Sensible talk about HTTPS

https showing in a browser bar

(this is a slightly amended reprint of an article I wrote for Computers in Libraries magazine in 2016 and I’m putting it here because it’s timely. Original title: Practical Technology – Digital Privacy is Important Too. If something seems inaccurate, let me know.)

This month’s column is amplifying the signal on a movement that has been brewing in the library world: getting libraries to make patron’s digital activities as secure as their lending records. There are a few ways to do this but I’m going to focus on using HTTPS.

You’re probably familiar with the http:// prefix from web addresses. You may not know that it stands for Hypertext Transfer Protocol but you don’t really need to. HTTP is a method of exchanging information, mainly web pages, online. The information that is exchanged goes over the internet in plain text, unencrypted. This is fine if you are just trying to look at a website about caves or bats, but less fine if you are sending passwords, banking information, or other things that you’d prefer to be more secure.

How

Privacy-conscious individuals can use browser plug-ins for Firefox, Chrome or Opera such as HTTPS Everywhere on their own computers which will let them use an encrypted channel for sending information when possible. However if libraries are in the privacy business, shouldn’t we be offering HTTPS to our users as much as possible?

Eric Hellman who runs the popular library blog Go To Hellman has been working with the Library Freedom Project to get libraries to commit to digital privacy by signing the Library Digital Privacy Pledge. Simply put, it asks libraries to commit to using HTTPS to “deliver library services and the information resources offered by libraries.” in 2016.

Historically this has been an endeavor that came with associated costs since purchase of a digital certificate was required to verify the security of the connection. Recently, the Electronic Frontier Foundation has started the Let’s Encrypt project with sponsors like Mozilla and Cisco in order to lower the costs and the technical hurdles involved in getting set up with HTTPS.

Last year was the year for HTTPS. The White House made a statement in June of 2015 directing “all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection” by the end of 2016. They have also created a web-friendly version of their memo along with an extended explanation about how and why they created this mandate. On their page entitled “Why HTTPS for Everything?” they explain

Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.

When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.

Why

The big reasoning for pushing for this in libraries is twofold. First privacy is our business. It’s in our professional bill of rights and it’s certainly in all of our marketing materials. The ALA’s Code of Ethics is very clear “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” That “transmitted” part is the key.

If we say we keep your reading list private, shouldn’t we be able to say the same about your internet browsing habits? Our users are getting their information not just from print materials but from databases that we provide as well as internet connections, and possibly computers, that we offer. If we’re in the privacy business it’s our responsibility to make these channels as secure as possible. This means managing these systems in our own libraries and urging, if not requiring, our vendors to do the same.

Major companies like Google, Twitter and Facebook as well as my employer the Internet Archive, have made the switch recently and if you haven’t really noticed that’s the good news. All major browsers should be able to handle this transition seamlessly. Users have a browsing experience that feels the same, but is much more secure. Libraries can offer their patrons public wifi access and also assure them that the data they send over that wifi isn’t “sniffable” by third parties. This is good PR for libraries.

And this brings us to the second reason, clarity. There are many different ways that internet content tries to make itself look reputable and authoritative. As librarians we’ve seen them all. However, telling a user “Look for the lock icon on the browser.” or “Look for https in the web address.” is a straightforward and simple way to make this additional security clear to users. This can help users resist phishing attempts and give them more confidence when interacting with sites that require their personal information.

Where and When

There are a few steps involved in making this change and some of it is dependent on the IT system the library is using. A very simple first step is contacting the vendors your library does business with and ask them if they use HTTPS and, if not, if they would consider implementing it. OverDrive, EBSCO and Elsevier have already made this change.

The next step is doing an assessment of the web services you offer and look into making the transition. This can be as simple as updating your website and inspecting your internet connection but possibly as complicated as rebuilding some of the code you have been using or looking at your content management system’s tools for implementing HTTPS. Sometimes this can be as simple as using a plugin.

The good news is that the last few years have seen a surge of companies and websites who have been moving to HTTPS so many of the starting points are Googleable. There are also people from the Library Freedom Project willing to help libraries get set up with HTTPS if you simply lack the resources to undertake this project on your own.

This pledge is also a chance for us to model good behavior for other users who may not understand how packets move across the internet. By showing that we care about their privacy and presenting privacy as a thing to be valued, we can help other people make good decisions about their own web content and internet habits. Join us.

Resources

Posted in 'puters | Tagged , , , | 4 Comments

Ask A Librarian: How does library presenting work? Who pays and when?

collage image of a woman's feet and part of a map, a postmark and some stamps

Travel image by Tyler Hewitt on Flickr

Email from someone asking about how to merge librarianship and public speaking. I may not be the right person for this question…

Does your employer (if you’re employed at a Library) pay (travel, salary and credited work time) for you to attend those conferences when you’re presenting or do you pay out of pocket?

I mostly freelance. So when I worked in a library, I had a part time job at the library and if I was not presenting for the library then I’d just get unpaid time off. If I was presenting for the library like at a local event, they’d give me (paid) time off and usually it was an either/or about who would pay for things like travel and expenses. If it was part of my job, the library would usually pay for travel or at least reimburse mileage. Occasionally, rarely, I’d get paid for my time by the organization, and that money would go back to the library if I was getting my time reimbursed by the library.

This is definitely a tricky issue with full-timers and it’s worth making sure you’re very above-board with your library about doing professional work like this. Some libraries are thrilled to have staff doing a lot of professional development (teaching or attending) and some are less into it.

If you’re giving a presentation at another library (such as staff day or as part of Library program) how are you contacted? Do you pitch a proposal to those libraries or do they contact you first?

I’ve been in a weird lucky place where I think people mostly have heard about me and so reach out? So I got started in 2004 being asked to give a talk for a local ASISt event and then people saw me and invited me to more stuff. I have a lot of flexibility because of my freelancing and my rates are attractive/competitive (honestly they are probably too low) which always helps. Occasionally I pitch presentations, especially for my local conferences. Now it’s primarily word of mouth. And here’s how it breaks down:

If someone contacts me, it’s a job and I expect to get paid, reimbursed and accommodated by the org who contacted me unless it’s a *very* prestigious conference in which case I just ask for entry to the conference (SXSW used to be like this, some very remote library conferences will pay you to get there and put you up, but not pay you otherwise)
If I contact them I assume I am on my own dime but might get free conference entry especially on the day I gave a talk

I was thinking of searching for other libraries outside of my state and submitting a Suggest for Program Proposal directly to that library with my presentation/program description and contact information. Is this something that you recommend?

Depending on how narrow your topic is? A lot of libraries don’t have a lot of money to pay speakers (especially for things like travel reimbursement) but every state has an annual conference and they bring in people for those, so maybe start at the state level in more states especially ones which are nearby to where you are so wouldn’t be a killer travel thing. Assume if your proposal gets accepted you would get free entry to the conference but likely not get paid (is my understanding).

Things like in-service days at libraries are definitely the exception: they like having professionals who can hold up a good chunk of the day, they pay well, and you get to meet a LOT of librarians and really spend time with them, which is something I always feel is special about these events. I do some of the talking that I do at in-service days at local schools as well as libraries which you might consider, again based on your topic.

Also, if you’re asked to speak outside of the United States, does your library pay for your travel accommodations and salary while presenting or are you paid directly by the Library who ask you to speak? – Thank you!

If I go outside the US, the organization pays for me to get there, stay there and talk there. But again, my situation as a freelancer is very different from when people are full-time employed, You might want to ask other librarians like David Lee King, Meredith Farkas or Michael Stephens, people who are in my cohort of public speakers and also full-time employed in library professions.

Posted in librarians | Tagged , , , , , | 6 Comments

Ask A Librarian: Options for Remote Librarianship

stained glass in the Lincoln Library
A portion of an email I received: “It seems you’ve been able to piece together disparate threads to form an unusual career. That’s exciting to me. I see the economy shifting toward a new model i.e. multiple income streams/work when you want/remote employment, and feel like there is for potential for me to carry over what I’ve learned in the library world, I’m just uncertain as to my options, and among them, which are lucrative and/or worthwhile.”

The trick mostly is learning to live on not much money and making sure you have a consistent profile online even if you don’t have a geographically bounded one. And staying in touch in a consistent manner even if you’re doing it from many locations. Have an email and a phone and a twitter that you ANSWER.

For me, it’s having a home base, at least, so I do get in some of that “terroir” thing of actually knowing a place. My general MO that I say is that librarianship is primarily a very very grounded profession, both in the philosophical sense and in the staying-put sense. Most librarians only cross-pollinate with people outside of their systems at professional development opportunities or at infrequent conferences and special events.

Accordingly, I think it’s a useful thing for some librarians (a small subset) to actually do more moving around, talking about libraries to other libraries. It’s tricky because you can wind up sounding like a
“Here I am someone who doesn’t really know what your job entails, telling you how to do it better” person. So it’s good to have a set of librarians, whoever they are, who really know you. For me this is the librarians in Vermont. I work with the profesisonal association, maintain their website and go to (and help plan) their conferences.

So picking a few things

  • Whatever your “local” is, might be an online community, might be one library or place where the people know you
  • Having a consistent online presence that is maintained since more people will know you through this than in person
  • Gigging with things that don’t require in person stuff (maintaining association or other websites, social media stuff, writing). I don’t know where the email/social media lady for VLA is and it doesn’t matter to me as long as she gets the job done.
  • Maybe some regular stuff that isn’t glamorous but pays bills. I write for Computers in Libraries, a regular column in a print magazine, and it keeps my health insurance paid

And realizing that it’s all about choices. If travel is the most important thing to you, other people with work to offer may realize that and say “Eh that’s not what we want” and that is also okay. Having a consistent self-narrative so that even if you’re not in one place, you are one person, will make a difference in how people feel about tossing money your way. Being professional in what you do for work, no matter what you’re doing in your life, is to me what people want to see.

I get a lot of mileage out of presenting at conferences, both in getting the word out but also meeting people and learning about them and their lives. Depending on what your traveling scenario looks like, having something where you travel between library conference gigs is a workable thing if you don’t mind having your travels being bounded by work responsibilities. It’s pretty easy to plan ahead of some of this stuff, especially at a national level, so thinking about having a thing or two you could do at these events that other people might pay for would be my first “plan of attack” in seeing if you can make this work for you.

Posted in librarians | Tagged , , | 1 Comment

Ask a Librarian: When do you touch a patron’s computer?

Conversation with my friend Peter (in italics) about teaching technology and when it’s okay or even helpful to touch a patron’s device. Slightly edited. I run a drop-in time weekly during the school year where people can come and ask questions about technology. First come first served.

I will also link to How to help someone use a computer by Phil Agre because I think it’s the single most helpful thing I’ve read on this topic, ever.

Peter: I am a fellow technology-explainer librarian. What is your policy about touching the devices of those you are helping? Do you make them do everything themselves, or do you take and manipulate things on your own? I find I’ve been doing the latter more and more. Thanks!

Me: Hey there. My general feeling is if it’s a thing they will need to do again I always make them do it. If it’s a one time configuration thing that, for example, should have been done by a tech at their workplace or something, I will sometimes do it and narrate what I am doing. Its hard right because people type slowly and there are only so many hours in the day, but I feel that for anything where they need to actually repeat the process, making sure they can do it for themselves (and what the pain points are like “Oh this has a drop-down menu and they don’t know what to do with that”) is important.

Sometimes I will “tee up” a site or something for them. If the class or example is “How to type a letter” and we’re learning cut and paste, I may step through getting Word up and running for example. One of the things I like about drop-in time the way we do it is that there are multiple people you are helping at once, so someone can be fussing with getting their password right on their own and I can be helping someone else at the same time. It’s a downside to short one on one sessions.

Peter: Thanks. We have drop-in time, too–in fact almost all of our tech help is now drop in since attendance at our classes was very low and unreliable. I’d much rather address their questions individually and directly. Seems so much more productive and they go away happier (I think). I tend to handle the devices of people who seem in a hurry or “just want you to” show them something or change something about their device/computer. I will take your approach to heart, though. I really do want them to learn how, so I will try to stick to encouraging them to do it themselves with my guidance unless, like you said, it’s a one-time configuration deal (Overdrive accounts, oy!).

Me: Well and it’s challenging I agree. Some people maybe don’t want to learn the ins and outs which is their right but I often (politely) make the point that if they just want me to do a thing for them, there are people you can pay to do those jobs and they are not me 🙂 And yeah for longtime users who I KNOW actually understand how to do the thing but are in a hurry, I will totally do a thing for them but I’m pretty fussy about making sure they know I’m doing that more as a friend to them than as an employee. I just don’t want to set up expectations where they assume they can, as an amusing example, get their watch battery changed at the library when it’s not technically a service we offer.

Peter: I agree with your concern that people will start to think there are things you can/will do that go beyond digital literacy instruction/learning. I do try to focus on learning by doing for those who come. I worry about becoming too successful, so to speak–of reaching a level of drop-in attendance that will overwhelm the helper (i.e., me), but I have only had that challenge a handful of times in the past couple of years. Most of the time I can juggle helping multiple people, as you described. I have some regulars that come every week, but they are very good about sharing the time with newcomers. I think it may be time for a new round of publicity, though, to make more people in town aware that the library is a place where you can get this kind of help/knowledge. My fall back is to make appointments with people at a time when I can focus on their issue exclusively for a little while.

Me
: Yeah I do a certain amount of triage where I sometimes refer people elsewhere (“You need to pay someone for this, here are some suggestions”) and also I spend some time coaching people into how to have conversations with others when that is what needs to happen (“Ask your son who gave you the laptop if he knows the admin password”) specifically how to talk to tech support (“Tell them the wireless card isn’t working and ask if it’s under warranty still”). I find the attendance is self-regulating, if we have too many people one week we’ll have fewer the next week. This year, for the first time, I have an intern, a 13 year old friend of a friend who is very good at computers but could use some people skills. He’s got great energy and enthusiasm, and so for people who mostly just need someone to sit by them while they do things so they feel more confident that they are not making mistakes, it’s been helpful. And he gets community service credits for school and all the snacks we can bring in!

Peter: Snacks! We don’t have snacks. I too do a lot of work with people helping them to understand the language of tech. One of my guiding axioms is that people don’t begin to understand something until they start to get a handle on the terminology. I try to be careful to use terminology consistently, and to call things by their factory approved names–i.e., the names their makers give them. I think that will help them if they ever talk to an official tech support person–to anyone, really.

Posted in access | Tagged , , | Comments Off on Ask a Librarian: When do you touch a patron’s computer?

Ask a Librarian: New Library Director Advice?

An old one from the inbox about starting as a new, youngish library director in an established library.

Here are some quick links and things to think about:

1. How to manage smart people.
http://www.scottberkun.com/essays/28-how-to-manage-smart-people/

If your staff is smart, they mostly need you just to help them with resources and support to help THEM be awesome and don’t need a lot of top-down guidance. If they’re not as smart, you have a different set of issues.

2. Know the work.

list of rural library director's jobs

A friend make this list. You’ll have to view this large but it points out all the different parts that go into library directorship in a smaller place and even though all those jobs aren’t going to be yours, many of them will be SOMEONE’s

3. Outreach.

I think the biggest thing that libraries do is they sort of hang their OPEN sign out and wait for people to come in. That doesn’t help or affect the people who aren’t coming in. Reaching everyone or as many people as possible in your service area is mission critical, to me, they spend money on the library so how do you help them. Populations that often get ignored are

  • the elderly who may have mobility/cognitive impairment
  • prisoners
  • teenagers (people think they’re annoying, want them to come back
    when they’re less annoying)
  • the disabled who may need accommodation
  • the computer illiterate

Basic improvements in signage, accessibility, staff training (for friendliness, usefulness, etc) can go a long way towards helping ALL these sorts of people without sort of unhelping other people at the same time. I really think every library needs to take a good look at their website, OPAC and other tech services to see if what they do is working for the patron, not just the staff. I mean you have to make the staff happy too, but reworking so that you’re visibly helping the patron is also good for funding and general satisfaction levels.

4. Eating your own dog food.

Make sure you’ve done a Work Like a Patron Day yourself and,at some appropriate point, for your staff.

Posted in requests | Tagged , , , | 2 Comments