CC.1 Week 6: cybersecurity basics and public computer environments

How does your library’s cybersecurity measure up to best practices? What about your public computer environments? What barriers have you faced to making changes, whether from IT, admin, or elsewhere? What other thoughts do you have from this week’s talk and readings?

One thing I keep thinking about is what currently counts as optional vs nice-to-have and how to shift that window e.g. the idea that a user has to sign in to their own session is pretty widespread (it’s not common to just have one desktop that everyone signs in to and shares). most institutions we work at have some privacy policy that gets followed and enforced, and some that gets ignored – where are these lines, why are they there, etc…

Another thing I think about a lot in this area is the potental to use how the library computers are set up as a teaching opportunity in itself – so instead of libraries grudgingly doing the bare minimum ideally library tech could be an area where the library provides leadership that people can follow and learn from. (ie, how do I make my privacy better? do I even have any options? etc. Like wouldn’t it be cool if someone went home and used Firefox with Privacy Badger because “it’s what they had at the library and the library cares about that sort of thing!”

obviously I’m preaching to the choir here as it were but I wonder if this framing can be useful in terms of selling the idea of improving practises, that it can have an impact on the broader community in more ways than just providing computer access (where I think sometimes “well at least we have computers” is sort of the low bar; they’re “good enough” for people who don’t have other options but certainly don’t embody our highest ideals of internet freedom and user privacy… but maybe they could…)

3 Likes

I wanted to ask about my situation because I don’t have any control over it but want to know what I can bring to IT as a request.

Students at my school can login to a library computer either using their student ID or the account “Student.” Their ID account is unique to them and loads their drive and things unique to them. “Student” is an account with no password and I think gets cleared after the session is over but I am not certain. In addition, students have iPads with their own unique logins/pins, etc… For privacy concerns, should the ID sign on the library computer not even exist? The ID method is how most teachers login but we do so with our names.

To make things more confusing, the district only uses cloud services (G Drive, Schoology, etc…) so there is no real reason to have a student ID login anyway or at the very least, have a drive unique to them. However, I can’t think of any argument that will better their thinking which is, “What if a student looks at something inappropriate? How will we catch them?” If it is all just for punitive measures, is there a way to still anonymize student traffic? I don’t necessarily want students to view inappropriate things either but I would rather turn it into an educational opportunity instead of a punitive one.

Students and staff have access to Firefox, Chrome and Edge but it is not for privacy concerns. It is because the district uses an uncoordinated mix of Google, Apple, Microsoft and other SaaS and some things magically work better on one browser…Except Edge…Edge is trash.

how old are these students? that would impact my response to the inappropriate stuff question… most automated net nanny type stuff can prevent people from e.g. doing medical research, and more personalized review of internet traffic data is going to take time and resources most places don’t have… but I get that concerns are different for university students vs. a computer lab full of nine year olds!

re logins, I guess the first thing would be to make sure there’s truly no differentiation between student accounts in terms of permissions or storage or access to software or resources… maybe there are also some accessibility reasons why it’s nice to have an individualized sign in, if it can save some of your settings or whatever instead of having to redo them every single time, especially if you use the school computers a lot.

otherwise I’m not sure I understand why having them sign in with their student ID inherently a privacy concern, or inherently worse than them putting all their google info in a “student” session? Plus if you’re going to just have them signing in to their Google Suite every time you’d still need some kind of session to wipe downloads and sign ins and that sort of thing.

1 Like

Students are aged 14-18, so to more or less sum up the school’s concerns, they don’t want students to engage with pornography or violent video games. I am more concerned about things in the grey areas so to speak, like students conducting research about current events or things that impact their lives and being disciplined for it.

I agree with you, if you have certain settings you enjoy, having the ID login is great but that’s about it. No student is allowed to download different software except with the iPad if a teacher asks for it through self-service. Before the iPads, students had Chromebooks and life was actually a little easier for the reason that you mentioned, logging into the Chromebook was signing into their Google Drive and Google Classroom.

I don’t know if the IT department has the time or resources to go through all web traffic but my library is near the Dean’s office and I hear about students breaking the “Internet Code of Conduct” (or Lord knows what it’s called) so regardless if it is through the “Student” account or personal, they have some way of verifying and generating a report.

I will ask though what the difference is between the two types of logins because maybe there might not be much of a difference. I appreciate you helping me think this through!

1 Like

I think one major issue, in my personal experience, is that many libraries aren’t aware of or don’t even consider cybersecurity at all, let alone cybersecurity best practices. I graduated with my MLIS in August 2020 and while there were some elective courses on web design, I don’t recall seeing any courses on IT/cybersecurity or even internet/data privacy. To my knowledge, there were no certification programs in these areas either or any cross-listed courses on these topics from IT made available to MLIS students. I think this creates a huge challenge because libraries have to interact with technology and because there’s no required course or even standard elective on IT/tech/privacy it’s up to individuals to either learn on their own or just leave everything up to IT. To be fair, there were several things I wanted classes on while I was an MLIS student so I don’t know how much these programs can fill in those gaps - but I think any path towards incentivizing and creating pathways towards learning specialized skills like IT/cybersecurity for library workers (like this course) would be great. I think for me one challenge is that although I have some IT experience, I’m not super confident in my skills and I feel as though there is a lot I need to learn in some cases before I can make recommendations. At the same time though - I wonder what the stopping point is - like, does this progress to the point where we have IT librarians and if so, is that a good idea? What limitations does it incur?

1 Like

I think, your best bet is to stress to students to sign in using the generic “student” profile. I know our firewall can see who’s signed into a computer as well as IP and MAC address, so using the “student” profile might help obscure it a little. They’ll still see the traffic and where it’s going, but potentially harder to figure out the individual student. If students are signing into G Suite to access their documents and etc, then yeah, it’s entirely possible that logging in individually has no point. I’d definitely ask your IT about the difference.

This is speculation, on my part, because things like firewalls and filtering systems can vary quite a lot. I’m not familiar with school setups or software, but you might also ask your IT about that, and especially how to get something unblocked in the filter.

2 Likes

To share my IT side of things!

Cybersecurity is a constantly-moving beast. I did a presentation last October to our whole organization, and I took two full hours and couldn’t hit everything I wanted. Alison hit the basics of it very well: keep your OS and apps updated, keep regular backups, require good passwords, don’t plug USBs into anything willy-nilly. If your IT is the slightest bit competent, these things are automated already.

I updated our public computer environment to Windows 10 last summer while we were closed, and it was a huge project. Now that we’re open again (with COVID precautions) I’m hearing all the little issues that were bound to come up. There’s A LOT to consider about cybersecurity and privacy when configuring an environment; we use at least six different systems to manage ours. It’s mostly all transparent to the user and staff unless they run into an issue. So if your IT says they don’t have time for something, ask if there’s a future time that would be better! They might be in the middle of a giant project. Of course, if they’re hostile or dismissive, that’s another thing – unfortunately there are plenty of IT people out there who care more about the systems instead of the people who will actually be using them.

Most of the challenges I’ve faced when making changes have been more about lack of time than anything else. I’ll make a suggestion that will need admin approval, I’ll throw it up that ladder and not hear anything back because everyone has so much on their plates. Or all my time is going to solving something, instead of new or in-progress projects. There are definitely things we can improve on – making our protected wifi more accessible, adding Firefox and Privacy Badger to the public computers, for example.

One thing that really, really surprised me about the ALA Checklist was that this was Priority 3: “Segment the network to isolate staff computers, public computers, and wireless users into their own subnets.” It’s a pretty high cybersecurity risk, which in turn makes it a privacy risk. It’s out of the ballpark for most library staff, but segmenting your network is a basic cybersecurity practice, so I’m surprised that it was prioritized so low.

1 Like

Do you think the ALA priority points were maybe a mix of like what’s most likely to be doable as well as what’s most important? I know in class there was some general surprise that some of the priority 3 items weren’t higher up and I wonder if there’s some attempt at strategizing around making priority 1 like a lower bar/more attainable or similar?
(ETA I’m not even saying they made the right choices, and some things are fundamental enough that even if you can’t implement them yourself they belong in priority 1, just wondering what the rationale was!)

In my experience – it’s all fairly random, and it takes a person or multiple people to just keep pushing things in the right direction.

Yeah!! That’s definitely part of the idea. And in some ways, it’s an easier thing to achieve than making other infrastructural changes that have to do with how the library is collecting patron data. Also, if you can’t get things installed on your library PCs, you could always offer a public program about privacy tools. And then later you can have the patrons who came to that program ask admin why the tools aren’t available on library PCs. :smiley:

I mean, if they can just as easily use the student ID login as the “Student” login, you wouldn’t be able to catch the ones on the student account anyway. So if “student” is already widely available, and there aren’t any issues with students doing things they shouldn’t be, then that can help you make the argument that the student ID login is unnecessary!

Important points Emily. I feel like if any of these were true, you’d already know (and be advising students to use one login or the other depending on their situation) but they are important questions.

I just read this reply after I typed my message above, and I think this is something to look into…what are they finding about students who sign in with the “student” account?

It was the same in my MLIS and it seems to be pretty true of most of the programs.

It’s so true, and in smaller libraries you might be the IT. But there are cybersecurity and privacy concerns at all levels of interaction with patrons, and we do not prioritize learning these skills in the profession!

I definitely get this, and I find that it helps to just let people know where you’re at. “I know a little, but I’m not an expert, so let’s see if we can figure this out together.” You don’t have to know everything (and that’s not even possible anyway, it’s too big to know). You’ll get more comfortable with the basics before too long, and that’s mostly what you’ll need anyway. Also in tomorrow’s class I’m going to talk about all the people and spaces to follow to stay up on privacy stuff so that you can feel more confident going forward.

Yup, I had to cut last week’s outline waaaaaay down to fit our time.

So true, and gets back to the importance of relationship-building. If you get to know your IT people a little, you’ll have a better sense of when they’re doing system upgrades or when their maintenance days are, or just when they’re super swamped with something new.

I totally agree. I have no idea why it was such a low priority, especially since this is something that should just be getting set up when the network is initially configured. There are other priority levels on the checklists that are befuddling to me.

I kind of get that vibe from them. But I wasn’t involved in the final product (just made some initial recommendations), so I really don’t know. And like I said about Sarah’s point on the network segmentation, while this is out of the skill range of most librarians, most librarians probably aren’t setting up the wifi themselves, and you can have your IT person just do that for you when it gets set up.

1 Like

Our library uses Smartshield and Comprise (SAM) to manage our public PCs. Our PCs wipe out info once sessions are ended. People can lock their PCs if they need to step away, we also have one time use guest passes if people would rather log on to computers with that. I recently became a liaison between them and our library for tech support. It has been implemented before me that whenever we reach out for tech help they “need” as much info as possible about any issue we are having. Whenever we submit a troubleshoot report, people sometimes attach the library card # of the person who experienced an issue in their report. It makes me cringe every time and honestly it is useless information for the comprise team. I don’t give out that info. Since I’ve worked with them, they have not asked for that or needed it to help resolve the problem.

The politics of the library make it real tricky when it comes to approaching protocols and since admin is the main people who deal with our IT or any tech related issues, I would have to approach this with caution. I was only given the role because I showed a proficiency with SAM since it was the same system I used at the previous library. But had it not been for that, I don’t see how some of these practices would be changed.

3 Likes