Keeping Up With... Cybersecurity, Usability, and Privacy
This edition of Keeping Up With... was written by Bohyun Kim.
Bohyun Kim is Associate Director, Library Applications and Knowledge Systems, at the University of Maryland-Baltimore, Health Sciences and Human Services Library, email: bkim@hshsl.umaryland.edu.[1]
What is Cybersecurity?
Cybersecurity is a broad term. It refers to the activities, practices, and technology that keep computers, networks, programs, and data secure and protected from harmful activities such as unauthorized access, modification, or damage. We became familiar with this term, ‘cybersecurity,’ through the reports of recent security breaches at J.P Morgan, Target, Sony, Anthem Blue Cross and Blue Shield, to name a few. The government and higher education institutions are not an exception to cyberattacks. In 2015, the Office of Personnel Management of the U.S. Federal Government got hacked twice, and its sensitive data was stolen.[2] In 2014, University of Maryland at College Park and Indiana University also suffered similar data breaches.
Cybersecurity Measures
To prevent such a data breach, institutional IT staff are trained to protect their systems against vulnerabilities and intrusion attempts. Employees and end users are educated to be careful about dealing with institutional or customers’ data. There are systematic measures that organizations can implement such as two-factor authentication, stringent password requirements, and locking accounts after a certain number of failed log-in attempts. While the term, ‘cybersecurity,’ may sound grand, actual cybersecurity measures can be mundane ranging from keeping the software versions and patches up-to-date, keeping viruses and malware away with effective anti-virus and anti-spyware, educating users so that they won’t fall for phishing or email scams, and backing up the data on a regular basis.
Competing Concerns – Cybersecurity vs. Usability and Privacy
However, some of the cybersecurity measures may negatively affect the usability of systems and applications, thereby lowering users’ productivity. One good example is the website of the United States Postal Service (https://www.usps.com/). The USPS website does not provide a way to reset the password for users who forgot their usernames. Furthermore, if a user enters wrong answers to the two security questions to retrieve the password more than twice, the system automatically locks the account. Clearly, the system that does not allow the password reset is more secure than the one that does. But average users do forget their passwords, usernames, and even the answers to the security questions that they set up themselves. That makes this USPS site seriously flawed in terms of usability. As another example, imagine that a library decides to block all international traffic to their licensed e-resources to prevent foreign hackers from accessing those e-resources. This would certainly help libraries avoid a potential breach of licensing terms in advance. But it would also render those e-resources unusable to the legitimate users traveling abroad.
Security is important, but systems and applications also exist for users to do their job. The more user-friendly and the simpler the cybersecurity guidelines are to follow, the more users will observe them, thereby making networks and systems more secure.
Another competing concern is the invasion of privacy. Through the documents that Edward Snowden leaked in 2013, we know that NSA collected the communication records of millions of people in bulk, regardless of suspicion of wrongdoing through Verizon.[3] After a cyberattack against the University of California at Los Angeles, the University of California system installed a device that is capable of capturing, analyzing, and storing all network traffic to and from the campus for over 30 days without consulting or notifying the faculty and those who would be subject to the monitoring.[4] In February 2016, the FBI requested Apple to create a backdoor application that will bypass the current security measure in place in its iOS in relation to the San Bernadino shooting incident. In April 2016, an anti-encryption bill was submitted to the Senate, which proposed that people should be required to comply with any authorized court order for data and that if that data is “unintelligible” – meaning encrypted – then it must be decrypted for the court.[5]
These recent events show that certain cybersecurity measures can be used to greatly invade privacy rather than protect it. This is ironic because security is essential to privacy. Because we do not always fully understand how the technology actually works or how it can be exploited for both good and bad purposes, we need to be careful about giving blank permission to any party to access, collect, and use our private data without clear understanding, oversight, and consent.
Conclusion
Librarianship is a fundamentally user-oriented profession. As such, librarians have been making great efforts to make library-related data, systems, and applications as user-friendly as possible. These efforts should continue along with the efforts to make those data, systems and applications secure. Library resources, systems, and applications all exist to be used, and that is why they need to be secured after all, not the other way around.
At the same time, libraries must continue to keep sensitive patron data safe and protected to ensure people’s privacy and intellectual freedom. As more libraries try to collect, retain, and analyze a variety of library data to improve their services and collections, this will become even more important. The Electronic Frontier Foundation states that privacy means respect for individuals’ autonomy, anonymous speech, and the right to free association.[6] If part of a library’s mission is to contribute to helping people to become such autonomous human beings through learning and sharing knowledge without having to worry about being observed and/or censored, libraries should advocate for people’s privacy both online and offline as well as in all forms of communication technologies and devices.
Notes
[1] This article is a revised and significantly shortened version of my previous blog post published in the ACRL TechConnect blog. Bohyun Kim, "Cybersecurity, Usability, Online Privacy, and Digital Surveillance,"ACRL TechConnect Blog, May 9, 2016.
[2] Lisa Rein and Andrea Peterson, "What You Need to Know about the Hack of Government Background Investigations," The Washington Post, July 9, 2015.
[3] Glenn Greenwald, "NSA Collecting Phone Records of Millions of Verizon Customers Daily," The Guardian, June 6, 2013.
[4] Phil Matier and Andy Ross, "Cal Professors Fear UC Bosses Will Snoop on Them," San Francisco Chronicle, January 29, 2016. Scott Jaschik, "U of Big Brother?," Inside Higher Ed, February 1, 2016.
[5] Andy Greenberg, "The Senate's Draft Encryption Bill Is 'Ludicrous, Dangerous, Technically Illiterate,'" WIRED, April 8, 2016.
[6] "Privacy," Electronic Frontier Foundation, accessed May 5, 2016.
Resources and Recommended Readings
Beckstrom, Matthew. Protecting Patron Privacy: Safe Practices for Public Computers. Santa Barbara, California: Libraries Unlimited, 2015.
Case, Andrew. “HowTo: Privacy & Security Conscious Browsing.” Gist, August 26, 2015. https://gist.github.com/atcuno/3425484ac5cce5298932.
Cranor, Lorrie Faith, and Simson Garfinkel. Security and Usability: Designing Secure Systems That People Can Use. 1 edition. Beijing; Farnham; Sebastopol, CA: O’Reilly Media, 2005.
“Cybersecurity.” Homeland Security News Wire. Accessed August 24, 2016. http://www.homelandsecuritynewswire.com/topics/cybersecurity.
“Cybersecurity.” Educause Library. Accessed August 24, 2016. https://library.educause.edu/topics/cybersecurity.
Grama, Joanna Lyn, and Valerie M. Vogel. “The 2016 Top 3 Strategic Information Security Issues.” EDUCAUSE Review Online, January 11, 2016. http://er.educause.edu/articles/2016/1/the-2016-top-3-strategic-informa….
Greenwald, Glenn. “Why Privacy Matters.” TED, October 2014. https://www.ted.com/talks/glenn_greenwald_why_privacy_matters.
“Have I Been Pwned?” Accessed August 24, 2016. https://haveibeenpwned.com/.
“Information Security.” The Guardian. Accessed August 24, 2016. http://www.theguardian.com/media-network/information-security.
Kaplan-Moss, Jacob. “InfoSec Engineering Reading List.” GitHub, May 25, 2016. https://github.com/jacobian/infosec-engineering.
Kerbs, Brian. Krebs on Security. Accessed August 24, 2016. http://krebsonsecurity.com/.
“Learn.” Decent Security. Accessed August 24, 2016. http://decentsecurity.com/.
“Library Freedom Project.” Library Freedom Project. Accessed August 24, 2016. https://libraryfreedomproject.org/.
“Library Privacy Statement.” University of Michigan Library. Accessed May 5, 2016. http://www.lib.umich.edu/library-administration/user-privacy-policy-uni….
Olavsrud, Thor. “5 Information Security Trends That Will Dominate 2016.” CIO, December 21, 2015. http://www.cio.com/article/3016791/security/5-information-security-tren….
“Privacy.” Electronic Frontier Foundation. Accessed May 5, 2016. https://www.eff.org/issues/privacy.
“Resources.” Library Freedom Project. Accessed August 24, 2016. https://libraryfreedomproject.org/resources/.
“Risk Assessment / Security & Hacktivism.” Ars Technica. Accessed August 24, 2016. http://arstechnica.com/security/.
Schneier, Bruce. Schneier on Security. Accessed August 24, 2016. https://www.schneier.com/.
“SEC4LIB Listserv.” Accessed August 24, 2016. https://listserv.nd.edu/cgi-bin/wa?A0=SEC4LIB.
“Security.” CIO. Accessed August 24, 2016. http://www.cio.com/category/security/.
“Security Now! Episode Archive.” Gibson Research Corporation. Accessed August 24, 2016. https://www.grc.com/securitynow.htm.
The Electronic Frontier Foundation. “Surveillance Self-Defense.” Surveillance Self-Defense. Accessed August 24, 2016. https://ssd.eff.org/en.
“Tips.” United States Computer Emergency Readiness Team. Accessed August 23, 2016. https://www.us-cert.gov/ncas/tips.
“Why Privacy?” Privacy Rights Clearinghouse. Accessed May 5, 2016. https://www.privacyrights.org/why-privacy.
Zalaznick, Matt. “Cyberattacks on the Rise in Higher Education.” University Business Magazine, October 2013. https://www.universitybusiness.com/article/cyberattacks-rise-higher-edu….
Zalewski, Michal. The Tangled Web: A Guide to Securing Modern Web Applications. 1 edition. San Francisco: No Starch Press, 2011.