Risk Assessment

Let’s learn about basic questions we can ask to figure out patrons’ privacy needs.

Risks vary from person to person. For example, a Visa card data breach impacts anyone who uses these cards, but a person who does not have a credit card will not need to worry about this. Patrons who use social media need to consider their privacy settings on those sites, as well as the terms of service of those companies. Journalists may need to protect who they contact, in addition to the content of their conversations. Depending on your risk, you’ll need different privacy “armor” that’s appropriate for your particular situation.

To help figure out patrons’ risks and needs, we recommend asking the following questions:

The patron population is diverse and faces different kinds of threats depending on who they are. What level of digital literacy do they possess? Are they a library terminal user or do they use their own computer device on the library’s wireless network? Who are they as an individual and how do they communicate and share information online?
Patrons might be concerned about some things over others—for example, their financial transactions, but not their book borrowing history.
Not everyone feels their data is threatened by the same perpetrator. Some patrons might worry about a parent finding out about certain kinds of information, while others might be concerned about a snooping employer or marketing companies. Whether that person or entity is likely to be successful at accessing that information is another important consideration. Patrons might be concerned about their employer, but the likelihood that the company is actually surveilling its employees could be very low.
Some patrons might already be taking steps to protect their privacy. Knowing this is an important step along the way to making recommendations for what more they can do to protect the information they care about from risky people or entities. In general, we want to make recommendations that are most appropriate and considerate of patrons’ needs.
When assessing risk, everyone should be ready to identify and evaluate the relative impact of someone accessing your information without your consent. For example, you might be a victim of identity theft after someone steals your email passwords and other essential account information. That’s highly impactful to your economic and emotional well-being. You might spend years rebuilding your credit or your personal reputation. By comparison, the consequences of someone finding out your PIN for your library card may be less damaging. The differences in these situations have implications for what you should do to protect yourself, such as using a password manager and a VPN versus using a more complex password for your library PIN. In short, context matters.

Examples

Let’s do some risk assessments based on four different kinds of patrons. First, meet our patrons:

Luca, a single parent with limited digital literacy skills and limited English skills, relies on the library for access to computers and the Internet.

Jo, an artist who regularly comes to the library to do research about strange and sensitive subject matter on both library computers and her own laptop.

Sara is leaving a difficult family situation and uses the library computers and wifi to access social media, look for housing, and read the news.

Xav, an outspoken, politically minded twenty-something, uses the library computers to search for jobs.

Patron 1: Luca

Luca, a single parent with limited digital literacy skills and limited English skills, relies on the library for access to computers and the Internet. Today, she’s using the library to renew her unemployment insurance and food stamps, both of which ask her to provide sensitive information.

Cyberthieves could intercept her information and steal her identity, and siphon benefits away from her.

Getting her identity back and correcting her records would cost thousands of dollars and many, many hours.

Because Luca is not very familiar with internet technology, she’s doing little to protect herself.

Make sure she’s visiting official unemployment insurance and food stamp websites—as opposed to fake ones—and that these sites are encrypted.

She could also take steps to erase her browser history in order to ensure that no cyberthief could access her data by those means.

Learning how to create strong passwords is essential to her safety.

Finally, we recommend she makes sure to log off of the library computer terminals to ensure no one can access her accounts.

Info to be protected
  • Personal information (e.g. Name, DOB, SSN)
  • Children’s personal information
  • Financial information
  • Location Information
Who is likely to access info against patron’s will?
  • Cyberthieves
What patron is doing/should do to keep their info private?
  • Browse via HTTPS
  • Clear browser history and cookies
  • Log off library terminal
  • Create strong passwords

Patron 2: Jo

Jo, an artist who regularly comes to the library to do research about strange and sensitive subject matter on both library computers and her own laptop, is currently researching new forms of biowarfare for an upcoming art project. Jo is combing the library catalog for books and electronic resources available through the library, as well as conducting general web research to find out more information on these topics.

Because Jo’s project deals with topics that have been associated with terrorist activity, the most likely entities interested in accessing their library searches and Web search history are law enforcement and national security agents wishing to protect citizens from terrorists.

The likelihood of government officials gaining access is not very high, because Jo is already protecting themself by using Tor, a service that allows users to anonymize HTTP requests.

We also recommend that Jo avoid logging into any websites when conducting research to avoid any companies.

Info to be protected
  • Personal information (e.g. Name, DOB, SSN)
  • Library usage
  • Web search history
  • Location Information
Who is likely to access info against patron’s will?
  • Government
  • Law enforcement
  • Corporations
What patron is doing/should do to keep their info private?
  • Browse via HTTPS
  • Clear browser history and cookies
  • Install anti-tracking plug-ins on my browser
  • Install anti-malware software
  • Log off library terminal
  • Use Tor
  • Don’t log in to my accounts
  • Use an account not in my real name
  • Create strong passwords
  • Visit legitimate sites/avoid fake sites
  • Use a VPN

Patron 3: Sara

Sara is leaving a difficult family situation and uses the library computers and wifi to access social media, look for housing, and read the news.

Because things got really bad at home, she is worried that a particular family member will try to track her down and intimidate, bully, or physically harm her. The likelihood of this happening is high: for the past year, the family has depended on a family plan with their mobile phone provider. During that time, the whole family enabled phone tracking features. In addition, her family regularly shared passwords, making it possible for different members to post to social media accounts in the account holder’s name.

The best recommendation for Sara is to immediately change any account passwords that were formerly shared and set up two-factor authentication on sensitive accounts, such as social media accounts, in order to keep her personal communications to herself.

She is also advised to open a new cell phone account not connected to her family, since call logs and messages are typically available to the account holder.

She should also change location settings so that any device that takes pictures does not store and share location information, such as in posted photos, and could consider making her social media pages private.

As an additional precaution, she could consider using a device lock, to prevent anyone from tampering with her phone.

Info to be protected
  • Location Information
  • Email messages
  • Social media activity
Who is likely to access info against patron’s will?
  • Partner or family member
What patron is doing/should do to keep their info private?
  • Install anti-malware software
  • Use 2-factor authentication
  • Set up new cell phone account
  • Remove location information from posted photos
  • Use a device lock
  • Make social media settings private
  • Create strong passwords

Patron 4: Xav

Xav, an outspoken, politically minded twenty-something, uses the library computers to search for jobs. He contributes to many different fora for heated political debates. On Reddit boards, Facebook, and newspaper comments sections, he regularly expresses his opinion in an animated way, including in capital letters. Xav also regularly posts personal pictures, such as shots of him partying on the weekend with friends, and has been known to provide status updates about his health.

Unfortunately, Xav’s public and polemical visibility online could be a liability: data analysis tools run by both lenders and potential employers could sift through social networks and other public fora and classify Xav as a high-risk individual. This in turn could make it harder for him to get a job, get a reasonable rate for a credit card, or obtain a loan. While it’s not easy to tell when he’s been data profiled, the threat of being discriminated against for merely being outspoken is nevertheless a possibility.

It’s recommended that he protect himself from data profiling by employers and financial institutions by ensuring he is posting anonymously to online fora and changing social media settings to private.

Info to be protected
  • Personal information (e.g. Name, DOB, SSN)
  • Financial information
  • Employment history
  • Location information
  • Social media activity
  • Online posts
Who is likely to access info against patron’s will?
  • Law enforcement
  • Corporations
  • Employer
  • Potential employers
  • Banks, lenders, and other financial institutions
What patron is doing/should do to keep their info private?
  • Clear browser history and cookies
  • Install anti-tracking plug-ins on my browser
  • Install anti-malware software
  • Remove location information from posted photos
  • Make social media settings private
  • Use an account not in my real name

A word about digital hygiene.

When we talk about being safe and secure online and protecting data you care about, we’re referring to digital hygiene. Though we review several steps in our curriculum, below we recommend three basic steps for anyone using a library terminal:

Always use strong passwords. A strong password is something that’s hard to guess by someone who knows you and by a computer. You can use a password manager to both generate and store hard-to-remember passwords for you. You can also test password strength—not your real passwords, but similar kinds of passwords—on password testing sites like this one.

Use sites that are secure (e.g., use HTTPS) for personal transactions. Encrypted websites prevent anyone except you (the sender making the request to visit a particular website) and the website itself from seeing the data traveling between your computer and the website. Many people come to the library because it is the only place they are able to conduct all sorts of very personal business, such as applying for a job, renewing unemployment insurance, and banking online. Any time you have to submit data you care about and don’t want anyone else but the recipient to see, make sure you see HTTPS or the padlock icon in the browser’s address bar.

Log out of a library terminal before walking away. When you are still logged into a terminal and walk away from your session, the person who sits down at the computer next may be able to see your web history, any sites that you are still logged into, and any documents you may have stored in the computer’s temporary drive.