Skip to content

Instantly share code, notes, and snippets.

@peterk
Last active March 31, 2017 08:39
Show Gist options
  • Save peterk/ec92cd2ef085eeda7a928b4281b6888a to your computer and use it in GitHub Desktop.
Save peterk/ec92cd2ef085eeda7a928b4281b6888a to your computer and use it in GitHub Desktop.
Alpha Library Privacy Checklist (0.1)

Protection of privacy in the library environment (DRAFT)

v0.1 (roughly google translated from swedish - sorry for poor english).

Libraries should work for the democratic development of society by contributing to the dissemination of knowledge and freedom of opinion. This means that access to the internet is an important service to provide to visitors of the libraries. However, it does not mean that visitors should be able to do what they want with library equipment or access other visitor's information. Patrons should trust that their use of library services do not infringe on their privacy.

This document is a first draft of a checklist aimed at reducing the risk of intrusion into the visitors' privacy when using digital services in a library environment. The checklist is not exhaustive. The idea is that a librarian can use the checklist to get a basic idea of a library´s protection of patron privacy. This should be used in discussion with colleagues and suppliers about how you can increase privacy.

The checklist has three parts:

A. Physical access - how to check and prevents access to the computer to prevent visitors installing equipment that can be used to access other users' information.

B. Configuration of the computing environment - fundamental requirements for lockdown of the computing environment to avoid malware and unintended sharing of visitor data.

C. Library services on the Web - how to avoid sharing information about your visitor's activities to outsiders.

For each section you should document the results and then plan possible actions with your IT supplier. If possible, perform the test together with someone from your IT organization.

A. Physical Security

A1. Avoid having connectors for computers and peripherals accessible for visitors

If a visitor can access ports and cables for keyboards, there is a risk that a malicious visitor connects logging equipment to capture other visitors' keyboard activity. In this way, a malicious user get passwords, e-mail content and other information that visitors enter via the keyboard.

How to check

Make sure the library computer ports and cables are locked, encapsulated or otherwise made inaccessible to visitors. Is it possible to unplug the keyboard and plug something in between the keyboard cable and your computer? Is it possible to access network ports?

How to fix

Contact your IT provider to discuss possible solutions for locking cables and equipment. If keyboard cables aren't locked, you need to make regular inspections of the equipment to ensure that no one connected the unauthorized equipment such as a keylogger.

A2. Minimize "over the shoulder" access to information

In a library environment it can be difficult to use a computer for sensitive information if other visitors can see the screen. Try to place screens and seating in a way that minimizes the risk of gleaning information. This also applies to printers and copy machines. Can other people access printing jobs that another user has started?

How to check

Test whether you can see the screen from seats nearby a computer. Can you read text displayed on the screen? When printing, there is a risk that printouts are visible to others? Is it possible to discard printouts in a way that prevents access by other visitors (e.g. in a locked trash bin)?

How to fix

Place screens directly on the desk instead of on top of computers if possible. A lower positioned screen makes it harder for others who are sitting behind to see screen content. Consider the possibility to equip the screens with privacy filter (a plastic film which minimizes visibility from the side). Consider using locked bins for paper trash.

A3. Reduce risk of network intrusion

If visitors can connect their own equipment to the library network you need to minimize the risk that they get access to other visitor's information.

How to check

Try to connect a computer that does not belong to your organization in a network port on the premises. What services can be accessed? Can you see other computers on the network?

If your library has wireless internet access for visitors', check:

  1. encryption is enabled (at least WPA-2).
  2. default password is changed
  3. default SSID is changed
  4. DHCP addressing is limited (maximum number of simultaneous users)
  5. WAN requests are blocked (Blocked ICMP ping)
  6. wireless wifi configuration is switched off (should require a physical connection to the appliance)

How to fix

Contact your IT provider to discuss network security measures that protects privacy.

B. Configuration of the software environment

B1. Minimizing the risk of sharing information from a previous visitor

After a visitor leaves a terminal, it is important that the information that the user leaves behind isn't available to the next user of the same equipment. This applies to temporary documents, browsing history, stuck print jobs, cookies etc.

How to check

Use the equipment in the same way as a regular visitor would. Note the URLs you visit, enter information in forms and submit them, store files on the desktop. End the session according to the instructions and use the computer as a new user.

  1. Are documents left on the desktop or in the temporary files folder?
  2. Can you see browsing history in the browser?
  3. Are cookies stored?
  4. Is form information stored?
  5. Can you see recently opened documents in software available on the computer?
  6. Print a document to a printer that is switched off. If the user leaves the computer and the printer is turned on again, will the document be printed anyway?

How to fix

Lockdown of computers can be done in several ways depending on your computing environment. Review the results of the items above and talk to your IT provider.

B2. Do not let users install their own software or access system files

If users can install their own software on library computers there is a risk that such software intercepts other visitors' information. Configure the environment so that the software can not be installed by unauthorized persons. Hide and block access to operating system files / directories so that ordinary users can not replace files there. Narrow ordinary user's permissions to a minimum.

How to check

Use your computer as a library user would do. Try to install a program on your computer, download the installation files for e.g. Firefox or other free software that is not already on the computer. Run the installer. Was it possible to install? If it was possible to install the software, is it left installed for the next user?

Try opening a directory that belongs to the operating system. Is it possible to save files there? Is it possible to install extensions in the browser in a way that they remain usable when the next visitor comes?

How to fix

Contact your IT provider and ask them to lock down the IT environment so that unauthorized persons can not install software or access operating system files.

B3. Protect users from malware and monitoring

Users may need to download documents from the net. Minimize the risk that they are affected by viruses or unknowingly spread infected files by providing an antivirus software on the computers.

Enable users to learn more about digital privacy by having privacy badger or similar tools installed in the browser.

How to check

Is there anti-virus software on the computer? Is it up-to-date?

Are there privacy-related tools installed (e.g. browser extensions to skip ads and logging)?

How to fix

If antivirus software is missing, please order the installation of antivirus software from your IT provider. Install Privacy badger or similar software.

B4. Minimize access to logs

Ensure that information about your visitors are not passed on to third parties. If your organization logs network traffic you should ensure that procedures are in place for limiting access information in the logs.

How to check

Contact your IT provider to see if logging of user activity is done and what the procedures for accessing logs are.

How to fix

Ask your IT provider to establish guidelines on who has access to the logs, and the situations in which access is granted.

C. Library services on the Web

C1. Minimize sharing of information about user activity to third parties

The provisioning of digital library services typically involves several different actors. When the library's online services are used there is a risk that sensitive information is shared with other organizations through activity tracking in web statistics, sharing buttons, advertizing etc. By configuring digital services correctly, this can be minimized.

How to check

There are several tools to find out how information is shared with others. Use any of the tools below to test such your library's website and subscribed services.

How to fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment