New Program Turns Librarians into Privacy Advocates

by alison | December 22, 2017

 

We've got an exciting announcement from the Tor and libraries partnership: New York University (NYU) and the Library Freedom Project (LFP) are creating a collaborative program funded by the Institute of Museum and Library Services called Library Freedom Institute.

Library Freedom Institute (LFI) will be a privacy focused train-the-trainer program for librarians which builds on LFP’s successful shorter programs to construct an extensive curriculum training 40 Privacy Advocates geographically dispersed across the United States. LFI will prepare these Privacy Advocates to serve as nodes of expertise in their regions by conducting workshops for community members, installing Tor Browser on library computers, running Tor relays, and helping their own libraries become more privacy conscious.

Over a six-month course, project staff and guest trainers from around the internet freedom world will teach our Privacy Advocates how to lead privacy-focused computer classes at several levels: how to install, troubleshoot, and maintain privacy software on both patron machines and library public workstations; how to teach their own train-the-trainer workshops to other librarians in their regions; how to approach members of their community about privacy concerns; and how to use their new roles as Privacy Advocates to influence policy and infrastructure.

Lectures and assignments will all be shared under an open source license. Library Freedom Institute is now seeking applicants for the inaugural course beginning June 2018.

To participate in the training or to apply for a role as a guest trainer, contact us at institute@libraryfreedomproject.org. More information is at libraryfreedomproject.org/lfi.

Comments

Please note that the comment area below has been archived.

December 23, 2017

Permalink

Good

December 23, 2017

Permalink

Library Freedom Institute is that i love in *tor : a solid & coherent project which will be built at a large scale ... but still for usa in usa by usa ... N.Y wins the price of the freedom for 2018 : happy new year & merry christmas.

I would *love* to extend the program outside of the US, but this round we got funded by a US federal agency (the Institute of Museum and Library Services) so these parameters are required this time. However, all the lectures and course materials will be shared through an open source license, which I hope will encourage people in non-US places to work along with us. And maybe future rounds of LFI can get a different funding source and be more open.

December 28, 2017

In reply to alison

Permalink

hello alison,
i think it is not exportable (except maybe in uk/canada/australia area) - - for the same reasons than a free internet (https://blog.torproject.org/volunteer-spotlight-kat-privacy-activism-ve…) - - can't exist as long as encryption (pgp e.g.) & to be the owner of our hardware will be prohibited in almost (not all) countries/territories/regions.
It is not about funding source or *federal support.

December 23, 2017

Permalink

This is great news! I think LFP is one of the best things going in Tor.

With respect to your cross-country tour, is LFP reaching out in advance to both public libraries and university libraries suggesting that they attend your trainings? What about high school libraries?

As a user not affiliated with TP or LFP, I tried to urge librarians to look into Tor, and found that university librarians often seemed intrigued, but to my dismay public library officials seemed to be stuck in the "Tor bad" mindset. But many large US cities lack major university libraries, so citizens must look to their public library system for privacy protections. So I think reaching out to the public library systems during your tour may be particularly important.

Something you are probably aware of--- but most public library patrons probably are not--- is that many, perhaps most major public library systems in North America (CA, US, MX) have hired a private company in Toronto which hosts their catalogs, "book clubs", etc.--- and apparently sells information about catalog searches, checkouts, and social networks of library patrons. The company says this information is "anonymized", but--- as you probably know, but most library patrons probably do not know--- "anonymized" information can often be "re-identified" (c.f. the Netflix scandal). Further issues arise from (apparently) unencrypted library patron data crossing national borders (where the data can be snagged by a NSA/CSEC dragnet) and being subject to different laws in other countries.

Further, I fear that most library systems have not yet really grasped the point that a great variety of "ordinary citizens", including "ordinary library patrons", have become the subject of sophisticated state-sponsored cyberattacks. The methods and goals of the attackers are typically completely misunderstood by both government and library system officials.

Thanks for your comment!

Public, academic, and HS librarians welcome! Public will probably make up the bulk of participants. In the course we'll cover problems with existing library software, how it violates our values, and what we can use instead.

December 23, 2017

Permalink

@ any Tor person:

Be aware that post NN-repeal, some US "upstream" ISPs (fiber owners) may already be blocking connections to Tor. I am experiencing problems connecting to the Tor network with and without bridges (at noon Saturday was working fine).

A few years ago TP worked with OONI and EFF (as I recall) to produce a version of OONI for Raspberry Pi. Would you consider bringing out an updated version? I need an ISO image I can verify with GPG and burn to a Micro-SD card for a Pi 3. The one I have is several years old and presumably has many unfixed security bugs.

Post NN-repeal, it seems more important than ever for OONI to provide tools making it easy for USPERs to check for net censorship or blocking.

December 23, 2017

Permalink

@ GK (or any TP person who maintains the onion mirrors for Debian):

As of Dec 23 I am experiencing problems connecting to the Tor network except by using a bridge. Ordinary connections were working fine earlier today. Tor 7.0.11 is working fine for me right now when I connect by a bridge, but I am not sure I know how to connect using Debian instance of Tor (not TBB instance of Tor) in order to connect to the onion mirrors for Debian. Can you give a link to the explainer I need? TIA!

December 24, 2017

Permalink

That's fine, if it wasn't because in some places (I'm thinking of the UK) public libraries are ultra-zealous their internet browsers aren't used for unlawful purposes. Were you to suggest to any councillor that they couldn't tell if their patrons had been looking for, say, child pornography, or terrorism stuff, because their internet activities weren't monitored, and were in fact privacy-enhanced (e.g., Tor), they'd rather monitor everything and everyone than maybe let one in a thousand get away with that.
If you're going to have Tor in libraries, the T&C would need to be changed from "You must not do X, Y, Z in our computers" to "You're free to do whatever you want with our computers, according to your conscience, and we're not monitoring you electronically, but beware you could be kicked out if someone walked by and, looking over your shoulder, saw you were doing something that you shouldn't and reported it to library staff".
Maybe adding "... so you'd better shield your monitor". In fact meaning, "if everyone should use Tor even if they have nothing to hide, then everyone using the Net in a public library should have the right to shield their monitors".
You can't have Tor in libraries and at the same time tell people what they can't do. I mean, you can, but it's contradictory and inconsistent. Of course librarians like anyone else (politicians in particular) can choose to be inconsistent, or assert they're consistent when they aren't (using denial to avoid discussing inconvenient truths), and maybe that's how the world works... but hey, I don't have to believe that's right.
The programme should have a chapter called "How to negotiate and make compromises between your hypocrisy and the alleged institutional 'public duty' to upheld generally accepted values, and actually providing unfettered privacy to people".

Things are indeed dire in the UK; I've worked with many amazing UK librarians who are committed to the cause. Check out the Radical Librarians Collective!

Without getting too deep into it, libraries face a serious challenge between living their values (intellectual freedom, privacy, open access) and keeping more conservative boards and adminstrators happy. Sometimes, there is a much needed financial incentive, like how in the US libraries that receive e-rate federal funding are required to install filters on all computers. Most librarians hate this, but feel that they have very little choice to stop it.

We will spend a lot of time in the course talking about making the case for privacy. It's so important that I'm going to make everyone get together in person and roleplay convincing boards, administrators, and the public.

December 28, 2017

Permalink

why doesn't your tails suite have more anti track antiblock tools? seems it is still vulenerable?

no privacy badger? no disconnect? no blur? no keyscrambler? no bitmask? no shadowsocks? and so on.....

Not a Tails dev, just another user, and I defer to the Tails team if I got anything wrong below, but FWIW:

Tails Project is allied to Tor Project, but they are separate NGOs.

From the viewpoint of maximizing anonymity with Tor Browser under Tails, having more third party additions is generally not helpful. Further, some things which might be a good idea in a generic Linux system are probably pointless or less relevant on a Tails system.

In general, the devs have to make lots of decisions which amount to trade-offs between usability, security, and anonymity, and I believe they generally make these taking account of their intended user base, at-risk people such as journalists, human rights workers, union organizers, political activists, and bloggers, especially in the most repressive nations (though most if not all are repressive to some degree).

Potential Tails users shouldn't put much credence in unsubstantiated rumors about alleged weaknesses, unless the news comes from a very credible source, such as Tails Project, The Intercept, or Snowden. (Snowden still uses Tails, I hear. Even the UK Parliament endorses both Tails and Tor Browser in a recent publication on dragnet surveillance.)

December 28, 2017

Permalink

Six months? Where will this be taught? NYU? Online? If at NYU, students would have to plan for many other expenses and the distance itself from home for six months. If online, will the teachings in the course be applied directly to how the students access the materials and communicate with each other as they are learning it?

As the website states, it's all online except one fully-funded in-person weekend requirement. I am having a hard time understanding your second question, but I think the answer is yes.

December 31, 2017

In reply to alison

Permalink

I am having a hard time understanding your second question

LFI will prepare these Privacy Advocates... by conducting workshops for community members, installing Tor Browser on library computers, running Tor relays... how to install, troubleshoot, and maintain privacy software...

For instance, would the course materials only be accessible on a hidden service? Would any chat services for course communication have to first be configured to use Tor's localhost proxy? Would LFI be installing the Tor relays, or would the students be given an assignment to set one up? In other words, would the course require that involvement be hands-on from the moment a topic is introduced so they gain active experience? The backend configuration can be daunting to first-timers, but if they will be expected to educate their geographical regions, facing not only the front-end clients but the difficult technical parts with the teacher's guidance can give you more assurance and give them a more stable foundation when they face questions from their own students.

Furthermore, does "privacy software" mean the course would cover, for instance, the software on the EFF: Surveillance Self-Defense and The Freedom of the Press Foundation's lists of tools and guides? Because some of those can also be daunting to the point that some first-timers might give up. The course should train them as thoroughly as possible for hardships they would encounter when they are on their own or with other librarians but also ways to gently introduce the tools to their library's patrons (the general public).

https://ssd.eff.org
https://freedom.press

Best wishes and thank you to you, LFI, and to everyone enrolling!

We've been teaching librarians and their community members about privacy for years, and our approach is designed to make newcomers feel comfortable. So, with that in mind, would we for example only put course materials on an onion service? Absolutely not. Making that "lesson one" is a good way to alienate almost everyone.

We are confident that the course is going to equip participants with everything they need to become privacy advocates.

January 04, 2018

In reply to alison

Permalink

I meant to emphasize "hands-on [experience with the difficult technical parts] from the moment a topic is introduced", not emphasizing the word "only" in the first sentence. The course expects them to graduate as teachers, themselves, and that doesn't always jive with making them feel comfortable. It's one thing to graduate as a student, but it's a whole other ballgame to graduate as a teacher. Yes, hidden services should not be lesson one, but a cumulative, eventual expectation of hands-on application of the difficult technical parts and tools under your guidance is necessary for them to be able to back up their written and verbal advocacy with application. They wouldn't be effective once they leave your hands if making them feel comfortable means they aren't trained to set up and manage the difficult technical parts. It's possible to retain comfort and moderate assurance of their skills if supplementary materials and contact are offered after the course ends, but I believe working out the most difficult things would be better achieved under your supervision rather than on their own.

Comfort, Difficulty, Expectation. I empathize that balance is tricky and every student is different. You are expecting a lot from *this particular group* of students after they graduate, too. Advocacy should imply even portions of both rhetoric and application.

January 02, 2018

Permalink

This is great news!

But I have to say, I have no idea how you're successfully convincing librarians to take this course. Maybe there's something special about librarians that I don't know about, but I'm half embarrassed to even say the word "privacy" in public anymore, let alone pitch an in-depth course on Tor and the like.

Very few people seem to care at all about privacy, and a lot of them even go a step further and alienate anyone who might. I would have expected librarians as a group to be generally a perfect example of this. Like another user mentioned libraries and especially universities always seem to have rather fascist network filters to begin with.

Not only that, anyone who googles Tor for the first time is going to be bombarded with stuff about drug trafficking, child porn, murder for hire, and everything else the media likes to single out Tor for.

I'm just wondering if you could sort of comment on how you get around obstacles like these, or if you've just had really good luck, etc. etc. Not just in the context of this campaign but also LFP's work in general.

Librarians *are* special in this regard. Privacy is a core value of librarianship. I've never had to do much outreach at all...all of LFP's success is basically word of mouth...and on that, we've trained about 3000 librarians in 5 countries. So I think it is indeed a unique group that "gets it" and wants to help others. The filtering stuff on library computers does not come from librarians, but rather administrators or federal requirements.

January 03, 2018

Permalink

your personal sens of 'privacy & privacy advocates' is bizarre , it sounds as an old lady decision,
a closed club school mind (obsolete, maintained with their support_effort_money) : zen attitude . good luck

Thanks for your opinion!!! You're more than welcome to start your own privacy institute as you wish! I'll just be over here with my squad of badass old ladies!!!!