Defense Against the Digital Dark Arts

DESCRIPTION

Defense Against the Digital Dark Arts. Choose Privacy Week - May 5, 2014 Eric Stroshane North Dakota State Library [email protected] @ ericstroshane. Panel from Zach Weinersmith’s Saturday Morning Breakfast Cereal used with permission. - PowerPoint PPT Presentation

TRANSCRIPT

Slide 1

Choose Privacy Week - May 5, 2014

Eric Stroshane

North Dakota State Library

[email protected]

@ericstroshane

Defense Against the Digital Dark Arts

I do library development work for public libraries throughout North Dakota. As you probably imagine, these are primarily small and rural libraries with modest funding and limited staffing.

Today I'm going to be talking about steps we all can and should take to better safeguard our patrons' privacy. These things are within reach, even for those of us with limited resources.

Note: my slide deck is available online, so don't worry about writing down the websites on them!

Panel from Zach Weinersmith's Saturday Morning Breakfast Cereal used with permission.

View this and other comics at: http://www.smbc-comics.com/

There's been a lot of news regarding online privacy since June 5, 2013. It's known the NSA and FBI have been monitoring and recording tons of our personal data without warrants or meaningful oversight: phone call metadata, emails, text messages, Skype calls, social media activity.

86% of internet users have taken steps online to remove or mask their digital footprints

55% of internet users have taken steps to avoid observation by specific people, organizations, or the government

From this September 5, 2013, Pew Research Internet Project report: http://v.gd/6ogCGF

As a result, people are growingly concerned about their data privacy, and that's understandable. We do a lot of really personal things online: banking, shopping, making donations. We share our stories, plan our travel, and find entertainment. We seek answers to legal, medical, and other questions.

As a result, we've become eerily disembodied. In a very real sense our habits, curiosity, memories, and in some cases our anatomy, are distributed online. Digital privacy matters because these threads can be tied together or taken out of context and associated with us in ways we never intended or imagined.

September 1, 2009, Unshelved strip by Bill Barnes and Gene Ambaum used with permission.

Visit www.unshelved.com for more free comics and books about libraries!

People share a lot of things online, which can be problematic in its own right, but what I'm going to talk about today is unintentional sharing through tracking & surveillance. While people may not trust Google or their government with their data, they do trust librarians. Librarians have always made a point of safeguarding patrons' privacy and defending their intellectual freedom. We even enshrined it in the ALA code of ethics, where it states: "We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted."

January 20, 1953 - Joseph McCarthy becomes chair of the Senate Permanent Subcommittee on Investigations

June 25, 1953 - The Freedom to Read Statement is officially adopted by the ALA Council and the AAP Freedom to Read Committee

This isn't always easy.

I put this slide up b/c I don't believe these dates are coincidental. McCarthy trials and HUAC's anti-Communist investigations had been going on for several years before '53. When McCarthy became the Permanent Subcommittee on Investigations Chair, he started investigating govt employees. He ordered examinations of the card catalogs of all the libraries overseen by the State Dept. He went before the press to recite a list of supposedly pro-communist authors, prompting book burnings.

It was a revelation for me when I put these two dates together. Freedom to Read was no longer simply a very fine Statement of ideals, it was a courageous response. Make no mistake--in 1953, it was a revolutionary act to assert that "It is in the public interest for librarians to make available the widest diversity of views and expressions, including those that are considered dangerous by the majority."

Proud History of Librarian Resistance

DECAL aka Library Awareness (1973-1976, 1985-?)

CIPA (2000-)

USA PATRIOT Act (2001-)

SOPA/PIPA (2011 - 2012)

CISPA (2011 - 2012, reintroduced in 2013)

These are programs, laws, and bills librarians have taken collective action against.

DECAL stands for DEvelopment of Counterintelligence Among Librarians: FBI program that came to light in the mid 80s. Agents bracing NYPL emps to report suspicious people & behavior to the FBI. Being librarians, they reported the agents' behavior to the NYLA & the ALA. Subsequent exposure led to widespread outrage, a front-page article in the NYTimes (September 18, 1987), and a congressional hearing on the FBI's activities. Libraries nationwide adopted Search Warrant Guides so we'd know what to provide and when, and what to protect.

CIPA (Children's Internet Protection Act), despite the unfavorable SC decision in the ALA lawsuit, gave us deep insight into the ways in which internet censorship depends upon internet surveillance.

The PATRIOT ACT, particularly the library records provision (Section 215) and the FBI authority to demand records w/o prior court approval and with a perpetual gag order (Section 505), gave us all a reason to update our Search Warrant Guides and record retention policies to protect patrons as much as possible. Noteworthy that one of the few successful challenges to the gag order provision was a lawsuit initiated by librarians (the Connecticut Four) with the support of their library consortium.

The successful online protests of SOPA, PIPA, and CISPA that many of you listening probably took part in taught us that we can defeat unjust bills before they become unjust laws, and it showed us a new way to protest successfully and new partners to organize with.

Image in the public domain in the United States

Rights status unclear; image used at great personal risk

For me, this tradition of resistance borders on the sacred. I mention these events and the actions librarians have taken as a point of professional pride and also as a reminder that courageous resistance is still needed.

Panel from Randall Munroe's xkcd licensed under CC BY-NC 2.5

View this and other comics at: https://xkcd.com/

Why? Well... Beyond our great ethical foundation regarding privacy issues, and despite the fact that we have certain legal and policy safeguards in place, such as constitutional provisions for free and anonymous speech and safeguards against unreasonable search and seizure, laws addressing library patron record confidentiality in all 50 states, and the privacy policies of the libraries we all work in, the fact remains: our legal framework and electronic offerings have not kept pace with evolving digital privacy needs, and this failure borders on complicity in the burgeoning surveillance apparatus.

"I don't try to describe the future, I try to prevent it."

- Ray Bradbury

Quote from Roger Moore's article "At 80, Ray Bradbury Still Fighting the Future he Foresaw," available at: http://v.gd/pLPkgP

In recent years, we've learned that the internet filters school and public libraries use to comply with CIPA, such as M86, Blue Coat, SmartFilter, Netsweeper, and Websense, have also been used by oppressive regimes in nations like Syria, Yemen, Iran, Bahrain, Burma, China and many others to monitor civilian populations, control the flow of information, and identify and locate dissidents.

In other words, thanks to CIPA, librarians understand how surveillance and censorship are intertwined: how internet censorship is only possible through surveillance, and that at a fundamental level, surveillance is an act of censorship.

Dave Hoffman's "Internet VS Privacy: A Helpful Venn Diagram," licensed under CC BY 2.0 from http://v.gd/Yp9Ujj

Many of us here may be hamstrung in terms of CIPA-compliance, but there are other areas where we can and need to address this disconnect between the principles we hold dear and the services we provide. There are a lot of parties potentially watching our users. It's our responsibility to make watching them as difficult as we can.

All Data You Generate Is Personal

Mobility patterns

Browser fingerprints

Search habits

Metadata

On the face of it, that isn't easy. Part of the difficulty stems from the fact that so many things that contain personal information don't seem at all personal. We've seen stories demonstrating how people can be identified based only on their search history. Studies showing that knowledge of as few as four locations someone frequents is sufficient to uniquely identify them >90% of the time. There are 7.13 billion people on the planet. That's a surprisingly small barrier to identification.

Much of this exposure can be minimized by modifying our behavior, understanding how observation occurs, and making changes to our computers and web browsers. Minor changes can restore our labs to places where information can be more freely and privately sought.

Photo by Eric Stroshane, used with permission.

[pause]

In other words, it's time for us to leave the Surveillance State.

Pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost-effective basis. The result is that governments are likely to fall back to traditional, targeted surveillance founded upon an individualized suspicion.

- Edward Snowden

Snowden's full testimony to the European Parliament (pdf): http://v.gd/0MCQgg

Shirt available from: http://v.gd/35zt6R and join team Edward.

Key takeaway: in order to defeat mass surveillance online, we need only put up enough resistance to make it cost-prohibitive.

The Digital Dark Arts

Casual leaks from sharing computers

Spyware and adware

Third party cookies

Keyloggers

Packet sniffing and inspection

Detail from katefarrar's "Dark Mark Wallpaper," licensed under CC BY-NC-ND 2.0 from: http://v.gd/11oxtb

In order to do this, we need to gain a better understanding of the Digital Dark Arts and basic defense against them. This slide lists risks users of shared computer spaces are exposed to. I'll now address them one-by-one.

Panel from Scott Meyer's Basic Instructions, used with permission.

View this and other comics at: http://basicinstructions.net/

By simply sharing a computer and browser, we risk a lot of unintentional exposure of personal information. Can include: saved passwords, browser history, temporary internet files, stored cookies, and jump lists of recently opened documents.

We can address shared browser leakage by configuring them to always open in private browsing or incognito mode. Address shared computer leakage by setting up a GUEST ACCOUNT for use by our patrons. Taking it a step further, you can also use a:

Steady state/Deep Freeze product (medium and large libraries)

CCleaner (ranges from free to cheap, depending on # of machines)

Malware: software installed against your will with bad intentions

Spyware: malware that monitors and reports on your activities

Adware: spyware that injects ads

Another problem we face is the accidental installation of spyware on PACs.

Guest account/steady state solutions help deter rogue software installation. Building on that, you can cut off channels of infection by using the AdBlock Plus browser extension. A number of infections come from folk clicking on random things they see on sites of dubious repute. The easiest way to prevent random things from being clicked on is to prevent them from appearing.

EMET

Visualize tracking cookies with Mozilla's Lightbeam extension (Firefox): https://www.mozilla.org/en-US/lightbeam/

Detail from "Delicious cookie!" image by Andres Moreno, licensed under CC BY 2.0 from http://v.gd/Sv5QJZ

Cookies are bite-sized data chunks sent from websites and stored in your browser. They get set by sites you visit and by the 3rd party sites whose content they host. 3rd party content = ads, social sharing buttons, embedded images, videos, scripts, etc.

Some cookies are mundane and useful in the short term (authentication). Others are worrisome, like persistent cookies that might be identifying, and tracking cookies set or monitored by 3rd party sites. Tracking cookies compile records of your personal browsing history and give companies the capacity to sell a highly targeted advertising capability. Bruce Schneier: "free service in exchange for psychological manipulation" business model.

What you see: 717 3rd party sites tracking me after 90 minutes of casual internet use (clean install, one extension).

Adblock Plus limits one avenue of 3rd party cookie exposure. Private browsing and incognito mode will ensure session history (including cookies) isn't kept. Building on that: install a tracking blocker browser extension, Disconnect OR Ghostery (EFF's Privacy Badger, still in Alpha). Changing the browser's default search engine to someone like DuckDuckGo, who don't track or own an ad agency.
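An added example (not part of the original slides): a Python sketch that applies the distinctions above to a handful of observed `Set-Cookie` headers, labelling each cookie first- or third-party and session or persistent, then listing third parties whose persistent cookies appear on several visited sites. The hostnames, cookie values, and the two-label `site_of` shortcut are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample, not captured traffic:
# (site the patron visited, host that sent the response, its Set-Cookie header)
OBSERVATIONS = [
    ("news.example", "news.example", "session=ab12; Path=/; HttpOnly"),
    ("news.example", "ads.tracker.example", "uid=u-7781; Max-Age=31536000; Path=/"),
    ("shop.example", "shop.example", "cart=c9; Path=/"),
    ("shop.example", "pix.tracker.example", "uid=u-7781; Max-Age=31536000; Path=/"),
    ("health.example", "cdn.tracker.example", "uid=u-7781; Max-Age=31536000; Path=/"),
    ("health.example", "fonts.static.example", "pref=1; Path=/"),
]


def site_of(host):
    """Assumption: a 'site' is the last two DNS labels. Browsers use the
    Public Suffix List instead, which also handles suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(page_host, response_host, set_cookie):
    """Return (name, party, lifetime) for each cookie in one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    same_site = site_of(page_host) == site_of(response_host)
    party = "first-party" if same_site else "third-party"
    results = []
    for name, morsel in jar.items():
        # No Expires/Max-Age means the cookie dies with the browser session.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        results.append((name, party, "persistent" if persistent else "session"))
    return results


def cross_site_trackers(observations, min_sites=2):
    """Map each third-party site to the visited sites where it set a
    persistent cookie, keeping only those seen on min_sites or more."""
    seen = defaultdict(set)
    for page_host, response_host, header in observations:
        for _name, party, lifetime in classify(page_host, response_host, header):
            if party == "third-party" and lifetime == "persistent":
                seen[site_of(response_host)].add(site_of(page_host))
    return {t: sorted(s) for t, s in seen.items() if len(s) >= min_sites}


if __name__ == "__main__":
    for tracker, sites in cross_site_trackers(OBSERVATIONS).items():
        print(f"{tracker} can link visits to: {', '.join(sites)}")
```

In the constructed sample, only the third party that sets a long-lived cookie on all three sites is reported; the session-only cookies are not.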

Licensed under GNU Free Documentation License 1.2 from: http://v.gd/bWK1n0

Keylogger: anything that records keystrokes. Software (spyware or direct install): sends to remote server. Or hardware (PICTURED): relatively affordable (~$55, incl. s/h) or easy to make (USB & PS/2); stores data in the device. Public computers are easy access/high use targets; great keylogger ROI.

Redress: Guest Account and steady state help prevent installation of software keyloggers. Fight software with software: Zemana's AntiLogger Free. To manage hardware keyloggers, pull the plug on them. Educate staff; make monitoring procedural.

Licensed under CC BY 3.0 US, from: https://www.eff.org/pages/tor-and-https

Unencrypted data (that which is transmitted over HTTP instead of HTTPS) is easily viewed by anyone on the same network (packet sniffing and inspection) and a number of other parties, including your ISP and our friends in the NSA. While some sites have started employing HTTPS by default, many that offer HTTPS have not. Installing (EFF's) HTTPS Everywhere browser extension to force an HTTPS connection when available helps ensure that patron data is encrypted whenever possible.
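An added example (not part of the original slides): a Python sketch that tells apart the three cases the talk distinguishes, a site with no HTTPS, one that offers HTTPS but still serves plain HTTP, and one that uses HTTPS by default. The `.example` hostnames and the `fake_probe` responses are constructed so the check can be read and run offline; `probe` performs the real requests.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def probe(scheme, host, timeout=5):
    """Send one HEAD / without following redirects.
    Returns (status, lower-cased headers), or None if the connection fails
    (refused, timed out, or the certificate does not validate)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def https_posture(host, probe=probe):
    """Classify a host as 'no HTTPS', 'HTTPS offered, not default',
    or 'HTTPS by default' (noting an HSTS header when present)."""
    secure = probe("https", host)
    if secure is None:
        return "no HTTPS"
    plain = probe("http", host)
    # Default means plain HTTP is either closed or redirected to an https:// URL.
    upgraded = plain is None or (
        plain[0] in REDIRECTS
        and urlsplit(plain[1].get("location", "")).scheme == "https"
    )
    if not upgraded:
        return "HTTPS offered, not default"
    hsts = "strict-transport-security" in secure[1]
    return "HTTPS by default" + (" with HSTS" if hsts else "")


def fake_probe(scheme, host):
    """Constructed responses for three made-up hosts, so the example runs offline."""
    table = {
        ("https", "catalog.example"): (200, {"strict-transport-security": "max-age=31536000"}),
        ("http", "catalog.example"): (301, {"location": "https://catalog.example/"}),
        ("https", "db.example"): (200, {}),
        ("http", "db.example"): (200, {}),
        ("http", "legacy.example"): (200, {}),
    }
    return table.get((scheme, host))
```

Calling `https_posture(host)` with the default `probe` runs the same classification against a live catalog or database host.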

Encrypto Patronum!

Test how a browser handles SSL/TLS: https://howsmyssl.com

Test a site's SSL/TLS configuration: https://www.digicert.com/help/

Get certified! Implement HTTPS on your sites:

Digicert

SSL.com

StartSSL

Or from a host of other cert authorities!

If you have control over your own website &/or catalog, do what it takes to make HTTPS available and enabled by default.

(Note: fully updated IE doesn't pass the howsmyssl.com browser test. Fully updated Chrome and FF do.)

Challenge Vendors to Reset the Net

Place statements in RFPs requesting potential partners to use HTTPS by default

Contact current vendors and request they enable HTTPS by default

In the wake of Snowden revelations, there's been a robust response from companies like Wikipedia, Google, Facebook, Yahoo, & Twitter to enable HTTPS by default. We need to demand our business partners follow suit. As of right now major vendors of DBs, catalogs, and discovery solutions (EBSCO, ProQuest, Gale, OCLC, Credo, Britannica, LearningExpress, etc.) are not offering HTTPS at all, much less by default. I don't believe our vendors aren't encrypting user data because it's technologically or economically daunting to do so. It's not. I believe it's solely because we, their customers, have not been asking them to. It's time we started.

CPW Programming Guide - Usable 52 weeks per year! http://v.gd/LukU9J (pdf)

Programming ideas from Cory Doctorow: http://v.gd/nbQTbF (YouTube)

So that's the technology side. For the behavior side, libraries should:

Offer Privacy Programming for all ages

Teach patrons about risky privacy behavior online, the tradeoffs of interacting with any internet service, the steps they can take to protect themselves, the value of being anonymous

Elected officials directory: http://www.usa.gov/Contact/Elected.shtml

House staff directory: http://staffers.sunlightfoundation.com/

Librarians are great activists, we know this. We also know there are still laws out there with serious online privacy implications & that there are always other bills coming down the pike. I encourage you to contact your legislators. In all likelihood, the response will be a form letter or something utterly off topic, but don't stop. If it's important to you, they need to hear it from you. And if they hear it from enough of us, they may start to truly listen.

[Problem laws: CIPA, PATRIOT ACT, FISA Amendments Act (Foreign Intelligence Surveillance Act), ECPA (Electronic Communications Privacy Act), CFAA (Computer Fraud and Abuse Act), Executive Order 12333]

American Civil Liberties Union

Center for Democracy and Technology

Electronic Frontier Foundation

Freedom of the Press Foundation

OpenNet Initiative

Sunlight Foundation

If you're interested in learning and doing more, these organizations have a wealth of valuable information and resources you can tap into and act on!

Base PAC Recommendations

Windows Settings:

Enable the Guest account

Browser Settings:

Always open in Private/Incognito mode (for Chrome, add the -incognito flag to the shortcut)

Change default search provider to DuckDuckGo

Browser Extensions:

AdBlock Plus

Disconnect or Ghostery

HTTPS Everywhere

For Chrome, be sure to check "Allow in Incognito" for these!

Software:

Zemana AntiLogger Free

CCleaner or a steady state/deep freeze product

Summary of my base recommendations for public access computers

Questions?

Contact: [email protected] | @ericstroshane

Slides: http://v.gd/yaFAH8

Playlist: http://v.gd/H7cbAC (they'll know you listened)