This fall New York University (NYU), in partnership with the Library Freedom Project, will be seeking applicants for the Library Freedom Institute (LFI), a new program that will train 40 geographically dispersed librarians as “Privacy Advocates.” They will then serve as regional experts in online privacy, conducting workshops for their communities and helping their own libraries become more privacy-conscious. Funded with a $249,504 grant from the Institute of Museum and Library Services, LFI has a two-year project timeline, beginning with this six-month online train-the-trainers course. This pilot iteration will then be analyzed, revised, and ultimately offered to a larger cohort of librarians. Library Freedom Project founder and director Alison Macrina (a 2015 LJ Mover & Shaker) is well-versed in this type of work. In 2014, Macrina coauthored the Radical Reference Collective’s We Are All Suspects zine and partnered with the American Civil Liberties Union (ACLU) of Massachusetts to create workshops aimed at improving librarians’ understanding of digital surveillance. About 750 librarians attended 15 workshops in three states. The following year, Macrina was awarded a two-year, $244,700 grant from the Knight Foundation News Challenge on Libraries to continue this work full time. She has since led about 70 workshops for librarians annually, as well as workshops for patrons and regular webinars regarding online privacy and digital security, covering topics including handling subpoenas for patron records, threat modeling, security-focused public computer terminal maintenance, working with the Tor browser in a library environment, and more. “Librarians, as a group, … really care about these issues, and recognize the importance to their communities and to democracy…but [many] don’t know what they can practically do,” Macrina said. NYU will help Macrina shape this curriculum into a multi-part course designed for librarians who will then host privacy and personal security workshops of their own, explained NYU’s LFI lead Howard Besser, Associate Director of NYU's Moving Image Archiving and Preservation master's degree program (MIAP) and professor of Cinema Studies. “NYU is working with her on lengthening the curriculum, turning [it] into webinars…and [utilizing] different kinds of delivery systems,” Besser said. “There’s a lot of differences between doing workshops, and doing longer-term courses. How do you divide up the curriculum? How do you give people assignments” that are balanced and can be completed within an allotted time frame?

Politically motivated

Public concern about online privacy spiked in 2013, when former Central Intelligence Agency employee Edward Snowden leaked classified information from the National Security Administration (NSA), revealing the extent of global surveillance operations. But these operations don’t stop just because the topic drops out of the front page headlines. Currently it is unclear how the Trump administration is leveraging information gathered by agencies such as the NSA. However, it is evident that under the leadership of Attorney General Jeff Sessions, the U.S. Department of Justice (DOJ) is using Internet activity logs to identify and collect personal information on many activists who oppose the Trump administration. Officially, the department is searching for evidence to identify and indict people who were involved in riots or criminal activity during protests organized around Trump’s inauguration on January 20. But the DOJ is casting a remarkably large net. For example, in August, web hosting company DreamHost announced that it had been served with a search warrant by DOJ in July, demanding information that could be used to identify anyone who had visited disruptj20.org, the website of a loosely organized group formed to protest Trump’s inauguration. In an announcement posted shortly after the inauguration, DisruptJ20 claimed that it had gathered 400 protestors—among the thousands of protestors in Washington, DC— to physically block a checkpoint at 3rd and D streets NW for four hours. The DOJ, however, argued that it needed personally identifiable information about all of the 1.3 million people who had visited the disruptj20.org website. Following a counter motion by DreamHost and a somewhat narrower, amended filing by the DOJ, Judge Robert Morin of the DC Superior Court ruled that DreamHost would have to turn over membership lists, as well as information about anyone who had actively submitted information to the site, such as email addresses. “This is the kind of thing that we should be seriously alarmed by,” said Macrina. “It’s not just IP information. It included other types of login info, names, addresses—whatever information was submitted [by users] in the forms on the site, all of that was subpoenaed. What are they planning to do with that?” On September 29, CNN reported that it obtained court documents indicating that Trump administration lawyers had served Facebook with warrants demanding personal information on 6,000 users who had “liked” the group’s Facebook page. The DisruptJ20’s case has been widely reported, but Macrina noted other examples of recent online actions by the Trump administration that could be interpreted as hostile toward individuals who oppose the administration. “The White House recently published about 200 [negative] emails that they had gotten through their feedback form,” Macrina said. “They published the entire content of the emails, who sent them, their real names and their IP information. What was the purpose of doing that?... To me, that’s the White House saying to the Internet trolls, ‘here, have at these people.’”

Adapting to the times

Patron information needs regarding online privacy and security tend to shift regularly. The massive data breach at consumer credit reporting agency Equifax this summer, for example, caused more than 143 million U.S. citizens to have sensitive personal information exposed, including their social security numbers, making this arguably the most serious data breach in history. LFI Privacy Advocates would need to anticipate more questions about protecting against identity theft following such an event. “We have no meaningful consumer protections from all of these giant multinational companies that trade in our data,” Macrina said, noting that the Equifax breach is just the latest in what has become a steady flow of breaches announced by retailers, banks, online services, government agencies, and others, which seem to face few consequences for security lapses. And, Besser noted, while people may be aware of some of the privacy threats posed by corporate data collection, many of these practices are obscured by online conveniences. For example, Facebook and Google are mining the content of emails, likes, and posts, and in return, offering a free online calendar or better article rankings or a targeted ad. Many people aren’t aware of how much data is being collected in exchange for these services. “They’re just aware of the tip of the iceberg, or of the advantages of giving up private data, without giving informed consent about the downside,” he said. Beginning with its first class of Privacy Advocates this fall, LFI will help libraries offer patron education and assistance on this front. “We feel that libraries—who have always protected their users’ privacy—have a continuing and important role to play in the digital age,” as trusted institutions with connections to every community in the country, Besser said. LFI will soon have a website to take applications for the 40 Privacy Advocate spots. Macrina said that interested librarians can also contact her to learn more.