This checklist is intended to help all libraries take practical steps to improve privacy practices. It can help all libraries implement the principles laid out in the Library Privacy Guidelines for Public Access Computers and Networks.
Priority 1 actions are steps all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions are as important as Priority 1 actions. They help protect user privacy, but may be more difficult for libraries to implement. This is because each library may or may not have the capacity to do Priority 2 or 3, depending on:
- differing technical expertise
- available resources
- organizational structure
Regardless of these factors, libraries can use Priority 2 and Priority 3 actions as talking points with third parties and vendors. These third parties and vendors may have the resources and expertise to help the library implement these actions.
Priority 1 Actions
- Use analog signage and/or splash screens to explain the library’s network and wifi access policies, including any privacy-related information.
- Make a policy decision about the level of privacy versus convenience that the library will offer its wifi users and adequately warn users of potentials for traffic interception and other risks of an insecure network.
- Set up public computers to purge downloads, saved files, browsing history, and other data from individual user sessions. This can be accomplished
- on logout via the computer reservation system if the library uses such a system;
- by using restoration software such as CleanSlate or Deep Freeze;
- by configuring browsers to clear all history and other usage data upon exit.
- Ensure that paper sign-up sheets for public computers, devices, or classes are destroyed when no longer needed.
- Offer classes and other educational materials to users about best practices for privacy and security when using the library’s public computers.
- Offer privacy screens to users who desire to use them.
Priority 2 Actions
- Use antivirus software on all public computers. Ensure that antivirus software that is installed has the ability to block spyware and keylogging software.
- Ensure that any computer reservation management system records, print management records, or ILS records in regards to computer use are anonymized or destroyed when no longer needed.
- Configure any content filters to not collect or store browsing data.
- Anonymize or destroy transactional logs for network activity when no longer needed.
- Perform regular security audits on all public computers, including digital inspection of security risks and flaws and physical inspection for unknown devices.
Priority 3 Actions
- Install plugins on public computers to limit third party tracking, enable private browsing modes, and force HTTPS connections.
- HTTPS Everywhere: https://www.eff.org/https-everywhere
- Privacy Badger: https://www.eff.org/privacybadger
- See guides about Firefox security options, e.g. https://securityinabox.org/en/guide/firefox/windows
- Install the Tor browser on public computers as a privacy option for users.
- Offer the privacy-oriented Tails OS on bootable USB or CDROM for use on public computers or user devices.
- Install malware-blocking, ad blocking, and anti-spam features on firewalls.
- Segment the network to isolate staff computers, public computers, and wireless users into their own subnets.
- Ensure that any applications and operating systems on public computers are disabled from automatically sharing activity data with software publishers (e.g. error reporting)
Resources
Security In A Box: Basic Security for Windows
Data Privacy Project: Mapping Data Flows
FTC Consumer Info: Public Wi-Fi Networks
San Jose Public Library: Security - How The Internet Works
How to Choose the Best VPN for Your Needs
Beckstrom, Matt. Protecting Patron Privacy: Safe Practices for Public Computers
Library Privacy Project Privacy Toolkit
Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020.