How Important is Patron Privacy at Your Library?
I’ve never ever had a librarian tell me “we do not care about patron privacy or security at our library.”Â And come to think of it, I haven’t had them even say it’s not that big of a deal. Security breaches stink and they can be harmful as the news of Twitter’s secret information exposed shows.Â But they’re also embarrassing and ultimately very time consuming for those involved.Â What’s more, there are simple things that can be done to avoid them, keep things secure and keep patron (and librarian) information private.
In the past 2 weeks, I have seen or read about 3 serious instances of security/privacy issues that could have been avoided if people within organizations would have been a little more careful or at least aware that their actions were viewable by others:
1) A user id and password posted on a blog by a library. We notified them to let them know.
2) A user id and password tweeted from one twitter user to their client, unaware that their @reply could be seen by others.
3) Twitter getting hacked by someone guessing an employee’s password on a Google Apps account.
I had a quick talk with our CTO to find out what he would say are 5 helpful security tips for libraries, or any business for that matter, to consider.Â He gave me 6, the nice guy.
1. Whenever possible, don’t share user ID/logins between librarians.
Every time a login is shared, you’re creating more of an opportunity for a security breach.Â The same as trying to keep a secret: the more people you tell, the more chances of it not being a secret.Â The idea here is that if something happens, you can delete that user without disrupting everyone else.Â Sometimes you have to share log-ins.Â Understandable, so if you have to share, make sure the password is VERY unique but easy for everyone to remember.Â Consider changing it regularly.
2. Assume that blogs, wikis, websites, Twitter, Facebook, etc, are viewable by the public and that everyone can read them.
It’s actually not the case, many of them can be hidden behind passwords, but as long as people second guess what they’re posting and thinking it’s possible for someone to see, you are creating a more secure environment.
3. Use or create systems that don’t show or store private patron information.
This is the one we see the most, unfortunately.Â It’s done using hacks and work-arounds in the name of simplification, cost cutting, etc.Â One of the librarians who advises us said “many people are using hacks because they want to be able to offer services to patrons, but I’m seeing more people understand it is simply not worth the risk.”Â We believe if you can see a patron’s information, others can too.Â If you’re using Google products, you have to delete information 3 times: inbox, sent box and then the trash (information is stored in the trash folder).Â Sound a little paranoid?Â Ok, but understand this is a blog post about security tips.Â We care about security and hope you appreciate it.
4. Use Google Alerts for your library name to ensure that information posted about your library is what you want it to be.
These are easy to set up and easy to manage.Â You can set them for select words/terms (the name of your library for starters) and control when they’re sent to you.Â If someone is posting information about your library, you may not be able to get them to remove it, but at least you’ll know what it is.Â Besides the security element, they can be pretty fun and you’ll be able to see when people are tweeting about how much they love you.
5. HTTPS: The “S” is for “Secure”
This is something you might not be able to do on your own, you’ll have to speak with IT or ask any web services you’re using if they offer it.Â Simply stated, if you’re on a Wifi (most libraries are), or any sort of LAN network, and you login to a page without HTTPS, anyone in the network can sniff out your password.Â HTTPS is what banks and/or credit card companies use online.
BONUS TIP (thanks Jay!)
6. If you only have one strong password, make sure it’s your email password!
Password “reset links” all work via email.Â If someone can log into your email, they can get into anything.Â Make sure your email password is used ONLY for your email and that it’s hard to guess.
So there you have them.Â If anyone thinks of any more, please feel free to post them in the comments section.Â There are obviously various ways hackers can cause harm, recently some experts found that they can get private information from an iPhone security flaw through text messagaging.Â The difference is that some security issues are things hackers are going to find ways into.Â The others are choices people can make to be a little more secure.