Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
So a question - should we start proxying AddThis.com and ShareThis.com and their ilk whenever our proxy is being used, precisely to complicate the tracking? -Edward On 17/8/14 12:25 am, Eric Hellman wrote: So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do.
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
Proxying has no effect on canvas fingerprinting. On 8/18/14 4:47 AM, Edward Spodick wrote: So a question - should we start proxying AddThis.com and ShareThis.com and their ilk whenever our proxy is being used, precisely to complicate the tracking? -Edward On 17/8/14 12:25 am, Eric Hellman wrote: So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do. -- Gary McGath, Professional Software Developer http://www.garymcgath.com
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
You need to cut holes so you can see -- I should have mentioned that. Be sure to wear sunglasses to confound remote retinal scanners... On Sat, Aug 16, 2014 at 1:59 PM, Cary Gordon listu...@chillco.com wrote: I tried a paper bag, but it was very hard to find books. On Fri, Aug 15, 2014 at 4:34 PM, Kyle Banerjee kyle.baner...@gmail.com wrote: On Fri, Aug 15, 2014 at 3:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: ... Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress... And there are always the tried and tested technologies that have been around for ages. For example, if users wore paper bags over their heads, it would protect their anonymity and afford some privacy while they used resources in the library -- particularly when they need assistance. Anonymous checkout privileges secured with a bitcoin deposit could ensure accountability. As things stand, many if not most library staff know all kinds of things about their users. The paper bag solution (actually another material should be chosen to make it safer for smokers) is a major step towards rectifying this privacy and service issue. ;-) -- Cary Gordon The Cherry Hill Company http://chillco.com
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
Maybe you need a cloak of invisibility Sent from my Windows Phone From: Cary Gordonmailto:listu...@chillco.com Sent: 8/16/2014 5:00 PM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) I tried a paper bag, but it was very hard to find books. On Fri, Aug 15, 2014 at 4:34 PM, Kyle Banerjee kyle.baner...@gmail.com wrote: On Fri, Aug 15, 2014 at 3:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: ... Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress... And there are always the tried and tested technologies that have been around for ages. For example, if users wore paper bags over their heads, it would protect their anonymity and afford some privacy while they used resources in the library -- particularly when they need assistance. Anonymous checkout privileges secured with a bitcoin deposit could ensure accountability. As things stand, many if not most library staff know all kinds of things about their users. The paper bag solution (actually another material should be chosen to make it safer for smokers) is a major step towards rectifying this privacy and service issue. ;-) -- Cary Gordon The Cherry Hill Company http://chillco.com
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
I would like to note, roy4lib uses addthis... ;) Sent from my Windows Phone From: Kyle Banerjeemailto:kyle.baner...@gmail.com Sent: 8/17/2014 2:16 AM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) You need to cut holes so you can see -- I should have mentioned that. Be sure to wear sunglasses to confound remote retinal scanners... On Sat, Aug 16, 2014 at 1:59 PM, Cary Gordon listu...@chillco.com wrote: I tried a paper bag, but it was very hard to find books. On Fri, Aug 15, 2014 at 4:34 PM, Kyle Banerjee kyle.baner...@gmail.com wrote: On Fri, Aug 15, 2014 at 3:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: ... Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress... And there are always the tried and tested technologies that have been around for ages. For example, if users wore paper bags over their heads, it would protect their anonymity and afford some privacy while they used resources in the library -- particularly when they need assistance. Anonymous checkout privileges secured with a bitcoin deposit could ensure accountability. As things stand, many if not most library staff know all kinds of things about their users. The paper bag solution (actually another material should be chosen to make it safer for smokers) is a major step towards rectifying this privacy and service issue. ;-) -- Cary Gordon The Cherry Hill Company http://chillco.com
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
Conversation between 2 instructional staff at a library school: Staff 1, “Say, I went down to our departmental library, and had to use the little paper slip to take out a book, because it’s summer and after hours. You have to fill in the book title, book bar code, and your own name ID barcode. The fold the paper in half and stick it in a box. It’s got a little disclaimer on the bottom that the slip of paper will be destroyed as soon as the infor is entered into the system.” Staff 2, “That’s adorable.” On Aug 15, 2014, at 5:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. dsshap...@wisc.edu Debra Shapiro UW-Madison SLIS Helen C. White Hall, Rm. 4282 600 N. Park St. Madison WI 53706 608 262 9195 mobile 608 712 6368 FAX 608 263 4849
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
:-) Well, I don't know that I would use the word adorable, but it does warm my heart. I found, to my pleasure, that libraries were shredding the paper computer sign-up sheets every evening (or when they filled up). That was good. But then I found, to my displeasure, that they had a box on the table in the childrens' room where summer reading program kids wrote their name, school, and age, and that the box was not secured in any way from scrutiny by others. Gulp! So it's a mixed bag in most libraries. Plus, there's always a hoarder or two who will not get rid of obsolete records. One value of an audit is that timely record destruction becomes a *policy*. kc On 8/17/14, 11:54 AM, Debra Shapiro wrote: Conversation between 2 instructional staff at a library school: Staff 1, “Say, I went down to our departmental library, and had to use the little paper slip to take out a book, because it’s summer and after hours. You have to fill in the book title, book bar code, and your own name ID barcode. The fold the paper in half and stick it in a box. It’s got a little disclaimer on the bottom that the slip of paper will be destroyed as soon as the infor is entered into the system.” Staff 2, “That’s adorable.” On Aug 15, 2014, at 5:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. dsshap...@wisc.edu Debra Shapiro UW-Madison SLIS Helen C. White Hall, Rm. 4282 600 N. Park St. Madison WI 53706 608 262 9195 mobile 608 712 6368 FAX 608 263 4849 -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
On Aug 15, 2014 5:52 PM, Karen Coyle li...@kcoyle.net wrote: On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) You're right, using the public access machines inside a library would be relatively free from being able to track an individual, particularly if they are purely anonymous sessions (such as a dedicated catalogue kiosk). I think the primary concern rises from users accessing the catalogue from their own machine / browser, where services can easily and reliably correlate web usage behavior of an individual over time across many web properties.
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
On 8/16/14 8:38 AM, Dan Scott wrote: I think the primary concern rises from users accessing the catalogue from their own machine / browser, where services can easily and reliably correlate web usage behavior of an individual over time across many web properties. The annoyance of inappropriate (or overly appropriate) ads is one aspect of this concern; a potentially much bigger one is the privacy of amateur or professional investigative journalists. If someone looks at a lot of books and sites about terrorism, violent doctrines, and explosives, for the purpose of researching terrorists and terrorism, and if overzealous government agencies observe this pattern, they might flag the researcher as a potential terrorist suspect. -- Gary McGath, Professional Software Developer http://www.garymcgath.com
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do. 2. It really doesn't matter if you identify yourself to the catalog or not. You're being tracked across sites all over the internet. If you identify yourself to one of them, you can be identified. Note that the main concern here is if you use your own device to access the library's catalog. On Aug 15, 2014, at 5:52 PM, Karen Coyle li...@kcoyle.net wrote: On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) In addition, in many cases the machine wipes itself clean daily, replacing all potential user files. (Someone else can explain this MUCH better than I just did.) In my public library, I do not identify myself to the use the catalog on site -- not even to use journal article databases, because 1) authentication takes place in the library system 2) the proxy server's IP is my identity for those services. I have no idea what exits the library when I hook my laptop to the open network. Shouldn't all of these factors be taken into account? Can anyone articulate them from the point of view of a public library? Note: At the university here at Berkeley, no network use is allowed without an account, so there is no anonymous use, at least on the human side of any proxy server that they run. But at the public library there is no log-on. So what is AddThis getting in those two situations? kc -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
Another question for someone who utilizes these services: What analytics does this provide and are the social analytics worth losing your user's privacy? (I think not) Can't we make our own non dynamic share links Sent from my Windows Phone From: Eric Hellmanmailto:e...@hellman.net Sent: 8/16/2014 12:25 PM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do. 2. It really doesn't matter if you identify yourself to the catalog or not. You're being tracked across sites all over the internet. If you identify yourself to one of them, you can be identified. Note that the main concern here is if you use your own device to access the library's catalog. On Aug 15, 2014, at 5:52 PM, Karen Coyle li...@kcoyle.net wrote: On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) In addition, in many cases the machine wipes itself clean daily, replacing all potential user files. (Someone else can explain this MUCH better than I just did.) In my public library, I do not identify myself to the use the catalog on site -- not even to use journal article databases, because 1) authentication takes place in the library system 2) the proxy server's IP is my identity for those services. I have no idea what exits the library when I hook my laptop to the open network. Shouldn't all of these factors be taken into account? Can anyone articulate them from the point of view of a public library? Note: At the university here at Berkeley, no network use is allowed without an account, so there is no anonymous use, at least on the human side of any proxy server that they run. But at the public library there is no log-on. So what is AddThis getting in those two situations? kc -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
I think what we want is http://socialitejs.com/ On Aug 16, 2014, at 12:52 PM, Riley Childs rchi...@cucawarriors.com wrote: Another question for someone who utilizes these services: What analytics does this provide and are the social analytics worth losing your user's privacy? (I think not) Can't we make our own non dynamic share links Sent from my Windows Phone From: Eric Hellmanmailto:e...@hellman.net Sent: 8/16/2014 12:25 PM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do. 2. It really doesn't matter if you identify yourself to the catalog or not. You're being tracked across sites all over the internet. If you identify yourself to one of them, you can be identified. Note that the main concern here is if you use your own device to access the library's catalog. On Aug 15, 2014, at 5:52 PM, Karen Coyle li...@kcoyle.net wrote: On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) In addition, in many cases the machine wipes itself clean daily, replacing all potential user files. (Someone else can explain this MUCH better than I just did.) In my public library, I do not identify myself to the use the catalog on site -- not even to use journal article databases, because 1) authentication takes place in the library system 2) the proxy server's IP is my identity for those services. I have no idea what exits the library when I hook my laptop to the open network. Shouldn't all of these factors be taken into account? Can anyone articulate them from the point of view of a public library? Note: At the university here at Berkeley, no network use is allowed without an account, so there is no anonymous use, at least on the human side of any proxy server that they run. But at the public library there is no log-on. So what is AddThis getting in those two situations? kc -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
I think that pretty much sums up the situation ;) Sent from my Windows Phone From: Eric Hellmanmailto:e...@hellman.net Sent: 8/16/2014 1:06 PM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) I think what we want is http://socialitejs.com/ On Aug 16, 2014, at 12:52 PM, Riley Childs rchi...@cucawarriors.com wrote: Another question for someone who utilizes these services: What analytics does this provide and are the social analytics worth losing your user's privacy? (I think not) Can't we make our own non dynamic share links Sent from my Windows Phone From: Eric Hellmanmailto:e...@hellman.net Sent: 8/16/2014 12:25 PM To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) So, 2 points worth discussing here. 1. I'll bet you most proxy servers are not proxying AddThis.com or Sharethis.com. So there wouldn't be any effect of proxying on the user tracking they do. 2. It really doesn't matter if you identify yourself to the catalog or not. You're being tracked across sites all over the internet. If you identify yourself to one of them, you can be identified. Note that the main concern here is if you use your own device to access the library's catalog. On Aug 15, 2014, at 5:52 PM, Karen Coyle li...@kcoyle.net wrote: On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) In addition, in many cases the machine wipes itself clean daily, replacing all potential user files. (Someone else can explain this MUCH better than I just did.) In my public library, I do not identify myself to the use the catalog on site -- not even to use journal article databases, because 1) authentication takes place in the library system 2) the proxy server's IP is my identity for those services. I have no idea what exits the library when I hook my laptop to the open network. Shouldn't all of these factors be taken into account? Can anyone articulate them from the point of view of a public library? Note: At the university here at Berkeley, no network use is allowed without an account, so there is no anonymous use, at least on the human side of any proxy server that they run. But at the public library there is no log-on. So what is AddThis getting in those two situations? kc -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
I tried a paper bag, but it was very hard to find books. On Fri, Aug 15, 2014 at 4:34 PM, Kyle Banerjee kyle.baner...@gmail.com wrote: On Fri, Aug 15, 2014 at 3:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: ... Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress... And there are always the tried and tested technologies that have been around for ages. For example, if users wore paper bags over their heads, it would protect their anonymity and afford some privacy while they used resources in the library -- particularly when they need assistance. Anonymous checkout privileges secured with a bitcoin deposit could ensure accountability. As things stand, many if not most library staff know all kinds of things about their users. The paper bag solution (actually another material should be chosen to make it safer for smokers) is a major step towards rectifying this privacy and service issue. ;-) -- Cary Gordon The Cherry Hill Company http://chillco.com
[CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
On Aug 14, 2014, at 4:32 PM, William Denton w...@pobox.com wrote: At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I think a reasonable place to draw a line in the sand is use for advertising. If you look at the Google Analytics site, it doesn't appear that they can use Analytics tracking for advertising, because they don't make the carve-outs for children that I believe would be required if they did. So if you trust google, and assume they know everything anyway, you can let them track users. AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. A criminal prosecutor could subpoena either Google or AddThis/ShareThis to obtain tracking data for anyone in your library who had read books about Nazism or the Black Panthers or witchcraft, completely without involving the library. Do you think Google would easily comply with that sort of request? would AddThis? Would EBSCO? At Unglue.it, we use Google Analytics, but we have avoided Things like Facebook Like, and the third party shares because we didn't like the tradeoff. But maybe the horse has left the barn forever. Eric
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
I don't believe the horse has left the barn forever. As Bruce Schneier says, security is a process, not a product. And as we learn more about this space we can advocate in our own institutions for greater awareness and perhaps adjustments to the technologies we use to evaluate online activity. AddThis and ShareThis probably have limited value for the data they compromise. Google Analytics is probably a much better trade. EZproxy too... Jon On Fri, Aug 15, 2014 at 2:07 PM, Eric Hellman e...@hellman.net wrote: On Aug 14, 2014, at 4:32 PM, William Denton w...@pobox.com wrote: At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I think a reasonable place to draw a line in the sand is use for advertising. If you look at the Google Analytics site, it doesn't appear that they can use Analytics tracking for advertising, because they don't make the carve-outs for children that I believe would be required if they did. So if you trust google, and assume they know everything anyway, you can let them track users. AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. A criminal prosecutor could subpoena either Google or AddThis/ShareThis to obtain tracking data for anyone in your library who had read books about Nazism or the Black Panthers or witchcraft, completely without involving the library. Do you think Google would easily comply with that sort of request? would AddThis? Would EBSCO? At Unglue.it, we use Google Analytics, but we have avoided Things like Facebook Like, and the third party shares because we didn't like the tradeoff. But maybe the horse has left the barn forever. Eric
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
First, I have to get it out of the way: One of the biggest things to remember, the most secure system is the one that is not on and connected... Second (read the entire statement): This tracking data serves as a barter system for services, but I think the big issue is that there is no price tag on the website, it is like walking into a grocery store and seeing SALE! but with no price tag, then getting to the register paying and THEN looking at your receipt and realizing that book cost your soul. -- Riley Childs Senior IT Admin Charlotte United Christian Academy office: +1 (704) 537-0331 x101 mobile: +1 (704) 497-2086 web: rileychilds.net twitter: @RowdyChildren Checkout our new Online Library Catalog: catalog.cucawarriors.com From: Code for Libraries CODE4LIB@LISTSERV.ND.EDU on behalf of Jon Goodell jon.good...@gmail.com Sent: Friday, August 15, 2014 3:25 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) I don't believe the horse has left the barn forever. As Bruce Schneier says, security is a process, not a product. And as we learn more about this space we can advocate in our own institutions for greater awareness and perhaps adjustments to the technologies we use to evaluate online activity. AddThis and ShareThis probably have limited value for the data they compromise. Google Analytics is probably a much better trade. EZproxy too... Jon On Fri, Aug 15, 2014 at 2:07 PM, Eric Hellman e...@hellman.net wrote: On Aug 14, 2014, at 4:32 PM, William Denton w...@pobox.com wrote: At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I think a reasonable place to draw a line in the sand is use for advertising. If you look at the Google Analytics site, it doesn't appear that they can use Analytics tracking for advertising, because they don't make the carve-outs for children that I believe would be required if they did. So if you trust google, and assume they know everything anyway, you can let them track users. AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. A criminal prosecutor could subpoena either Google or AddThis/ShareThis to obtain tracking data for anyone in your library who had read books about Nazism or the Black Panthers or witchcraft, completely without involving the library. Do you think Google would easily comply with that sort of request? would AddThis? Would EBSCO? At Unglue.it, we use Google Analytics, but we have avoided Things like Facebook Like, and the third party shares because we didn't like the tradeoff. But maybe the horse has left the barn forever. Eric
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
On 8/15/14, 12:07 PM, Eric Hellman wrote: AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. Eric, I'm wondering about the full scenario that you are envisioning. Many libraries use proxy servers, so individual users are not identified. (Meaning that an 80-yr-old man may get the ad for the pregnancy test, not the teen.) In addition, in many cases the machine wipes itself clean daily, replacing all potential user files. (Someone else can explain this MUCH better than I just did.) In my public library, I do not identify myself to the use the catalog on site -- not even to use journal article databases, because 1) authentication takes place in the library system 2) the proxy server's IP is my identity for those services. I have no idea what exits the library when I hook my laptop to the open network. Shouldn't all of these factors be taken into account? Can anyone articulate them from the point of view of a public library? Note: At the university here at Berkeley, no network use is allowed without an account, so there is no anonymous use, at least on the human side of any proxy server that they run. But at the public library there is no log-on. So what is AddThis getting in those two situations? kc -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
The system not connected to the internet is more secure. But that border keeps getting crossed. Stuxnet made the oxygen barrier leap, as have other malware packages since, through a variety of exploit tactics, once they managed to get to a machine that shared a network with or, in some cases, was just in close physical proximity to another machine that wasn't connected to the internet. Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress. And I don't lose any sleep over using Google Analytics to do some relatively innocuous web tracking. In fact, I probably would lose sleep if I wasn't trying to track usage. Best regards, *Jason Bengtson, MLIS, MA* Head of Library Computing and Information Systems Assistant Professor, Graduate College Department of Health Sciences Library and Information Management University of Oklahoma Health Sciences Center 405-271-2285, opt. 5 405-271-3297 (fax) jason-bengt...@ouhsc.edu http://library.ouhsc.edu www.jasonbengtson.com NOTICE: This e-mail is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure. If the reader of this e-mail is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the original message at the listed email address. Thank You. j.bengtson...@gmail.com On Fri, Aug 15, 2014 at 4:24 PM, Riley Childs rchi...@cucawarriors.com wrote: First, I have to get it out of the way: One of the biggest things to remember, the most secure system is the one that is not on and connected... Second (read the entire statement): This tracking data serves as a barter system for services, but I think the big issue is that there is no price tag on the website, it is like walking into a grocery store and seeing SALE! but with no price tag, then getting to the register paying and THEN looking at your receipt and realizing that book cost your soul. -- Riley Childs Senior IT Admin Charlotte United Christian Academy office: +1 (704) 537-0331 x101 mobile: +1 (704) 497-2086 web: rileychilds.net twitter: @RowdyChildren Checkout our new Online Library Catalog: catalog.cucawarriors.com From: Code for Libraries CODE4LIB@LISTSERV.ND.EDU on behalf of Jon Goodell jon.good...@gmail.com Sent: Friday, August 15, 2014 3:25 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis) I don't believe the horse has left the barn forever. As Bruce Schneier says, security is a process, not a product. And as we learn more about this space we can advocate in our own institutions for greater awareness and perhaps adjustments to the technologies we use to evaluate online activity. AddThis and ShareThis probably have limited value for the data they compromise. Google Analytics is probably a much better trade. EZproxy too... Jon On Fri, Aug 15, 2014 at 2:07 PM, Eric Hellman e...@hellman.net wrote: On Aug 14, 2014, at 4:32 PM, William Denton w...@pobox.com wrote: At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I think a reasonable place to draw a line in the sand is use for advertising. If you look at the Google Analytics site, it doesn't appear that they can use Analytics tracking for advertising, because they don't make the carve-outs for children that I believe would be required if they did. So if you trust google, and assume they know everything anyway, you can let them track users. AddThis and ShareThis, on the other hand have TOS that let them use tracking for advertising, and that's what their business is. So, hypothetically, a teen could look at library catalog records for books about childbirth, and as a result, later be shown ads for pregnancy tests, and that would be something the library has permitted. A criminal prosecutor could subpoena either Google or AddThis/ShareThis to obtain tracking data for anyone in your library who had read books about Nazism or the Black Panthers or witchcraft, completely without
Re: [CODE4LIB] Library Privacy, RIP (Was: Canvas Fingerprinting by AddThis)
On Fri, Aug 15, 2014 at 3:02 PM, Jason Bengtson j.bengtson...@gmail.com wrote: ... Generally speaking, I think surveillance is wretched stuff. But there is a point at which the hand wringing becomes a bit much. I agree with Jon in that, while things are at a critical point, the technologies of security and anonymity will inevitable improve. In fact, the cruddy state of things has been adding momentum to that progress... And there are always the tried and tested technologies that have been around for ages. For example, if users wore paper bags over their heads, it would protect their anonymity and afford some privacy while they used resources in the library -- particularly when they need assistance. Anonymous checkout privileges secured with a bitcoin deposit could ensure accountability. As things stand, many if not most library staff know all kinds of things about their users. The paper bag solution (actually another material should be chosen to make it safer for smokers) is a major step towards rectifying this privacy and service issue. ;-)