Privacy is Precious

PRIVACY
IS
PRECIOUS

Patron Data RIghts
and ResponsIbIlItIes

Bryan NeIl Jones | Tess WIlson
LIbrary Freedom Project

LIbrary Freedom Project

LIbrary Freedom InstItute

Agenda & HousekeepIng

EthIcs (10:30-11:20)

Security (11:30-12:30)

Lunch (12:30-1:30)

Threat Models (1:30-2:20)

PractIcal MagIc (2:30-3:20)

Wrap-up (10 mIn)

A vegan

and

a nihilist

walk into
a bar.

ETHICS

Ethics
need to be
considered
upon
ideation

UN DeclaratIon
of Human RIghts

7) Code of Ethics for Librarians and Other Information Professionals, Item 3: Librarians and other information workers respect personal privacy, and the protection of personal data, necessarily shared between individuals and institutions.The relationship between the library and the user is one of confidentiality and librarians and other information workers will take appropriate measures to ensure that user data is not shared beyond the original transaction. Librarians and other information workers support and participate in transparency so that the workings of government, administration and business are opened to the scrutiny of the general public. They also recognize that it is in the public interest that misconduct, corruption and crime be exposed by what constitute breaches of confidentiality by so-called ‘whistleblowers’.

IFLA Code
of EthIcs
for LIbrarIans &
Other InformatIon
Workers

US ConstItutIon

Amendment #1

US ConstItutIon

Amendment #4

ALA Code of EthIcs

Article #3

ALA BIll of RIghts

Article #7

iLA CommIttee
Charge

NLA Intellectual Freedom Manual

ETHICS

& THE LAW

15) Iowa Code Title 1 Section 22.7 Confidential records, "public records shall be kept confidential, unless otherwise ordered by a court, by the lawful custodian of the records, or by another person duly authorized to release such information. The records of a library which, by themselves or when examined with other public records, would reveal the identity of the library patron checking out or requesting an item or information from the library. The records shall be released to a criminal or juvenile justice agency only pursuant to an investigation of a particular person or organization suspected of committing a known crime. The records shall be released only upon a judicial determination that a rational connection exists between the requested release of information and a legitimate end and that the need for the information is cogent and compelling."

ia - pretty much

ne - maybe

warrant

no warrant

WHAT!

subpoena

natIonal
securIty
letter

WHAT!

Remember two thIngs:

more prIvacy
= more work

consIder the source

FLOSS

Free / LIbre
Open Source
Software

Free as In Freedom:

Run

EdIt

ContrIbute

What does
this have to do
with libraries?

yam
emphasIze
vIdeo
shanty
halves
poncho

prIvacy
&
securIty

POLP!

prIncIple
of least
prIvIlege

PII

Personally
IdentIfIable InformatIon

AnonymIze
It!

ENCRYPTION

HTTPS://

VPNs
VIrtual PrIvate Networks

yr pw Is bd

"dIceware"

KeePassXC

LastPass, etc

Is thIs okay?

Two Factor AuthentIcation
2FA

FreeOTP

YubIkey, etc.

THREAT MODELS

PRIVACY IS DEAD

Can i have your password?

The

Privacy

PARADOX

HOW DID WE
GET HERE?

dark patterns

55) Phones are fundamentally insecure. If you are using a phone your phone company knows your general location at all times. And we know now the sell this info. The text function in your phone is unencrypted unless you use a special app. We know on Android many apps collect data even without you knowing. Apple isn't open source so it is harder to study. A lot of apps have remote microphone access. The phone knows when you sleep, when you poop, who your friends are, who you work with, that what you think about, what music and tv shows you like, what porn you like, what church you feel guilty about not going to, and if you wear a fitness tracker it knows when you dream, it knows a lot more. No one has more info about you than your phone. Not your doctor, not your mom, not your spouse. Well, maybe Google if your phone was made by Google. DMCA makes it illegal for you to root your phone. You are only allowed to root your phone and change its software because of a special exception to DMCA determined by Librarian of Congress as recommended by the Register of Copyrights.

Phones are a dumpster fire.

What is bad
about it?

malware / phishing / doxing

What does
this have to do
with libraries?

crappy vendor contracts

public internet

public nets

I'll just leave
this here.

What can we
do about it?

DuckDuckGo

Tor Browser

Wipe'em!
Wipe'em good!

gnarly vendor contracts

Google Analytics

Turn off 'Display Features'

Turn off 'Remarketing'

Turn off 'Advertising Reporting'

Anonymize IP settings

Set the data retention
to the shortest period

Make opting-out
as easy as possible

THE SEQUEL

What you collect & why

Who you share it with

How you protect it

Make "opt-in" the default

Make "opt-out" easy

"Privacy policies are legal statements to get us out
of our ethical obligations."

Ethics
need to be
considered
upon
ideation

78) Communities trust libraries. If we don't protect patrons' privacy we violate that trust. Not only in digital spaces. The physical space of the library should be a non-surveilled space. You might hear that privacy is dead. This ship has sailed. Well, can I have your password? Climate change is bad, does that mean we are going to stop? A few high profile men have brought to justice for sex crimes, does that mean we've solved the problem of sexual violence? Grand juries rarely recommend charges against the police. Does that mean were going stop fighting for justice in our communities? We're libraries. We fight. I love and respect my mom. She's a senior citizen with a high school education. She uses an Android tablet that no longer gets security updates. She doesn't deserve annoying, misleading ads. She does not deserve her 4th amendment rights violated for ads. She does not deserve malware, identity theft, fakes news or a loan with criminally bad terms. More importantly she has a human right not be surveilled.

I love and
respect my mom.

i don't know where
to put this slide.

Choose prIvacy everyday!

bryan.n.jones@nashvIlle.gov
tesskwIlson@gmaIl.com

YOUR PRIVACY
IS PRECIOUS

BONUS DISC

Operating
Systems

Linux

Apple

Settings > Privacy

Settings > Privacy

Phones,
Oh, Phones

Purism Librem5

Lineage OS

F-Droid

Know your settings

Android

iOS

PASSWORDS
AGAIN

"diceware"

KeePassXC

LastPass, etc

Two Factor Authentication
2FA

FreeOTP

Yubikey

MORE
ENCRYPTION

HTTPS://

VPNs
Virtual Private Networks

Disk Encryption

LUKS
Linux Unified Key Setup

FileVault
(OSX)

BitLocker
(Windows)

Veracrypt

iOS

Android

desktop BROWSERS

Tor Browser

Know your settings

Firefox

Privacy Badger

HTTPS Everywhere

uBlock Origin

Multi-Account Containers

Brave

PHONES

Signal

Orbot
(Android)

Tor Browser
(Android)

Onion Browser
(iOS)

LIbrary Freedom Project

LIbrary Freedom InstItute

Agenda & HousekeepIng

A vegan and a nihilist walk into a bar.

ETHICS

Ethics need to be considered uponideation

UN DeclaratIon of Human RIghts

IFLA Code of EthIcs for LIbrarIans & Other InformatIon Workers

US ConstItutIon

US ConstItutIon

ALA Code of EthIcs

ALA BIll of RIghts

iLA CommIttee Charge

NLA Intellectual Freedom Manual

ETHICS

& THE LAW

ia - pretty much

ne - maybe

warrant

no warrant

subpoena

natIonal securIty letter

Remember two thIngs:

more prIvacy = more work

consIder the source

FLOSS

FLOSS

Free / LIbre Open Source Software

Free as In Freedom:

Run

EdIt

ContrIbute

Share

What does this have to do with libraries?

yam emphasIze vIdeo shanty halves poncho

prIvacy & securIty

POLP!

prIncIple of least prIvIlege

PII

Personally IdentIfIable InformatIon

AnonymIze It!

ENCRYPTION

yr pw Is bd

"dIceware"

KeePassXC

LastPass, etc

Is thIs okay?

Two Factor AuthentIcation 2FA

FreeOTP

YubIkey, etc.

THREAT MODELS

PRIVACY IS DEAD

The

Privacy

PARADOX

HOW DID WE GET HERE?

dark patterns

What is bad about it?

malware / phishing / doxing

What does this have to do with libraries?

crappy vendor contracts

public internet

public nets

I'll just leave this here.

What can we do about it?

DuckDuckGo

Tor Browser

Wipe'em! Wipe'em good!

Google Analytics

Turn off 'Display Features'

Turn off 'Remarketing'

Turn off 'Advertising Reporting'

Anonymize IP settings

Set the data retention to the shortest period

Make opting-out as easy as possible

THE SEQUEL

What you collect & why

Who you share it with

How you protect it