Watching from afar this week the VALA Tech Boot Camp in Melbourne and the Radical Librarians Collective meeting in Glasgow, it was interesting to see sessions at both about data privacy and security. Have a look at the Twitter feeds for the hashtags #valatechcamp and RadLib17 to see participants’ live tweeting.
I try to teach students about data security in my tech unit, but it is very difficult to know how in-depth the material should be.
On one hand, some of this is quite technical and many of my students will go on to become managers, rather than hands-on tech practitioners.
On the other hand, we deal in information. For others. With an ethic to protect, preserve and maintain access to records and archives.
I am not going to pretend that the decision of WHAT to protect and preserve is totally apolitical. I do think that knowing that “unfortunate” and “uncomfortable” documents will be preserved and accessible to citizens decreases authoritarianism, and gives future generations the opportunity to not repeat the mistakes of previous ones.
To carry out the day-to-day activities of protection and preservation, librarians, records managers and archivists need to be aware of, and vocal about, information policy. They need to understand digital security to do this.
For example, we need sufficient technical understanding to know why Theresa May’s recently expressed desire to weaken cryptography of private messages on third party sites to allow access for law enforcement agencies is an idea likely to ultimately decrease freedoms and cause greater opportunity for illegal activity. And why the rest of the world is laughing at our Australian Prime Minister today.
One of the points coming from the Radical Librarians meeting is that anyone who claims that they have “nothing to hide, thus nothing to fear” from measures that erode digital privacy, is probably occupying a privileged position. People in minority groups tend to be affected more by surveillance. This is one of the reasons I have my students answer a question about whether there are some groups of people who would particularly benefit from being shown how to use the TOR browser in a public library.
(Check out the extraordinary responses to Yassmin Abdel-Magied’s post on her personal Facebook page “lamenting war in general, on a day predetermined to be about lamenting specific wars” (very nicely encapsulated in the linked article). If I had posted the same as Yassmin, probably if Malcolm Turnbull had posted the same, I do not think my or his digital footprint would be scrutinised in quite the same way, and certainly the real-life personal repercussions would not be the same).
So … what are some of the basics that information professionals should know about? I do not cover all of these in my classes (I do many). Some of these points were compiled from watching the tweetstreams of the two events earlier in the week.
1. Search engines.
- Also track your usage, and pass this on to third parties. Use TOR browser instead and have this installed on machines available for public access.
- At the very least, unless you have a good reason for your search history to be stored in your browser, use the Private mode for all web activity. (This does not stop the browser from sending information about who you are to other sites, or network administrators from knowing you are going there, but does stop the desktop software from creating a readable log that you have been there).
- Make sure that all your organisation’s websites, and products that your users access through third-party vendors, are using transport layer security (They will have https, instead of “http:” at the start of the URL).
- I get students to look at Firesheep and advise what a library could do to protect the privacy of users on their public wifi network if another user on the network is using something like this (A: Not much. Educate your users about going to http: sites on public networks).
4. Share knowledge with your community.
- Consider hosting a Cryptoparty to help your community understand how to stay secure online. If you don’t know enough to do this, learn.
- If your product allows you to view passwords, unencrypted, in a field in your database, ask your vendors to alter this.
- If your vendor’s response to a “lost password” request is to email the plain text password to a user (hello Springshare), instead of sending a reset link to a verified email address, ask them to change this.
6. Passwords 2.
- Know how to create a secure password. Password management software (e.g. KeePassX) can generate secure passwords and store passwords so you do not have to have “easy to remember” passwords, and can, crucially, have different passwords for each system you use.
7. Know system vulnerabilities and demand change.
8. Think first.
- Don’t do dumb things that compromise your own or your users’ data security. Chris Cormack made this point wonderfully in his VALATechCamp presentation. Have a look at his slides about Securing your Library Management System from his VALATechCamp session, especially the last one.
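The two password requests to vendors in the list above (no readable passwords in the database, and a reset link instead of an emailed password) look like this in practice. This is an added sketch, not code from the original post or from any vendor; the dict-based user record, the scrypt settings and the one-hour link lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this sketch: scrypt cost settings and a one-hour reset lifetime.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 3600

def hash_password(password):
    """Build the record to store: random salt plus scrypt digest.
    The password itself is never written, so no staff screen can display it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "digest": digest}

def verify_password(password, record):
    """Re-derive the digest from the login attempt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(candidate, record["digest"])

def issue_reset(user, now=None):
    """Return a random token for the emailed reset link.
    Only its SHA-256 hash is kept, so a copy of the database holds no usable link."""
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    user["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": issued + RESET_TTL,
    }
    return token

def redeem_reset(user, token, new_password, now=None):
    """Set a new password if the token matches and has not expired; single use."""
    pending = user.get("reset")
    now = time.time() if now is None else now
    if pending is None or now > pending["expires"]:
        user.pop("reset", None)
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, pending["token_hash"]):
        return False
    user["password"] = hash_password(new_password)
    del user["reset"]
    return True

if __name__ == "__main__":
    # Constructed sample patron record.
    patron = {"email": "patron@example.org", "password": hash_password("old phrase")}
    link_token = issue_reset(patron)
    print(redeem_reset(patron, link_token, "a new long phrase"))
```

A system built this way has nothing to email back on a “lost password” request, because the original password cannot be recovered from what is stored.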
You may also be interested in following up the Library Privacy Toolkit at the Library Freedom Project ….
… and keep an eye on what is coming out of the Electronic Frontier Foundation, and the Australian-based Electronic Frontiers Australia.