Data Privacy & Digital Security

I recently participated in a Digital Privacy and Data Literacy professional training program that grew out of a collaboration between Brooklyn Public Library, the Metropolitan New York Library Council, New America’s Open Technology Institute, the Data & Society Research Institute, and Research Action Design. The program was funded by the Institute of Museum and Library Services (IMLS); the grant covered the development of the Data Privacy Project website in addition to the facilitation of the two-part workshop series.

Some of the goals and outcomes of the training program were examining the factors that impact patron privacy (including laws, policies, technology and behavior), learning how data moves through library networks and across the internet, generating important questions related to your library system's policies and practices, and feeling better equipped to support patrons in protecting their privacy online. Since most of the workshops were geared towards library professionals, there was a lot of discussion of privacy policy and practice in libraries, with particular regard to integrated library systems, subscription database services, discovery services, public computer use, and account management.

Part of the training program involved making abstract concepts more concrete, and we found that using physical analogies is quite useful for library staff and patrons. For example, you can suggest to patrons that they consider sensitive digital information the same way they would something like a paper bank statement. Just as they probably wouldn’t leave their paper bank statements on a table in a public area at the library, they shouldn’t leave an active terminal session open with the same kind of sensitive material. Physical analogies can also help make abstract concepts, like the flow of digital data, more concrete. An analog example like sending a postcard can parallel the way digital information (like an email) travels—in both the analog and digital examples, you can demonstrate how the communication between primary parties can be visible in whole or in part by any number of third parties involved in relaying the message. When you understand the way data is created and controlled as it moves between devices, networks, and the internet, you can determine when data is or isn’t private—and you can start to take concrete steps to keep your own data more private.

Much of the training was based around a risk assessment framework to help determine how to best manage personal data. When conducting an assessment, there are only five main questions you should ask yourself:

  1. What information do you want to keep private?
  2. Who might try to access that information without your consent? How likely is it that they will succeed?
  3. What are you already doing to keep it private?
  4. What are the consequences and impact on you if someone accessed the information?
  5. How much effort are you willing to put into making the information more secure?

The last two questions in particular are important steps, and it can be helpful to realize that while you might want to put a lot of effort into protecting some of your information, it’s also valid to decide that the security of other kinds of information matters less to you.

We also discussed actionable plans to improve individual data security, including creating strong-yet-memorable passwords (my personal favorite method is Diceware), setting up two-factor authentication, using VPN services, or installing and using Tor software.

Thinking about privacy and security can be overwhelming, and it can feel impossible to keep digital information truly private. To prevent security fatigue, it can be helpful to think in terms of harm reduction. Even though we can’t control everything we do online, following a set of best practices around digital privacy helps us reduce the possibility of harm if and when our information is not private.