2013-10-03

Who’s watching librarians and library patrons, and can we stop them?

Teaching from the real world is pure joy most of the time. Students love it when they see something from class in the pixels of library journals and magazines, the mass media, or the technology press. Most of the time, discussing change while it’s happening is a visceral lesson in professional adaptability and continuous learning. However, I could have done without having to teach technology-related privacy issues to my “Digital Trends, Tools, and Debates” students in the shadow of the NSA’s newly-revealed surveillance practices.

Those who watch my Twitter feed have lately endured many 140-character howls of helpless dismay as I read the tech press in the late afternoons. Leaving that anger aside as I wrote and recorded lectures nearly broke me. Boiling immensely complex facts based on technologies no less complex into a snappy and comprehensible lecture is hard enough, but it’s a challenge I’m well-used to; disciplining myself to avoid bursting into spittle-flecked rants was the hard part.

As I always do, I explained to my students why I chose to teach them about this. My own visceral outrage aside, the simplest reasons call back to parts of the ALA Code of Ethics:

II. We uphold the principles of intellectual freedom and resist all efforts to censor library resources.

III. We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

V. We treat co-workers and other colleagues with respect, fairness, and good faith, and advocate conditions of employment that safeguard the rights and welfare of all employees of our institutions.

VI. We do not advance private interests at the expense of library users, colleagues, or our employing institutions.

What price intellectual freedom and freedom to read, never mind privacy and confidentiality, when the NSA has built weaknesses into security standards and frameworks that could help other snoops grab every byte passing through a library computer, or over the library wireless network? When Amazon tracks library checkouts to Kindle devices, creepily attaching buy-this-book come-ons to due-date notices? When any number of commercial data warehouses track patron information behavior on the computers and Wi-Fi networks libraries provide?

The Internet in general and the web in particular have become Jeremy Bentham’s panopticon. That panopticon unquestionably surveils us and our patrons. If libraries are truly to be the privacy-protecting, commercial-free civic spaces they aim to be, shouldn’t we librarians extend the principles of the ALA Code of Ethics to digital environments as well? What would that take?

The scope of the problem

This isn’t only about circling library wagons against the NSA. Who surveils library staff computers? In many K-12 environments, the answer is obvious, and in some ways troublesome. To my surprise, however, schools are not the only library environment where employer surveillance may appear. When I asked, several librarians in academic and public libraries privately voiced suspicions to me that either library IT or the IT establishment in the library’s parent organization was logging behavior on work computers. Even more troublesome: they did not know what was and wasn’t logged, had no available policy on the question, and could not find out more. I don’t find this uncertainty indicative of what the Code of Ethics terms “respect, fairness, and good faith.”

My entirely unscientific and not-to-be-relied-upon information gathering for this column suggested that surveillance may be more common when library IT is not controlled by the library. This makes intuitive sense. Not only do many corporate, government, and academic IT centers not share library ethics, they operate under different constraints and directives. A library, for example, can push back against overreaching copyright enforcement directives; we understand fair use and consider fair-use advocacy part of our mission. When the RIAA, a major serials publisher or aggregator, or similar copyright-owner interests lean on IT, however, IT has little choice but to make the problem go away with minimal hassle and minimal legal risk to the larger institution. This is liable to mean surveillance (in the form of log monitoring at minimum) and no-longer-neutral web access.

As for warding off surveillance from private interests, I’ve been teaching my Digital Trends students about the commercial web-tracking establishment and available techniques to defeat it for years. When I asked Twitter and FriendFeed whether any libraries had defended against this surveillance by adding anti-tracking plugins to the web browsers in stock patron or staff computer configurations, however, I came up completely empty. I found that both unexpected and troubling. I would dearly love comments here from librarians who have considered this issue and implemented privacy-protecting measures in their libraries!

Ignorance is part of the problem, certainly. My own wake-up call came a couple of weeks ago, when I interviewed Brendan O’Connor, a student in the UW-Madison School of Law, about the cheap, Tarot-deck-sized Wi-Fi surveillance box he calls the “F-BOMB” along with its monitoring system CreepyDOL, built as a proof-of-concept assessment of the privacy threats involved in much normal everyday network use. Before talking to Brendan, I hadn’t any notion how much data Wi-Fi-enabled devices such as laptops, tablets, and smartphones regularly and unstoppably leak, nor how oblivious to personal-data leakage many websites (including librarian favorites such as newsfeed readers) are. Supposedly I teach technology! If there’s this much I don’t know, when I make constant and regular effort to keep up with technology-related privacy issues, I can’t help but be concerned about the level of awareness in librarianship generally. How can we decide what to do about a phenomenon we don’t understand?

What to do?

That we as a profession have a duty to advocate with legislators and technology providers for better privacy protection in communication protocols, on websites, and in mobile platforms seems beyond question. Frustrated with the stalemate he perceives in the technology establishment around personal privacy, Brendan O’Connor suggested to me that privacy protection could be usefully framed as a consumer safety issue. I think that is a promising approach, but I see no reason standard library ethical stances around personal privacy as an inescapable component of intellectual freedom and citizenship cannot make themselves heard as well. Available fixes are highly technical, of course, but the needed advocacy to force the technology establishment into making those fixes relies on exactly the sort of ethical suasion that libraries and their professional organizations excel at.

What immediate technical fixes could libraries implement? When I brought up browsing privacy on FriendFeed, librarian Aaron Tay of the National University of Singapore wondered whether I was advocating that all libraries place their computers on the (possibly NSA-compromised, but still best-of-breed) Tor anonymizer network. I’ve used Tor now and then, so I know it stresses bandwidth and degrades the apparent responsiveness of web browsing somewhat; I don’t doubt many of our patrons would find this an unacceptable tradeoff. Stephen Francoeur of Baruch College noted that anti-tracking browser plugins, if poorly chosen or poorly configured, could block cookies that some websites require in order to function properly. Both critiques have merit.

To my mind, libraries can consider a continuum of responses, with universal Tor implementation, perhaps allied with a draconian JavaScript-killer like NoScript that is known to break many websites, on the extreme (and doubtless unfeasible) end. On the other end of the continuum lies pure education: block nothing, explain everything. The website “Terms of Service; Didn’t Read,” which grades the quality of the privacy policies at many commonly-used websites, offers a plugin for many popular browsers (Internet Explorer excluded, unfortunately) that puts its grades right in the browser interface for perusal. Some anti-tracking plugins, Ghostery for example, can be configured not to block, but to display information about which trackers are active during a web browsing session. I encourage everyone who works in libraries to investigate and test these plugins, at home if not at work! Let us share what we learn, so that librarianship as a whole starts to frame a digital-privacy strategy.

Where is the middle course? The “Do Not Track” browser preference, lackadaisical though support for it is, is worth triggering by default just as a statement of intent. Anti-tracking plugins are well worth considering for library staff and patron machines also. I’ve been using them for some years, and hardly ever notice browsing problems. On the rare occasion a site does break, the fix is generally a two-click temporary disabling of the anti-tracking plugin for that site, something I hope could be relatively easily taught to reference and tech support staff. Wi-Fi security is rather weak still, and its implementation unquestionably creates tech support issues, but with a heavy heart I confess it now seems preferable to open access points to me.

As for surveillance closer to home, at a minimum, libraries owe their staff transparent policy and procedure. Even libraries with no choice but to surveil staff, as in many schools, should be straightforward about what is happening. Even libraries that don’t control their own computers can challenge IT to be transparent and to protect privacy whenever possible. We can at least avoid turning into mini-NSAs, hiding snooping behind silence and obfuscation!

It is true that some anti-tracking technologies create browsing hassles. It’s also true that institutions we favor and rely upon, such as news media, themselves rely on tracking to improve their balance sheets as they move online. Finally, it’s true that some digital invasions of privacy are well beyond our control.

As I thought about all this, though, I found myself repeating “not in libraries, not here” over and over again under my breath. The NSA may, legally or no, track the web traffic of foreign nationals, catching many American citizens in the backwash, but not here. Advertisers may compile behavior portfolios for promiscuous sale, but not here. Social media may track their users across the entire web, but not here. Digital panopticons may spring up like weeds, but not here. Not here. Here, in libraries, privacy should be the default.

I am grateful to Myron Groover, the Library Society of the World, and Twitter correspondents who wish not to be named for giving me examples of library-computer surveillance and helping me shape my thinking. I am not affiliated in any way with the websites or browser plugins mentioned herein, except as a user and classroom demonstrator.
