LFI.3 Week four discussion

  • How are you already seeing privacy rights eroded by the pandemic?
  • How else do you think things are likely to change?
  • What can we do about it?

Let’s also work on:

  • A threat model for someone organizing a wildcat strike (that means a strike without a union backing them up) at an Amazon warehouse
  • A threat model for someone who wants to create a mutual aid network for undocumented people in their community

Don’t worry about not knowing parts of each of these. Let’s figure them out together.

**How are you already seeing privacy rights eroded by the pandemic?**

Something of principal concern right now are libraries starting to work with vendors that they don’t have previous experience with. Many library vendors are offering free services to new clients (or expanded services to existing clients) at no cost for the next few months, sometimes as far as this fall. While these services can be useful stopgaps in filling in the new holes in the education infrastructure, their quick implementation and acceptance by libraries that have little experience with these groups leaves the libraries vulnerable to poor privacy policies and with little bargaining power (after all, it can be hard to push back against something that financially costs nothing).

How else do you think things are likely to change?

When libraries reopen, many will have to jump immediately into workforce development to help communities that have been rattled by the economic slowdown/recession caused by COVID-19 and the containment measures. As such, various communities, even those not typically in need of these services, will find these in high demand. This will necessitate review of new resources to ensure privacy and to teach basic technology skills about searching for and applying for jobs in a digital environment and the privacy concerns that are built therein.

Despite this, the format of programming will probably change. Many people will be uncomfortable being in close proximity to strangers, necessitating a change in the approach to programming and formal education classes that are the backbone of much of a library’s education work. If libraries open at a time when social distancing is still encouraged, that will make education, particularly around privacy and sensitive matters requiring privacy, to be much more difficult in-person.

Further, many libraries will probably undergo budget cuts that will begin in July and will roll through various quarters of the next year depending on when budget years start in various communities. This will potentially cause a reduction in library staff that will force libraries to contend with either doing less or learning how to do the same (or accomplish similar goals) with fewer team members. Thus, ideas that are typically shoved to the background in the interest of making it through the day (privacy, intellectual freedom, large scale access concerns) may be scaled back in many communities.

What can we do about it?

Produce a guide to what is free out there, what companies are behind it, and their various privacy policies/things libraries should know.

Reevaluate how to teach classes in a world that is changed in the way it gathers and consumes information in group and one-on-one settings after the COVID-19 reopening. Provide best practices for how to engage effectively and safely in these practices going forward.

Search for technology solutions that can curtail issues of spacing and distance.


I am unsure how to begin with the threat modeling for these particular scenarios but will add on when others begin. I went ahead and copied the questions to consider from the EFF 1-pager so that they are here and ready to refer to.

What do you want to protect?
Who do you want to protect it from?
How likely is it that you will need to protect it?
How bad are the consequences if you fail?
How much trouble are you willing to go through in order to try to prevent those?

2 Likes

I think this is a great idea! I think it’s important to get these issues into purchasers’ minds NOW so that they can integrate that info with everything they know and are learning.

Here’s me just getting started. Please add and revise!

THREAT MODEL FOR SOMEONE CREATING A MUTUAL AID NETWORK FOR UNDOCUMENTED PEOPLE

  1. What do you want to protect?
  • Identities and contact information of undocumented people
  • Identities of some or most of the participating documented people
  • Communications among members of the network, locations of members of the network while they are communicating
  1. Who do you want to protect it from?
  • National police forces (ICE)
  • Local police (sheriffs, local police department)
  • Browsable social media
  • Other commercial entities (other than social media) who could sell data to police forces.
  1. How likely is it that you will need to protect it?

Quite likely! This may depend on how active ICE is in your local area, and how much your local police cooperates with ICE, but these things can be hard to know, and are subject to change.

  1. How bad are the consequences if you fail?

Incredibly serious.

  1. How much trouble are you willing to go through in order to try to prevent those?

I would think that a person organizing a mutual aid network for people who could be so impacted by having their identities revealed should be willing to go to significant trouble to protect them.

So…what does that mean they should do?
(I’m cribbing from the EFF security self-defense guide!)

  • Use end-to-end encryption for chats and calls. e.g. Signal, WhatsApp, Wire.
    (Question: How likely is it that police forces would subpoena FB to get WhatsApp network metadata?)
  • Limit information you put on social media. Hide your contacts from non-friends. If possible, use false addresses and phone numbers connected to your social media profiles.

What else? I’m having a hard time identifying pieces of advice that are particularly relevant to this scenario (besides the basics like don’t reuse passwords, do use two-factor authentication). How would these police agencies be most likely to track a network like this, besides cell phone sniffing and social media research?

2 Likes

[quote=“alison, post:1, topic:574”]

  • How are you already seeing privacy rights eroded by the pandemic?

The State Library in Iowa is doing a series of webinars to help librarians manage the new landscape and yesterday it was a Q&A with a law librarian -which was really interesting - but one of the questions that was asked from a librarian in a smaller library was something along these lines: If the library finds out that one of their patrons is a confirmed Covid-19 case can the library then post that information on their Facebook page - Uggghhhhhhhh… NOOOO!

I think this is going to be typical of small towns, though, of which Iowa is generally. Privacy in small towns is a different animal. I think one of our readings talked about how surveillance is really the city expression of understanding the community the way you might in a smaller town. Who knows what panicked reactions the public is going to have if someone is perceived as a ‘threat’? We all know that guns and ammo sales have spiked - are we willing to retaliate against those that have the virus? Anyways, the library, whether small or large needs to avoid that energy all together - I once heard Grover Norquist say that one of the principle ways that people started to think taxes were bad was by repeating that very sentiment over and over. I think libraries almost need to take on a meditative mantra that says ‘people are good, people are worthy’ and see if it catches on. I know that veers away from the core privacy issue but if we believe that people are valuable then so is their life, their privacy, and their ability to exist in a community autonomously.

I think government agencies thrive on paranoia, too - I was just talking with my neighbor about the Nixon tapes, which were sort of happening about the time I was born. Nixon says a lot of weird stuff on those tapes - why was he recording himself? Was the government’s view of surveillance that laissez faire? Was it normalized in the culture? Yes, it probably was - and I think it still is so there is probably some sort of stepped up effort to access search histories, subpoena hard drives, whatever digital rights can be eroded will be. I also think privacy in the health sector is going to be a thing. I have been reading info for a while talking about how much money there is to be made in the digital health field and how this was going to be the new tech boom - but I look around me and I see a lot of people that don’t want to be monitored by healthy workplace initiatives let alone enter their information into a national system during a pandemic. When really it’s chemical companies, Nestle, Frito-Lay, all of those companies that need to monitored. It’s community monitoring of ADM and Cargill that need to happen - and more research done into the long term effects of chemicals on the human system and actual emotional living bodies. Individuals are always going to be held accountable for the actions of the corporations in our system - and corporations are going to fight like all hell to keep it that way. Did I just rant? My apologies -

  • How else do you think things are likely to change?

Look, I’m going to take a really hopeful view on this - life is going to change. Students are going to get really good at remote learning, the software offered is going to become more high speed, more interactive. Kids are going to have to self navigate a daily schedule on their own more than they do now. Internet access is a right and everyone needs it. We need to think more collectively rather than individually. We need to reconsider what we think ‘success’ looks like in a society. Money has no real value and is a made up thing - so what does that mean as far as class? We are not people in conflict with each other, rather we mostly are in conflict with ourselves and how do we become accountable for that? Abi Hassen, in our lecture, talked about not silo-ing ourselves, reaching out to the collective to understand the current world better - to build the intellectual infrastructure that has tools to build analysis.

  • What can we do about it?

Like Norquist said about taxes - repeat! repeat! repeat! We need to always be talking about these things - equity, non-violence, collective good, sharing, art, beauty, ethics - values in action.

This is why libraries really won’t go anywhere, even through a pandemic. I really believe its cathartic for people to be together in a building that isn’t asking anything of them. There’s both a freedom of thought happening as well as a primal need to just be part of a group. We are endlessly curious about each other but in a retail environment we all feel in competition and FOMO -

Libraries are going to be really needed - and there will also need to be an expansion of more social programs as society rebuilds, we’ll be there as that ‘intellectual infrastructure’ -

I hadn’t heard about this! Can you give some examples?

And as you note, this will be while we are also facing our own budget cuts and staff cuts, while being asked to expand our services. Anyone who was in libraries during the recession remembers this. I think you’re right that privacy gets shoved aside in those times, but I also think we’ll be confronting people with new threat models (labor organizing, etc) that might make them more interested in privacy. It’s really so hard to tell at this point what will happen.

I have been thinking a lot about this. Will people even feel comfortable coming into a library at all?We have never dealt with this kind of collective trauma in living memory.

We’ll be addressing this during one of our weekend talks with Mallory Hanora, who is an expert in transformative popular education. I am looking forward to asking Mallory’s view on how we adapt popular ed in these times.

The privacy angle is going to be important here!

GREAT JOB ON THIS!!!

I think it’s likely. Signal protects metadata when subpoenaed. The only information revealed is that the user has Signal installed, and the last time they used it.

Absolutely. Lots of the advice for this threat model is gonna come down to abstaining from what gets posted.

Reading this and thinking about it, I realized another adversary for this threat model: organized right wing networks online. 8chan types are really good at combing through social media and public data for information that might reveal that someone is undocumented. Just another reason to limit social media exposure.

Some other ideas for what to do:

  • Whoever is running the mutual aid project should be trained in secure data practices. This has implications for how they’re storing the data (can it be hacked or subpoenaed?) and who has access to it (limiting the exposure by limiting the number of people who even get to see the list of addresses, etc). I’m hoping we can make this the focus of our talk with Micah Lee in a few weeks, because as a journalist at The Intercept and the technologist who helped connect Laura Poitras and Glenn Greenwald to Edward Snowden, this is something he knows a lot about.

  • Adding noise to social media. Fake information, when done well, can be an effective way of throwing adversaries off the trail. We can ask Micah about this some more.

  • Limiting apps that have location services turned on. This is another thing that’s related to what can get subpoenaed or not. Data minimization isn’t perfect but it definitely helps.

I mean, HIPAA still exists (I hope)! I think the library would be able to say that someone who is a patron has tested positive, but they should not post that person’s identity! And as you note, small town privacy is a different thing and that means that identifying who the anonymous person is might actually be relatively easy.

YES!!! Let’s incorporate this thinking into our final project work as much as possible. This is the way we survive.

Paranoid megalomaniacs do some weird stuff!!!

Also, the good news is that a lot of the smaller startups doing this kind of thing are just going to collapse in the next few months. They’re propped up by venture capital that will dissolve.

But you’re right to point out how creeped out people are by these technologies, and we definitely want to use that sentiment. I also have noted how many actual health care workers are against the use of surveillance technologies to combat the pandemic, and I think we need to be collecting those stories and elevating them.

Makes me think about how I was listening to this hideous Stanford conference yesterday on COVID-19 and AI, and they were like, “we’re going to use an algorithm to figure out who gets a ventilator” and it’s like, wow, watch the status quo get upheld in real time. Everyone just accepted the idea that we won’t be able to get or make more ventilators, so they’ve already moved on to thinking about how to build technology (and make money from it!) that decides who gets killed. I would guess that there are few nurses who support this kind of thinking. How can we work with them to protect and expand privacy?

I think it’s essential in our discourse about privacy to clarify that we want privacy for individuals and transparency for companies and powerful figures like politicians. It reminds me of how Mark Zuckerberg owns all the houses around his house because he values his own privacy so much.

One of the few comforting thoughts I have these days is that right now, more than at any other point in my lifetime, we really are all in this together.

What does it mean 10 million people in the US file for unemployment IN ONE WEEK?

I think that library workers are a group that could get really good at this.

+1

How are you already seeing privacy rights eroded by the pandemic?
I mean, our readings are entirely about these changes. Previously, we’ve talked about doxxing in other contexts, but I found it (horrifically) interesting that this type of Internet behavior is being redirected to those who may or may not be positive for COVID-19, such as the lawyer and his family mentioned at the end of the New York Times article who was outed by the MAYOR (for goodness’ sake!!). Despite the fact that the lawyer and his family immediately quarantined themselves, contacted their coworkers, and started working from home, that type of outing directed a ton of blame on them that is very similar to racialized attacks on Chinese, Chinese-American, or racialized Chinese individuals at the early onset on this pandemic. I’ve seen a ton of anger and hatred from people I personally follow regarding individuals they’ve seen leaving home (even to do necessary things like grocery shop). Many people don’t care about privacy issues right now, because they’ve already been radicalized to hate and yell at any and every person who isn’t staying in their home 24/7. I had a friend who went hiking with his dog and was so absolutely overwhelmed by hatred from strangers on the Internet that he had to post a response about daring to do an isolated activity far away from humans.

How else do you think things are likely to change?
I thought John was right on when he mentioned this in his own response:

But as a librarian who is working remotely, I’m noticing that this change in services is already happening. In the last two weeks, the State Library has seen a huge increase in questions about unemployment benefits, etc. The vast majority of our reference questions, which used to be about legislative history or different government agencies, now focus on guidance regarding unemployment and COVID-19-specific policies. I doubt that questions about unemployment will cease as this pandemic continues. I recently reached out to my manager regarding how to best provide this information to our patron base. I also just listened to a webinar hosted by Hootsuite (which the library was using before, but now I’m interested in specifically what they’re privacy policies are) that centered around how Governments are Managing COVID-19 using social media. The experts included on the panel all agreed that just because we CAN create a webpage or account dedicated to COVID-19 doesn’t mean we should, because there is nothing more annoying to users than to click onto a promising link or social media account and see old, out-of-date information. We as librarians are great at identifying good sources, but sometimes we also tend to hoard information because we know how important it all is. Making sure that we are pointing to the first responder resources, rather than trying to reinvent the wheel ourselves, is going to be vital in giving our patrons the best services possible.

What can we do about it?
As I mentioned in the last paragraph, our responsibility as librarians to point to the best information sources has increased tenfold in light of this pandemic. Especially when information is changing so rapidly, making sure that we act as guides, and not as information providers ourselves, is crucial. Further, we need to double down on the tools that we are using and whether they are secure and protect the privacy of our patrons, especially the new tools that make remote/teleworking easier and might be offered to us discounted or free from providers specifically in reaction to COVID-19.

Much of what I’ve got is hearsay because I don’t do direct vendor contact, but a few of my colleagues at other libraries mentioned that so many of their vendors were offering free things (either brand new services or add-ons to existing services) for no charge until August. I think that the TumbleBooks product were doing something along these lines. In the rush to provide resources in a trying time, the instinct is probably to say yes and then figure out the consequences after the fact.

Oh, I did a little research. LJ has an article about all the potential freebies.

1 Like

In particular, libraries working with Zoom. To some degree, I feel trapped by the lack of options that do right by our patrons’ right to privacy and security. This was true before the pandemic, but it’s worse now. We are relying on Zoom heavily to continue offering programs to our patrons. As a community librarian, I feel that it is absolutely essential that I do all I can to keep members of my community engaged and connected, and yes–entertained. So I’m using Zoom to provide virtual programs. What other option do I have? No programs? No community? Total isolation? Or a far more complicated platform that will exclude less-tech savvy users? It’s an extremely frustrating tradeoff.

One thing I think ought to be added to the self-defense guide is literacy/awareness. I think it is so essential to include technology/privacy literacy when organizing, right at the outset. In order to protect workers, everyone involved in the strike need to understand the threats, and where they are vulnerable so that they can actively avoid those traps. So, practically, this means that yes, we use Signal. But not Signal + Facebook. The workers will have to understand why it is so important to get totally off of Facebook, despite how tempting it is as a platform to vent and spread information.

Tacking this on the end here, but here’s a frightening outline of how Tech companies are using this crisis as an opportunity to delay privacy regulations, screw their workers, and exploit their users!

Building on the article Nancy shared, have you all seen Google’s COVID-19 Community Mobility Reports? They’ve had this kind of info all along, but now they’re sharing it because it’s more likely to be perceived as “good” rather than “creepy.”

How are you already seeing privacy rights eroded by the pandemic?
It has been interesting watching our instructors going online who have never had experience with online teaching. There’s a lot of anxiety, which has led some instructors toward greater surveillance as a way to feel a greater sense of control. One instructor wants to require students to ask a librarian for help, but is not satisfied with the student simply giving the name of the librarian who helped them. They actually want the chat transcript or email, which seems needlessly invasive. I also worry about the surveillance options in D2L (our learning management system) – will instructors start checking how often students visit the course shell and what they do and don’t look at? It’s very easy in D2L to spy on students and I think these novice online instructors who are feeling insecure are the most likely to do this.

I’m also seeing a lot of frustration from instructors that students don’t want to turn their webcams on during Zoom/Google Meet sessions because they feel like they’re lecturing to no one if they can’t see students’ faces. They don’t consider that these students may be embarrassed about their surroundings or just feel weird about having themselves and their home-life in view to the whole class. Some are talking about requiring students to turn their cams on. In addition to the privacy ick of it all, I found it odd that no one on the email thread ever considered that some students may not have a webcam. It’s just interesting to me that so many instructors seem to be valuing their ability to see the reactions of students over the students’ rights to privacy in their own home. I just made these arguments on a thread on our faculty listserv about this, for what it’s worth.

I’ve been hearing about the police stopping people in L.A. to ask them where they’re going and if the reason isn’t good enough, they ticket them. I heard about someone getting ticketed for bringing food to their boyfriend who was sick with the coronavirus because apparently that wasn’t a good enough reason. That police are playing the role of judge, jury, and executioner about why someone has left their home is really frightening and feels very Gestapo-esque. I think we’ll see a lot more power-grabs like that, which I’ll address in the next question.

How else do you think things are likely to change?

From a societal standpoint, I think we’re going to see a lot more power grabs by the police, mayors, governors, and the President. What Abi said about the shock doctrine is right on the money and I think what New York is seeing with the consolidation of power under Cuomo is going to happen in other states as well. During times of crisis, people are really easily swayed by the calm (usually white male) voice of reason and are often willing to give that person a lot of power because it makes them feel safer. We definitely need to watch out for this happening in our own states/communities.

What can we do about it?

With regard to the surveillance of students by their instructors, as someone who has a lot of experience with online learning, I’ve tried to be a resource to our teaching faculty and to speak up about things that feel invasive. I think the more secure I can help them to feel in teaching online, the less they will feel the need to surveil their students. In our communities, I think we need to speak up when we’re seeing authoritarian power grabs that erode privacy. Starting petitions or getting the media involved in reporting on these things can be really valuable. The more light that is shone on practices like this, the more likely it is that the government/company/institution will backpedal on the decisions. Look at how Zoom is now making fixing their privacy/security issues their top priority.

Threat model for a mutual aid network for undocumented people.

I think @Eliza’s threat model is awesome, but I would definitely add to it that we need to protect the identities of the undocumented from people who might try to infiltrate the mutual aid group just for the purposes of getting that information. We’ve seen so many examples of right-wing folks joining progressive groups so that they could make misleading negative videos or to get personal information to dox people. I don’t think it’s far-fetched to imagine that people would try to volunteer for a group helping the undocumented just to try to hand over their information to ICE. I’m not sure how to prevent this entirely, but I think it would be important to not share personal identities with people who have newly started to volunteer their time for an effort like this. There would have to be mechanisms for people to build trust in the organization, but also it might be safer for people to always use pseudonyms or at least not give their full names when communicating/collaborating.

Hi Eliza,

This is a great start. I don’t know if this is useful at all but it seems that there is some literature out there that we can build off in terms of understanding the privacy behavior of undocumented students. I think I might contact these authors and ask them for ideas re: threat model for undocumented students. Maybe we can send them some questions or try to have a Zoom meeting with them?

Keeping a Low Profile?: Technology, Risk and Privacy among Undocumented Immigrants
https://dl.acm.org/doi/abs/10.1145/3173574.3173688

I am trying to do this kind of work as well. I’ve done a lot of research on information behavior of immigrant students. Another good report is the Undocuscholars 2015 report (http://www.undocuscholars.org/2015-report)

1 Like

I think this is a great example (one that applies to outside of the library world too). We are all relying so much on Zoom, and there are many questionable issues as we have discussed. My Mother in law works in the education system, and we were just speaking to her today (over the phone!) that his is a issue they are grappling with. There is a level of guilt there too - because I know so many people are out there relying on this software who have no idea about the wider privacy issues.

I have seen this flying all around in social media lately. I live in Michigan, so it’s been shared with “Look how good Michigan is at staying indoors!”, but I have been unable to shake how uncomfortable it makes me feel. Thank you for validating my sanity.

This is the type of issue that has really stuck with me though, and was what really drew me in to learning more about being involved in LFI. I feel like it is easy for me to articulate the issues in the article Nancy linked to people in a way that they understand. However, when I speak with people about “Google is tracking where you are at all times” I am often met at best with shrugs and “Who cares?”.

Absolutely! It seems more and more vital to focus on resources for the near to medium term future, because all the “what to do right now” stuff is covered ad nauseum. You mentioned unemployment stuff as an obvious example of this. I hope we can address some of these info needs in our final project.

hooooooooooo boy I can imagine

I am dreading the future where we have to produce things like this to justify the budgets we will be fighting desperately for.

Yesterday I got stopped by the cops for allegedly doing a little public art project and they were completely not social distancing from me and my friend even when I politely asked them to back up. I feel like they’re both going to be the violent enforcers of these new norms AND refusing to comply with them themselves!!!

THIS TIMES 1000

Great point. I think the mitigation is highly controlled access of personal info and vetting of new people in the group. The thing is about the right wing infiltrators is that they seem to always leave hints of some kind (they can’t help themselves). So if you have a mutual aid project for vulnerable people and someone new wants to get involved, they probably need to be assigned a trusted member of the group to vet them and give them non-sensitive tasks to complete to prove themselves before they are gradually escalated into more sensitive work.

We’re gonna be getting deep into how to respond to this! Basically, it’s all connected.