Although I've gotten some good comments to my postings about patron privacy and RSS feeds, I've gotten lots of reactions that make me feel like I "have lobsters crawling out of my ears." (description borrowed from Paul Holliday, Cranston Public Library.)
That is, just seeing "RSS Feed Security" makes some folks feel a little gooey, even when they otherwise have great clarity on the importance of patron privacy. Yet what good does it do to take a stand against the PATRIOT Act if library records are not terribly private in the first place?
Here's a summary of a series of posts on what I've learned as I've tried out Library Elf - a third-party service that offers email and RSS delivery of your own patron record, as well as the records of other cards you input. This can be done without your library's involvement, since the Elf finds library patron databases on its own.
Problem One: By signing up for RSS feeds, some library users can unwittingly show others what they have checked out.
I accidentally stumbled on live patron records, including email addresses, first names, and titles of books checked out, on hold, etc. I found them by typing "library elf" into a Bloglines search box. What I saw were records of patrons from various libraries who signed up for Library Elf's RSS delivery to Bloglines.com, a popular web-based RSS reader.
Library Elf took quick action (A+ on responsiveness) after my discovery and immediately stopped sending out those particular RSS feeds. It also issued a warning to users about this issue. Today it says "error error error" if you do the search. In fact, if you've never seen an RSS feed, congratulations for reading so far into this post. To see one, do the Bloglines search right now and click on one of the matches. You'll see a frozen snapshot of pretty much what I saw. You may have to scroll down to see the actual patron records.
The Seattle and Ann Arbor public libraries offer direct RSS feeds from their libraries (don't need Elf) to deliver patron records. Maybe your library does too. These libraries have apparently been grappling with the privacy issue for some time, and do not show the patron's email address in the RSS feed. Seattle shows the patron's first name (not bad for "Joe" but not so great for "Esmerelda"). Ann Arbor shows no names, no identifying information.
Both Seattle and Ann Arbor issue warnings to users that their feeds may be public, though Seattle's warning makes it sound like you can set your feeds to "private." (In reality, even setting a feed to "private" when using Bloglines does not make it private).
How to fix it: Probably look to Ann Arbor District Library as a model - no names, no identifying information, warnings to patrons.
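As an added illustration (not code from the post, from Library Elf, or from either library), here is what the Ann Arbor model looks like when a feed is generated: the patron record is a constructed sample, and the "seattle" mode shows the first name only so the pre-publication check has something to catch.

```python
import xml.etree.ElementTree as ET

# Constructed sample patron record; not real data.
PATRON = {
    "card_number": "21234000123456",
    "first_name": "Esmerelda",
    "email": "esmerelda@example.org",
    "items": [
        {"title": "Introduction to Library Science", "status": "checked out", "due": "2006-01-20"},
        {"title": "Child Custody Basics", "status": "on hold", "due": None},
    ],
}

# Fields that would let a stranger reading a public aggregator tie the feed to a person.
IDENTIFIERS = ("card_number", "first_name", "last_name", "email", "phone")


def build_feed(record, model="ann_arbor"):
    """Return RSS 2.0 XML for a patron record.

    model="seattle": channel title carries the patron's first name (as the post says Seattle does).
    model="ann_arbor": nothing that identifies the patron; only titles, statuses and due dates.
    """
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    title = "Your library account"
    if model == "seattle":
        title = f"{record['first_name']}'s library account"
    ET.SubElement(channel, "title").text = title
    for item in record["items"]:
        entry = ET.SubElement(channel, "item")
        ET.SubElement(entry, "title").text = f"{item['title']} ({item['status']})"
        ET.SubElement(entry, "description").text = (
            f"Due {item['due']}" if item["due"] else "On hold"
        )
    return ET.tostring(rss, encoding="unicode")


def leaked_identifiers(feed_xml, record):
    """Names of identifier fields whose value appears in the feed text; run before publishing."""
    return [k for k in IDENTIFIERS if record.get(k) and record[k] in feed_xml]
```

The check is a plain substring scan, so it catches the literal values the record holds; it is a last-line guard, not a substitute for never putting the fields into the feed in the first place.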
Problem Two: Even when patrons don't sign up for RSS feeds or even know what they are, snoops can sometimes get RSS feeds to see what other people have checked out -- if the library has weak patron database security.
Libraries that let you see your record just by typing in the card number (and sometimes a PIN like the last four digits of your phone number) have pretty-poor-privacy-security. At one level, I guess I always knew that, but using Library Elf made me see that it's a bigger problem than I had realized.
That is, signing up with Elf (or a related service, if there is one) allows you to enter multiple library cards all at once and get the records sent to you regularly, by RSS or by email. Either way, you don't have to go back time after time to hunt for records. Takes 99% of the work out of it - just take five minutes to set it up one time, and get other-people's-library-records delivered to your computer till the end of time. Quick, easy, convenient snooping.
How to fix it: (1) Libraries could stop letting patrons into library patron databases or (2) Libraries could greatly strengthen the passwords needed to get in. Don't use card numbers and phone numbers. Let patrons set up their own user names and strong passwords.
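As an added example (not code from the post or from any ILS vendor), a policy check a library could run when a patron picks a PIN or password under fix (2): it rejects anything lifted from the card number, phone number or birth date, rejects four-digit years, and shows how small a four-digit numeric keyspace is next to a real password. The account values are constructed samples, and the eight-character minimum and three-character-class rule are my assumptions.

```python
import math
import re
import string

# Constructed sample account data (not a real patron): the sources a PIN is often built from.
ACCOUNT = {"card_number": "21234000123456", "phone": "404-555-0199", "birth_date": "1971-03-14"}


def keyspace_bits(alphabet_size, length):
    """log2 of the number of possible secrets: 4 digits is about 13.3 bits, 10,000 guesses."""
    return length * math.log2(alphabet_size)


def derived_fragments(account):
    """Digit strings readable off a card, a receipt, a mailed notice or a phone listing."""
    frags = set()
    for value in account.values():
        digits = re.sub(r"\D", "", value)
        for n in (4, 6, 8):
            if len(digits) >= n:
                frags.add(digits[-n:])   # e.g. last four of the phone number
                frags.add(digits[:n])    # e.g. leading digits of the card number
    return frags


def check_password(candidate, account, min_length=8):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in candidate) for cls in classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digits, symbols")
    if candidate in derived_fragments(account):
        problems.append("derived from card number, phone or birth date")
    # Four-digit years 1776 through 2006 are a favourite PIN choice, so treat them as guessable.
    if len(candidate) == 4 and candidate.isdigit() and 1776 <= int(candidate) <= 2006:
        problems.append("looks like a year")
    return problems
```

A user name chosen by the patron (rather than the card number printed on every receipt) should accompany this, since the check only hardens the secret, not the identifier.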
----------
As always, feel free to comment with clarifications or corrections. I'm not a techie, but a library law consultant, concerned with privacy of patron records.
-----
Jan 6 note - I'm still tinkering with some wording in this post to try to make it clearer - if I think I'm changing any substance I'll try to indicate that. - MM
As to risks associated with weak passwords (PINs) in the public library, I've found more at this web site than anywhere else. I could not have guessed that the Library Elf and RSS discoveries, which are new and surprising to me, would have brought forward concerns about weak library account passwords.
I don't weigh the issue of liberty-ensuring privacy and the issue of personal safety against each other on an importance scale. To me, both are vital; however, persons who belittle the former might, I hope, understand the latter.
In the library context particularly, I'd rather feel no need to think like the hypothetical perpetrator of harm against a library account user. But we need to do it.
As described in posts and comments to this web site, one's account number might be obtained in a few ways within the physical library, electronically or otherwise. The account number might be read, inside or outside the physical library, from the library card or from a receipt or other paper item given at the circulation desk. A mailed notice might contain the account number. An acquaintance or former intimate, one of which a stalker is likely to be, may have or have had access to the library card or the paper items stating the account number.
Once in possession of the targeted person's library account number but without the PIN password, the stalker can begin cracking. A PIN composed of four numeric characters is one of only ten thousand possible numbers. Birth date, street address number, and telephone number are likely sources from which the PIN may be composed. Even without those clues, certain parts of the numeric range are more likely to contain the password; for example, many of us recall few historic dates outside of 1776 through 2006. Moreover, if the stalker is hasty, he may resort to password-cracking software.
The obsessive, perhaps jealous or resentful stalker might find very interesting the library materials selected for reading, viewing, or listening. A selection might concern, say, building a loving relationship (when the stalker knows that he is not the loved one), or divorce, or child custody, or disease.
Should the stalker wish to draw near to the targeted person, due dates are dates of likely visits to a particular library campus. Dates when requested materials are ready for pick-up are at least as likely to be dates of library visits by the targeted person. If the account does not state whether a requested item is ready for pick-up, that fact might be ascertained through social engineering, calling and pretending to be a spouse, relative, or close friend.
Safety vulnerabilities resulting from weak passwords need to be taken seriously by more public librarians, public library administrators, and public library boards of trustees.
Indirect harm may result from a lesson implied by requiring or requesting creation of a weak password. The public library PIN password is the first password that many persons create. If a weak password is good enough the first time, and no obvious harm results, will there ever in life be any need for a strong password?
Posted by: tenode | July 07, 2006 at 07:27 PM
The SIRSI automation of our public library system allows a password (termed PIN) to comprise up to ten characters; in the preceding DRA system the requirement was four numeric characters, or so we were told. Applicants are still told that the library system would like you to compose a PIN of four numeric characters, despite the option (stated, unbeknownst to many, in the library system's web site) to use up to ten characters.
The behavior described above occurs in a large, award-winning county public library system located in metropolitan Atlanta.
I am not confident that this comment will survive transmittal. If so, I may later comment on risks.
Posted by: tenode | July 06, 2006 at 07:21 AM
I definitely have too many passwords and PINs. What I'd like to see with my library records and bank records would be a wall that didn't allow anyone in, including me, unless I first set up an authorization (in person is best). In both cases, this hasn't been true - both my library and my bank have already set up online access to anyone with my info. I'm not crazy about the fact that it's up to me (not to mention old-age pensioners) to take the initiative to change the default passwords. Assuming I do want online access to my library and bank records, then I'd like to be the one to decide if I create an easy password (if I don't care if someone else gets in) or a stronger password with eight alphanumeric-symbol characters.
As for email, it may be more secure than RSS (at least as fed into public RSS readers like Bloglines), but libraries should probably be warning patrons that it's not all that secure either. Email, as you know, is like a postcard that hops from computer to computer, with lots of possible eyes along the way. I'd like to see easy encryption so that emails wouldn't have to be in clear text. I'm still looking for a way to try out easy encryption - I've tried to figure out PGP without success. If someone who uses encrypted email is willing to help me (if it can be done in a simple-idiot-style), I'd be grateful.
I do, however, have some enthusiasm and optimism about RSS and patron records, even with Bloglines-type readers. Using the Ann Arbor model, giving no personal names or other identifiers, as far as I can figure, a snoop would have to crack into someone's personal RSS reader (even Bloglines) to try to identify who has all those herpes books checked out... right? And even that may not give them enough clues...
Posted by: Mary | January 05, 2006 at 06:54 PM
"(2) Libraries could greatly strengthen the passwords needed to get in. Don't use card numbers and phone numbers. Let patrons set up their own user names and strong passwords."
This reminds me of the big to-do when the Social Security Administration was offering people's retirement info online. You had to type in 3 or 4 bits of information - your SSN, your date of birth, your place of birth, your mother's maiden name (I'm making that one up because I don't remember them all)... And immediately someone showed that it wasn't all that hard to gather this information about someone and their retirement report. So lots of people said: they should have a pin or a password.
OK, how many pins do you have? How many passwords? Are there ones you use only every few years, and you still remember? How many old-age pensioners know how to create a secure password? How many will forget it immediately? How much time do you want to spend helping people remember their passwords?
The SSA had done what I think was the "right thing" -- they had required detailed information that people would know about themselves as a means of identification. I checked on my bank's web site at the time, and to set up online access to my account with my bank required 3 or 4 pieces of information, mostly the same ones that the SSA required -- and with my bank, getting on includes the ability to transfer funds, not just look at things. Essentially, identifying yourself online is broken broken broken, yet we do it every day. No wonder there is rampant identity theft. Actually, it's a wonder there isn't more.
Basically, passwords and pins are minor security, at best. They only work well for things that we use frequently. And they work less well with the very young and the very old, or just the very forgetful.
The Elf problem was not that someone could tap into your account, which they can do easily on some library ILS's (the paper records from my library's RFID system that show what I checked out have enough info for someone to log onto my account in the ILS, yet there is no warning to keep those paper receipts secure) -- it was that your records were being shown publicly to anyone who did a search on an RSS aggregator that was ignoring "private" settings. This means that RSS is not a good technology for private information. It should be fixed, or something else should be developed that will perform the function privately. Library systems should avoid using technologies that have shown themselves to not meet our privacy standards. It's too bad, but that means that we're back to e-mail until the RSS problem is fixed.
Posted by: Karen Coyle | January 05, 2006 at 04:35 PM