National Library Week – thoughts on cybersecurity


[this is a transcript of an email I sent to someone doing cybersecurity+libraries research]

There are two ways in which libraries could be doing a lot better in the realm of cybersecurity. And I should note, I work for rural libraries and digitally divided patrons for the most part, so a lot of my ideas are on a human scale, but there are a lot of good ideas in the larger scale about just encrypting and anonymizing data, but they’re sort of the same as they would be for any big business.

1. Being better at patron privacy re: cybersecurity. So if we offer patron privacy in terms of what they’re reading (and we do, in the US this is a big deal) why don’t we go to more trouble to help our patrons’ browsing experiences be more secure (https, Tor, encrypted wifi, who knows….)? The answer is boring: money. But it’s a useful concern and one that library leadership (professional organizations etc.) could be doing a HELL of a lot better at. Also pushing vendors (since we buy a lot of b2b software) to offer safer tools. We still have vendors who will email you a password in plaintext. Those vendors should not be getting money from anyone and it’s just a highlight of how little we understand. Like, you’d never buy a car without seatbelts (and, well, can’t) so why are these people still in business?

2. Being better at raising awareness of cybersecurity issues and communicating that to our patrons. So “talking the walk” if you will. This line is trickier because at some level if a patron says “I don’t really care about privacy…” it becomes a challenge to figure out what to do. Do you try to “incent” them to get more serious about it, or do you just realize there are a lot of different ways to be human? I think there are a lot of smart people in the Open Source world who sort of shot themselves in the foot being OS purists and people couldn’t get on board if the only way you could support free software was to go ALL IN with OS tools. The same with cybersecurity and privacy: we have to find ways to allow people to twiddle the knobs for themselves. They want to use Facebook, but do it safely. Do we have something to offer them?

THAT said, I think we need, as a profession, to become a lot more aware of what threats really look like and who we’re really in danger from (imo, it’s more government and advertisers and not what we’ve traditionally thought of as “bad guys”) and to have our own way to frame the narrative so that the library is part of that conversation and can help people understand the issues. You read “old media” and you get the feeling that a lot of them don’t really understand the problem (and TV news, my god) so it’s no wonder people who are of average computer intelligence can’t figure it out better. We need to provide options and sensible information to those people, not just more FUD.

One thought on “National Library Week – thoughts on cybersecurity”

  1. Polaris has known that plaintext passwords are a problem since at least September 1, 2009. They have an enhancement request titled “Patron password email should offer a reset option instead of sending in plain-text” which a librarian put in on that date.

    Every year some variation of this shows up on the enhancement request ballot, and every year it isn’t one of the winners, and my question has always been “why are security measures put up for a vote?”
