SECURITY FOR ONE, SECURITY FOR ALL
Several key areas address security within your own library, with information that you can use when advising patrons on the topic:
The machines that run the library or connect to internet- based services are subject to significant risks—malicious websites, malware, or a user attempting to break into the machine.
Lock down your entire network with the same type of con- trols that major corporations use: strong passwords (proquest.com/blog/pqblog/2015/10-Tips-for-Creating-Secure-Passwords.html), removal of administrator access for staff who do not require it, two-factor authentication for staff machines and applications, and tools that restore a clean image with every reboot for patron-facing machines (faronics.com/products/deep-freeze).
Program daily or weekly backups of any machine that contains important information, and check that you can successfully restore from those backups at least every few months.
Investigate the use of anti-malware applications to supplement the standard anti-virus software common on most PCs and some mobile phones. Anti-malware not only blocks but also cleans your system of malicious applications that find their way onto machines through the clicking of untrusted links in emails, opening malicious attachments, or installing untrusted applications.
Consider a separate network for patron use that cannot communicate with or compromise the network that staff use for key library functions.
Never plug an unknown device into a USB port or network jack. A common computer attack ploy is to drop a USB drive in a parking lot outside an office building or library. An unsuspecting employee or patron finds it (“Wow, free thumb drive!”), plugs it in, and voila—malware.
Ransomware is a type of malware that holds the data on the computer hostage by encrypting it. Only payment to the attacker will recover the data. According to a 2016 Symantec study (symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf), the average ransomware de mand has more than doubled between 2015 and 2016 and is now up to $679, from $294 only a year before.
In January 2017, the St. Louis Public Library had a ransomware attack that affected 700 devices and all electronic functions, including public computers, catalog search, and circulation, for days. The library did not pay the $35,000 ransom, but successfully used backups to restore systems to their previous operational state.
Phishing is the art of getting a victim to provide information to an attacker. The most popular means of attack is email.
In email phishing attacks, a key approach is to convince a user to click a link that looks just like a valid email from a known company and to go to a website that also looks legitimate. Of course, it is not. Tell your patrons: “Never open email links from an individual or company you don’t know or recognize as legitimate.” Does the suspicious email truly come from the person it pretends to be? Hover over the name in the “from” bar or any link within it and note its email address or URL before opening or clicking.
Nearly everything operates within the web browser. HTTPS encrypts and protects the content between the web browser and the server. It also ensures that you are actually communicating with the server you think you are.
In 2017, the new normal is that HTTPS should be used for all services, or be on the library’s road map. If the lock icon is not seen in the address bar, then HTTPS is not being used; it is OK to ask the service provider or system owner when HTTPS will be supported.
For library systems accessed by patrons or that require encryption, a new offering called Let’s Encrypt (letsencrypt.org), spearheaded by the Electronic Frontier Foundation (EFF), provides free encryption certificates that are trusted by all major web browsers.
In January 2017, Chrome and Mozilla implemented changes to encourage more hosted applications to adopt HTTPS by adding a “Not Secure” or red lock image for pages that do not use HTTPS and ask for secure information such as passwords or credit card numbers. By the end of 2017, this warning will be visible for all pages that do not use HTTPS in the web browser.
A recent trend in libraries is to provide Wi-Fi internet devices for patrons to check out. Ensure a full factory reset of the configurations of each device is performed every time one is returned to make sure the devices are safe for the next patron and free of malware that can infect your library’s or the next patron’s network.
DEALING WITH DATA PRIVACY
There is concern about how using technology for library services could impact the strict ethical standards libraries have established to protect user privacy.
Users see library web services in the same light as con sumer websites. They expect knowledge and personaliza tion; they want previous searches or book check-outs to inform future results; they want to store and retrieve documents; and they want to share their results. To provide such services, an advanced level of data must be maintained and analyzed. However, merely collecting does not equate to a privacy violation, especially when done in a transparent and consistent manner.
Opt-In Versus Opt-Out
The key to privacy success is to give the owner of the personal data, in this case the user, control over when his or her data is collected, knowledge of how it is used and with whom it is shared, and a clear understanding of the value he or she will receive for providing the data.
This type of informed user will continually be more criti cal of services that collect data and thus be more likely to seek out and demand those that ask them to explicitly agree to data collection and use, a process also known as “opt-in.” Many consumer services are “opt-out,” claiming that any use of their service is akin to implicit acceptance. In such cases, if a user would like to revoke that acceptance, the user has to find the way to tell the service provider. (To make that task just a little more difficult, the opt-out link or page is typically hidden deep within the website or appears in small, innocuous type at the bottom of a long webpage or email.)
It is reasonable for libraries to expect service providers to either provide explicit opt-in for data collection or have a road map that includes it in the near future.
Anonymization & Tor
Another mechanism of protecting data and anonymity is Tor, a distributed service that encrypts and routes internet traffic to protect the origin and the contents of the transmission from interception and traceback by attackers or those performing surveillance against the user. You can install Tor clients on patron-used public systems within the library. However, first discuss this option with library boards or oversight committees to ensure it aligns with the expectations of the library and local regulations. While Tor is very effective, it is not perfect and cannot guarantee complete anonymity or protection on the internet.
Possible Privacy Regulatory Changes in the U.S.
As of February 2017, Ars Technica reported that the new chairman of the FCC indicated a desire to roll back internet network neutrality regulations (arstechnica.com/tech-policy/2017/01/republican-led-fcc-will-quickly-get-chance-to-overturn-isp-privacy-rules) as well as a privacy provision that only recently became effective (in October 2016) which pre vents ISPs from selling the browsing data of internet users. Both of these changes would affect privacy of patrons and the community. They warrant a close watch to follow their progress in potentially being revoked so the impacts on libraries, patrons, and the wider community can be assessed.