1. “What Happens When I Log Off?”
May 22, 2018
“Data, Libraries and Justice”
Eastern NY ACRL Conference
“What Happens When I Log Off?”
Data Privacy Literacy in the Library
I’m going to talk about some more context to data and privacy and surveillance these days, as well as describe some of the training work for library staff that we’ve been doing in NYC, and some practical elements of digital privacy literacy.
Melissa Morrone
@InfAgit

2. How do I prevent my bank account from getting “hacked”?
What is a strong password?
Can the library tell what sites I visit on the computers?
When I log off a public computer, can the next person see my files or get into my ?
Why do I see the same ads on different devices for something I searched for online?
Is my information still private when I’m connected to an open wifi network?
Why did I get pulled over by the police?
Why was I denied a loan?
First, I’m going to present to you some questions for reflection.

3. Who might have this question? You? Your colleagues? Your students?
Is this an Internet knowledge question?
Is it a library policy question?
Is it a legal question?
Is it a technological question?
Is it a political question?
Do you know the answer? Who (else) might know?
Is the answer the same for everyone?
And here are some questions about the questions.
I want you to hold onto this reflection process, how it can hopefully disambiguate some of the issues around data and its production and retention, how privacy vulnerabilities can occur at many points along the flow of data on the internet and be accessed and exploited by different actors, and how not everyone may encounter these types of questions in their lives, but these questions all kind of fall under the umbrella of “privacy.”

4. Gave her contact info to predatory telemarketers
Now I’m going to tell a few stories of real-world scenarios about data access and use that were not consented to.
Someone I know once got a late night that looked like it was from YouTube and clicked through to a user survey that would put her in the running for a gift card raffle. She distractedly filled out the survey, and then thought, "I don't know if that was really YouTube..." The next day she woke up to a series of phone calls from representatives of various companies about credit cards, loans, and refinancing offers.

5. Daughter found her browsing history
Gave her contact info to predatory telemarketers
Daughter found her browsing history
Someone else I know who shares her personal computer with her daughter got in a bit of trouble, before she learned about cookies and private browsing modes. When her daughter was 11 and saw something in her mother’s browsing history, they “had to have a conversation.” Now this woman takes extra steps to preserve her privacy at home.

6. Daughter found her browsing history
Gave her contact info to predatory telemarketers
Daughter found her browsing history
And a third person was telling her colleagues about the mysterious charges from Azerbaijan that once appeared in her credit card transaction history. She had been browsing the web when a window popped up indicating a problem with her account and prompting her to enter personal data. When she saw the subsequent credit card bill, she figured out what had happened. A chorus of accusations from everyone else —“Why did you click on the pop-up?” “Well,” she said defensively, “it said it was important!”
These were all...librarians! These stories help illustrate why the Data Privacy Project happened.
Shared her credit card info with thieves

7. The Data Privacy Project
A few years ago BPL received funds through the IMLS Laura Bush 21st Century Librarian Grant to do a project on digital privacy and data literacy in libraries. Our partners were the Metropolitan NY Library Council, or METRO, our local professional development organization, Seeta Peña Gangadharan New America’s Open Technology Institute, or OTI, and Bonnie Tijerina at Data & Society Research Institute. We hired Research Action Design to develop and conduct the training – you can see Bex Hurwitz from RAD right there. We trained a few hundred staff, mostly but not all librarians, at Brooklyn Public Library and then around NYC, in both theoretical and practical topics related to digital privacy. 7

8. How did this all happen? We actually started working with OTI’s Seeta Pena Gangadharan in 2011 on her research on marginalized people and their digital literacy and their attitudes towards privacy and online surveillance, and out of that came, among other things, evidence that library staff too have questions and varying levels of familiarity with privacy tools and how data flows online.
Mutual acquaintances put me in touch with Seeta, who wanted sites with public computer centers to study for her research on marginalized people who were new to the Internet, and their attitudes and practices related to online surveillance. We ended up having her come into BPL to observe public computer classes and speak with a number of staff, including librarians and Technology Resources Specialists (TRSs), the clerical title at BPL that conducts the bulk of the computer classes. Out of those meetings emerged the realization that, of course, library staff ourselves have questions and uncertainties about digital privacy and Internet issues (and that’s also where we heard some of those stories I just shared with you). So, we went out for the IMLS grant.
To be clear, working on a project like this is not exactly part of my job – I’m not otherwise involved in professional development at my library. 8

9. Curriculum (facilitator guides, handouts, zine) dataprivacyproject
Curriculum (facilitator guides, handouts, zine) dataprivacyproject.org/curriculum/
Online learning modules dataprivacyproject.org/learning-modules/overview/
Going back to the IMLS grant…This grant was specifically a professional development grant, but of course the ultimate goal is to enable library staff to better instruct and guide library users.
At BPL, we conducted one three-hour workshop in the summer and early fall of 2015, and a second, more practical three-hour workshop in early Then we adapted the curriculum for a more general library audience, not just public library staff, and held it through METRO.
The detailed facilitation guides (which, remember, are frozen in time, from 2016!) are online and available for download, along with handouts. We also translated some of the portions of the training into online modules, so you can take a look at those.
And then, since we still had money in the grant, we made a zine, which I have copies for some of you!
No curriculum, especially on digital privacy, appears from scratch, and one of the great things about working with RAD was how they work with a whole constellation of people, so we had a variety of technology educators co-facilitate the workshops. We’ve also used our contacts in the tech community to get feedback on the curricula, which strengthens existing bonds with people who work on protecting journalists, run CryptoParties, develop user-focused security technology, and so on. The content of the training also draws on resources from the Electronic Frontier Foundation, Frontline Defenders, the Library Freedom Project, and the Tactical Technology Collective. 9

10. Developing the curriculum and delivering the training was meant to be participatory on the sort of “client” side and involve library staff at multiple levels. At the start of the project, I put together a curriculum advisory committee made up of BPL staff of multiple titles, including librarians, Technology Resources Specialists [which are...], and IT workers. We met in person a few times and communicated via about whether the curriculum that RAD was crafting was comprehensive, appropriate, and understandable for public library staff. I met regularly with RAD personnel, who worked hard to apply an iterative refinement process to make the curriculum as relevant as possible for us.
For Workshop Two, we added a layer. In addition to drawing on the curriculum advisory committee, we used BPL staff as co-facilitators—in other words, as teachers of their colleagues. Here you see one of our TRSs, Ronella, acting as a co-facilitator during one of the trainings. The “train the trainer” model is often deployed at BPL for both efficiency and professional development, and given our grant partners’ commitment to library worker empowerment and more horizontal forms of learning, it made sense to involve BPL librarians and TRSs in this way.
This meant that the quality of instruction was not totally consistent, as some library co-facilitators were less certain about the material. At its best, though, staff attendees could see one of our own up at the front of the room teaching. It was equally important for them to trust that people from within the organization had a hand in the training, and that it wasn’t coming from an outside agency that may have been well-intentioned but ignorant about public library contexts.

11. In terms of students, at BPL the training brought together disparate groups within the organization who are all stakeholders in different ways in educating patrons on technology use. People found it helpful to be in a forum with colleagues in other titles and working in other branches and departments to talk about library policy and how to answer questions we get from the public.
In terms of content, one of the goals of the overall training was to make more visible the infrastructure of the internet, as a way to start staff's being able to answer those questions about the safety of wifi networks and online tracking and so forth. Here we see some library staff doing the data flows exercise that was at the beginning of our first workshop, which prompted participants in the training to literally draw out the paths that digital information might take in processes including sending an and visiting a website, and what hardware and businesses or organizations that that digital information encounters on its way. 11

12. This image, which is in one of the learning modules at dataprivacyproject.org, is based on this data flows exercise. Obviously a lot about understanding how the internet works is independent of the library, but we wanted to keep the curriculum tied to the library context, so here you see that the person is on a library computer and has signed on with their library card that authenticated against the ILS, before the patron opened the browser and typed in a URL. 12

13. Bibliographic database
Acquisitions system
Bibliographic database
Circulation records system
Digital repository
Online serials
E-books
Subscription databases
Link resolvers
Devices for loan (tablets, hotspots)
Online library catalog
Discovery layer
Chat reference platform
Library website and other Web properties
Servers
Routers
Hard drives
Internet service
Network traffic management tools
Web analytics
Public computers
Computer reservation software
Web filters
Privacy screens for public computers
Wifi
Kiosks to pay for printing and fines
Copiers
Scanners
Room design
Furniture
Security cameras
We also prompted staff to think about the different intermediaries in the library between users and their personal data, and what level of control the patron and the library each have over those intermediaries. The library context is complicated because of its role as a digital provider, and its role as a digital consumer.
Through a planning exercise with a small group of BPL staff, we came up with as many services and elements as we could think of that could affect patron data and privacy in the library.
How many of these are completely under the control of the library itself and don’t involve an ongoing data flow with a third party whose own privacy policies affect access to patron data? 13

14. Depending on how you look at it, it could be, at most, these…
Acquisitions system
Bibliographic database
Circulation records system
Digital repository
Online serials
E-books
Subscription databases
Link resolvers
Devices for loan (tablets, hotspots)
Online library catalog
Discovery layer
Chat reference platform
Library website and other Web properties
Servers
Routers
Hard drives
Internet service
Network traffic management tools
Web analytics
Public computers
Computer reservation software
Web filters
Privacy screens for public computers
Wifi
Kiosks to pay for printing and fines
Copiers
Scanners
Room design
Furniture
Security cameras
Depending on how you look at it, it could be, at most, these… 14

15. Layers of Influence on Privacy in the Library
And, the first workshop of the training also addressed the layers of influence on privacy in the library, to continue thinking through what “privacy” means and what and how library staff have in our control. In addition to those third-party vendors that bring in the services I talked about a minute ago, there’s:
Code—or the technology itself that a library implements—plays a role in privacy protection. For example, certain kinds of software encrypt or anonymize patron data to the extent that it’s difficult to determine what a particular patron is doing on the Internet. Technologists can create privacy-protecting software that is effective and easy to use by people in the library—or in any setting.
Library Policies. Local control can mean that a library has the power to establish guidelines for how data is stored, deleted, or shared, including who has access to patron data, how public computer session data is retained and/or purged, and the confidentiality of library transactions. And patrons can affirm, question, and express concerns about these policies that affect their use of the library’s digital services.
Patron and staff practice that’s a microcosm of social norms. Do patrons share library account passwords with their friends and family members? Do library staff help people set up new accounts down to password selection? Do technology class curricula include information about the importance of logging out of websites on public computers, choosing strong passwords, adjusting browser settings, and other elements of good privacy hygiene? These and many other social and professional practices are part of the culture of privacy at the library.
Laws, whether at the local, state, or federal level, also shape the ways in which information about library users will be dealt with. Patrons as well as library workers can participate in regulatory debates about privacy policies that affect whether and how the library provides patron data to legal authorities. And lawmakers can, or can not, institute policies that support privacy and data literacy at the library. For example, the federal Children’s Internet Protection Act influences network management at libraries that receive E-Rate funding, as they must install filtering software that (ostensibly) prevents children from accessing harmful or obscene content on the Internet. As we all remember, the Patriot Act requires the library to provide access to library records when requested with the appropriate authorization. And here in New York and many other states, state law dictates that library records must be kept confidential.

16. nysenate.gov/legislation/laws/CVP/4509
Here’s the relevant section from NY’s code, section 5409…
In short, the practices, norms, and values of people in the library—patrons and staff alike—will factor into how its information flows. People’s expectations of privacy are affected by legislation, media coverage of related events, community participation in digital platforms, the interfaces and policies of these platforms, and awareness of the flows of their data, among other factors. The library can play a role in shaping these expectations and educating people on what is possible to demand.
nysenate.gov/legislation/laws/CVP/4509

17. nysenate.gov/legislation/laws/CVP/4509

18. So this is some of what we talked about during the first workshop
So this is some of what we talked about during the first workshop. The second was more practical, where we talked about some specific tools and how they work and what sorts of risks they’re designed to mitigate. One of the sections of that workshop was on passwords, which sounds kind of basic but about which there’s a fair amount to say, and here we see a BPL staffer checking Kaspersky’s online tool that evaluates how strong your password is and how long it would take for a computer program to crack it.
One of the challenges of the two-part training overall was hitting people at the appropriate level. Overall the feedback was positive, but we heard from as many people who said that the training was so much information and kind of overwhelming as people who said, “It was good, but I kind of knew everything already…”
The second workshop made one technology trainer I spoke with think about how online security is more than simply antivirus protection. Indeed, there are many more ways that your computer and/or accounts can be harmed or compromised, and this generates a valuable conversation for staff since otherwise we take a lot for granted.
There was also the problem of the gap between the relatively high level of much of the “practical” workshop curriculum and the digital literacy of the majority of library users who actually approach the staff with technology questions. I have personally been asked only once specifically about a VPN, for instance, and that by a patron who had just heard of it herself from a friend and voiced the unfamiliar acronym self-consciously when talking to me. On the other hand, there have been countless queries from people who want to know if it’s “safe” to use their laptops or other devices while connected to the library’s unsecured wifi. And many BPL staff said that they were glad to learn about tools they could use in their personal life, not just at work.

19. — ALA Code of Ethics (1939-present)
We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.
— ALA Code of Ethics (1939-present)
We did invoke the ALA Code of Ethics during our training, but we didn’t really spend much time talking about what privacy is and why it’s important. Now, I know not everyone is an ALA member and professional guidelines are just that, not a guarantee that patron privacy really is always protected. Remember from a few slides back just how beholden all our institutions are to third parties who have their own business models and privacy policies.
I also recently heard a story about an academic librarian who got a request from the university administration to track and turn over some library data about the students. When a colleague expressed concern about the students’ privacy, the first librarian said coolly, “I was hired by my institution, not by my profession.”
But yes, for a long time librarianship has been vocal about patron privacy. This did make much more sense in a less complex era of patron transactions that involved only an analog, or not Internet-connected, record of book-borrowing. And if you remember back to the early aughts, librarianship was very vocal around the PATRIOT Act and issues of government use of data, but we missed the boat on the transformation of digital life to the collection of PII as the fuel. 19

20. Financial vulnerability ("hackers”)
Interpersonal threats (a harmful ex)
Corporate tracking (the shoe ads)
Government surveillance (Snowden; food stamps)
Who knows? (your Internet-connected toaster)
So let’s spend a little more time talking about what exactly privacy is. There are multiple legalistic and technological definitions that you can look to, and that are beyond the scope of this talk, but I think it’s crucial to think of privacy as being contextual. Helen Nissenbaum is someone who’s done a lot of work in this area of contextual integrity.
Privacy is not a binary; we may be accustomed to switches that we flip and toggle on our computers and in our apps. What I think a lot of us mean when we want our “privacy” respected and protected is control over it – you may want to share a photo of yourself at a party with certain people at a certain point in time, but that doesn’t mean that you want that photo available for other audiences, or owned by the platform to which you uploaded it.
And lots of times when you bring up privacy and staying safe online with people, their first thought is of “hackers.” Now, hackers are not solely malevolent basement dwellers or members of international rings of thieves, although those people do exist (remember my colleague who was phished for her credit card info), and there are other digital privacy risks.
This is totally not a scientific classification, but let’s consider these different categories… 20

21. NBC News, September 7, 2017
It is really, really easy to feel disempowered no matter who you are. For example, probably all of our Social Security Numbers are out there on the internet somewhere.

22. NBC News, September 7, 2017 The Guardian, March 17, 2018
Even if you’re not a Facebook user yourself, your online behavior is being tracked.
Also, this was an early headline – it’s up to about 87 million people affected by this Cambridge Analytica thing.

23. NBC News, September 7, 2017 The Guardian, March 17, 2018
There are massive data brokers and platforms that aren’t household names the way Equifax and Facebook are.
Bloomberg, April 19, 2018

24. NBC News, September 7, 2017 In Justice Today, May 8, 2018
The Guardian, March 17, 2018
What do you know, large-scale data collection efforts are of interest to local police departments, too.
“The LAPD uses Palantir’s Gotham product for Operation Laser, a program to identify and deter people likely to commit crimes. Information from rap sheets, parole reports, police interviews, and other sources is fed into the system to generate a list of people the department defines as chronic offenders, says Craig Uchida, whose consulting firm, Justice & Security Strategies Inc., designed the Laser system. The list is distributed to patrolmen, with orders to monitor and stop the pre-crime suspects as often as possible, using excuses such as jaywalking or fix-it tickets. At each contact, officers fill out a field interview card with names, addresses, vehicles, physical descriptions, any neighborhood intelligence the person offers, and the officer’s own observations on the subject. The cards are digitized in the Palantir system, adding to a constantly expanding surveillance database that’s fully accessible without a warrant. Tomorrow’s data points are automatically linked to today’s, with the goal of generating investigative leads.”
With this, let’s start thinking too about who are the most vulnerable among us, and what is our responsibility to them from our position in libraries and educational institutions?
And let’s also think back to that data flows exercise I told you about. I think that understanding the structure of the internet bolsters our critical thinking about not only how tools work but how they fit into the political and economic structure of the internet, which is after all a crucial part of the infrastructure of research and scholarship, cultural production, professional communication, and so much more that relate to libraries’ work. It also helps us understand the risks and vulnerabilities that our library users face.
Bloomberg, April 19, 2018

25. Near-total freedom from digital surveillance for an individual is simple, after all: just lead the life of an undocumented migrant laborer of the 1920s, with no Internet, no phones, no insurance, no assets, riding the rails, being paid off the books for illegal manual work. Simple, but with a very high cost, because the threat model of “everything” is ludicrously broad.
— Obfuscation: A User's Guide for Privacy and Protest, Finn Brunton and Helen Nissenbaum (2015), p. 85
Now, to underline what those headlines drove home, we are all at risk.

26. Near-total freedom from digital surveillance for an individual is simple, after all: just lead the life of an undocumented migrant laborer of the 1920s, with no Internet, no phones, no insurance, no assets, riding the rails, being paid off the books for illegal manual work. Simple, but with a very high cost, because the threat model of “everything” is ludicrously broad.
— Obfuscation: A User's Guide for Privacy and Protest, Finn Brunton and Helen Nissenbaum (2015), p. 85

27. Risk Assessment, aka Threat Modeling
What information do you want to keep private?
Who do you want to protect it from?
How likely is it they will try to access that information without your consent?
What are the consequences if they do?
How much effort are you willing to take to prevent those consequences?
What are you already doing to protect yourself?
So let’s talk about threat modeling, or, in a less militaristic phrasing, risk assessment. Risk assessment was developed by the EFF, the Electronic Frontier Foundation, and others and comprises some version of these questions.
That last point is actually not usually included, but when we incorporated a risk assessment exercise into our training, Seeta felt it was important to add so that people realize that we do already have skills and awareness; we’re not completely ignorant.
[exercise time!]

28. Here are some of my BPL colleagues
Here are some of my BPL colleagues. When we did this exercise towards the beginning of our second workshop, we held onto the worksheet and then, as we covered a given tool over the course of the workshop, we made time for the groups to consider whether that tool was something that would be of use to their patron profile.
Let’s go around and get some reflections, about your discussion and also about how this felt as a training exercise.

29. Patron 1 is a 30something student trying to leave their abusive partner with whom they have a child. They have a laptop and smartphone that they use to access social media, do coursework, and look for a new housing situation. Currently they’re making use of the campus’s mental health counseling services.

30. Password-protect devices with strong passwords
Patron 1 is a 30something student trying to leave their abusive partner with whom they have a child. They have a laptop and smartphone that they use to access social media, do coursework, and look for a new housing situation. Currently they’re making use of the campus’s mental health counseling services.
Password-protect devices with strong passwords
Two-factor authentication
Incognito browsing mode
Vigilance with privacy settings and photo tagging on social media
Restrict location settings
Consult hackblossom.org/domestic-violence
Strong privacy practices of campus counseling?
Federal legislation to protect health data?

31. Patron 2 is a college professor who researches sensitive subject matter in the library catalog, in subscription periodical databases, and on the open Web. They use both library computers and their own laptop, often connected to the campus wifi. They conduct interviews in person and over Skype with subjects whose identities need to remain anonymous.

32. Encrypt hard drive(s) and phone
Patron 2 is a college professor who researches sensitive subject matter in the library catalog, in subscription periodical databases, and on the open Web. They use both library computers and their own laptop, often connected to the campus wifi. They conduct interviews in person and over Skype with subjects whose identities need to remain anonymous.
Use a VPN
Encrypt hard drive(s) and phone
Use a secure cloud service such as SpiderOak One Backup
Privacy policies of third-party databases?
Read Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment
Consult ssd.eff.org/en/playlist/academic-researcher

33. Patron 3 is a 20something college senior and immigrant rights activist
Patron 3 is a 20something college senior and immigrant rights activist. For coursework as well as their activism, they search for journal articles through Google Scholar and in subscription databases. They get course readings and assignments and upload their completed coursework to an online learning management system. They document demonstrations and post videos online. Recently they’ve started searching for jobs and internships online.

34. Install anti-tracking browser plugins Use Tor for activism
Patron 3 is a 20something college senior and immigrant rights activist. For coursework as well as their activism, they search for journal articles through Google Scholar and in subscription databases. They get course readings and assignments and upload their completed coursework to an online learning management system. They document demonstrations and post videos online. Recently they’ve started searching for jobs and internships online.
Install anti-tracking browser plugins
Use Tor for activism
Log out of Google
Privacy policies of third-party database and LMS vendors?
Consult witness.org/resources

35. And some good things for everyone Look for HTTPS Make strong passwords
Use a password manager
Install anti-malware, including on mobile devices
Apply appropriate privacy settings on platforms
Use a VPN, especially on open wifi networks
“Wash your hands”
And, while the purpose of this exercise is to emphasize that there’s not really “one thing everyone should do,” here are some unifying techniques…
The technologist and trainer Matt Mitchell, who among other things founded CryptoHarlem in NYC, talks about, what do you do when you travel to an unfamiliar place and don’t want to get sick? You don’t need to be a medical professional or expert in the terrain to take a simple action that will cut down on a large part of your risks there – just wash your hands.
There’s information on your handouts about how to find guides to these various topics.

36. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Here’s what’s happening now, following the IMLS-funded trainings. The NYC government is funding additional training that will build on the work of the Data Privacy Project and train staff at all three public library systems in NYC (NYPL, Brooklyn PL, and Queens Library).
It brings together an advisory board made up of staff from all three public library systems in NYC, including me at BPL, plus there’s Bonnie Tijerina from D&S, Seeta, and people from Mozilla, the Freedom of the Press Foundation, the new Digital Equity Lab out of The New School, the NYC government, and others.
Ideally this initiative will be the first in an ongoing collaboration among all these different organizations (hence the subtitled name).
We’re going to develop an online training course, as well as do some in-person workshops, and, like with the Data Privacy Project, curriculum materials will be put online and made available in some way TBD.
Based on what we did with the DPP curriculum, which, again, builds on other digital privacy and security trainings, and taking into account evolving tech and what we felt the DPP curriculum was missing, I’m going to share with you our desired outcomes for this future training through NYC Digital Safety…

37. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Understand the most common threats to a person’s security and privacy, the motivations behind those threats, and how to mitigate them

38. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Understand the most common threats to a person’s security and privacy, the motivations behind those threats, and how to mitigate them
Know how to protect themselves and others online by
Critically evaluating s, sites, applications for security vulnerabilities
Knowing how and when to look for “https”
Understanding app access control notifications
Being able to spot phishing scams
Creating strong passwords
Two-factor identification
Knowing when and how to make use of alternate and/or higher-level tools like DuckDuckGo, Signal, VPNs, and Tor
Limiting unwanted tracking by data brokers, businesses, and social media platforms.

39. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Understand the most common threats to a person’s security and privacy, the motivations behind those threats, and how to mitigate them
Know how to protect themselves and others online by
Critically evaluating s, sites, applications for security vulnerabilities
Knowing how and when to look for “https”
Understanding app access control notifications
Being able to spot phishing scams
Creating strong passwords
Two-factor identification
Knowing when and how to make use of alternate and/or higher-level tools like DuckDuckGo, Signal, VPNs, and Tor
Limiting unwanted tracking by data brokers, businesses, and social media platforms.
Answer patron questions related to common digital privacy and security issues

40. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Understand the most common threats to a person’s security and privacy, the motivations behind those threats, and how to mitigate them
Know how to protect themselves and others online by
Critically evaluating s, sites, applications for security vulnerabilities
Knowing how and when to look for “https”
Understanding app access control notifications
Being able to spot phishing scams
Creating strong passwords
Two-factor identification
Knowing when and how to make use of alternate and/or higher-level tools like DuckDuckGo, Signal, VPNs, and Tor
Limiting unwanted tracking by data brokers, businesses, and social media platforms.
Answer patron questions related to common digital privacy and security issues
Know where to turn for more information on these topics as library workers and tech trainers

41. NYC Digital Safety: Privacy and Security
Articulate how data flows through the physical infrastructure of the internet
Understand the most common threats to a person’s security and privacy, the motivations behind those threats, and how to mitigate them
Know how to protect themselves and others online by
Critically evaluating s, sites, applications for security vulnerabilities
Knowing how and when to look for “https”
Understanding app access control notifications
Being able to spot phishing scams
Creating strong passwords
Two-factor identification
Knowing when and how to make use of alternate and/or higher-level tools like DuckDuckGo, Signal, VPNs, and Tor
Limiting unwanted tracking by data brokers, businesses, and social media platforms.
Answer patron questions related to common digital privacy and security issues
Know where to turn for more information on these topics as library workers and tech trainers
Be able to direct library users to additional trustworthy information on online privacy & security

42. That was a lot of text! Let’s look at a pretty image.
I started taking ballet a few years ago (and am often the worst person in the class). One of the classes I go to regularly is Ashley Tuttle’s. One move she really likes and uses a lot is the brisé. Not everyone is already familiar with that step, so she’ll ask the person, “Do you know what a cabriole is?” The person will nod, and she’ll say, “Well, a brisé is like a cabriole that changes its mind.” I’ve overheard her say this to people at least half a dozen times, and it always makes me laugh because, while it’s not particularly helpful for me, it obviously resonates with her as the most useful pedagogical tool in this situation. And it always reminds me of how individual the learning process can be.
I like the concept of a “personal learning environment.” In many of the interviews I did for my book Human Operators, I asked about library staff’s digital literacy and effective ways to keep learning even after being in the profession for a while, and I really liked one thing that Jessamyn West said. She had this phrase, “being up for it,” which is kind of the opposite of the attitude of, “I learned this thing, and now it changed, and now I have to learn a new thing, and when will it end?!”
Now, I totally get that feeling, and when we’re talking about digitally connected data and issues of privacy and security and surveillance, it certainly adds to the sensation of being overwhelmed to consider how fast things are changing technologically. But especially as people who work in libraries, these realms of intellectual curiosity and inquiry, we really have to step up and “be up for it.” This is so that we better help our patrons and students and understand their digital worlds, model good practice for our colleagues, are able to better communicate with IT, and engage in more informed negotiations with vendors.

43. Typically, implementing healthy digital security practices will be a cyclical process rather than a one-off action. As a result, organisations need to dedicate continuing resources to digital security, and be aware that there is always more to learn.
— Ties That Bind: Organisational Security for Civil Society, The Engine Room (March 2018)
There’s a great report from a British organization, the Engine Room, and here’s a quote.
So now let’s talk a bit about institutional support for librarians’ learning environments, which may be “personal” but also need employers to make time for staff to keep up with professional discourse and attend trainings and webinars and so on.
One of the problems at BPL, where I’ve worked for over 15 years – and maybe this is a problem at your own institutions – is that there’s an initiative, often grant-funded, and it parachutes in and everyone has to care about it and go to a training or whatever, and then it’s over, and...it’s over. This is a version of what I was responsible for at BPL with this IMLS grant, and it’s really a challenge.
Learning, especially about digital tech topics, has to be ongoing within an organization. Privacy specifically needs to be embedded in any tech training. And we all need to understand that this learning can’t (only) be done in one-off trainings. Part of this process is building relationships with technologists, including our own IT departments.

44. My general point is this: you don’t have to be a privacy expert in order to help people learn to protect their privacy online and sometimes it helps if you aren’t.
— “Practical Privacy – Helping People Make Realistic Privacy Choices for their Real Lives,” Jessamyn West (May 2018)
I don’t want to assume that no one here considers themselves a technologist, but at this point I’m more speaking to the bunch of you that I include myself in, which is technology translators. I was once at a digital privacy training in an activist space with two trainers, and one of them said something about being a “technology translator.” Afterward, I went up to both of them and said, “I really liked what you said about being a ‘tech translator,’” and the other trainer immediately said, “Oh yeah, I consider myself a tech translator, too.”
As you know I work in a public library, and I’m sure there are similarities and also differences between how your library users approach you (or don’t) with digital literacy-type questions, and I’ll be curious to hear if this idea of tech translation resonates with you.
But certainly my experience is that it helps me to connect with patrons and offer guidance about privacy that may be ancillary to whatever question they have or task they need to do, but being able to talk to people comfortably and non-jargon-y about tech is very important for me.
I also want to point out that it is sooo not difficult to find tips and learning modules and other information about digital privacy. I was talking to some people recently about the IMLS grant and the Data Privacy Project, and the first question I got was from a librarian asking why we had spent all this effort making something new when there were already curricula out there.
But I think that the process is just as important. At BPL, when we involved staff in developing and then conducting our curriculum, they were made to feel involved and also enhance their skills by articulating the information, not just receiving it.
We had enough money in the grant to hire RAD to conduct two much smaller workshops for key Queens Library staff – again, not IT folks – and one part of their workshop was segment where the participants had to actually figure out how to teach a concept or tool to the others, and they found that really helpful.

45. And speaking of “expertise” and the lack thereof and going to the “experts” with questions...I mean, reality check, it’s not like people are swamping us librarians to the exclusion of other resources in their communities. But, I think situating library workers as trusted resources for tactics on protecting our data can mean that our work gets filtered out to people via those comparatively few who are coming in and asking us questions or attending our classes, or viewing our online guides and handouts and whatnot.
— Privacy, Security, and Digital Inequality, Mary Madden (September 2017)

46. It is only in isolate flecks that something is given off No one
to witness
and adjust, no one to drive the car
Join me now in some out-of-context William Carlos Williams. That photo is of—not the driver, but the person who was in the self-driving car that Uber was testing in Arizona, at the moment that it struck and killed someone.
Here’s a bigger reality check. What is going on these days is obviously much bigger than us, and bigger than teaching about privacy on an individual basis, like it’s only individual responsibility. “Big Data” methods used by governments and private industry has created opaque black boxes where decisions are made that affect people’s lives in ways that we can’t even see. And many of these consequences may be unintended. No one is driving the car, so to speak.
We live in a largely capitalist world, and personal data is the fuel on which the engine of the digital economy – which is to say, the economy – runs, so you do the math.
But despite what the software engineers might think, as we’ve seen, these are humanities issues as much as STEM ones. It’s about power, and capitalism, and race, and class, and so many other dynamics.
Improving digital literacy on an individual basis is important, but so is empowering ourselves, our colleagues, and our users to help limit the abuses – current and potential – of artificial intelligence, machine learning, predictive policing, algorithmic decision-making, all as we hopefully are fighting racism and white supremacy and sexism and homophobia and the rest of it.
Essentially, although I feel disempowered a whole lot of the time, especially in this area, I want to encourage us all to balance that disempowerment with practical action and visionary goals.
These fights might look like supporting regulatory reform and legislation, or building and using alternative tools and platforms.
We’re living in a pivotal time, and it may not be too late for civil society to influence policy and technology to the extent that things change.
We know that Facebook has been under recent scrutiny and analysis. The GDPR is coming into effect in Europe on Friday, and people are watching that.

47. Non-technology folks can contribute to building consentful tech by:
Holding the platforms we use accountable to how they use our data
Advocating for consent-focused policy and legislation
Intervening in development processes through community organizing (petitions, demonstrations, etc.)
Signing on to platforms that are consentful
Learning more about code, policies, and legislation
— Building Consentful Tech, Una Lee and Dann Toliver (2017)
When I was talking about privacy as contextual earlier, I was also thinking about the concept of consent. There’s this beautiful term that the designer Una Lee uses, “consentful.”
Drawing on a framework of consent in sexual relationships, “consentful” tech means that data collection is freely and enthusiastically given, that it’s reversible, that it’s transparent and informed, and that it’s specific. So this encompasses those concepts of contextual integrity and control that I think are so important to privacy.
Una and Dann Toliver made a great zine that’s on your handout, and here they have some advice for “non-technology folks,” which again I’m loosely considering the majority of people here, including me.
So there’s some digital literacy and training implied in there, in that last point, but also so much more.
This is a long game we’re in, but we have to be acting, and acting together, now. 47

48. Thank you!
@InfAgit

49. Artist credits
Abigail Miller
Ämeli Hansson (via the Noun Project)
Lluisa Iborra (via the Noun Project)
Evgeni Moryakov (via the Noun Project)
Evan Bond (via the Noun Project)
Piotrek Chuchla (via the Noun Project)
Otria (via Wikimedia Commons)