Comments and links from the WebEx chat, Virtual Meeting, May 7, 2015

05/07/2015    10:43:30 AM    from gary price to Host (privately):
 "A Survey on Privacy and Security in Online Social Networks"
Research from Florida St.
From an ACM publication (not sure if it's a published version or preprint)
http://arxiv.org/pdf/1504.03342.pdf
 
05/07/2015    11:04:30 AM    from NISO HQ to All Participants:
from Gary Price: Hackers Breached Wyoming’s Statewide Catalog “WYLDCat” in Early October
http://www.infodocket.com/2014/11/10/hackers-breached-wyomings-wyldcat-catalog-in-early-october/
 
05/07/2015    11:05:05 AM    from NISO HQ to All Participants:
from Christopher Harris: Are you familiar with the recently released Principles for Student Data Privacy? http://studentdataprinciples.org/ AASL, the ALA School Division, was one of the supporters along with CoSN and pretty much everybody else in the education sphere.
 
05/07/2015    11:27:13 AM    from Christopher Harris to All Participants:
Funny story...one of our two ILS services we provide to schools has a very nice toggle option for librarians to turn circulation history on or off that doesn't do a thing. The records are still maintained in the back end unless you do some super-secret code work.  
 
05/07/2015    11:29:05 AM    from Laura Quilter to Host (privately):
Listing to Peter @ NYPL discussing possibilities for letting users search & browse & delete from their own histories. Occurs to me that this is a great opportunity to also TEACH users, conscious-raising exercise, about taking charge of their own data. If we do it right, then they can come to expect this level of control over Facebook, Google, etc. 
 
 
05/07/2015    11:30:42 AM    from Peter Murray to All Participants:
Credit Card Data Is Less Anonymous Than You Think [on deanonymizing data problems] | MIT Technology Review http://www.technologyreview.com/article/536501/data-sets-not-so-anonymous/
 
05/07/2015    11:40:25 AM    from NISO HQ to All Participants:
from Wendy Ellis: In terms of circulation, depending on how a library backs up data and gets rid of those backups, if the libraries' policy is to remove patron data the day after a return, but the backup is kept longer, the data could potentially be recovered.
 
05/07/2015    11:45:25 AM    from Eric Hellman to Host (privately):
Should point out that most catalog are operated in such a way that complete browsing histories are spewed to many places. It's fantastical thinking these days to imagine that clicktrails are not retained in the network. Where do we draw the line??
 
05/07/2015    11:54:18 AM    from Richard Entlich to All Participants:
Peter Brantley mentioned the issue of what patrons understand about what happens to their use data. I have two citations (which I'll send separately) relevant to that issue that suggest what kinds of obstacles exist in terms of users' understanding of library policy and users' level of concern about what might happen to their use data:
From the Chronicle of Higher Education back in 2012
http://chronicle.com/article/As-Libraries-Go-Digital/135514
For a brief time, Harvard ran a Twitter feed that revealed the titles and authors of books being checked out. The timing of the tweets was randomized so they wouldn't correspond directly to the time of the transaction.Nevertheless, the service had to be suspended when patrons expressed concern "that someone might somehow use other details to identify the borrowers."
 
 
05/07/2015    11:56:39 AM    from Richard Entlich to All Participants:
Second citation on patron education issues:
From Library Journal, in April 2015
http://lj.libraryjournal.com/2015/04/industry-news/faculty-rallies-to-support-university-of-oregon-archivist
This article discussed the recent case at the University of Oregon in which an archivist was fired after releasing unfiltered emails from the university's presidential archives to a faculty member who had requested them.
At one point after receiving the archives, the faculty member received a letter from the university's senior vice provost for academic affairs saying that the material had been provided to him in violation of law and demanding that he return the USB drive on which he'd received the files, destroy any copies, and remove any of the documents that he'd posted online. In response to his receipt of the letter, the faculty member was quoted saying “I was surprised at that because I always assumed that library circulation records were confidential.”
 
05/07/2015    11:56:39 AM    from Christopher Harris to All Participants:
Richard, it is also cricital to note that younger users have VERY different perceptions on privacy than many of us in this conversation have. This is one of the things we are looking at in ALA's OITP Program on Youth and Tech. 
 
05/07/2015    11:57:46 AM    from Richard Entlich to All Participants:
Regarding the University of Oregon faculty member's perception of library policy--Of course, libraries have to know who the current borrower of circulating material is and, more importantly here, archives often have very different policies regarding retention of patron data than libraries. That distinction is undoubtedly lost on most patrons.
 
05/07/2015    12:01:21 PM    from Eric Hellman to All Participants:
Question for Ken: Why does UMich library bother throwing away weblogs to a catalog operated non-securely, over HTTP? Bad guys could be collecting all that data despite the weblogs. 
 
05/07/2015    12:01:45 PM    from NISO HQ to All Participants:
From David Weinberger: BTW, here's a proposal from our Lab about one way to make usage data shareable and usable by computers without substantial  risk of violating any user's privacy: http://chronicle.com/blogs/conversation/2014/10/07/a-good-dumb-way-to-learn-from-libraries/
 
05/07/2015    12:06:40 PM    from David Weinberger to All Participants:
The idea referenced: Compute a measure of community relevance for items by running a chosen formula on a selected set of usage metrics (checkouts, reserves, whatever) and then turn it into a distribution between 1-100. That 1-100 number then can be shared without worrying (too much) about de-anonymization. Libraries can decide on their own formula. Result: a usage metric for each work that preserves user privacy, is normalized, and is based on local values.
 
05/07/2015    12:13:11 PM    from Deborah Caldwell-Stone to All Panelists:
A Content Analysis of Library Vendor
Privacy Policies: Do They Meet Our
Standards? by Trina Magi http://crl.acrl.org/content/71/3/254.full.pdf
 
05/07/2015    12:21:10 PM    from Christopher Harris to All Participants:
Hard to talk about library privacy when IT departments are using things like http://www.sgtlabs.com/ and http://iboss.com/ as keystroke loggers with biometric identification and SSL man-in-middle decryption attacks
 
05/07/2015    12:30:10 PM    from Mike Robinson to All Panelists:
as part of measuring learning outcomes, should student ebook reading habits be included (i.e. did they read the material or how much did they read)?  Or similarily, is there evidence the student used research databases for an assignment?
 
05/07/2015    12:31:31 PM    from Ken Varnum to All Panelists:
Mike, I think that depends on the research question. Would a researcher want to know if reading x% of syllabus really led to a better grade, or just that y% of students ever read anything?
 
05/07/2015    12:32:01 PM    from Cliff Lynch to All Participants:
Mike: this is going to be a very important question. As an extreme case, consider e-textbooks that can report on their users (to whom, and in how timely a fashion?)
 
05/07/2015    12:32:38 PM    from NISO HQ to All Participants:
From Teresa Doherty: Our ILS (Alma) allows us to break the connection between patron and item borrowed (as long as there are 0 overdue fines/fees), but keeps all email notifications. These emails (courtesy, overdue, lost, payments) contain the patron name and item information, so, no privacy. Something I don't think we anticipated in our move to this system.
 
05/07/2015    12:34:35 PM    from Christopher Harris to All Participants:
Starts to remind me of the passage from "Snow Crash" about having to read an email from the organization at a certain speed because too slow and you are a lazy employee wasing money and time but too fast and you are careless and leading to risk
 
05/07/2015    12:39:06 PM    from Abigail Wickes to All Panelists:
(resending to All Panelists) this article is on a more dire example of the value of data analysis (predicting drought/famine with data) but it gets at the idea that "good enough is sometimes better than perfect" when it comes to data http://www.smithsonianmag.com/innovation/predict-famine-before-strikes-180954945/ 
 
Alison Macrina's links:
https://www.gnu.org/philosophy/free-sw.html
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
https://www.torproject.org/
https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about-https
https://letsencrypt.org/
https://www.eff.org/https-everywhere
https://www.eff.org/privacybadger
http://bleachbit.sourceforge.net/
https://libraryfreedomproject.org/resources/
http://www.thenation.com/article/206561/librarians-versus-nsa
05/07/2015    12:56:35 PM    from Mike Robinson to All Participants:
teaching privacy and digital literacy classes to your patrons really makes you turn a critical eye towards your own library's privacy practices
 
05/07/2015    13:02:38 PM    from Mike Robinson to All Participants:
man in middle attack is needed by content filters to censor https web pages, i.e. to be able to filter based on url string or keywords in the content
 
05/07/2015    13:05:47 PM    from Deborah Caldwell-Stone to All Participants:
Looping back to the patron education issue ...San Jose is developing online games to teach privacy ..another Knight grant recipient: https://chooseprivacyweek.org/?p=1094
 
05/07/2015    13:09:46 PM    from Eric Hellman to All Participants:
Obviously Tor can't be used with IP-Authenticated resources.
 
05/07/2015    13:12:02 PM    from Eric Hellman to All Participants:
Libraries should check that their license agreements allow them to strip the web beacons needed by advertising in their resources.
 
05/07/2015    13:12:03 PM    from Mike Robinson to All Participants:
tor would make you look off-campus/at home so then whatever remote login (ezproxy etc) would provide access
 
05/07/2015    13:14:05 PM    from Eric Hellman to All Participants:
I've seen cases where academic libraries accidentally leak catalog clicks to Amazon because cover images.