Wednesday, 21 June 2017

DataPrivacyNY, part 2: Privacy in a digital age seminar

I was very lucky to be invited by the Carnegie UK Trust to a study trip to New York on public libraries and online data privacy, which took place 15 to 19 May. In part 1 I wrote up my notes from the introductions to the topic and from a very useful meeting we had with the team at the New York Public Library.

On 17 May our group took part in a seminar entitled Privacy in a digital age which was held at the offices of the Carnegie Council for Ethics in International Affairs. The keynote speaker was Bruce Schneier, a technology security expert, with a response by Deborah Caldwell-Stone of the American Library Association (ALA) Office for Intellectual Freedom. When I first read the programme I thought: "Bruce Schneier? That sounds familiar... Isn't he the cybersecurity guy who wrote an afterword for Cory Doctorow's Little Brother?!" I may be a bit of a geek but: I was right - and his afterword, just like Doctorow's whole novel, is worth reading!

Note: the seminar was recorded - a transcript is available from the Carnegie Council, while the video of the full seminar (2 hours 12 minutes) and a highlights video (24 minutes) have also been published.

Albert Tucker from the Carnegie UK Trust was chairing the seminar. Ciara Eastell started it off with a short overview of the situation of public libraries in the UK and their role in privacy issues. She explained how public libraries are often the first and last resort for people to access online services and get support to do so. She highlighted the role of staff in providing this support, mentioning some Society of Chief Librarians (SCL) initiatives such as the training for all public library staff which accompanies the SCL Information Offer, the digital leaders training and the Innovators Network. However, privacy is not a topic staff are specifically trained on, and few UK public libraries have privacy policies.
Ciara frankly said that "the issue of data privacy is not one that ranks highly on the list of library leaders today" as austerity and budget cuts are much more pressing. 
But she also said that Newcastle Libraries [yes, that's us and fellow CryptoParty Newcastle organisers!!] are showing new possibilities regarding the potential of libraries around privacy.



Bruce Schneier started his speech by saying that all the technology around us - cameras, phones, our internet use, online communications, etc. - collects data about us. This data is increasingly easy to save and search, so much so that it is now easier to save everything than to figure out what to save. You can come back to this data later and search for specific words or patterns or incidents (this is mostly done by computers).
Bruce Schneier described metadata as data a system needs to operate. "Metadata is surveillance data", especially since "nobody ever lies to their search engine".
"Surveillance is the business model of the Internet."
Most of this data is held by corporations. We all know that the reason Facebook is free is that we are not the customer, we're the product. Data is valuable.
"Imagine if you had to alert the police every time you make a new friend... You laugh but you all alert Facebook."
The NSA and other similar organisations saw all this data being collected and thought of taking advantage of it. "Really we have a public-private surveillance partnership."
This situation has an impact on political liberty and justice, as well as causing problems of self-censorship. It also affects our security.

How do we fix this? We need security for privacy. And privacy is a part of security. We need to prioritise security over surveillance. Unfortunately secrecy means there isn't a robust debate in our society about this.
An example of this is all the talk about "encryption backdoors". Encryption backdoors are technically impossible: either you make a system secure or you make it not secure.

Our data together has enormous value to us collectively; our personal data has enormous value to us individually. Take medical data: it is very valuable for researchers when grouped together, yet sensitive for each individual when looked at separately.
"Data is the pollution problem of the information age": all processors produce it, it stays around. How do we deal with it? [I would not like to have to answer this question in an exam!!]


Deborah Caldwell-Stone then explained the position of librarians on the issue of privacy in a digital age. Librarians have a tradition of confidentiality; protecting user privacy has long been part of the focus of ALA and of the library profession.

According to Pew research, people trust their library - and use it to access information.
Librarians are the intermediaries in the fight against surveillance. The main focus is on education, so people can make good decisions about protecting their privacy. For example, San José Public Library offers on its website a virtual privacy lab, which anyone can use to learn about privacy and generate a customised toolkit that fits their needs. The tools promoted include Privacy Badger, HTTPS Everywhere, DuckDuckGo, Tor Browser... 
"It does no good to teach someone about Tor Browser and not put Tor Browser on the libraries' computers."
Deborah Caldwell-Stone mentioned several initiatives, including:
  • the ALA's Choose Privacy Week, which is held annually in May to raise awareness of the issues and best practice among librarians;
  • the Library Freedom Project: training for librarians so they can then train their customers;
  • the Data Privacy Project at Brooklyn Public Library, which included training for librarians across New York City and is now an online course;
  • the work of Bill Marden at the New York Public Library on developing contracts with systems and resources suppliers that include privacy standards.

The seminar was then opened to questions and comments from participants; here are a few.
  • How do we make privacy a broader topic plus change perceptions of privacy as a concern reserved for "people in tin-foil hats"?
    Bruce Schneier: "Privacy is not about something to hide, it's about how I choose to present myself to the world."
  • "The privacy thing sometimes I feel I care about it more than other people do", said a participant [who wasn't me, I promise!!]
  • There is sometimes a tension with data and how useful collecting it and using it can also be for libraries.
    Deborah Caldwell-Stone recommended reading Becky Yoose's article on de-identification and patron data.
  • How can we reconcile the fact librarians are campaigning for privacy and pressure from government against privacy?
    Deborah Caldwell-Stone: it's the role of the professional association; ALA can say a lot of things that a local librarian can't. Some library directors have also been very good at pitching privacy as a bipartisan issue.
  • What should librarians do about being asked to give up one thing i.e. their or their users' information and privacy - if they want another e.g. a software product for their library?
    Bruce Schneier: "We have collectively decided that we were going to make the internet free in exchange for privacy" but we don't have to. Software and tools don't have to be built that way.
  • "I'd like to think that libraries will remain a sanctuary for privacy and freedom of information."

Closing remark from Bruce Schneier: privacy in a digital age is about changing perceptions. Librarians make powerful statements when: using warrant canaries, offering Tor Browser in libraries...



After the seminar our group got a chance for a more in-depth chat with Deborah Caldwell-Stone. She explained that for ALA the case for privacy and libraries started in 1939, with a Library Bill of Rights which included privacy in response to the situation in Nazi Germany where librarians were being asked to inform the police on their customers. There have been several other cases of US librarians taking a stand for privacy since then e.g. 1950s, 1992 because of the Library Awareness Program, in 2001 in response to the Patriot Act... Deborah told us about the ALA Office for Intellectual Freedom (OIF) materials available on the topic, and made recommendations on what librarians could do.

  1. Check whether your institution has a privacy policy and whether it needs to be created or updated. OIF has a toolkit for US librarians on how to develop or revise their privacy policy.
  2. Look into encrypting your institution's own data and website. ALA has partnered with Let's Encrypt to help librarians do that.
  3. Implement best practice on different aspects of privacy in your institution. On the OIF website there are guidelines on best practice in relation to different topics e.g. e-book lending, library management systems, public access computers... For each set of guidelines there are corresponding checklists which summarise and prioritise (level 1, 2 and 3) what librarians should be looking to implement first.
    To put these measures in place you might need to figure out how to convince the chief IT person in your institution. Tip: pitch the idea in a way that benefits them e.g. it will improve security.
  4. Engage with your local community, create a place for dialogue around privacy. OIF has guides for hosting a discussion on privacy.
  5. Reach out to communities and provide opportunities for citizens to learn to protect their information.
  6. Advocate for better privacy laws, work with your legislator to change the law. Deborah described it as "grappling in the trenches with law makers and regulators"!