My Personal Information Was Stolen

1.5 How to Help Library Patrons, Where to Go to Learn More

Transcript

Davis: Welcome back. This is the fifth and final episode in our first series of training videos from NYC Digital Safety. My name is Davis, I’m joined by Erin. We’ve talked so far about how and why our data gets compromised, how we can hopefully protect ourselves from such a fate, and what to do if that has happened to you.

So now it’s time to talk about libraries, which is my favorite subject and I know, Erin, it’s one of yours as well. So, Erin, as a library worker yourself, what do you do to raise awareness about these issues?

Erin: Thanks, Davis. Privacy is my passion within libraries, and I think it’s, you know, really important that we all understand, you know, this ethical value that we have and figure out how we can help our users understand it and protect their privacy to the best of our ability. And so in my role as Chair of ALA’s Privacy Subcommittee, I really work with our team to create resources and policies that assist libraries of all types and their workers to understand these issues. We have a great website. You can visit chooseprivacyeveryday.org, and that has a blog and it has a weekly news roundup that can actually help library workers stay on top of these privacy-related issues, so that they can then help inform their patrons as well and stay current.

Davis: Thank you so much for all the work that you do around these topics. In addition to chooseprivacyeveryday.org, what other resources do you recommend for library workers?

Erin: Yeah, thanks. There’s actually a lot of great stuff out there. I think library workers that have a passion or even kind of a passing interest in privacy should go check out the Library Freedom Institute. There’s a ton of resources, and they run regular in-depth cohorts for library workers to learn all of the ins and outs of privacy, including how to become a privacy advocate. So you can help raise awareness about privacy issues too.

The New York City Digital Privacy and Security courses are also a fantastic resource for those of you who want to sharpen their privacy skills.

And there are also a few resources that library workers may want to point patrons to when they want to learn more on their own about how to improve their privacy online. So the first one I’ll mention is the EFF Surveillance Self-Defense Course. That’s a really fantastic resource, and people can kind of dig in and figure it out.

And patrons who want to get a toolkit that’s designed for their particular needs should check out the Virtual Privacy Lab from the San Jose Public Library. That was actually one of the first privacy projects that I worked on. People can answer some short questions about their own needs online and they’ll get a custom toolkit with privacy resources where they can go take action.

Davis: So back when you were working with the public as a frontline library worker, what were some questions about privacy that you heard from patrons?

Erin: Yeah, I think probably the most common thing is, “hey, what’s my password?”

You know, helping someone load Kindle books onto their device and they’re like, “well, I don’t know what my password is, can you just tell me what it is?” You know, my experience is, the vast majority of people don’t actually want to attend a cybersecurity or privacy workshop at the library unless they already have an interest in it, so that to me means one of the best ways to impart that knowledge is in these like bite-sized chunks when the opportunity arises.

So if you’ve got this question like “what’s my password,” well, it’s a great opportunity to talk with someone about password hygiene. Maybe you talk to them about password managers. You could even, you know, show them the tutorials and show them how to get set up with that.

I also find that patrons will often ask library workers for help filling out forms with sensitive information. They may want help filling out their tax forms, or their form for food stamps, or government assistance of some kind. That’s a really great opportunity to talk about not giving away information to strangers, even if it’s your beloved neighborhood library worker. You can introduce these concepts about data minimization here, and you can discuss, you know, how do you keep your personally identifiable information safe and private? So, you know, things like, if they’re on a computer working on these documents, talking to them about, you know, not getting up and leaving the computer with the screen on with all of their personal information on there that anyone who walks by can grab.

Davis: You do amazing work when it comes to privacy and libraries. You’re one of my heroes on the topic, so thanks for all of that.

I want to give you some time to talk about your current project that, by the time these videos come out, will be available for people to use. So could you share a little bit about the Privacy Field Guides that you’ve been writing?

Erin: Thank you so much, Davis, I really appreciate it. It’s always a pleasure working with you and talking about privacy. I enjoy it immensely.

And so, yeah, the field guides. I am super stoked about this project. They are a brand new resource that is available to all library workers from public to academic to school libraries, and each of these seven guides actually covers a different privacy related topic. And the guides were actually designed with the assistance of a graphic design team because we wanted to make them really vibrant, easy to use, something that you can pick up or look at online, and just go.

So my project co-lead Bonnie Tijerina from Data + Society and I actually found that the most common thing that people wanted in the library world were actionable tools to help them with privacy issues. Not everyone, you know, needs to be a privacy expert, or wants to be a privacy expert, and so these guides aren’t designed to turn you into a privacy expert. They’re designed for you to tackle these real world issues and create a more private experience for your users, and to really uphold and live out those ethics and values of privacy within the library world. So the topics actually cover digital security basics, non-tech privacy, how to talk about privacy, data life cycles, privacy audits, privacy policies, and vendors of privacy. So what you’ll find in each of the guides is like a short bit of information and then actually an exercise to guide you through the practice of doing things related to that topic. So you can actually find those guides on ALA’s website, or you can also find them through that chooseprivacyeveryday.org website.

Davis: Thank you and I hope you don’t mind if we also link to them from the NYC Digital Safety digital as well because those sound super useful, and I’m glad you’re doing this work.

So Erin, I want to just tell our viewers that you’ll be back for our final series of training videos, where we talk specifically about libraries and privacy in even greater depth than we are right now. So I look forward to welcoming you back then. I want to thank our funding partner, The Mayor’s Office of the Chief Technology Officer, our colleagues at the New York Public Library, Brooklyn Public Library, and Queens Public Library. And I want to thank all of you for sticking with these videos and we’ll talk to you again soon.

Further Reading

  • Choose Privacy Everyday

    The website of ALA's Intellectual Freedom Committee's Privacy Subcommittee
  • Library Freedom Institute

    Library Freedom Institute (LFI) is a free, privacy-focused four-month program for librarians to teach them the skills necessary to thrive as Privacy Advocates, from educating community members to influencing public policy.
  • Surveillance Self-Defense

    EFF's expert guide to protecting you and your friends from online spying
  • Virtual Privacy Lab

    Library patrons can use this tool to learn about privacy topics and generate a custom privacy toolkit geared towards their online needs.
  • Privacy Field Guides

    Practical, hands-on exercises for you to create a more privacy-focused library. These guides were designed for academic, public, and school libraries of all types. Sponsored by The Institute of Museum and Library Services in partnership with the American Library Association.

Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.

1.4 What Do We Do if We’ve Been Hacked?

Transcript

Davis: In our first episode, I mentioned that I bought one tiny measly tote bag online, and then literally three days later got a message saying that my password had been leaked as well as my email address. I know it’s super common, so I wanted to talk about what should we do if our information is already out there. So, Erin, first and foremost, is there any way that our viewers can tell if their information’s been leaked at all?

Erin: Yeah, for sure. Thanks, Davis. I also had bought a t-shirt on that same site, so I’m right there with you on having that exposed. Luckily, I use a unique password for everything, so I wasn’t worried about my email address being linked to the same password that I use to access my email, so that was good. Now, most of us have probably had our data leaked out there. If you’ve been online at all in the last, you know, five to ten years, you’ve probably had it leaked, so I recommend going and checking the website haveibeenpwned.com. And that site will actually tell you if your email and your phone number have been found in a known breach.

There are also several dark web scanners out there that you could look up. And you can again check to see if your information has been found in a known data dump file associated with the breach.

Now, with GDPR and with a lot of the state privacy laws, companies are now required to notify you if your information has been breached. So that way at least you’ll at the very least know what information of yours has been compromised.

Davis: Thank you. So let’s say, like with your t-shirt and my tote bag, that we know that our information is out there. What’s the first step that someone should take if they find themselves in a similar situation?

Erin: For sure, and I think that’s why that website’s really helpful or those emails from the companies letting you know what information, because it’s important to understand what was leaked. In this case our emails were exposed so we should both be on higher alert for those phishing schemes. If your phone number was part of that breach, then be on the lookout for a fraudulent text message or even a phone call.

You know, phishing can happen through text as well, it’s called smishing and I actually had that happen to me recently. I got a text message from Bank of America saying that my EDD prepaid debit card was suspended and that I needed to click on this link to reactivate it.

Well, I don’t have a Bank of America prepaid debit card, so that was a pretty big hint to me. The second was that the link was actually from a tiny URL, and that’s probably not used by a major corporation. So I did a quick internet search just typed in “Bank of America text message scam” and it led me to a news article from 2021 that explained exactly what I had experienced.

Davis: Yeah, sadly that sounds like a perfect phishing scheme for someone who’s a part of a vulnerable population, so that’s a real bummer. So I think it’s important for us as library staff to understand these things. So what if in fact your credit card had been lost in a leak? That, you know, you happen to know that your Visa card or whatever was compromised?

Erin: Yeah, if your credit card’s part of the leak, then I think the best path would be to actually just close that account right away. So call your credit card company, let them know that your credit card number has been compromised, and get a new card issued to you. If your password was also exposed to your bank, so it’s like your credit card number and your bank account or something along that, make sure to go in and change your password. And if you don’t have that multi-factor authentication set up yet, turn that on for any of your accounts where your credit card is linked, and you’re able to do that as well.

Davis: Thank you. We’re talking about multi-factor, so maybe we can talk about some common internet services so what about email? How do you know your email has been hacked, and what should you do if you find it has been?

Erin: Yeah if your email’s been hacked, then, again, the first thing you want to do is change your password. And if you don’t have that multi-factor authentication set up, do it now. I know I’ve said that several times in this series, but it is really important to set up multi-factor authentication.

And it’s possible that your email’s been cloned, so you might not see sent messages coming from it, but you may be notified because people that you have in your contacts list have gotten phishing emails. I’ve had this happen to me before. And they just send out basically spam messages or phishing messages to everybody on your contacts list. It sucks, it’s embarrassing, but it’s okay, just make sure you check in with people, let them know that you’ve been hacked, and tell them not to respond to any of the messages that they receive from you.

Davis: Thank you. What about social media accounts?

Erin: So, again, I think the most common indicator of the social media hack is that your messenger app has been sending those phishing or spam messages to all your contacts. Actually, my friend on Facebook had — his dog had a Facebook account, and his dog was sending messages to all of our friends saying like, “Hi, how are you? I need some money,” and so it was a little humorous to watch the dog engaging in these spam conversations.

But, you know, it’s kind of similar to your email when your social media account’s been hacked. And you want to go in and change your password, set up multi-factor authentication, and notify all your friends not to respond to messages.

There is a possibility, though, in those instances if your account’s been taken over, you may lose access to that, and it may be a real pain to gain access again. It’s possible you may have to contact customer support. You may have to show your photo identification to show that you are the real user of that account, because sometimes when you do get hacked on your social media accounts it’ll trigger or your friends will report, you know, people it’s contacted will report spam and it may lock down your access to that account.

Davis: Yeah, that sounds like a pain. So protecting our passwords might be one way to sort of avoid this from jump. So I wondered, what is a tip you have for writing a good password?

Erin: So I actually think, you know, again, using that password manager is your best way to write a good password because you can create randomized passwords and those are the hardest to guess. Now, if you’re not going to do that, there are some accounts where we can’t use a password manager. The example I have for myself on that is, actually, my work account. In order to log into my computer, in order to log into my VPN, and all of that, I have to have a good strong password. And that’s when I really want to be strong. I don’t want anybody to be able to access that account. I’m traveling with my laptop oftentimes, you know, you don’t want it to get stolen or something like that. So instead of thinking about passwords, I would think about passphrases.

So think about, you know, some words that have some kind of meaning to you that you’ll remember, but that don’t have anything to do with you personally, so don’t use names or birthdays or street addresses or any kind of personally identifiable information. But, you know, string together a set of words, add some numbers, add some symbols into there, and that’ll kind of give you a good set. You want it to be long, so think about something that’s maybe 12 to 16 to 18 characters long. I know that’s a lot, but if you think about it, it’s like typing a sentence.

So think about that, type it out, make it, you know, unique for you. And you can also — there are some websites out there where you can check. It doesn’t store your password or anything like that, but you can kind of see how long it would take to get your password cracked by a brute force attack.

And the other thing is that, you know, when passwords were originally being created, we were told to, like, “oh, we’ll replace an i with a one and an o with a zero and that’ll really make it stronger.” That doesn’t actually make a difference anymore when you’ve got those brute force attacks. Those are common enough, you know, switching around like that. They take that into account. So, you know, add some numbers or symbols into that passphrase and you should have something that’s pretty strong and hard to break.

Davis: Yeah, thank you. I remember going to an art exhibit once where someone had bound this master list of all the LinkedIn passwords that had been breached, and I was like, I wonder if mine’s in here. And sure enough it was. I had done that thing where I swapped letters for symbols, and it was pages and pages and pages of my same password with that same thing. And then I realized, for real, that that swap does not work at all, and that my password was actually extremely weak. So, yeah, let that be a lesson to me for the future.

Thank you so much for those excellent tips, Erin, and we’ll see you in our next video where we talk about libraries. That’ll be fun. So we’ll see you then.

Further Reading

Relevant Terms

  • GDPR

    GDPR stands for the General Data Protection Regulation. The GDPR was created in 2016 by the European Union to establish laws on data protection and privacy in the European Union and the European Economic Area.

    The GDPR is an important component of EU privacy law and of human rights law. It is pursuant to Article 8 of the Charter of Fundamental Rights of the European Union.

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers

  • Smishing

    The fraudulent practice of sending text messages purporting to be from a reputable company with the purpose of inducing individuals to reveal personal information like passwords or credit card numbers

  • Multi-factor Authentication

    A method used by online services in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. These systems often rely on an item that is known (e.g. a password) and something the user has (e.g. their phone).

1.3 What Can We Do to Prevent This?

We all need to take steps to protect our data from prying eyes. Let's hear from an expert on their top tips for keeping your information safe.


Transcript

Davis: Welcome back, everybody. In our last video, we heard a lot about hacking and who’s behind it, and how our data is getting stolen and shared on the dark web. And in this video, let’s talk a little bit about prevention. My name is Davis. I’m joined here by Erin, and my first question for this video for you, Erin, is: what is your number one tip to help people prevent this from happening to them?

Erin: Thanks, Davis. I think my number one tip is actually to practice something called data minimization. So this is really just us being selective about what data we give out and where we give it out and all of that. And so a good example, for me, would be signing up for a loyalty card program. Do you want to give over your actual phone number or email or your real name and birthday?

I think everyone’s got to do their threat assessment for themselves to determine what level of information are they comfortable sharing. So what I would do is, every time you’re getting ready to share a piece of personal information, just ask yourself, am I okay with this information being sold on the dark web? Because it might be and that might be okay, but you need to just be conscious about what you’re sharing, who you’re sharing it with, and if you’re comfortable with sharing it.

Davis: Thank you very much. I think it’s true that people’s risk assessments for themselves are very different, and I also want to just flag here that marginalized communities often suffer greater consequences from data breaches and all that stuff that’s happening. So as you’re working with patrons, that’s a good thing to be aware of, I think.

I also think that, much like other large-scale social issues — climate change, capitalism — oftentimes it falls on the shoulders of individuals to take precautions where these things are happening on a collective level. So I wondered, is anything being done on that collective level that you can share with us that could sort of provide us with some hope?

Erin: I don’t know how much hope I can share and provide. I mean, there are lots of organizations and lawmakers, you know, out there trying to do this work and trying to improve online security and privacy. The amount that they’re successful in that is debatable. I think the Electronic Frontier Foundation — EFF — is really a fantastic organization. They do a lot of lobbying and fighting for changes to the legal system. In the E.U., they passed a few years ago GDPR, which is a really sweeping privacy regulation.

Now the United States, though, doesn’t have any online privacy laws that impact everybody. There are some that are specific for minors and students, but instead here in the U.S., we have this piecemeal system where various states keep on adopting their own laws. But none of these laws are really fantastic. They help, but they have a lot of good intentions and the outcomes of those aren’t always fantastic.

So, for instance, you may have seen in the last year or so these cookie banners that pop up all over every single website. And that’s to be in compliance with GDPR and some of the other privacy laws that are out there. But, you know, the companies designed them to be pretty confusing. They pop up on every site and most of them you have to click like four times to turn off the cookies. And then even then you’re not sure if you actually turned them off or turned them on. I’ve talked to multiple people who work in the privacy realm within libraries, and all of us are probably pretty much like you, which is just frustrated by it, and so we just give up and don’t do anything. And that’s kind of the whole point. It’s this illusion of control, but again it puts that burden on you as the user to change that.

Ultimately the online world is paid for by advertising, and the only way that that advertising has any value is if your data is freely given over. There are organizations working on it and creating laws, but it seems like as fast as they create laws, these businesses are also creating ways to kind of follow the letter of the law, but not really change their practices very much as far as how your data is collected. That’s at least what I’m seeing out there.

Davis: Yeah, that sadly makes a lot of sense. I’m going to just make a little sneak preview and say that in a future series, we’ll be talking about advertising and how and why those ads follow us along the web and what it means for our data, and what it reveals about our data. So it sounds like, in the absence of any collective response, we do as individuals need to keep plugging away at these things. So I wondered if you could just share more tips with us while we’ve got you here.

Erin: Yeah, for sure. I think my next tip would be to have good password hygiene. The best way to do this is to utilize a password manager. I think if you’re not using one already, there are several good companies out there. I highly recommend doing that. That allows you to actually utilize the random password feature. None of us can be expected to remember all of our passwords that we have out there. And because of that, it leads us to creating really simple passwords, and those are really vulnerable to these like brute force attacks, where there’s a password cracker and it’s just going in to guess those really easy passwords. If you set up a password manager, it takes some time and patience to get it set up, but it’s really worth it at the end.

I was able to take my mom and go from her deck of index cards that had all of her passwords on it to getting her set up in a password manager. I have access to her master password so I can help with that. And so there are pathways to help people get set up with something like that, which is a much more secure system.

I also recommend setting up multi-factor authentication. This is especially important for any accounts that you have that have sensitive information. Multi-factor authentication means that just your password alone isn’t enough to gain access. Oftentimes, you’ll log into your email, for example, but then you also have to have your fingerprint, a biometric, or your face, or it’ll send you a text and then you have to enter a code. It usually means like you have to have your phone unlocked in addition to having just your email password, so if someone gains access to that password they still can’t gain access to your account.

I recommend using that for your email, your banks, your social media accounts, so that nobody will actually be able to gain access fully to your account even if you have your data breached.

And the last is to really understand what phishing and smishing is all about and how to avoid falling victim to it.

Davis: Thank you, and, yeah, we’ll be talking about smishing and phishing in a future video series as well. So stay tuned for that. So, unfortunately a lot of us already have our information out there on the web, so in our next video we’ll be talking about what happens if your data’s been stolen and you find out about it. Say, your bank contacts you, or you notice that there’s been nefarious activity on your social media profiles. So we’ll be back for an episode on that, so stay tuned.

Further Reading

Relevant Terms

  • GDPR

    GDPR stands for the General Data Protection Regulation. The GDPR was created in 2016 by the European Union to establish laws on data protection and privacy in the European Union and the European Economic Area.

    The GDPR is an important component of EU privacy law and of human rights law. It is pursuant to Article 8 of the Charter of Fundamental Rights of the European Union.

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers

  • Smishing

    The fraudulent practice of sending text messages purporting to be from a reputable company with the purpose of inducing individuals to reveal personal information like passwords or credit card numbers

  • Multi-factor Authentication

    A method used by online services in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. These systems often rely on an item that is known (e.g. a password) and something the user has (e.g. their phone).

  • Data minimization

    The practice of sharing or collecting the amount of personal information that is necessary to complete a specified purpose

  • Threat Assessment

    The practice of determining the likelihood and seriousness of a potential threat, as well as the probability that the threat will become a reality.

  • Dark Web

    The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable

  • Password Manager

    A computer program that allows users to create, store, and manage their passwords.
