Strength in Numbers: Library Freedom Is Intellectual Freedom

by alison | December 22, 2018

Photo by Janko Ferlič on Unsplash

This post is one in a series of blog posts to complement our 2018 crowdfunding campaign, Strength in Numbers. Anonymity loves company, and we are all safer and stronger when we work together. Please contribute today, and your gift will be matched by Mozilla.

Anonymity loves company, but it can be hard to get people to show up to the party. Adoption is an issue for pretty much all free software projects, particularly those that might seem challenging for ordinary users. In the last few years, the Tor Project has tried to address this problem by expanding our outreach efforts. Through our Global South Initiative, we've done amazing work with activists and NGOs around the world.

In the United States, our outreach efforts have turned to some of the best defenders of democracy, privacy, and human rights: librarians. A former librarian myself, I started the Library Freedom Project (LFP), an initiative under the Tor umbrella that provides training to librarians to help them become privacy advocates in their local communities.

We first introduced LFP to the Tor community in 2015. It was originally focused on providing direct trainings to libraries centered on teaching and using Tor, introducing privacy strategies and tools to the mainstream, and occasionally setting up Tor relays inside libraries. LFP made headlines in that first year. We worked with a library in New Hampshire to set up a Tor exit relay, but the U.S. Department of Homeland Security tried to intervene and shut it down. The community fought back, and we won the fight to keep it running. Since then, a number of other libraries have been inspired to run relays and install Tor Browser on their computers for the public.

We knew we were onto something. But LFP's staff was small, and there was no way this method would reach a critical mass of libraries and librarians unless it scaled.

That’s why we decided to turn Library Freedom Project's smaller trainings into a free intensive six-month training course called the Library Freedom Institute (LFI), a partnership between LFP and New York University (NYU). LFI aims to provide everything a librarian needs to become a privacy advocate in their community and keep the momentum growing. LFI provides readings, practical collaborative assignments, a discussion board for participants to have real-time conversation, an in-person meetup in NYC, and weekly lectures from friendly experts around the privacy scene like Micah Lee, Kade Crockford, April Glaser, and Freddy Martinez. This is a one-of-a-kind opportunity for librarians who want to take their advocacy to the next level.

We wrapped up our first cohort at the beginning of December, and we're proud of our success. Our first graduating class of 13 librarians from around the United States will now become part of the Library Freedom Project, providing outreach and training to communities in diverse parts of the country. And we're excited to announce we just opened applications for our 2019 cohort for another 25 participants, which will commence in April.

By the end of 2020, we will have run LFI four times and trained about 85 privacy advocates, creating a multiplier effect that will bring privacy and anonymity to more communities. LFI and the Tor Project value training people who can train others, because there is strength in numbers.

Tell your librarian friends to apply for LFI. Though tailored to public and community college librarians, LFI is open to librarians from all types of libraries, and it is completely free.

If you’re not connected to the library community, you can help drive this movement to bring privacy to libraries by making a donation to the Tor Project.

Libraries need to remain safe places to learn and exercise intellectual freedom in private, and they need to adapt digitally, with tools like Tor, to ensure that happens. With your support, more librarians can become privacy advocates and provide communities with a much-needed safe haven from surveillance and censorship online. Donate now, and Mozilla will match your donation.

 

Comments

Please note that the comment area below has been archived.

December 28, 2018

What about privacy on Facebook? I had 500 Facebook bans. All censorship needs to stop on Facebook. Users deserve privacy so people can sell and make money and be anonymous online.

December 30, 2018

How to set up Tor for the oldest Windows XP? The files "tor.exe" and "tor-gencert.exe" did nothing. (The first file just said something about Tor running a circuit (which one, if there is no Tor Browser window?) and then nothing else.)
No mail.

December 31, 2018

Library use privacy: website browsing being one part, does LFP deal with libraries collecting and reporting customers' other records?

The weird thing is the choice of library software. While many database solutions exist, it seems 8 out of 10 libraries store their catalog (and the customer profiles) remotely on SirsiDynix sites. Check out your libraries - you can see the SirsiDynix URL and regulatory statement at the bottom of the screen while browsing the library catalogs online.

Then, the sole company could profile the interests and transactions of most library users across the US, and perhaps internationally. When you check out materials from different libraries, they still report to the same SirsiDynix. It's like the 3rd-party tracking the Tor products fight by using anonymity, only here the system has full personal data in your building profile. Not a concern for most, but consider that even the biometric data can be pulled on demand from the surveillance video feeds.

Perhaps the concerned libraries can be encouraged to more privacy in these aspects, too.

Yes, we do help them make better library software choices. It's a challenging problem though. Most libraries don't have the in-house IT expertise to run their own servers, so third party contracts are necessary. There are limited choices for library vendors and few of them share the values that librarians have, plus they are not very transparent about their data practices. We need privacy-centric software solutions that libraries can actually afford (libraries have very small budgets).

January 02, 2019

In reply to alison

Hi Alison,

I would like to expand upon the OP's comment with some information about Tor Project's "home town library" (so to speak), the Seattle Public Library system. Some years ago SPL hired a Canadian company, Bibliocommons, to manage its collections catalog, patron records (including checkouts and catalog searches), and "book club" discussions with personalized "likes", etc., in the cloud, specifically Amazon EC3 servers, but with the data analyzed and "managed" as a service by Bibliocommons in Toronto (which is also home to CES).

This means that sensitive information about what the citizens of Seattle are reading/thinking is passing (apparently unencrypted) across the US-CA border where apparently both NSA and CES can intercept and store it. And there is little reason to doubt that they do just that, not because they have a good reason, but just because they can.

(Modern intelligence agencies are information hoarders: any bit of information might prove useful somehow sometime in the future, they believe, so they collect it all and store it all, forever, because it has become technologically and economically feasible to do so.)

Over the years SPL has also been quite hostile (especially in comparison to the King County Libraries system, for example) toward free speech, blocking not only Tor Project but many new sites (years before the new EU laws came into effect).

Many other public libraries in North America (Canada, US, Mexico) also use Bibliocommons to manage their on-line catalogs and patron records. One consequence of this is that should FBI desire to examine someone's reading habits, instead of pushing out an administrative subpoena to an individual library (which might very well fight in the courts to protect their patrons' privacy), they can address a blanket subpoena to Bibliocommons for a large fraction of library patron records in North America. In particular, last I checked, New York Public Library (the largest public library system in North America, if not the world) also uses Bibliocommons to manage its catalogs and patron records.

A telling quotation from the founder and CEO of Bibliocommons, Beth Jefferson, speaking to a business audience about the "privacy controls" Bibliocommons offered to patrons:

> At first we went out to users with an interface specifying "public" or "private" nature of their contribution, but most people wanted to keep things private, so we had to reverse the incentives, and shifted the semantics to "share" vs. "hide".

The reason Bibliocommons feels it needs to share patron data--- I am not sure whether they still bother to ask permission--- is that its business model apparently relies on selling patron data. (Bibliocommons was founded as a nonprofit but later became a profit making company, apparently.)

Even more disturbing, much of the personal data SPL holds about patrons concerns data about children, who are encouraged to seek reading and homework help via Bibliocommons managed social media resources.

Another problem is that Bibliocommons does not allow library patrons to prevent anyone else from adding them as a "friend", a security flaw often abused by LEAs and corporate spooks embarked upon a fishing expedition trawling through social media sites (and thanks to Bibliocommons, all SPL patrons are social media users at the Bibliocommons site--- if you have a library card, you have a social media account with them, tied to your real identity).

Further, as we all know (I presume) very serious and essentially unfixable security flaws which particularly affect "cloud computing" were uncovered a year ago, and given such names as Spectre. While some software mitigations have been implemented, the only genuine fix is for chip makers to design entire new families of CPUs which avoid "speculative execution", and for cloud computing services to replace their servers once the new chips become available. Unless someone holds their feet to the fire, I doubt that companies like Bibliocommons and SirsiDynix will do this.

If all this is beginning to sound a bit like Facebook, well, I think the resemblance is disturbing--- and the potential for serious abuse of sensitive personal information is all too real.

In my experience in attempting to goad library systems to address potential security and privacy issues, librarians have disappointed me by becoming defensive, and even attempting to dismiss privacy concerns as unimportant--- an attitude at odds with the pro-privacy ethos which you have described. I hope LFA can work with public library systems to address these issues in a more effective and constructive manner.

Thanks to the OP for speaking up! It's always good to know that I am not alone in trying to warn about the dangers to patrons of technically/legally insecure library sites (especially with regard to checkouts, catalog searches, and patron contact information).

January 02, 2019

OT, but very welcome news: a nice article urging everyone to use Tor every day just appeared in Wired:

wired.com
Tor Is Easier Than Ever. Time to Give It a Try
Lily Hay Newman
1 Jan 2018

> Tor has been relatively accessible for years now, largely because of the Tor Browser, which works almost exactly like a regular browser and does all the complicated stuff for you in the background. But in 2018 a slew of new offerings and integrations vastly expanded the available tools, making 2019 the year to finally try Tor. You may even end up using the network without realizing it.
...
> With all this new private industry collaboration, the Tor Project's Bagueros says she thinks that more people will start using the service and be able to integrate it into their lives. The Tor Project has been working on ways to scale more efficiently in anticipation of eventually needing to meet this higher demand. But it also remains focused on the core concept of Tor as a distributed and decentralized network. "We don’t want any corporations to own a big part of the network," Bagueros says. "So we educate them on how many servers are okay for them to pitch in and if they want to add more they can donate to different nonprofits who run relays so they can still increase the network that way."
>
> The vision of Tor as the underpinning of the entire internet is still probably a long way off, if it can ever happen at all. But the options available to access the Tor network and use it more easily are rapidly expanding. This is the year to try them out.

Thanks to everyone at Tor Project and to all the volunteers for your hard work!