Thursday, March 19, 2015

Constant Vigilance, by Galen Charlton


Constant vigilance! CONSTANT VIGILANCE!

Mad-Eye Moody's catchphrase in Harry Potter and the Goblet of Fire expresses his view of the primary requirement for defending against the Dark Arts: continually paying attention to potential threats.

Moody's dictum is something I keep in mind as I do my job. Many of us run catalogs and discovery systems and are audacious enough to put them on the web for anybody to search. Absolutely anybody, including script kiddies, crackers, and botnet operators who would happily take our servers over for their own ends, or simply vandalize them for the lulz.

That's a threat that the people behind every public-facing server must either work to counter or choose to ignore, of course. But in libraries we've also taken upon ourselves a greater responsibility: to safeguard the privacy of our patrons.

Reader privacy isn't something to take lightly, unless we choose to take our profession lightly. The freedom to read, one of our core tenets, is curtailed if the reader has to worry about somebody looking over their shoulder or judging them. The freedom to read can sometimes be a life-or-death matter. I'm not just talking about readers in war zones or politically unstable areas: a teenager trying to figure out their place in life, or their very sense of self, may find succor in a library; having what they read in order to find themselves revealed to the wrong people can be deadly. It isn't always a life-or-death matter, of course, but it is enough to recognize that what a patron is reading is nobody's business but their own.

Here are some ways to protect patron privacy that I, a library technologist who also wears the hats of programmer, system administrator, and manager, have learned along the way. (There’s a lot more to each of these ideas, but I wanted to give you an overview.)

There's no point in giving up. It's commonly said that privacy is dead, impossible to protect, or unwanted. No! It has become harder to protect: modern software, and the urge to automate all the things and store all the data, make it easier to gather and collate information about people and their activities. Libraries can resist that, though. And if you think that teens don't care about privacy, you're wrong. (For the research, see danah boyd's work, mentioned below.)

Think carefully about what data you collect. Data you never collect cannot be breached or subpoenaed. For instance, U.S. libraries should never be in the business of collecting Social Security Numbers. If a public library's policy for establishing proof of residence requires gathering SSNs, it's time to go to the library board and get that changed.

Protecting confidential data, or losing it, depends on people. There are lots of technical and software measures that can hide, destroy, or encrypt patron information, but they can all be for naught if a clerk isn't trained to refer every law enforcement request to the appropriate administrators.

There is a lot to learn. Here's one example: it's a terrible, no good, very bad thing if a patron calls the circ desk, says they've forgotten their password, and the clerk is able to read it back to them. If staff can see it, so can anyone who gets at the database; a password should be kept only as a salted hash, which lets the system check a password without anyone being able to retrieve it. Don't know why that matters? Read up on "password hashing."
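To make "password hashing" concrete, here is an added example of my own, not code from the post or from Koha or Evergreen. It stores only a salted, slow hash, verifies by recomputing it, and handles "I forgot my password" with a reset rather than a reveal. The algorithm parameters (PBKDF2-HMAC-SHA256 with 600,000 iterations) and the card number are assumptions made for the example; a real system might use bcrypt, scrypt or Argon2 through a vetted library.

```python
"""Salted password hashing: the system can check a password but nobody,
clerk included, can read it back. Example code; parameters are assumptions."""
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example, not any ILS's defaults: PBKDF2-HMAC-SHA256
# from the standard library with an iteration count in line with current OWASP
# guidance. A real system might prefer bcrypt, scrypt or Argon2 via a vetted library.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:  # malformed record (binascii.Error is a ValueError too)
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if a record predates the current policy; rehash on the next successful
    login, the only moment the system legitimately sees the plaintext."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# The anti-pattern: plaintext on file, so "what is my password?" is answerable.
PLAINTEXT_RECORDS = {"21234000012345": "swordfish"}  # constructed sample card number


def tell_patron_their_password(card: str) -> str:
    return PLAINTEXT_RECORDS[card]  # exactly what a well-run ILS must make impossible


# The corrected pattern: only hashes on file, and "I forgot it" means a reset.
HASHED_RECORDS = {"21234000012345": hash_password("swordfish")}


def login(card: str, password: str) -> bool:
    stored = HASHED_RECORDS.get(card)
    if stored is None:
        hash_password(password)  # burn the same time so unknown cards are not distinguishable
        return False
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        HASHED_RECORDS[card] = hash_password(password)  # transparent policy upgrade
    return ok


def reset_password(card: str, new_password: str) -> None:
    """The only correct answer to "I forgot my password": set a new one."""
    HASHED_RECORDS[card] = hash_password(new_password)
```

The stored record contains the algorithm name and iteration count, so the policy can be tightened later and old records upgraded the next time their owner logs in; the plaintext never has to be kept for that. Note that `hmac.compare_digest` is used for the comparison so that a wrong guess takes the same time no matter how many leading bytes it gets right.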

There is a lot to teach. Like it or not, one of the roles that many libraries serve is as community tech support. This is also an opportunity: via programs, classes, and one-on-one interactions, you can help patrons learn to better protect themselves online.

You will mess up. Some libraries have had their patron databases breached; many others have had their OPAC servers pwned. Some libraries have kept too much circulation data and had to hand it over to law enforcement for dubious fishing expeditions, and worst of all, they can be legally bound to say nothing about it.

This is why I say protecting reader privacy is an ongoing, continuous-improvement project. Aim to get better incrementally, learn from your mistakes, and take heart: even Mad-Eye Moody's vigilance failed him, but in time he was freed and able to continue his fight against Voldemort. Don't take it just from me. Some folks to read on the topic: Alison Macrina of the Library Freedom Project, danah boyd, Barbara Fister, Gary Price, Eric Hellman, as well as folks outside the library profession such as Latanya Sweeney. Want to join the discussion? Subscribe to the LITA Patron Privacy Technologies IG's mailing list. There are also numerous resources available; a good starting point is ALA's Privacy Toolkit.

And remember... constant vigilance!

Galen Charlton is a developer and manager at Equinox Software, where he spends his time helping libraries to use and improve the open source integrated library systems Koha and Evergreen. He was named an LJ Mover & Shaker in 2013, which he took as an opportunity to sneak Tux the Penguin onto the pages of Library Journal. He can be found on Twitter as @gmcharlt; if you want to send him an encrypted message, check out


  1. (argle bargle blogger just ate my comment - trying again)

    What are your thoughts on the "reading history" function available to be enabled in some library catalogs? MPOW has a no-way policy; my public library system has enabled it on an opt-in basis (I personally opted in, understanding more or less what risks I was taking, and weighing that against my desire to be able to look back to see what I read and when.)

    1. I think functionality to let users retain and manage their reading history (and hold request history, and so forth) is fine provided that it's implemented well.

      What does that mean for me?

      First, it should be opt-in, and should give users the ability to make informed consent without being patronizing about explaining the risks. (What the specific risks are will vary from place to place, of course.)

      Second, it should give the user full, granular control over their data. That means that the user should be able to delete all of their reading history at will -- or just parts of it. The data should be transportable: in other words, the user should be able to get an export of their reading history at will in a variety of useful formats. (Possibly bonus points if a user could *import* their reading history from another library -- I'm now wondering if anybody has ever had a patron ask for that.)

      Third, it should be implemented so that nobody can just snoop on it. For example, all library catalogs and discovery systems should implement HTTPS -- ideally, across the board, but at the very least, in all parts of the web interface that display data that's linked to a particular user while they're logged in.

      Fourth, if the catalog offers APIs that would allow a user to use a third-party service (e.g., Library Elf or online citation managers) to do something interesting with their reading history, the user should be able to grant and revoke third-party access at will.

      Fifth, the library should have policies in place. It should be clear to library users what is going on with their data; it should be clear to the library what to do in the event of a data breach.
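Galen's third point above, that nobody should be able to snoop on the logged-in parts of a catalog, is easy to state and easy to get subtly wrong: a site can answer on HTTPS and still hand the session cookie over plain HTTP, or pull a cover-image script from an http:// URL into the account page. The following is an added example of mine, not code from the post or from any catalog product. It audits a single HTTP response for those mistakes; the sample page, cookie names, URL and HSTS value are all constructed for the example, and the set of checks is my own choice rather than any standard's.

```python
"""Audit one catalog response for the leaks HTTPS is meant to close: plain HTTP,
missing HSTS, session cookies without Secure/HttpOnly, and mixed content.
Example code with constructed sample data; the checks are this example's choices."""
import re
from urllib.parse import urlsplit

# http:// references in these tags pull active or passive content into an HTTPS page.
MIXED_CONTENT_RE = re.compile(
    r"<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*[\"']http://",
    re.IGNORECASE,
)

REDIRECTS = (301, 302, 307, 308)


def parse_set_cookie(value: str):
    """Return (name, {attribute: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url: str, status: int, headers, body: str):
    """headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    Returns a list of findings; an empty list means nothing to complain about."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    lowered = [(name.lower(), value) for name, value in headers]
    if scheme == "http":
        location = next((v for n, v in lowered if n == "location"), "")
        if status in REDIRECTS and location.lower().startswith("https://"):
            return findings  # plain-HTTP request bounced to HTTPS: the right answer
        findings.append("page served over plain HTTP without redirect to HTTPS")
    elif not any(n == "strict-transport-security" for n, _ in lowered):
        findings.append("missing Strict-Transport-Security header")
    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly flag")
    if scheme == "https" and MIXED_CONTENT_RE.search(body):
        findings.append("mixed content: http:// resource loaded into HTTPS page")
    return findings


# Constructed sample: a logged-in "my account" page of a hypothetical catalog.
SAMPLE_URL = "https://catalog.example.org/opac/my-account"
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly"),  # no Secure flag
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]
WEAK_BODY = """<html><body><h1>Your checkouts</h1>
<script src="http://covers.example.net/covers.js"></script>
</body></html>"""

# The same page with the problems fixed (HSTS value is an assumed policy).
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=3f9a1c; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]
HARDENED_BODY = WEAK_BODY.replace("http://", "https://")
```

Run against the weak sample it reports the missing HSTS header, the session cookie without the Secure flag, and the http:// script; against the hardened sample it reports nothing. A plain-HTTP request that is redirected to HTTPS is treated as correct, which is the behaviour to aim for on the catalog's front door. To use it on a live catalog, feed it the URL, status, header list and body from whatever HTTP client you already use.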

    2. Thanks Galen. Any library considering a reading history option would do well to consider what you've brought up, and I'm going to take these questions to my local public library to see if they can answer them. If they can't, it's possible I'll opt out of using that feature in the future.