What Should I Know About Library Privacy?

5.5 Resources for Patrons

We're following the time-honored tradition of concluding this series of videos with resources and information you can use to keep your learning going.

 

Transcript

Davis: First up, Erin, let’s talk workshops. What have you found effective when training your fellow library workers? What recommendations might you have for implementing new privacy policies, for example, or for helping colleagues stay up to date with this quickly moving topic?

Erin: I think the first thing is that you don’t need to be a privacy expert to do this work. If you’re really interested, you want to go down that rabbit hole, we’d be glad to have you. But we do have a professional and ethical obligation to protect our users’ privacy.

The ALA Privacy Subcommittee has been working the past few years to create resources that are easy for any library worker to use so that you can uphold that commitment without needing to be an expert. So the first place I’d start is actually the ALA Privacy Landing Page, and there you’ll find state laws, privacy guidelines, questions, answers, documents, staff training, public workshops, privacy field guides, and a lot more. We’ve tried to make it a really easy-to-use resource for you, if you find yourself wanting to dig in more.

The Library Freedom Project is a really great place to get in-depth training, and there are a whole bunch of privacy advocates actually on Twitter that you can follow. That can help you keep up with current trends as well and what sorts of workshops have been successful.

When teaching library patrons about data privacy, I think when you’re going to have a data privacy workshop, try to make it fun. It’s not the sexiest of all topics, to be honest, and I’m not fully convinced that workshops in and of themselves are the best way to reach the most people. It’s a path for those who already have interest in learning more, so you can also find ways to integrate privacy in your daily interactions. Someone is setting a PIN for the first time? Talk to them about passwords. Do they just give you their Social Security number in order to fill out a tax form? Time to talk about sensitive information and how to keep it secure. Integrating those little bits throughout the day, I think you’re going to reach more people than just a single workshop.

Davis: I once attended an event with something called a Data Detox Bar where there were folks wearing white lab coats and providing answers to questions people had about their devices and about data. Have you seen anything like this? What other non-traditional sorts of events might be useful for teaching folks about these topics?

Erin: Sounds like a pretty cool event. I haven’t seen that one in particular. I was talking to some librarians from the Netherlands, and they had hosted a game show where prizes were things like fishing rods, and they also hosted cookie parties for teens where they talked about digital security and ate probably far too many cookies. So the more opportunities you can move away from fear and into fun, the better.

Davis: What are your favorite online resources for tech topics including data privacy and information security?

Erin: For those of you who want to dive in more, the Electronic Frontier Foundation — EFF — is a great resource to stay up to date on what’s happening with privacy and security. You also may want to follow the International Association of Privacy Professionals. Personally, I really like the podcast Dark[net] Diaries. I’ve learned a ton of information security by hearing from various hackers and infosec professionals.

Davis: Thank you so much, Erin, for participating in not one but two of these video series for NYC Digital Safety. It’s been so lovely to chat with you.

And thank you to our audience for watching. I know this is a ton of information and I hope you’ll visit the product website to dig in a little bit more. We’ve tried to make it fun.

And lastly, thank you so much to my project partners at Brooklyn Public Library, The New York Public Library, and Queens Public Library. So I’m signing off. Take good care of yourselves, and take good care of your data.

Further Reading

  • ALA Privacy Subcommittee

    ALA's Privacy Subcommittee monitors "ongoing privacy developments in technology, politics and legislation, as well as social and cultural trends that impact individual privacy and confidentiality, both in libraries and the wider world."
  • Privacy Field Guides

    Practical, hands-on exercises for you to create a more privacy-focused library. These guides were designed for academic, public, and school libraries of all types. Sponsored by The Institute of Museum and Library Services in partnership with the American Library Association.
  • Library Freedom Project

    We Fight for Privacy Rights.
  • Data Detox Kit

    A toolkit presenting steps to take to control your digital privacy and security.
  • Darknet Diaries

    A podcast about "hackers, breaches, shadow government activity, hacktivism, cybercrime, and all the things that dwell on the hidden parts of the network."
  • Electronic Frontier Foundation

    The Electronic Frontier Foundation is a nonprofit organization defending civil liberties in the digital world. EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development.
  • International Association of Privacy Professionals

    A not-for-profit organization that "helps define, promote, and improve the privacy profession globally."

Contributor Bios

  • Erin Berman is a Division Director at the Alameda County Library in California and serves as the Chair of the American Library Association’s Intellectual Freedom Committee’s Privacy Subcommittee.
  • Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.
  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.

5.4 Privacy for Specific Populations

Your privacy needs are most likely a bit different from those of your patrons. We cover how and why that is in this video.

 

Transcript

Davis: Across all the series we’ve done so far, we’ve shared tips for protecting our privacy, but a lot of these tips seem to be one-size-fits-all. Reality is, our backgrounds and our socioeconomic statuses matter in these conversations.

Using myself as an example, I have my own private internet connection, I use Apple products — which means I paid for an increased level of consideration for my data privacy — and I have enough expendable income that I can pay to use a fancy app to help me manage my passwords. Plus, I’m a grown-up who has a job where I get to talk to experts like you about these things all the time.

I thought we could spend a bit of time talking through various scenarios that might affect an individual’s privacy profile, if you will. For example, unlike the general population, there are privacy laws affecting children. What should library staff know about this?

Erin: First, you are totally right about the privacy divide. You know, with 85% of the U.S. population owning a smartphone, we’re now talking less about a digital divide and more about a privacy divide. People without access to pay into the privacy ecosphere actually have to gain services by giving over their personal data. So people without the tech skills needed to safely navigate online are also more likely to become victims of phishing schemes or taken advantage of in a variety of ways.

Children often fall into the category of people who don’t know how to be online in a safe manner. I think it’s a total misnomer that children are born digital. These are skills we all have to learn. In order to help protect children under 13, the federal government passed COPPA, which is the Children’s Online Privacy Protection Act, and that went into effect in 2000. So COPPA includes regulations regarding privacy policies, parental consent, privacy and safety protection, responsibilities, and marketing restrictions. The reason that most social media platforms don’t allow users under 13 is, it’s really too cumbersome to operate under these regulations.

Now, libraries that provide internet access are not liable under COPPA for the data collected by the websites that children visit. COPPA also doesn’t apply to the library’s website, as it’s only a law for commercial websites. Now, library workers may find themselves needing to be able to answer questions from children or their parents about why they’re unable to access certain sites, and this is a great opportunity to find different resources that don’t collect any user data.

Davis: Gotcha. How does the Children’s Online Privacy Protection Act impact the library’s provision of third party vendors?

Erin: That’s a great question. So, while COPPA doesn’t apply to the library’s website, it does apply to any vendor that’s collecting personal information. So when entering into a contract with a vendor, you’ll want to verify that they’re actually COPPA compliant.

Davis: I know because you just told me that COPPA expires at 13, which is when teens are legally allowed to create social media accounts, for example. Meanwhile, the developing brain is underway until our mid-20s. What’s the role, in your opinion, in helping teens navigate the online world in a way that keeps their data safe?

Erin: Yeah, that’s a great point. While parts of me are envious of teens who have a camera in their pocket, I’m kind of glad social media didn’t exist when I was younger. As I mentioned earlier, none of us are born knowing how to use the internet. Just like health hygiene, we have to learn online hygiene. You have to remember the teenage brain makes them think they’re invincible. It’s all part of that growth development.

Most are probably not going to be super interested in an online safety class, unless they’re maybe also teaching white hat hacking, so first you’ll want to think about the threat assessment of most teens. They’re going to need to pay attention to different things than adults. An adult may not want their banking information exposed, while most teens don’t have a bank account to worry about. However, teens may not want anyone to have access to their social media profiles, and that’s a great opportunity to talk about password managers. Set them up with one on their phone, talk about how it makes life super easy, and they’ll be more secure from bullying attempts.

Online harassment is a huge problem online, and teens may be on either side of it. It can lead to major privacy violations. This framework can be used to teach about sending photos to people, or even cloud backups, and then if someone has your iCloud or Google password, they may be able to see all those selfies you took. You know, take small moments of interaction to impart pieces of knowledge. People are more likely to take advice and change behavior when it comes from a relationship rather than sitting in a class with some random library worker lecturing.

Davis: Research shows that folks from low income communities are often put at risk when it comes to internet use. For example, research done by Seeta Peña Gangadharan shows how zip codes correlate with ads for subprime mortgages, which as we know sank the economy back in 2009. We learned about that sort of thing in series two. So what can libraries do to be of service to communities who are at greater risk when their information is misused?

Erin: It’s really quite awful how targeted ads work to take advantage of people, especially when they’re at their most vulnerable. We can do the thing that we are good at, which is informing people. Letting them know what’s happening. If your library is located in a low-income area, then this is going to be even more vital.

You know, having a space where you can help people install ad blockers on their device, help them understand what to look for in phishing emails. I could even see a program similar to like a bug bounty, which is when companies give money to hackers for finding exploits. But instead, the library gives out incentives for people bringing in examples of phishing emails they got. You know, be aware of the community you’re working in, and talk to the people living there about what they’re experiencing. Let them guide you in the approaches to getting that information out.

You know, equity models of service are not one-size-fits-all, and so what one library does for their patrons around privacy is going to be different than what another library does in their approach.

Davis: I’ve noticed that a lot of the advice for shoring up your data protection strategy takes money and time, and not everyone has these things in abundance. So I’m wondering: what advice do you have for advising folks who aren’t able to spring for paid services like the ones I just mentioned? What are some low-cost ways to, say, keep track of your unique passwords or to protect your data and devices against malware?

Erin: I hate that all the burden has been placed on the end user, but that is where we’re at. There are some quick things that anyone can use which would be great for libraries to help people install: first, a lot of the password managers out there do have free accounts. I use LastPass, and I actually only just started paying for it when I got my mom set up on it because it was easier for me to do a family account rather than trying to do it for her individually and it just worked out that way. But a lot of them don’t — you don’t have to pay.

Everyone using a PC needs to have anti-virus installed on their computer, and people should also update their devices regularly. So helping people turn on these automatic updates, stressing the importance of this at the library. Anytime you’re helping someone with their technology ask: “hey, can I check to make sure it’s updated?” You know, those are little moments of interjection.

You know, many times the updates are patching security vulnerabilities. You can explain that it’s like having a lock that’s broken. Yes, your door is closed, it looks like a lock is there, but all someone has to do is turn the knob to gain entry. You can help them install some browser extensions, as well, such as Privacy Badger and uBlock Origin. Those only take a couple seconds to install.

And one of the most important things I think you can do is help people identify those phishing and smishing schemes. So once you learn, it doesn’t take any extra time: don’t click on links from people you don’t know, or download attachments. If anyone asks you for money, call the person to confirm it’s them before writing a response. Honestly, most hacks happen because of human error rather than the data breach information getting out there.

Davis: I know there’s a lot of interest in making sure libraries provide a consistent level of support to all patrons. How can we square that with the fact that our patrons have different situations when it comes to data privacy?

Erin: Libraries are places of equity, not equality. All of our libraries are different and our users have vastly different needs. There is no one-size-fits-all model for privacy. You have to go talk to your community, find out what issues they’re experiencing, and then tailor your resources and staff training to address those things specifically.

Davis: Erin, thanks for talking with me through these tricky topics. In our next and last video, we’ll follow the time-honored tradition of sharing resources and places to turn to for guidance, so just one more to go, and we’ll see you there.

Relevant Terms

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers.

  • Smishing

    The fraudulent practice of sending text messages purporting to be from a reputable company with the purpose of inducing individuals to reveal personal information like passwords or credit card numbers.


5.3 Putting Knowledge Into Practice

We've talked about so much, but how to put these lessons into practice? We've got some tips for you!

 

Transcript

Davis: Hey Erin! We’ve covered so many topics so far, and I think we’d be remiss to leave folks hanging without some practical advice about how to put this knowledge into practice at libraries. So what’s the first thing libraries as an organization should do when it comes to organizing themselves to create better policies and practice around protecting patron privacy?

Erin: I think the first step is in starting to build a culture around privacy, and that begins with talking about privacy as part of your regular conversations around various procedures already in place at the library. Think about things like does your library have staff training about privacy? Do you do any programs for the public? Does your library have a privacy policy?

I found that the more we started talking about privacy, the more ingrained it became in the culture of our library. That being said, changing culture takes a long time, so don’t get frustrated if after six months or even a year it hasn’t become the culture of the library. It could take a long time; just keep at it. Keep talking and bringing other people in to the privacy world, and one great way to just start culture building is actually by performing a privacy audit.

Davis: How does a library perform a privacy audit? And also how do you use the audit findings to create an effective set of policies and procedures around data privacy?

Erin: We’ve actually created a Privacy Audit Field Guide that will walk you through the audit process. It’s going to look a little different for each library, and if you can’t do a library level audit, that’s okay. You can still do a personal one with the areas of user data that you have control over.

Essentially, you’re looking at every single piece of data that you collect about a user and asking yourself a set of core questions. What information do you collect? Why do you collect it? Do you need to collect it? How do you collect it? Who has access? What are the storage and retention policies or procedures? What are the current best practices and policies?

And if the data is being collected by a vendor, you’ll also want to ask: What vendor is being used? Is the information shared or collected by the vendor? Is the information collected by the vendor necessary for business operations? And what are the vendor’s privacy policies, and do they align with the library’s? Finally, you want to ask what changes need to be made to ensure the privacy and security of user data.

After you ask these questions, then your library can use the ALA Privacy Guidelines and Checklist to ensure libraries align with those best practices of the industry. That’s when you start building in your policies and procedures. So knowing your baseline is an important place to start. You need to know where you are before you can decide where to go and how to get there. So you can start using findings from your privacy audit to start shaping your policies and procedures. For example, you may find that you don’t have a retention policy. Library workers have been stashing away papers with personal information on them for decades? Time to have a shredding party and create some procedures.

Davis: I want to go to a shredding party. That sounds so fun. What makes a good privacy policy, would you say? What sorts of things should it address?

Erin: The first thing that makes a good privacy policy is that it’s written in plain language. It should be simple and easy for people to understand. The federal government passed the Plain Language Act in 2010 requiring government websites to be easy to read. They created a fantastic website to help anyone write in plain language. I cannot recommend it highly enough. It’s changed the way that I do all my writing.

Next, make sure your policy is discoverable. Make it easy for your users to find in addition to read. That Privacy Policies Field Guide I talked about before will help you write your policy in addition to helping you read them. The main sections that should be included are: what information does the library collect; who has access to that information; how does the library protect the privacy of students and minors; your technology practices, such as HTTPS, cookies, data and network security; public computers and connected devices; third-party vendors — and here’s what you’ll tell people that those vendors have got different policies than the library — any surveillance used in the library; and, last, how the library handles requests from law enforcement.

Davis: We talk so much about data in the online world. To what extent does privacy in physical spaces come into play in the library?

Erin: I’m so glad you brought up the physical environment. Often our minds go straight to technology when we discuss privacy. Remember, though, privacy has been part of our ethical charge since 1939, way before computers. So we actually created a Non-Tech Privacy Field Guide to assist libraries in looking at their physical spaces. This is especially important because some libraries may have little to no control over the technology deployed at their locations.

Think about things like security cameras, or how the furniture is set up. Ideally cameras would not be inside the library at all. Are there places where users can sit inside the library and read a book without someone seeing the title or look at their laptop screen without someone passing by and seeing? We can also think about how our hold shelves are arranged. You know, hold slips should not include the entire name of a user. In fact, in a smaller town, even the first few letters of the first and last name can identify the person.

You may also inadvertently expose someone’s library use by talking about users. There are times when we have to disclose the identity of someone to our co-workers for safety concerns or something of that nature, but this should only be done in private and when absolutely necessary. Even speaking in generalizations about someone can clue another user into who you’re discussing, so keep conversations about users to a minimum and have them in private.

Davis: As with any sort of policy, communicating about changes is pretty key. In the case of data privacy, I think libraries face a specific challenge because patrons have come to expect robust and speedy services, and many of those services are powered by unfettered access to user data. So any tips for how libraries can demonstrate to the public that a new privacy policy is in place? And that these policies have value?

Erin: Yeah, it’s hard, because the vast majority of people aren’t going to read our privacy policies. And that’s okay. We still want to have them. And the easier they are to read, the more likely it is that somebody will be able to read it and understand it. When you do change it, that’s the opportunity to talk about the library’s commitment to privacy more broadly. Think about publishing it in your newsletter, on the home page. It’s also really important that all staff, and especially frontline staff who are interacting with patrons day-to-day, understand the privacy policy and that they feel confident talking about it to their users.

Davis: All of this is such great advice, thank you so much Erin. If folks were interested in digging into this sort of work, where should they start in terms of resources and other guidance?

Erin: I think the best place to start is probably the newly redesigned landing page for privacy on the ALA home page. The Privacy Subcommittee has curated a great set of resources including those Privacy Field Guides for anyone to jump right in and start doing this work.

Davis: Thank you. Coming up next, we’ll talk about the ways in which data privacy impacts various groups of patrons and what library staff should know, so stay tuned.

Further Reading

  • Privacy Field Guides

    Practical, hands-on exercises for you to create a more privacy-focused library. These guides were designed for academic, public, and school libraries of all types. Sponsored by The Institute of Museum and Library Services in partnership with the American Library Association.
  • Plain Language Act

    Signed on October 13, federal law requires that agencies use clear government communication that the public can understand and use
  • ALA Privacy Subcommittee

    ALA's Privacy Subcommittee monitors "ongoing privacy developments in technology, politics and legislation, as well as social and cultural trends that impact individual privacy and confidentiality, both in libraries and the wider world."
