How many vulnerabilities do library websites have?

In a study by Joanne Kuzma (European digital libraries: web security vulnerabilities. Library Hi Tech, 28(3), 2010, pp. 402-413) a web vulnerability testing tool was used to analyse 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems.

Her analysis showed that the majority of the libraries surveyed had serious security flaws in their web applications. Indeed, the UK accounted for the highest proportion of high level (critical vulnerabilities) and medium level (moderate ranked problems that could pose some risk to web applications) security flaws.

A report by Cenzic (Web application security trends report Q3-Q4,2008) found that nearly 80% of web-related flaws were caused by web application vulnerabilities:

  • Cross site scripting (XSS)
  • Denial of service
  • Structured query language

 

In the WhiteHat security “web applications security statistics report 2016” https://info.whitehatsec.com/rs/675-YBI-674/images/WH-2016-Stats-Report-FINAL.pdf they list vulnerability likelihood by class (in descending order of likelihood). The top ones they listed for 2016 were:

  1. Insufficient transport layer protection (Not all traffic flowing between two endpoints is properly secured, which makes it possible for attackers to perform man-in-the-middle attacks)
  2. Information leakage
  3. Cross site scripting
  4. Content spoofing
  5. Brute force
  6. Cross site request forgery

Kunza holds that systems librarians should monitor security alerts from CERT and immediately install software patches and update their software to defend against attacks.

But should responsibility be placed solely on the systems librarian? It is all very well for librarians to hold privacy as one of their core values if they fail to take account of web security risks, whether through lack of awareness or some other reason.

Library procedures & privacy

I have put together a set of powerpoint slides setting out examples of how privacy impacts upon the work of libraries. The slides cover things like : physical layout of the library; co-location with other services; the procedures relating to self-service holds; the length of time users’ reading histories are retained and more. If you have other examples that I haven’t covered, do by all means get in touch (libraryprivacy @ yandex.com).   practical-examples

Privacy is a trade-off

In a library context, user’s may be more than happy to trade-in some of their privacy in return for a more tailored, personalized service; where people are actively choosing to tradeoff some of their privacy in exchange for convenience. Or the tradeoff could be between privacy and law enforcement or security.

An example of personalization in a library context would be the ability to create saved searches or alerts on information products. But would you necessarily want other people to know what these consisted of? In a corporate setting, for example, that could be incredibly valuable to a competitor.

The idea of people being willing to trade their information for convenience is known as the “privacy paradox”, whereby online users do have concerns over their privacy, and yet their own actions undermine it.

The question is whether the trade-offs involved are acceptable or not, and library users can only make an informed choice if they are fully aware of just what they are giving up and are able to balance that against the perceived benefits.

It is certainly true that some people would welcome the opportunity to tradeoff some privacy in exchange for convenience or for a more personlized experience. Last year, for example, I saw the following post on twitter:
Kate Davis ‏@katiedavis 29 Aug 2016   I want my library to exploit my borrowing data the way amazon exploits my purchasing data. Sell to me library! Sell to me!

The idea of a privacy tradeoff is discussed in an article published last year in IFLA journal, written by Sandra Garcia-Rivadulla – “Personalization vs. privacy: an inevitable trade-off?” http://journals.sagepub.com/doi/abs/10.1177/0340035216662890?etoc=

Mai’s datafication theory

#citylis Of all the theories & philosophies on privacy that I have read so far, the one that stands out for me is Mai’s datafication theory. Ever since I first read the article (“Big data privacy: the dataification of personal information” Mai , 2016), last year, this has been the theory that has made me think the most about the meaning of “privacy” in the age of big data; and especially the outdated focus on getting consent, when predictive analytics is used to generate new data based on information they already hold, but where they have made assumptions or come up with a profile of people based on probabilities using similarities they have seen with other people.

Need to shift from definitions of privacy to models of privacy (how it works)

– Surveillance model

– Capture model

And to add to the list the datafication model (data deduced by predictive analytics)

Takes things beyond consent

People may not realise how their information is used to create new information that hasn’t been volunteered. They have no control over that information.

Need to switch focus from data collection to data processing (to generate new information and knowledge)

People reveal personal information when performing everyday activities such as reading ebooks

Consent is now meaningless because it assumes that data subjects make conscious, rational and autonomous choices about the processing of their personal data

Ethical challenge isn’t over whether to collect data, rather it is about responsible use and analysis of that information.

Move from data collection (ontologically oriented) to data processing & analytics (epistemologically oriented)

Datafication model assumes data has been collected (collected, amassed, stolen, bought, hacked or otherwise acquired).

Looks at patterns of behaviour

Dataification: where data is assumed based on patterns from big data, based on probability. Consent not required, because they are working on what they have deduced or guessed for themselves.   further develops Bentham’s panopticon, seeing it as a means of exerting order and control over human populations, often through unseen forces

Personal data & algorithms

If search engines and their advertising partners gather data about someone’s internet search history and search habits; and if they then use this information to determine whether they should be offered or refused services based on that data; or if they offer them a price for something based on that information thereby instigating price discrimination; or if they build up a picture of who they think that person is based on information they have collected, and take it much further by using the power of big data and predictive analytics to infer or predict a likelihood that  the person fits into this or that pidgeon hole:

How do you know what data they are relying on

Whether it is accurate

How do you know how that data is being used

If its new derived information derived using predictive analytics what control or rights does the individual have over it, if any

How are the companies that use this information accountable

How do we get to know how the algorithms actually work

A few weeks ago I was working from home and was undertaking a piece of research on substance abuse and drug overdoses of US veterans. What on earth would anyone make of that if they were to look at my search history. At what point would I be given an opportunity to say, oh excuse me, but please be aware that this doesn’t say anything about me, it was for work, and it should be ignored when you are coming up with your sophisticated profiling?

Quotations on librarians & privacy

Over the last two years I have done a lot of reading about privacy in libraries and have been gathering quotations from a wide range of sources (from books, academic articles, the professional literature, tweets and more).   I have chosen the quotes below because they are thought provoking. They make us stop and think.  And they cover a range of issues – the role of the librarian in protecting user privacy, the values that guide us as professionals, the challenge of protecting privacy in the digital space, not just physical space etc.

“We keep talking about how libraries are heralds of privacy, but we are terrible at it” TJ Lamana @TheNewLibrarian, Tweeted 26 June 2016 https://twitter.com/thenewlibrarian/status/747116391505879040

Librarians have done a good job of protecting privacy in the print world, but in the online world they are somewhat lacking (not an exact quote for the last bit) Mike Robinson, 2016. Changing the landscape of library privacy http://www.slideshare.net/TechSoupGlobal/webinar-the-changing-landscape-of-library-privacy-20160615

“librarians talk good talk about user privacy but continue to use (and build) software that provides no protection from snooping librarians, contractors or police” and the reason he gives is that “librarians have tended to prioritise functions that make our lives easier rather than those that make library users’ lives easier” Hugh Rundle, “Zoia Horn’s library: protecting users’ privacy with Tinfoil” 3rd July 2016

“Public libraries are among the last protectors of privacy in contemporary society”            Brantley, 2014. Books and browsers

“teaching patrons how to use the internet, but not how to use it safely is like showing someone how to drive a car, but not where the seatbelt is” Matthew Beckstrom, 2015. Protecting patron privacy: safe practices for public computers

“Librarians feel a professional responsibility to protect the right to search for information free from surveillance. Privacy has long been the cornerstone of library services in America…the freedom to read and receive ideas anonymously is at the heart of individual liberty in a democracy”  American Library Association (n.d.) Why libraries?              https://chooseprivacyweek.org/our-story/why-libraries

“If we cannot (or do not) protect the intellectual privacy of our users, then we are failing as professionals”  Ian Clark 2016 IN Journal of Radical Librarianship

“Libraries have, with the best of intentions in the world, taken a strong position on privacy, and they have lost. They got the whole privacy thing all wrong. Rather than participate in the policies of their institutions and the many organizations that interact with them, they have abdicated their role and are now watching as their institutions are being colonized by commercial interests, which are no longer answerable to libraries”      Joseph Esposito 2016. The Scholarly Kitchen 23rd June 2016 “Libraries may have gotten the privacy thing all wrong”

“There is, or there should be, a taxonomy for surveillance and tracking that would keep things in perspective. What that perspective should be is the work of thoughtful, civic-minded information professionals – librarians, for short. We should root for them to take the field, but it appears that we will have to look elsewhere for heroes. The library community has concluded that this is a distasteful battle and have simply walked away from it. We are all worse off for this”.   Joseph Esposito 2016. The Scholarly Kitchen 23rd June 2016 “Libraries may have gotten the privacy thing all wrong”

“Librarians have a professional responsibility to protect the right to access information free from surveillance. This right is at risk from a new and increasing threat: the collection and use of non-personally identifying information such as IP addresses through online behavioral tracking.”       Information Week 16th February 2016    “Library manners demands respecting the privacy of others”   The Cincinnati Enquirer, 8 August 2013. Nancy Rowles, A letter to the editor: Respect privacy at the library

“Privacy is a cornerstone of our professional ethics. …We have an obligation to protect the privacy of our users as a matter of principle.” (p. xii)          Woodward. What every librarian should know about electronic privacy.

Privacy as a core value of librarians

Having done a quick analysis of my literature review, I recently posted a tweet listing the authors who appeared four or more times. That posting was viewed many times, and several of the authors on the list either responded directly to me or retweeted the list.
In the case of @D_McMenemy, (https://twitter.com/D_McMenemy/status/827632879886802944 and https://twitter.com/D_McMenemy/status/827637315250053122), David quite rightly pointed out that Michael Gorman wasn’t on the list. In fact, I had already got several of Gorman’s works in the literature review, but not enough to trigger him appearing in my tweet (ie. less than the four or more occurences  for all of the authors who I had listed).
I am really glad that I put up the list, because only by doing so did I get the useful feedback that I did. So I would like to say thankyou especially to David, because it has made me realise that I need to spend more time thinking about privacy from an ethical perspective, not just from the perspective of law, technology, information security etc etc.
In 2000 Michael Gorman published a book “Our enduring values”, in which he lists the values that characterise and shape the work of librarians:
Gorman’s eight core values

1.       Stewardship

2.       Service

3.       Intellectual freedom

4.       Rationalism

5.       Literacy & Learning

6.       Equity of access

7.       Privacy

        a.       ensuring the confidentiality of records of library use

        b.       overcoming technological invasions of library use

8.       Democracy

Thinking of the point “overcoming technological invasions of library use”, that seems to get harder and harder for every day that passes. As Gorman says “Even in many democratic countries, the twin threats of an empowered surveillance state and a big technology assault on privacy make the defense of intellectual freedom harder than it was in previous generations” (from Our enduring values revisited, 2015).
Given that I only started my PhD studies formally on 1st February, I feel very fortunate to know right from the outset that I need to make absolutely sure that for the literature review I search for material on privacy that comes at the topic from the ethical perspective.
See:
Gorman, Michael. Our enduring values: librarianship in the 21st century. 2000. ALA Editions
Gorman, Michael. Our enduring values revisited: librarianship in an ever-changing world. 2015. ALA Editions