Safeguarding Library Customer Data: A Critical Examination
This investigation delves into the importance of protecting the digital privacy of library patrons, outlining EU laws, national regulations, and university policies. Emphasis is placed on data protection rules, avoiding data breaches, and upholding patrons' right to informational self-determination. The analysis explores the implications of HTTP communication, weblogs, and cookies on customer privacy within the context of library systems. Key considerations are discussed to ensure the secure handling of patron data in a library environment, particularly focusing on the implications for Dr. Andreas Sabisch at FU Berlin Universitätsbibliothek.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Universittsbibliothek Using your library software what third parties will get to know about our library customers Dr. Andreas Sabisch FU Berlin Universit tsbibliothek Garystr. 39 13469 Berlin andreas.sabisch@fu-berlin.de
Agenda Agenda Motivation for this investigation Webcommunication for dummy's Examples of third parties communication: What to do Andreas Sabisch 2
Why we must deal with We must protect the digital privacy of our patrons EU laws, national laws, university rules question from patrons, university boards, secure research, We (especially in Germany) have to describe how we deal with the patrons data Data protection rules describtion (Datenschutzerkl rungen) Avoid data producing, storage and propagation Right of informational self-determination (BVerfG) (Recht auf informationelle Selbstbestimmung) We have a monopol with our library systems loan, EZ-Proxy access, course material, How we can do this Analysis Describtion Avoid Andreas Sabisch 3
Http-Communication Andreas Sabisch 4
Weblogs and cookies What is in an webserver-log: the apache log file 130.133.152.192 - - [10/Apr/2014:09:16:44 +0200] "GET /docs/images/poweredby.gif HTTP/1.1" 200 2376 "http://160.45.152.195/docs/content/below/index.xml" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" IP of the requested host: 130.133.152.192 When: 10/Apr/2014:09:16:44 +0200 What (request):/docs/images/poweredby.gif Technical information: Success-code and Transfered volume : 200 2376 Where comes the request from (refferer) :http://160.45.152.195/docs/content/below/index.xml" (Browser)information: "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" Recognition from the webserver: the cookie file Cookie Textfile Name: JSESSIONID Value: 7AE6B0776E8F4D75BAC8B46189F419FB HOST: primo.kobv.de PATH: /primo_library/libweb Sending for: Each connection type Valid until: End of session Just the webserver which send the cookie can read it. But each third party, which involved in the request, can set a cookie Flashcookies hard to detect, no example found yet in an library enviroment Scripts, which send additonal information Andreas Sabisch 5
A picture in pieces Loggin one request is a pice of information Logging a lot of request give a story line Logging a lot of request from different server give the whole live Thats what Google and Co. will do To X-ray one person (i.e to give you personalized services and advertising) To get statistical evidence for a whole group (i.e. people, who are interested in this, are interested in this as well) Andreas Sabisch 6
How to analyse data traffic (sniffen) Professionell tools tcpdump f r automatic processing Wireshark with graphical interface Analysies with Wireshark (suggestion for profis) Create a filter (Broadcast/own IP; just TCP or http...) Doing one action in the browser, start with analyse. If necessary, repeate Anaylse a whole session is a hard work. You can do this best, if you check for special issues in this session, i.e. which hosts will participate in this session. Browsertools (for a quick glimpse) i.e. Firefox => Extras-> Webtools ->Network; limit to http, no TCP und TLS connection I will use this Browsertools for some examples Andreas Sabisch 7
Aleph-Catalog with tracking-bugs dbs.pixel.hbz-nrw.de : DBS Tracking bug legal, describe Recommander.bibtex.de : Bib tip recommander System legal, but not describe Andreas Sabisch 8
Primo including a second source (library blog) RSS-Feed from our library block ajax.googleapis.com Formating from rss to jason Andreas Sabisch 9
and without google: no Biblioblog entry Blocking Google: no information any more Andreas Sabisch 10
Primo result site books.google.com exlibris-pub.s3.amazonaws.com images.amazon.com Andreas Sabisch 11
bX in Primo recommande-bx.hosted.exlibrisgroup.com bX service, integrate in Primo beacon01.alma.exlibrisgroup.com A tracking bug from ExL no description available Andreas Sabisch 12
An licencesed journal web site Imagic17.247realmedia.com metric.sciencemag.org now.eloqua.com www.google-analytycs.com Andreas Sabisch 13
Short-term work in library Check with tools for third party request Test the functionality of your site with blocking the request Remove the third party request With other/own functions By comment out in code or websites With help from your provider (i.e. ExL) Describe necessary third party request for your patrons; includes data protection policy of the third party Describe users possibility to protect their data Help users with a proxy server (i.e. the university computer department) Andreas Sabisch 14
Patron Option at the Moment Blocking programms like Adblocker or Ghostery Pro: selected third party requests Contra: Lack of functionalyties Using proxie server Opt-Out Option Data protection law conform (Datenschutzkonforme Herangehensweise) but much efford Thor anonymous surfen Andreas Sabisch 15
Long-term issues in librarys We must accomplish a Opt in culture Core functions must be in data save structures Add ons must be choosen by the patrons with knowledge of third partys involved (Opt in process) The library infrastructure and systems must support this strategy Andreas Sabisch 16
Summerise Modern library software include often third party requests Third party get information about your patrons via refferer information This violate the patrons right of informational self-determination Analyse your software enviroment Try to be law-conform: Avoid or describe Long term: accomplish a Opt in culture Andreas Sabisch 17
Highlights Each http-requests give information like ip-adress and referrer to the websever they are requested A website includes very often requests to third parties. This requests will send the same information to third party server and is nearly unvisible to the user We, as the provider of the library systems, are responsible for the data privacy policy for the users of our systems We must take care about the sending of user data to third parties and should always use options for a save privacy policy To do this is important to give our users the rights to their private data back (in german: Bewahrt das Recht auf informationelle Selbstbestimmung ) Thanks to Dr. Voss, HU and Uwe TU, who found the back tacks of hosted.exlibris.com and give the impulse for this investigation Andreas Sabisch 18