CC.2: Week 2, threat modeling

What threat models do you know exist in your community? Which ones resonate with you the most? How could you use threat modeling to make arguments in favor of privacy in your library? In what ways is the library an adversary or a potential adversary?

IDK if this goes here, but it’s a development in my town that I see a problem with…when you get to the “facial recognition” part - which, although they claim they are NOT opting for NOW, I don’t have strong faith in the claim…

The more our library talks about how to use Unizin, the more I can’t help but worry about what information our libraries are going to be pushed to collect. Currently we are discussing tracking course reserves, which shouldn’t have any identifiable information, but I can see the possibility of escalation.

Our library also had a discussion about tracking usage of library materials that are embedded in online course shells (essentially course reserves). Our vendor has the ability to track how many times something is clicked on, when, etc., and of course the promise is that the data is in aggregate so no single student can be identified. But students are already being tracked at the individual level in physical and online spaces, and that data is/can be used to make inferences about each student’s ability or likelihood to “succeed.” Why wouldn’t the course reserves data eventually be used in the same way? Never mind that simply counting clicks is not any sort of meaningful assessment for the library or the student; it has the potential to be more invasive and used in conjunction with other data to make assumptions about who succeeds and who fails.

Since we’ve added social workers to our staff, who often go out in the bookmobiles, we’ve had an unanticipated situation pop up that called for threat modeling. The city (without any heads-up to the library) installed cameras, plugged into facial recognition software, in every vehicle - ostensibly to watch out for unsafe driving (i.e. you’re not looking at the road while the vehicle is in motion). Our social workers and peer navigators sometimes use the vehicles for private conversations with the public - and pointed out that their license specifically forbids them from recording conversations. Customers could be caught on camera saying things that could land them in legal trouble if that footage ends up in the wrong place. Add to that the possibility of a situation where the camera may be recording patron check-outs or questions, and it’s a privacy nightmare.

It’s wild to me that both @Aglenn and @sam’s libraries are talking about tracking course reserve usage. Course reserves!!! What could be the point??? As Sam points out, there’s no meaningful assessment here. What this is is the library succumbing to the collect-it-all data mentality that’s being foisted on us by our vendors. It’s silly, and wasteful (data storage uses up a lot of carbon), and it has the potential to do harm later when it gets combined with other data streams (aggregated data is not anonymous).

Wow, I’m so glad that the peer navigators noticed and flagged this. Is the facial recognition software getting removed? This is really a perfect example of not just using threat modeling, but the need to educate city officials in this kind of thinking.

Last update I heard was that the cameras were being left in the vehicles but not turned on as the library and the city talk. I’m going to see if there’s been any updates!

On @Aglenn & @sam’s topic, I feel like there’s some interesting discussion to be had about how the push for libraries to be “data-driven” (or at least it’s a thing I’m hearing a lot in my circles) enables vendor nonsense - and encourages libraries to make the wrong call on what (should be) easy privacy questions.


Currently a good chunk of our branches are under major construction or will be in the next few years. My home branch is closed for renovations and I am temporarily at another branch that will be closed in the next year 🙄
One of the big things the library administration is pushing for in the new branches is walk-in hold shelves, where anyone can just pull their holds off a shelf and check their materials out using their phone or the self-checkout station. I know this isn’t new for other library systems in our area, but it’s an idea that was phased out of the few branches that did it because of privacy reasons, so it’s odd that it’s making a comeback. In all the meetings regarding branch renovations, I have voiced my concern about how this invades privacy. I do NOT want patrons to see my full name or see what materials I check out. I have had patrons stalk and harass me in the past with lesser information. I can imagine patrons would feel the same, since the community is diverse and oftentimes split on a lot of issues.


Nina, something you could advocate for is changing the hold slip setting from the default of full names, or last name plus first initial, to the last four digits of the library card or some other identifier chosen by the patron. I know that most ILS are able to offer these different settings, but they just don’t get used. I wonder if your admin would be amenable to this idea, especially if you presented the case about privacy.


I enjoyed this week’s lecture and I thought threat modeling was a good way to address privacy needs in our library community. I was lucky enough to have a grad student work with me on student privacy issues on our campus a few years ago and we came up with the following list of scenarios that resonated with us:

  • Health/fitness apps
  • International border crossings
  • Safe(r) online dating
  • Online shopping
  • Organizing movements

I’ll expand upon these scenarios as we move about this crash course and hopefully come up with a way to address them in a teaching resource. We’ve already received support from our library administration to hold trainings on privacy surrounding these scenarios - which I think is a promising first step. The threat modeling framework would be great to include in these trainings - it’s just a good way to talk about privacy and helps others get involved with the topic.


These are great scenarios, and we’ll definitely be talking about a couple of them at length!

they whAT


This is lower-key than the others here, maybe, unless you’re twelve, but my library has a park next door, and we get a lot of children who come in alone or with a couple other kids. Sometimes that’s just because they want the heat or air conditioning; sometimes they come in here to avoid other kids or home and be someplace relatively calm where nobody is telling them to do stuff, and to feel like they have privacy. (I get that we’re generally talking here about the concrete implications of privacy/lack thereof, but gosh if I don’t feel for kids who just don’t want anybody to bother them! Same, kids!)

So in this case, the primary asset would be their location most of the time, though it could also be who they’re spending time with, what they’re reading, what else they’re doing here, and their affective sense of privacy/feeling that a place exists where they can do stuff without being watched by family or teachers; adversaries could be bullies, siblings, other kids they consider annoying (what a relief to be too old to use that word), or–less often in practice here, but potentially riskier–adults who consider what the kid is doing their business. The library can adhere to our policies about not saying where people are, make sure kids know what spaces are available, and let them know what the circumstances are where we’d share information about them if an opportunity arises to bring that up; that doesn’t guarantee that we’ll avoid being an adversary, but it does mean we won’t be a surprise adversary. The capabilities are really just, like, walking around the building in this case; part of the problem is absolutely that children often don’t have places where they can make decisions about their own privacy with more control. And the consequences are super variable–most of the time here, it’s ending up with a little cousin hanging off of them while they’re trying to play Roblox, but if word gets back to a parent who disapproves of how they’re spending their time, it could also involve punishment for that or loss of access to the library.

I’m appreciating the discussion below that brings in many different aspects of threat modeling in a social or work environment.

In the past, when I’ve heard this phrase brought up in privacy workshops at the Public Library, it seemed not to resonate with the folks in attendance. There could be a lot of reasons for the mismatch, but I think on the personal level, folks don’t want to imagine themselves as having adversaries. Just a note about when it might be useful (or not useful) to introduce this language in public programming… tho’ every context is different!

In Newark we have a program called “Citizen Virtual Patrol” that allows anyone to access dozens of police cameras around the city through their computers or phones. The program was pitched by the city as a way for residents and police to work together to monitor cameras and report crime. It was opposed by the ACLU but received little pushback from residents.

When thinking about threat modeling, these cameras are obviously harmful to vulnerable groups such as sex workers, people experiencing homelessness, undocumented immigrants, and victims of domestic violence who are often in hiding from their abusive partners. The cameras are more heavily placed in the low-income Black neighborhoods of Newark, and the upper middle class and whiter neighborhood of Forest Hill in Newark doesn’t have a single camera. Also, the assumption is that citizens will act in good faith when monitoring the cameras, but literally anyone can go to the citizen patrol website and access them, so they can easily be used by the far right or a vigilante-style group. The public library should allow people to come and go with as much anonymity as possible, but often the biggest surveillance threats are just outside our buildings.

Here is a link to the Citizen Patrol website and article from a local paper about the cameras:

One threat model that comes to mind for me as a Baltimore City resident is the license plate readers (LPRs) currently being used by the Baltimore City Police Department. These came out after the city faced backlash for the ever-present police helicopter, Foxtrot. These LPRs are in predominantly Black neighborhoods. Let me be clear: this is not about apprehending speeding drivers who think they’re in a Fast & Furious movie. This is about police surveillance. Check out the links below!

As for how this relates to libraries, I see this being a deterrent for people wanting to visit a public library. I used to work at Baltimore’s Enoch Pratt Free Library and know of branches in areas where these LPRs are. If a community member wants to visit the library, they shouldn’t have to worry about what information is being captured about them.

Baltimore & surveillance: Spy Plane Experiment is Over, But Growing Surveillance of Baltimore Continues

Locations of LPRs

I feel the “data driven” thing is akin to “centralized collection development” being pushed by the likes of John Huber. It boils down to convincing (usually library administrators, but sometimes librarians, too) that selection lists from vendors like Ingram or B&T and “collection development tools” like Edelweiss replace the need to read journal reviews in Booklist or Library Journal “because those are all bought and paid for by the publishing industry.” (Hello, irony.) MLS librarians invested a lot of time and money to learn to be professionals in this field; there is an art to it as well as a number-crunching side. Whatever is behind it, I see a creeping, insidious trend toward replacing decent paying middle class professional jobs with (more or less) automation - “just say yes to all the suggestions, they’re customized based on the data!” What could possibly go wrong with that?!

This is mind-blowing. Literally, the eyes of the world can be upon you in Newark. And people think it’s a good thing. The harms that could come from this seem endless.

I’ve had a big issue with the requirements we have at our library for library cards. Right now we require an ID card and a piece of mail to get a library card, and the person has to fill out an application that we keep on file. These applications are kept in binders dating back many, many years. We’re in an area where there could be many reasons someone may not have an ID - their ID could have been lost, stolen, or taken away; they may not have an ID or temporary ID because the person is undocumented and is unable to get one or uncomfortable using state services; etc. But more importantly, those applications are kept in our offices for YEARS for no reason with all their personal info on them! I can easily walk into that office and look up anyone I want.

I’m still rather new here and haven’t felt comfortable broaching this subject yet, but it makes us feel like we’re the adversary in this situation.