How to Protect Patrons’ Digital Privacy

As broadband privacy rules are rolled back, what can libraries do to respond?

April 21, 2017


On April 3 President Trump signed a measure repealing Obama-era broadband privacy rules. Those rules, which had not yet gone into effect, would have required internet service providers (ISPs) to obtain customers’ permission before selling their information to third parties—information that includes browsing history, location data, and other highly sensitive content.

“The librarian profession cares a great deal about the public’s right to privacy, and this is a very serious erosion of that,” says Alison Macrina. Macrina is director of Library Freedom Project, an organization that educates librarians about privacy-related rights and tools. “It means that whatever ISP we use in the library is now privy to the browsing habits of our patrons. It also means that a third party will be able to monetize the data of our community members.”

The good news, she adds, is that in her view, “it is possible for us to have solutions to these problems, even if they’re just interim technical solutions. I’m afraid that people, when they understand the immensity of these problems, will decide not to do anything, but doing something really does matter. It is possible to get the toothpaste back in the tube.”

But how? Macrina and other privacy advocates offer several suggestions for libraries to consider as they determine how best to protect their patrons’ digital privacy.

Make sure your library’s website uses the HTTPS protocol. Does your library website’s URL begin with HTTPS, rather than just HTTP or WWW? Good. That means that communication between that website and a patron’s computer is encrypted.

“If a patron [at home] uses a library’s online catalog, for example, those communications include the queries they type into their browser, what they select, and in some cases, what they click on to download and read,” says Marshall Breeding, founder of Library Technology Guides, editor of ALA TechSource’s Smart Libraries newsletter, and author of several books including Cloud Computing for Libraries (ALA TechSource, 2012). “Without that HTTPS encryption, anyone can see what’s going back and forth. It means that ISPs, as they peer from one part of the network to the other, can capture that traffic and sell it.” With HTTPS, ISPs can see that a patron visited the library site, but not the pages they accessed or the books they looked up.

Right now, Breeding has found, fewer than 50% of the libraries he’s queried use HTTPS for their websites, and fewer than 30% use it for their online catalog traffic. “These numbers are not great,” he points out. “My concern is that library practices fall far short of the values that we have for protecting patron privacy.”

For help implementing the HTTPS protocol, libraries can consult the Electronic Frontier Foundation or Let’s Encrypt.
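
A check that goes one step past the address bar, added here as an illustration and not taken from the article or the organizations it names: a homepage served over HTTPS can still link to the catalog, or submit its search box, over plain HTTP, which puts patrons' queries back in view of the ISP. The hostnames under library.example and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute holding the URL the browser will request for that tag.
URL_ATTRS = {"a": "href", "form": "action", "script": "src",
             "img": "src", "iframe": "src", "link": "href"}
KINDS = {"a": "navigation", "form": "form-submit"}  # everything else: subresource

class CleartextFinder(HTMLParser):
    """Collects every URL on a page that resolves to plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        # A form without an action submits to the page's own URL.
        value = dict(attrs).get(attr, "" if tag == "form" else None)
        if value is None:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        target = urljoin(self.page_url, value.strip())
        if urlsplit(target).scheme == "http":
            self.findings.append((KINDS.get(tag, "subresource"), target))

def find_cleartext(page_url, html):
    finder = CleartextFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: an HTTPS homepage whose catalog search still uses HTTP.
PAGE_URL = "https://www.library.example/"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/css/site.css">
<script src="//cdn.library.example/app.js"></script></head><body>
<a href="/hours">Hours</a>
<a href="http://catalog.library.example/">Catalog</a>
<form action="http://catalog.library.example/search" method="get">
  <input name="q"><button>Search</button></form>
<img src="http://www.library.example/img/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_cleartext(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:12} {url}")
```

A `form-submit` finding is the one to fix first, since it carries what the patron typed; relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported.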

Negotiate with your ISP. “Libraries are in a position, unlike individual consumers, to negotiate with their ISP to agree not to track users when they’re using the library’s internet connection, or at least not to sell user data,” says Mike Robinson, professor of library science and head of the systems department at the Consortium Library of the University of Alaska Anchorage and Alaska Pacific University. “If it’s a national ISP that’s not making any exceptions, you might get caught up in that. But a lot of ISPs serve organizations, and I don’t think libraries are going to be the only ones who don’t want that tracking.”

Consider installing the Tor browser on library computers. “Tor is a free and open source web browser that hides a lot of the information that is leaked when you use a typical web browser,” Macrina explains. “It hides your location info, and it obscures your browsing history from your ISP. If you use Tor, the ISP has nothing to sell.”

That said, using Tor tends to mean that web pages will be downloaded more slowly. Users may also find themselves being required to enter CAPTCHAs to access some websites.

Educate your patrons about virtual private networks (VPNs). A VPN is a way to hide your online activity from your ISP. “It basically creates an encrypted tunnel for your Wi-Fi traffic to go through,” Macrina says. The ISP can see that you’re connected to the VPN, but it can’t see what you’re actually doing online.

Unfortunately, VPNs are difficult to use at scale in a library environment. “You have to have a lot of control over your users in a way that libraries don’t,” she says. Instead, “when we’re teaching computer classes and things like that, we can recommend that patrons use VPNs on their own at home.” Libraries can also educate patrons about the value of other privacy-protecting tools, such as the Disconnect and HTTPS Everywhere browser extensions.

Advocate with lawmakers for greater online privacy protections. “All of these are technical solutions, but we need political solutions,” Macrina says. “Libraries need to lobby on behalf of privacy legislation,” such as the broadband privacy bills that are under way in Illinois and Minnesota. “We need to petition the lawmakers who voted badly on this and shame them for how much money they get from the telecommunications industry. We need to reach out to lawmakers who are sympathetic to privacy concerns and demand that they do something to reverse this. It’s possible to have an internet where we don’t have to sacrifice all this information just to get basic services.”