Week 3 discussion (including more resources!)

As promised, here are some more resources to round out what Rosalie talked about this week. We’ll also have another week 3 lecture on basic privacy this Tuesday June 26 at 8:30 PT/11:30 ET.

FULL DISK ENCRYPTION:

FileVault (macOS): https://support.apple.com/en-us/HT204837

BitLocker (Windows): http://windows.microsoft.com/en-US/windows-vista/BitLocker-Drive-Encryption-Overview

LUKS (GNU/Linux): https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md

VeraCrypt (for any desktop OS): https://veracrypt.codeplex.com/

Android full disk encryption: https://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/

iOS: disk encryption is on by default, just create a password on the phone

PASSWORDS

These links are in our readings for the week:
https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/ and https://www.eff.org/dice

We’ll talk more about password managers on the Tuesday call.

PUBLIC KEY EXCHANGE

This is a highly technical concept that I don’t usually cover in privacy classes, but here’s more info to supplement what Rosalie talked about: https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work

HTTPS

This is an essential resource that EFF made for librarians a couple of years ago (LFP requested!!): https://www.eff.org/deeplinks/2015/05/what-every-librarian-needs-know-about-https

For this week’s discussion, let’s focus on talking about making master passphrases with the Diceware/EFF method above, and our impressions of the EFF Security Education Companion (sec.eff.org) plus any questions that came up for you during the discussion yesterday.

In Tuesday’s lecture we’ll talk about: browsers, backups, password managers, malware and phishing, software updates, probably a couple more things.

● How would you begin to bring these tools into the library?
I stole the outline from LFP’s Online Privacy Basics class and went to town. First, I brought in others to teach the classes, and then I started doing it myself with other like-minded librarians.

● What about teaching to low literacy (digital or otherwise) patrons?
I have always tried to emphasize I am just a regular book nerd librarian and not a coder / hacker / sysadmin / security researcher. I tried to never shame anyone about not having technical knowledge. I tried to use regular language, and not technical language.

● What advice can you find in the Security Education Companion for teaching specific groups of patrons?

I found these passages insightful:

Perhaps you’ve identified a community you’d like to train. It’s best if you’re already a part of that community, and have some credibility with its members. These trainings should be a grassroots way to educate your neighbors and friends about the importance of digital rights, not a way to show up in communities you’re not part of or familiar with, and whose trust you have not yet earned.

It is not uncommon to hear people in the security industry say that if you don’t use a certain product or you don’t follow a certain best practice, then “you don’t deserve security.” You may believe that activists should not use Facebook, but if activists still use the platform because it is a highly effective way of reaching their audience, you should give them advice that allows them to be as safe on Facebook as possible.

Everyone has made digital privacy or security mistakes, including trainers. Stigmatizing or shaming people for confessing their mistakes during a training makes it less likely that other people will speak up about their own practices. Talking about your own digital security shortcomings is sometimes a good ice-breaker and helps make everyone feel more comfortable.

And I don’t remember if Rosalie said this, or if it was on the SEC site, but I have this note, “harm reduction is collective.” I took this to mean that bad digital hygiene (and elitist attitudes about it) are corrosive to everyone. If a bunch of people in your family, town, work have unsafe habits, that means that you have unsafe habits too.

1 Like

What about teaching to low literacy (digital or otherwise) patrons?

This question has been on my mind. I used to work for a small affiliate of Literacy Volunteers of America, and we actually used to keep some adult students’ email login info with the receptionist on notecards as the only way some could maintain access to their email account. At the library, the main problem that I run into is patrons who get locked out of their email or other accounts because they haven’t set up recovery methods, or they set up a phone or email for 2-step authentication, but who no longer have access to the method they set up. They are unable to answer the recovery questions and are baffled that I can’t do anything for them or that I can’t just call Yahoo. I’ve had patrons who don’t have to enter an email password at home since they asked their browser to remember it, and then are confused as to why they have to enter an email password on a public computer, let alone go through 2-step authentication. Today a woman tried to type her email address into the library’s catalog search box.

Recalling these experiences, I feel as though what we’re learning on face value isn’t really directed towards low (digital) literacy patrons, and I’ve been trying to envision what a successful model would look like for those folks. I can imagine that in the context of an ongoing learning community, with the librarian/library volunteer as the “more knowledgeable other” (to borrow from Vygotsky), low literacy/digital literacy patrons would incrementally increase context and knowledge while developing good practices. Our little computer lab at the Literacy Volunteers could sometimes function that way, as someone was generally on hand on a more or less drop-in basis to spend time with people. We have too many computers and not enough staffing for that at my library.

When I was in library school, I worked on digital literacy with a small group of low digital literacy women (around 6) in an ongoing, informal dialog-based format. I’m trying to imagine how to scale up that type of education for a larger library system, and it appears to me the only way would be with a LOT of remarkable volunteers that are drawn from a diverse array of communities! (Perhaps a train-the-trainers course for gatekeepers in different communities?) I have to tell myself it really just takes a great deal of time, ongoing interactions, relationships, trust building, etc. so it’s not something that’s going to happen right away this summer!

I’d be interested to hear about successful models from other people’s library systems!

1 Like

@alison Just submitted my week 3 assignment! Only I would submit week 3 before week 2. Was going to make a new thread for it, but then I thought that might be presumptuous! It wasn’t quite a flyer - more of a draft of an instructional handout I’d like to use for a class. Looking forward to getting ideas from other people’s instructional materials too. I’m going to steal all the best ideas.

1 Like

Patrons at our library also have the same struggles. Most of the people we help have limited technology skills and we’re often trying to retrieve passwords in the same way you mention, Sarah. One of the biggest issues we have, and I’m sure this is true in many other public libraries, is that folks don’t come to classes we offer because most of the trouble they have is happening in the moment and they need help right now, not next week when our class is scheduled. They’re frustrated and in a hurry and often in a panic because they’re trying to apply for a job or to pay a bill, etc. Something urgent that needs to happen right away. One way we’ve tried to address this is through one-on-one computer help through tutors who can spend more time with patrons and walk them through the steps. We also try to offer one-on-one sessions with our library staff as time allows. Patrons will often say, “I’m computer illiterate” or “I’m stupid when it comes to this stuff.” Sometimes I’ll tell them we’ll figure it out together. Something I love to witness is patrons helping each other on the computer. I’d love to develop patron to patron learning circles and really like your idea for train the trainer courses for gatekeepers in different communities.

1 Like

I really like the idea of patron to patron learning circles! And @Sarah_in_Oregon, I’d love to hear more about your digital literacy group. That sounds awesome.

I’ve also been thinking a lot about the best ways to bring these concepts to the patrons at my community college library. We have work study students from the computer science department scheduled during most of our high-volume daytime hours who provide tech help, so they’re often the ones who are helping students (and other patrons) navigate accounts, reset passwords, etc. I know they talk about security and strong passwords sometimes but I’m going to talk with them about doing that more systematically and also find out from them strategies they’ve found most effective.

The library, along with several other departments on campus, also offers this program called “Don’t Cancel that Class,” with a menu of workshops that professors can choose from instead of cancelling class on a given day. One of the workshops that the library is offering new in the fall for Don’t Cancel that Class is about using the Google education suite and our learning management system, and is aimed at developmental and intro classes. I think we could easily add some content and activities around passwords, phishing, and malware.

1 Like

@clobdell The digital literacy group was part of the “Latina Tech” program organized by my advisor Ivette Bayo Urban at the UW and we had a website mostly used by us: http://www.latinatech.org/ Some sort of rough Spanglish lesson plans are on the site. We meant to streamline the plans and make an online booklet and then…you know, I graduated and moved to Oregon, Ivette had a baby and was writing a dissertation. But the lessons were all based around what the participants wanted to learn anyway, so perhaps not so generaliz-able. I did try to adopt a lesson plan structure using Freire’s problem-posing technique where we started with a “code.” The most accessible and pragmatic resource I’ve found for using a Freirean approach in informal adult education is this article - which is focused on ESOL literacy but, you know, substitute the “digital” for “ESL” in your head!

3 Likes

I’ll bite:

Jessamyn West has a great basics class in both patron and librarian versions: http://www.librarian.net/talks/privacy17/

West often shares this article about how to treat people with respect when offering tech help:
http://polaris.gseis.ucla.edu/pagre/how-to-help.html

These are just the slides for the longest version that we give to other librarians. Depending on the venue we strip it down and don’t go into the more complicated stuff.
https://librarianbryan.github.io/privacyworkshopBRRL/#/

We give out a handout that corresponds to the slides. Again, this is the bloated version we give to librarians. This is a living document:

Especially if there are not a lot of people, we just jump around and spend as much time as people need or want on a particular topic. Small chunks are probably a good idea. I’ve been presenting with a teen librarian who wants to break the cell phone portion into its own program.

Before each topic, we give people this “privacy audit” before sessions. We strongly emphasize the “scores” don’t mean anything, and we just want to get people thinking and pregaming what we are going to cover.

Give out colored dice in tubes to demo diceware:


We demonstrate Lightbeam, HTTPS, NoScript, ad blockers, KeePass, FreeOTP, YubiKeys, Faraday pouches, and router password, “what your browser knows”, plaintext password horror shows. If people have their own devices they can do this hands-on. We don’t do a live demo of a password cracker but we show a clip from Mr. Robot where a character uses one and jokes about how easy it is.

We use the metaphor that Tor is a submarine and a normal browser with add-ons is a boat with patched holes.

Our experiences have been low turnout (2-12 patrons) but high enthusiasm/positive feedback. When we run it for staff / other librarians we get higher turnout, but people are usually forced to be there because of mandatory professional development.

Any feedback appreciated!

1 Like