Week 5 Assignment - Example threat model, library instruction

I hope it’s okay to create these threads as we finish the assignments!

Since several readings were on domestic violence survivors, I tried to create an example threat model for a domestic violence survivor. I doubt I would work with this directly in the library, but I think it’s an important exercise to think about some of the more extreme challenges people might be facing as you’re considering how to help patrons. I’m also currently planning a social media privacy class, so I tried to think of how I might incorporate threat modeling into that class. I mocked up a few slides I might try.

yes!!! thread away!!!

Yeah, exactly, it can help prepare you for a possible situation where a patron shares some of those details. And it can also help you work through how to address it in a more general interest class, just in case someone with that threat model happens to be in the room.

This is great! Threat modeling is a good way to get a class started and help people personalize the issues.

I did a threat model for a library with an immigrant population. I’d like to expand this and use it as a way to teach libraries in my state (a state where the 100 mile border zone holds a great number of our population) about practical ways to help their patrons who may be afraid and seeking information about how to protect themselves and their families. Sometimes telling library administrators or staff that they need to prioritize patron privacy isn’t enough, they need examples that apply to people they see and interact with in libraries every day. This is a very real and impactful example of what could happen if we are flippant with patron information.

I linked a few resources at the bottom of my threat model that I thought could be particularly useful in a library setting.

1 Like

I am working on an assignment combining the work of week 3 and 5, focusing on low and average digital literacy attendees.
There is something that I am not sure how to advise about, I am getting the sense that I might be missing something: My practice has been to never link accounts, so never sign up to anything through another account. It is becoming something rather frequent that services tell you to sign up using Amazon, Google or Facebook. One of the readings for week 6 mentions:

For many people, their Spotify account, for instance, is tied to their Facebook login. Deleting Facebook means that people will either have to create different login access to tied accounts or simply not be able to use them at all if Facebook is the only means of authentication.

So my question is, especially with low digital literacy, is it better to advise people to create an email account that they use for these purposes or is it not worth the time since many have Gmail accounts so it is as if you were signing with your Google? Is it worth it instead of using your Facebook account so at least some of your digital presence is a bit siloed? Is it worth focusing on something like this or would it be a good example of ways of trying to keep your digital presence a bit under control?

This is great @AllyM. You should keep this threat model open when we have Franklin speak on Tuesday. I’ll be interested to see if hearing from an immigration lawyer helps you expand on any of these points!

Good question. It gets back to their threat model. Someone with a lower threat model and lower digital literacy skills might be okay with a single Google login, since Google provides pretty good security. But if that person had a higher threat model, like risk of doxing or something like that, I’d caution against it. All that said, even unlinked accounts can get linked through cookies and other trackers because of how normal browsers function. Using Tor Browser can prevent this linkage, but it tends to be a bit more advanced for most users. We’ll be talking about Tor in depth in NYC together. 🙂

Week 5 https://github.com/alisonLFP/libraryfreedominstitute/blob/master/assignments/week5/B.N.%20Jones%20LFI%20Week%205.pdf

ooooh @librarianbryan I love that you picked union organizers! It’s such an important threat model considering how most employees in the US are at-will and effectively have no free speech rights, and that’s no more obvious than when trying to start a union. Actually, now that I think about it, a good friend of mine who is involved with the Radical Librarians in the UK did some digital security work with his union. I’m going to ask him if he can share some of his experiences about that.

Ditto, thank you for this, @librarianbryan! Will be sharing this with folks in our brand-new union (just certified last month!!!).

1 Like

I’ve realized that I make mini-zines when I’m struggling to break something down into manageable parts. This one is pretty silly, but: https://github.com/alisonLFP/libraryfreedominstitute/blob/master/assignments/week5/McElroy%20Week%205.pdf. So far I’ve just had a big stack in my work space, and they’ve made good conversations with colleagues – I’ll keep some in my bag and see how far I can share them.

I also am going to be meeting with some other folks working with undocumented students over the next couple of weeks to do some more real threat modeling.

2 Likes

I did mine in two parts: the threat model, and then a worksheet that could be used as part of an instructional session.

Pt. 1: The threat model “subject” was sparked by our branch’s monthly LGBTQ+ meetup - at the most recent one, two siblings attended who had recently been kicked out of their home.

Pt. 2: The worksheet wouldn’t be presented alone - there would be slides/discussion about threat modeling in the context of the session (for instance, specific to digital security), discussion of examples, and resources for people who wanted to learn more. But I wanted the worksheet to be a little more general so that it could be used in multiple contexts.

@kellymce I love this!! I really like the idea of using something tangible (and delicious) as an example, and an easy-to-grasp threat. This is such a great way to introduce people to the subject without it feeling too tech-y (and correspondingly, for many people, overwhelming).

1 Like

I have been waffling a lot on this assignment. I am often torn about what feels like a good example in front of students. Sometimes I get the sense that they are much too fatigued by their lived, stressful experiences, and so I try not to dive right into something too close to home.

I have tried to create this example threat model around a scenario I see a lot. Students come into the library to use our computers after the Financial Aid office tells them they need to complete the FAFSA process. Some have little idea of what they are doing, and while walking around helping other students, I’ve caught a few entering sensitive personal information in fake FAFSA sites 🙁

1 Like

Kelly! Banana bread! It’s fun and cute and gets the point across without scaring people! You are so talented!

1 Like

Yeah I get that, but I think your example is a good and easy to digest one. Focusing on something narrow and impactful like private data on a FAFSA site is not only something that can help them with that specific scenario, but will likely give them the sense of what they should be on the lookout for on all websites. Even if the students are too harried to have a sit down discussion with you about it, you could make some kind of visual aid for the computer lab with the tips that you included on your threat model. Even just keeping an eye out for “https” and “.gov” could be communicated simply in this way. Maybe that poster/visual aid is something to do for an LFI assignment some week (building on past assignments is good!).

1 Like

@mtkinney Also, this is an oblique way to help students take more control of their financial aid experience – I have been in dozens of meetings where student affairs folks lament that students often just sign financial aid forms without reading them. It seems like a privacy approach, helping students identify what they want to protect, also could be a way to remind them of their agency. Maybe that’s overly optimistic, but it does seem like a piece of financial literacy.

2 Likes

Ah! Good. It feels a little invasive when I see they’re doing the sensitive stuff on the yucky sites, and then interrupting them to admit what I saw and that I want to help them… Signage is a better way to go. Good idea!

Thanks! I added that zine to our shared counter in Adult Services (where we put our galleys and publisher’s weeklies and misc. stuff)!

2 Likes