CC.4: Threat modeling

  • What threat models do you know exist in your community?
  • Which ones resonate with you the most?
  • How could you use threat modeling to make arguments in favor of privacy in your library?
  • In what ways is the library an adversary or a potential adversary?

Like I’m sure many other folks, I really resonated with the threat model associated with reproductive justice in red states. Indiana is experiencing a near total abortion ban (which has thankfully been placed on hold by our Supreme Court for a little bit). I know that Oklahoma specifically has begun to target libraries as sources of reproductive health information, which (briefly) resulted in the Metropolitan Library System instructing librarians to not say the word abortion. I’m worried that a similar escalation may happen here, but we were able to hold off similar attacks regarding providing LGBTQ-related information to youth earlier this year by jointly mobilizing teachers and librarians, so I’m hopeful.

There are, of course, a lot of other threat models Indianapolis is facing. Like I mentioned in my intro post, there’s been a push to force mutual aid organizations to register with the City-County Council under the guise of keeping areas ‘clean’ and free from fighting. The assets here are of course the identities, contact information, and locations of several prominent organizers and Leftists in Indianapolis and the adversaries are the full force of the IMPD and Indianapolis government. Other threat models are a little less unique to the Indianapolis area, like closeted teens information seeking, community elders attempting to protect their private information, and folks engaging in criminalized behaviors.

I think threat modeling can definitely be a useful tool in library settings to help explicitly tie intellectual freedom to privacy. A lot of library administrations get this at a basic level (not keeping records of what folks have checked out), but tend to tap out when more complex threats arise. A lot of the surveillance footage examples we talked about during our live discussion come to mind; libraries implemented surveillance technology without a lot of forethought, but a few libraries decided to forgo the technology once they considered its impact on intellectual freedom. Like a lot of other institutions, libraries tend to respond to violent incidents by increasing securitization and security, but having a tool like threat modeling that points out who and what is at risk with increased security measures might help stem their growth.

However, like we discussed, libraries are often adversaries, especially when it comes to policing behavior of patrons. Like (unfortunately) many public spaces, library patrons are often surveilled and policed for a wide variety of behaviors, many of which are benign (like sleeping). We also often like to collect a lot of data on our patrons, a lot of which is not stored properly or collected for a specific purpose. For example, a previous library I worked at had an ILS system that asked us to put in patron gender. We never used that field, specifically because we were worried about forcing patrons into binary gender categories and because we did not need or use that data in any way. However, I imagine there are other libraries using that field without much thought.

One of the threat models that I regularly interact with in my community is my neighborhood community Facebook Group. For the most part, the Facebook Group is pretty low key and sticks to events that are upcoming, lost pets, items for sale or free, or advice/recommendations for household issues. However, every once in a while, there can be a post that seeks to violate another person’s privacy rights in the process of seeking information about a crime or incident that they witnessed or heard about. One thing that has become more commonplace is that other residents are more vocal in raising the awareness of privacy violations or potential violations.

Using threat modeling in my local library would help to educate patrons on ways to guard their privacy while in public. I don’t think many patrons really pay attention to the many ways that their privacy can be accessed or violated while they’re going about their business in the library. Library staff can also be unaware of the privacy information that patrons are unknowingly sharing. The library’s privacy policy should be well documented and placed in public spaces for patrons and staff to be aware of, for everyone’s benefit.

A lack of privacy policies or guidelines is one major way that demonstrates how libraries can act as adversaries to the public. Not keeping staff up to date on privacy policies, even if they exist, or allowing staff to regularly disregard privacy policies is another way that the library can act as an adversary.

For threat models existing in my community - I really connected with Facebook groups (and other social media) as a threat model. People share information publicly about other people on social media regularly, whether it’s images from Ring cameras or photos of someone they think is cool/cute, and I think it’s a serious issue. I’m also concerned about repro issues. I live in NY, which doesn’t have as restrictive laws as other states do, but there are still folks who want to make that happen and it concerns me, as I live in a red area of the state. These groups have also targeted NY libraries for book challenges and first amendment audits (which tie into social media as well, since those videos often get posted publicly to YouTube). These two issues probably resonate with me the most, and they encompass a number of people and networks.

I think threat modeling has a place in libraries. It can be used to educate both staff and patrons about the kinds of info they’re keeping (the former) and the kinds of info they’re sharing (both former and latter). Showing patrons that libraries care about their privacy is also a great way to model that behavior for patrons who might be newer to the concept and/or just getting comfortable with technology. Providing threat models and guidelines for privacy would be great tools to implement in internet and computer basics and safety classes as well and would apply to other areas of their life (such as keeping an eye out for scams).

Unfortunately, libraries aren’t always transparent about the information they keep. I have been frequently asked if I could print out a copy of their past check outs so to me, that indicates patrons don’t understand how their privacy is being protected at the library or why it should be.

I’m a week late to this but I’ve been brewing over threat modeling in academic settings. I thought I understood the threats to my DEI work and those of my students (external forces, legislation, etc). I had shaped this idea that it would come from the bad actors that are expected. However, the more I really threat model it, the biggest adversaries I hit up against time and time again are the strict but unspoken politics and hierarchies of academia and all the people within this system who enforce and uphold those hierarchies - many of which might be the Diversity Office or other high ranking DEI group that’s disguised as an asset.

I know we will touch on this in the coming weeks, but because I am also taking a course simultaneously on Privacy and Learning Analytics, student data privacy and ethics surrounding the use of learning analytics is forefront in my mind right now. As we continue to utilize virtual platforms that were implemented in a time of emergency response, so that privacy may not have been a consideration at first, we need to re-evaluate how these services can impact the personal data of our students.

Beyond virtual learning platforms, students are engaging with their schools in unique ways, from learning analytics programs to social media and the use of other applications in various departments all over campus, and there very often is no education or even transparency in the data collection procedures that are happening to them. Considering the ongoing threat of a data breach, coupled with the increasing online presence of libraries and learning environments, when privacy is not embedded in the first steps of data collection, we are placing our students’ information at risk of being stolen.

I would also say our institutions are built on trust and as others mentioned, libraries are where people go when they need help with incredibly sensitive materials and topics because we have created a system of privacy and goodwill amongst the general public (students included). Dismantling that trust by engaging in anti-privacy activities or not advocating for better privacy policies/procedures and education, could threaten our very existence.

Having examples like these on hand is so valuable for getting people organized into understanding the threats too – what’s happening here, what’s happening elsewhere, and how have we been fighting back!

Yikes. Bad default settings are actively dangerous! Which ILS was this?

Great example. Sharing private and sensitive info in these kinds of groups has become so normalized, especially under the guise of “fighting crime”. I’m glad to hear that neighbors are starting to really push back against this.

These issues are all connected, as you rightly point out. It’s the same sets of reactionary people. And also, even if your state isn’t likely to change its abortion laws, the people who provide abortions and abortion-related information can still be targeted.

This is a really smart use of threat modeling, Donna, and I think you’ve totally nailed it. When we started our anti-doxxing/anti-harassment work in LFP, we talked to dozens of people who had been targeted for their work in academia. And over and over again we heard about how university policy (official and unofficial) was in many ways the hardest part of the whole experience – targeted folks found that these policies created a toxic environment for them during a really vulnerable moment, and there was a lot of denial and gaslighting and blame against the targeted person. Many of them left academia because of this. So many DEI initiatives in academic institutions are pushing for more public scholarship from BIPOC scholars, but they are not prepared for the resulting backlash and because of this, they’re doing a lot of harm.

It’s ubiquitous and it’s almost never addressed directly with students, or even faculty or staff!

It’s so true. And we are constantly banking on that assumed trust. I think this is an important angle to take when trying to convince administrators and other decisionmakers about the importance of privacy. That data collection is a breach of trust, and once lost, that trust isn’t coming back.

I’m a little late to this discussion, but I’ve been inspired to post by my experience this week.

I, most unpleasantly, have been in the clutches of jury duty for the entire week. On Tuesday I spent a good part of the day in the courtroom with all my fellow potential jurors, court staff, the defendant, and trial observers, while the judge questioned each of us publicly for hours. I, personally, had to answer a whole string of questions about my feelings and experiences with police and law enforcement, and others were asked about experiences with crime, assault, police protest, as well as detailed information about family members, jobs, place of residence, etc. I had never considered that space as one where personal information was so publicly shared, particularly when the judge would say each of our last names out loud each time we were called on. All the vulnerable information we were sharing had me thinking about threat modeling, especially within large institutions. In fact, this morning I had someone come up to me and say “Oh you’re the cop hater” just from my responses to questions the day before. There is very little action taken on behalf of the court system to remedy this dynamic, save allowing people to answer the questions in a separate room, but you still have to make that request publicly! If, for example, I didn’t want to publicly answer a question about a history of assault, I would have to share the desire to answer privately with everyone. Woof.

Anyway, I’m all worked up from this jury duty gig, and it has me feeling even more protective of assessing the risk and vulnerabilities of our information at the hand of large and powerful institutions.

I live in the blue part of Kansas, and with regards to threat modeling, I have been thinking a lot about two things. The first is the data we as youth services librarians keep with regards to misbehaving students, and the second is reproductive rights.

Our library has inappropriately placed security cameras (pointed right at teen zone computers) that are unlabeled. We do purge images on a biweekly basis (I believe is what I remember), but I really hate that the cameras themselves are unlabeled. We also keep a database of teens who have been banned from the library, as well as a log of incident reports. I do my best to make sure these are cleared out every 6 months or so, but I worry about the backlog of information on ‘misbehavior’ we possess. Specifically I worry about our records being requested or subpoenaed and used to create a ‘profile’ in order to prosecute one of our teens. None of the behavior is generally truly malicious, but I could see someone using a document of recorded misbehavior in public forums in a case towards incarcerating a young person.

Somewhat along the same lines, I did some digging and I learned that we do not delete computer history every night. We do that monthly. By utilizing security cam footage and harvesting data from our public computers, someone accessing information about an out of state abortion could be very easily pinpointed. With the cams and internet history, they could be prosecuted even if they used an anonymous guest pass. This was of great concern to me when Kansas was attempting to make it a level 1 felony to access an abortion, even out of state, and is still something that I have been bringing up to supervisors.

I also have concerns about the way that our data is stored and what data we keep on a general patron level. We still retain patron book records, against ALA guidelines. All in all, while I know that our library would fight attempts to obtain patron records, I think the mere existence of them should be rectified.

Wow, Ari, this is a threat model that I had not thought about until I read your post!

Thinking about the implications for this in a small town where everyone knows each other, where someone’s answers could be spread around easily.

Wow, I would love to know where these cameras came from, and why they are pointed right at the computers.

This is unfortunately a fairly common problem in library teen spaces, especially in libraries in urban areas that serve more vulnerable teens, and where the teens are seen as more of a behavioral problem.

It’s good that the library would fight it, but having the information in the first place makes that a very uphill fight, and one that the library might not win.

Just got the invitation to this and I’m not sure if I will be able to handle listening to a TV personality, someone who works for AncestryDNA, and a cop (along with some unnamed legislators) talk about how we should regulate DNA data use in forensics. Where the hell is the data privacy expert on this panel about data legislation? Also if anyone has questions they want me to ask during this event, let me know - I will happily interrupt the chat with them.

Now this looks terrifying!