This is Part Two in my many-part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. This week we'll talk privacy, and up next will be a general "Staying Safe Online" that will cover a million and one tips on how to keep you and your computer safe.
Privacy is a relative term. That is, the things that I consider important to my privacy, someone else might not care about. As librarians we usually key in on Confidentiality Threats. We want our patrons' records safe. We also don't share that information with ANYONE else. In general, we are fierce about protecting our patrons’ privacy. This is something that has always set us apart from everyone else. Amazon won't do it. Google won't do it. Do I even need to say Facebook won't do it? People who come into the library or use our web sites don't worry about what's going to happen with their information (or at least they shouldn't need to worry about it). They should know we are doing our best to guard their privacy. Keeping all our IT resources secure should be a large part of guarding that privacy.
There are no big events, dead bodies or explosions in privacy violations. It's something that is slowly eroding over time. The troubles are more subtle and are caused by errors, or intentional misuse, and a shocking lack of transparency, accountability and security. We don't think about privacy much; we only think about it when things are going wrong. Most people tend to think privacy isn't very important, and don't give it a second thought. Most companies make money by keeping our information as free as possible so it can be used, shared, and sold.
Let’s start this section with some general arguments FOR privacy, some reasons why privacy is so highly valued in our profession:
- Invading a person's privacy can give you access to information about them which you can then use against them, even if that information is not objectively illegal, immoral or unethical.
- With privacy comes more freedom.
- People invading your privacy are not infallible. They will overstep their bounds.
- We don't know how our information is used or stored.
- We don't know who has access to it.
- We don't know how or when we can fix mistakes.
- We don't know how long it's stored.
- We don't know what it'll be used for in the future.
- We don't know how it may be distorted or manipulated.
- It can easily be misused on purpose or accidentally.
- It can be stolen.
- Privacy is not about hiding bad/illegal things.*
*This is the old “If you have nothing to hide then there is no reason for me to look” argument against privacy. The problem with the “nothing to hide” argument is the underlying assumption that privacy is about hiding bad things. Agreeing with this assumption concedes far too much ground and leads to an unproductive discussion of information people would likely want or not want to hide. It may indeed be that you have nothing to hide, but all the information that is being collected on all of us can certainly cause trouble.
I think that most librarians would agree with this statement from "The Eternal Value of Privacy":
"Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness"
So then what about when we are online?
More than ever we are being tracked & followed online, and what we do is used to build a database of personal information. So much of our communication is electronic, and so much of that leaves behind a trail, and that trail is recorded, and then bought and sold. We are volunteering an amazing amount of information online, through cookies and other tracking information, and we have no choice but to hope those databases are safe and secure. Your printer is spying on you, your passport can be read from very long distances, your iPhone is recording where you go, Google is spying on you, Facebook is spying on you... it seems like it never ends.
Facebook is leading the way with its more permissive privacy settings. Mark Zuckerberg famously said, “There are new social norms now.” Facebook believes people are okay with reduced privacy, and that people don’t mind putting Facebook in control of their personal information. Facebook seems to think it gets to decide if you're safe, secure and private. In general Facebook will default to openness and sharing of your information, because this is how they make money. Their "recommended settings" tend to share MORE rather than LESS. It recently became widely known that Facebook is sharing cellphone numbers between Facebook friends, and one would be well advised to ask who else.
In a particularly egregious example of a total disregard for its users' privacy, LinkedIn amended their 6000+ word "privacy" policy in a way that allows them to use your name and picture in social advertising. So LinkedIn will watch what you do, figure out what you might sell for them, and then use your name and picture in an endorsement they make for some crap they'll stick on your friends' pages. They also allowed your private information to be shared with unknown "third parties" for unknown purposes.
Other sites like Spokeo & Intelius can also take publicly available information about all of us and tie it together. The result is a frighteningly accurate picture of who we are, for sale to anyone.
There are ways to opt-out of most major tracking companies. However, a study by Stanford University Law School's Center for Internet and Society has found that many online advertising networks are not adhering to their own privacy policies and continue to rely on and push out Web tracking cookies even after users have indicated that they do not wish to be tracked. Half of 64 online advertising firms did not remove their tracking cookies from the computers of consumers who had opted out of behavioral ad targeting. More recently, researchers at U.C. Berkeley have discovered that some of the net’s most popular sites were using a tracking service that can’t be evaded, even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.
And what about privacy on your cell phone? Do you know (or care) that your phone could be giving it away? Most applications get to decide what they have access to. We are given few choices and usually aren't even aware of what the applications might be sharing. Fine-grained control is lacking, and we are left with a take-it-or-leave-it situation when an app wants to have access to our phone. This can be used to access your phone's location and identifiers to give advertisers and others insights into your habits.
We can begin to address issues of online tracking by considering some practical advice related to Facebook. Since it’s one of the more popular social sites that people use, it’s one of the more important sites to focus on. How can you make Facebook safer and more private?
- Check your settings.
- Be cautious of apps and links and anything shared by anyone.
- Use https.
- Never share anything that you don't want read everywhere by everyone.
- Know your friends. Do you really know who all your "friends" are?
- Always watch for changes to your privacy settings by Facebook.
Now in general, how can we all work to be more private online? Remember that YOU should decide what information about yourself to reveal, when, why, and to whom.
- Turn on cookie notices in your Web browser, and/or use cookie management software.
- All browsers have privacy settings: get to know them and change them to be more private.
- Keep a "clean" e-mail address, one that is never given to anyone but trusted friends.
- Don't reveal personal details to strangers or just-met "friends".
- Check privacy (and https) settings on all social networks.
- Realize you may be monitored at work: avoid sending personal e-mail to mailing lists, and keep sensitive files on your home computer.
- Beware of sites that offer some sort of reward or prize in exchange for your contact information or other personal details.
- Do not reply to spammers, for any reason.
- Examine privacy policies and seals on sites you use.
- Use BCC when forwarding emails.
- Be careful with passwords (I’ll post an entire essay on passwords soon).
- Check for unintentional content/metadata in photographs you post online (e.g. geotagging, pictures of credit cards, etc.)
- Think about what you’re telling everyone by "checking in" on social sites.
- Don’t overshare.
- If you're really serious, use anonymizers.
Another interesting battle involving issues of online privacy can be described as that of “Transparency vs Anonymity”. We can choose to write and contribute as ourselves in a completely transparent way (e.g. I am Blake here on LISNews) or to be more or less anonymous (e.g. bibiliofuture is obviously a pseudonym and chooses to remain more or less anonymous) or somewhere in between (e.g. birdie is well known to regular readers as Robin). I believe anyone should have the option to be anonymous here at LISNews. Two popular websites that serve as prime examples of this battle are Facebook and 4chan. The folks behind Facebook believe that we should always be ourselves. Facebook thinks it best we are all identifiable in what we write on the web. 4chan and its founder are strong believers in anonymity. I believe there are solid arguments on both sides of this debate:
- When you're really you, you're willing/obligated to accept failure and criticism, and this will make you less likely to speak up or take controversial viewpoints, or disagree.
- With one identity, whatever you do and whatever you say or write, is always associated with you, so it makes you accountable for your behavior, and probably prevents slander, flamewars, etc...
- If you're anonymous, you're unfiltered and raw. You have expression without repercussions; it fuels creativity and experimentation, and makes what you do more authentic.
- If you have more than one identity, or if you're hiding behind anonymity, you're being inauthentic and cowardly.
I won't choose a side here; I'll let you decide if you believe there is more good in being anonymous or transparent. For many people, being anonymous, or at least using a pseudonym, doesn't mean they are trying to hide, but rather that they are finally able to be themselves. They can be real about themselves but not use their real name. Having a pseudonym, or being anonymous, allows what we say to be judged on its merit alone, with no preconceptions.
There is an arms race between those who want to track, and those of us who wish to opt out. Who will win this race may be determined by Congress. So far, the United States has no comprehensive law protecting consumer privacy. We have a patchwork of laws, and some self-regulation. We should hope any new law would force companies to allow us to know exactly what is happening to our information. This may be changing: as a recent NYTimes report says, the F.T.C. has endorsed a related idea — that companies collect only the data they need about people and keep it no longer than necessary. If businesses minimize data collection from the get-go, there may be less need for an eraser button later, says Jessica Rich, deputy director of the F.T.C.’s bureau of consumer protection.
I think that we, as librarians, need to consider a few questions:
Are there really new social norms now?
Are people okay with less privacy now?
Should this make any difference to your library policies?
Finally, something to think about… In theory, all your emails could become public, or are already public.