Library Privacy Checklist for Public Access Computers and Networks

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for Public Access Computers and Networks.

Priority 1 actions are those that hopefully all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.

Priority 1 Actions

  1. Use analog signage and/or splash screens to explain the library’s network and wifi access policies, including any privacy-related information.
    1. Make a policy decision about the level of privacy versus convenience that the library will offer its wifi users and adequately warn users of the potential for traffic interception and other risks of an insecure network.
  2. Set up public computers to purge downloads, saved files, browsing history, and other data from individual user sessions. This can be accomplished:
    1. on logout via the computer reservation system if the library uses such a system;
    2. by using restoration software such as CleanSlate or Deep Freeze;
    3. by configuring browsers to clear all history and other usage data upon exit.
  3. Ensure that paper sign-up sheets for public computers, devices, or classes are destroyed when no longer needed.
  4. Offer classes and other educational materials to users about best practices for privacy and security when using the library’s public computers.
  5. Offer privacy screens to patrons who desire to use them.

Priority 2 Actions

  1. Use antivirus software on all public computers. Ensure that the installed antivirus software has the ability to block spyware and keylogging software.
  2. Ensure that any computer reservation management system records, print management records, or ILS records regarding computer use are anonymized or destroyed when no longer needed.
  3. Configure any content filters to not collect or store browsing data.
  4. Anonymize or destroy transactional logs for network activity when no longer needed.
  5. Perform regular security audits on all public computers, including digital inspection of security risks and flaws and physical inspection for unknown devices.
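
One way to carry out items 2 and 4 above on a plain-text log, as an added example that is not part of the original checklist: entries older than the retention period keep their timestamp and event type but lose device identifiers, and IP addresses are cut down to the network prefix. The log format, the field names (`ip`, `mac`, `host`) and the 7-day retention period are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp event key=value" format.
SAMPLE_LOG = [
    "2017-01-02T09:14:07 dhcp-lease ip=192.168.20.57 mac=a4:5e:60:c1:22:9f host=Janes-iPhone",
    "2017-01-02T09:20:41 dhcp-lease ip=2001:db8:20:1:9c3f:11ff:fe02:7a10 mac=3c:22:fb:10:ab:04 host=laptop-rm",
    "2017-01-20T16:02:33 dhcp-lease ip=192.168.20.91 mac=f0:18:98:5d:e0:11 host=android-77",
]

FIELD = re.compile(r"(\w+)=(\S+)")
# Device identifiers are removed outright: an unkeyed hash of a MAC address
# can be reversed by enumerating the address space, so hashing is not enough.
DROP = {"mac", "host"}

def truncate_ip(text):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def anonymize_line(line):
    """Rewrite the key=value fields of one line; other text is left as-is."""
    def repl(m):
        key, value = m.group(1), m.group(2)
        if key in DROP:
            return f"{key}=-"
        if key == "ip":
            try:
                return f"ip={truncate_ip(value)}"
            except ValueError:
                return "ip=-"     # unparsable value: drop it rather than keep it
        return m.group(0)
    return FIELD.sub(repl, line)

def scrub(lines, now, retention_days):
    """Leave recent lines intact; anonymize lines older than the retention period."""
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in lines:
        stamp = line.split(" ", 1)[0]
        try:
            expired = datetime.fromisoformat(stamp) < cutoff
        except ValueError:
            expired = True        # no readable timestamp: treat as expired
        out.append(anonymize_line(line) if expired else line)
    return out

if __name__ == "__main__":
    for row in scrub(SAMPLE_LOG, datetime(2017, 1, 21), retention_days=7):
        print(row)
```

On a subnet with only a handful of devices, a truncated address still narrows a record to a few patrons, so destroying expired entries outright remains the stronger option where the library has no further use for them.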

Priority 3 Actions

  1. Install plugins on public computers to limit third-party tracking, enable private browsing modes, and force HTTPS connections.
    1. HTTPS Everywhere: https://www.eff.org/https-everywhere
    2. Privacy Badger: https://www.eff.org/privacybadger
    3. See guides about Firefox security options, e.g. https://securityinabox.org/en/guide/firefox/windows
  2. Install the Tor browser on public computers as a privacy option for patrons.
  3. Offer the privacy-oriented Tails OS on bootable USB or CD-ROM for use on public computers or patron devices.
  4. Install malware-blocking, ad blocking, and anti-spam features on firewalls.
  5. Segment the network to isolate staff computers, public computers, and wireless users into their own subnets.
  6. Ensure that any applications and operating systems on public computers are configured not to automatically share activity data with software publishers (e.g., error reporting).

Resources

Security In A Box: Basic Security for Windows

Data Privacy Project: Mapping Data Flows

FTC Consumer Info: Public Wi-Fi Networks

San Jose Public Library: Security - How The Internet Works

F-Secure Threat Descriptions

How to Choose the Best VPN for Your Needs

NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems

Beckstrom, Matt.  Protecting Patron Privacy: Safe Practices for Public Computers

Library Privacy Project Privacy Toolkit

Tor Project

Approved January 21, 2017 by the Intellectual Freedom Committee