>, librarians protect their users\u2019 ability to access even the most controversial information and ideas free from government scrutiny. 
Since the passage of the Patriot Act in particular, librarians have\u00a0<a href=\"https:\/\/www.theguardian.com\/us-news\/2016\/jan\/13\/us-library-records-purged-data-privacy\">purged user records<\/a>\u00a0when necessary to fight against unconstitutional government demands and\u00a0<a href=\"https:\/\/www.eff.org\/press\/releases\/internet-archive-received-national-security-letter-fbi-misinformation-about\">pushed back<\/a>\u00a0against (unconstitutional) National Security Letters (NSLs). Librarians also stood with EFF and the ACLU when we worked to pass the <a href=\"https:\/\/www.eff.org\/press\/archives\/2011\/10\/03\">California Reader Privacy Act<\/a>\u00a0in 2011.<\/p>\n<p>With the recent election of President-elect Donald Trump, many libraries are rightfully worried about a renewed threat to their users\u2019 privacy. If the incoming administration sticks to its promises to identify and <a href=\"http:\/\/www.npr.org\/sections\/thetwo-way\/2016\/11\/13\/501921177\/donald-trump-says-hell-deport-2-3-million-people-once-in-office\">deport millions of people<\/a>, <a href=\"http:\/\/www.nytimes.com\/politics\/first-draft\/2015\/11\/20\/donald-trump-says-hed-absolutely-require-muslims-to-register\/\">monitor individuals<\/a> based on their religious beliefs, and <a href=\"http:\/\/www.politico.com\/blogs\/on-media\/2016\/02\/donald-trump-libel-laws-219866\">expand libel laws<\/a>, for example, libraries could receive unprecedented government requests for information on their users.<\/p>\n<p>To that end, we recommend libraries ensure they\u2019re taking the following steps as soon as possible to protect their users\u2019 intellectual privacy. In addition, libraries have to think beyond their own actions and take steps to ensure that all of their third-party vendors provide the same level of protections to users that libraries themselves do.<\/p>\n<h3>1. 
Limit collection and retention of user information<\/h3>\n<p>The less information you collect about your users, the less you have to surrender. The best policy is to collect the minimum amount of information necessary to provide a particular service, and not to retain that information any longer than necessary. For example, delete check-out information as soon as a book is returned. Further, make a regular habit of purging your logs (including circulation records, event attendance records, computer use and activity logs, search records, Wi-Fi connection logs, database searches, etc.) using a\u00a0<u><a href=\"https:\/\/ssd.eff.org\/en\/module\/how-delete-your-data-securely-mac-os-x\">secure<\/a> <a href=\"https:\/\/ssd.eff.org\/en\/module\/how-delete-your-data-securely-windows\">deletion<\/a><\/u> utility. If you do need to retain certain records\u2014for example, usage records for resource allocation or funding advocacy\u2014then follow best practices to de-identify and anonymize them to the greatest extent possible.<\/p>\n<p>When you do collect user information, make sure your users are notified about that information collection and offered the option to affirmatively opt in. Further limit data collection by allowing pseudonymous or anonymous use of library services wherever possible. For example, allow people to use library computers without a personalized login, and don\u2019t require logins on library web services unless it\u2019s necessary to access a user account. Similarly, leave the library Wi-Fi\u00a0network open, don\u2019t keep logs of IP addresses, and ensure your network deletes connection logs immediately after log-off.<\/p>\n<p>Make sure library-operated websites and services aren\u2019t logging user IP addresses, and if they are, purge those logs quickly and regularly. 
Educate users about any differences between services provided in the library versus those services accessed remotely\u2014for example, services accessed via library computers will only see the library\u2019s IP address, while remotely accessing services can expose a user&#8217;s own IP address.<\/p>\n<h3>2. Maintain policies and procedures for responding to government requests and for notifying users of requests received<\/h3>\n<p>Communicate with users about how you will respond to requests for their information. Government requests for information may come in a variety of forms, from simple requests without a warrant or court order, to subpoenas, warrants, and NSLs. Policies must clearly dictate how library staff should respond to each of these requests. Make sure your staff knows how to handle requests for user information.<\/p>\n<p>Note that, without a warrant, court order, or NSL, libraries are generally not required to provide user information, and may refuse to comply. While search warrants may be carried out immediately, all government requests for information may be examined by library counsel for legal defects. If you receive a request for patron information you should contact an attorney. EFF stands ready to help libraries sort through their options when they receive suspect legal process.<\/p>\n<p>Policies should also address how and when users will be notified of government requests for information. In response to government requests accompanied by a gag order, some libraries, like the <a href=\"https:\/\/www.eff.org\/cases\/2016-internet-archive-nsl\">Internet Archive<\/a> and the Library Connection, have fought to lift the gag. Again, EFF stands ready to assist.<\/p>\n<h3>3. 
Maintain accurate, accessible privacy policies, and notify users when they change<\/h3>\n<p>A library\u2019s privacy policy should, at a minimum, tell users what types of information are collected, how long that information is stored, how it may be used, and who may access it under what conditions. Users should be immediately notified of any changes to library privacy policies, and should have an opportunity to opt in to continued use of affected services.<\/p>\n<p>But the library\u2019s privacy policy alone may not cover all of the catalogs, databases, e-books, checkout systems, and other third-party services a user may encounter in the library. At a minimum, users should be alerted when they are interacting with a third-party vendor, and should be notified of those vendors\u2019 privacy policies. Libraries should also allow users the opportunity to affirmatively opt in to services that do not allow the same privacy protections as the library\u2014or, even better, wherever possible libraries should require third-party vendors to match their privacy practices. (See EFF\u2019s\u00a0<a href=\"https:\/\/www.eff.org\/policy\">privacy policy<\/a>\u00a0as an example.)<\/p>\n<h3>4. Use HTTPS for your whole website at all times, and push your vendors to do the same<\/h3>\n<p>While many libraries already use HTTPS on parts of their websites, this strategy is\u00a0<a href=\"https:\/\/www.eff.org\/deeplinks\/2015\/05\/what-every-librarian-needs-know-about-https\">ineffective<\/a>\u00a0at securing user information. Use a service like\u00a0<a href=\"https:\/\/certbot.eff.org\/\">Certbot<\/a>\u00a0to migrate your <em>entire<\/em> website to HTTPS, and push your third-party vendors\u2014including e-book vendors\u2014to do the same. Without such protections, your users\u2019 information may be at risk in-transit and vulnerable to anyone logged onto the same network.<\/p>\n<p>In addition, you should limit the use of cookies used to track users\u2019 preferences and activities. 
If your website does use cookies, allow users to affirmatively opt in to accept the cookie. Don\u2019t condition access to your site on acceptance.<\/p>\n<h3>5. Secure library computer browsers<\/h3>\n<p>Insecure browsers can leak information about what users are doing online\u2014including the searches they run and websites they visit\u2014providing a\u00a0<a href=\"http:\/\/www.slate.com\/articles\/technology\/future_tense\/2016\/07\/the_fbi_should_need_a_warrant_to_access_your_browser_history.html\">detailed picture<\/a>\u00a0of their online activity. Library computers should default to browsers with built-in privacy protections, like Mozilla Firefox or Google Chrome. Enable privacy-protective tools and extensions like EFF\u2019s\u00a0<a href=\"https:\/\/www.eff.org\/privacybadger\">Privacy Badger<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.eff.org\/https-everywhere%20\">HTTPS Everywhere<\/a>, and update both the browsers and extensions whenever an update becomes available.<\/p>\n<h3>6. Require third-party vendors to match library privacy practices for patron data<\/h3>\n<p>As noted above, libraries today use an increasing number of third-party vendors who have access to user data. Libraries must work to ensure that their third-party vendors adopt practices and policies in line with libraries\u2019 own privacy policies. Third-party services can track, collect data about, and analyze user behavior\u2014and that information can in turn be demanded by law enforcement. 
This can include highly sensitive user information, like name and account identifiers, IP addresses, demographic information, search history, and reading history.<\/p>\n<p>Librarians can also take control of how they use and present third-party services, including configuring default settings in as privacy-protective a manner as possible and conducting regular reviews of privacy practices and options.<\/p>\n<p>In addition, analytical and behavioral profiling services can pose particular risks for users\u2014producing detailed records of users\u2019 identities, reading habits, and behaviors. Avoid allowing these services to access user information without obtaining users&#8217; explicit, opt-in consent.<\/p>\n<h3>Looking to libraries<\/h3>\n<p>As the new administration takes office in January, we will need librarians more than ever. We need them to safeguard our access to information and our intellectual privacy. We need them to limit the amount and specificity of data available about users. We need them to fight back against government requests for user information.<\/p>\n<p>And now it\u2019s essential that all librarians go beyond these crucial steps to consider the full range of threats to their users\u2019 privacy, and act to protect that privacy in a changing environment. We applaud libraries for the work they\u2019re already doing, and urge the entire library community to take additional action before it\u2019s too late.<\/p>\n<p class=\"raindrops-press-this\">Source: <em><a href=\"https:\/\/www.eff.org\/deeplinks\/2016\/12\/librarians-act-now-protect-your-users-its-too-late\">Librarians, Act Now to Protect Your Users (Before It\u2019s Too Late) | Electronic Frontier Foundation<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Books checked out from a library and terms searched on library computers can reveal a teenager\u2019s questions about sexual orientation, a neighbor\u2019s religious leanings, or a student\u2019s political interests. 
Libraries across the country, particularly public libraries, make it part of their mission to serve the most vulnerable and underserved user groups, including users who are homeless, unemployed, or recent migrants or refugees. And when government agents come looking, these library users need librarians to\u00a0have their back. Libraries and librarians\u00a0have long been\u00a0stalwart guardians of the rights of free expression and inquiry. As part of their\u00a0profession, librarians protect their users\u2019 ability to access even the most controversial information and ideas free from government scrutiny. Since the passage of the Patriot Act in particular, librarians have\u00a0purged user records\u00a0when necessary to fight against unconstitutional government demands and\u00a0pushed back\u00a0against (unconstitutional) National Security Letters (NSLs). Librarians also stood with EFF and the ACLU when we worked to pass the California Reader Privacy Act\u00a0in 2011. With the recent election of President-elect Donald Trump, many libraries are rightfully worried about a renewed threat to their users\u2019 privacy. 
If the incoming administration sticks to its promises to identify and deport millions of people, monitor individuals based on their religious [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[2276,2275,1035,1374],"class_list":["post-14806","post","type-post","status-publish","format-standard","hentry","category-news-and-politics","tag-librarians","tag-libraries","tag-library","tag-privacy"],"_links":{"self":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/14806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=14806"}],"version-history":[{"count":0,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/14806\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=14806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=14806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=14806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}