Using your library software – what third parties will get to know about our library customers
Dr. Andreas Sabisch, FU Berlin, Universitätsbibliothek, Garystr. 39, 13469 Berlin, andreas.sabisch@fu-berlin.de
Agenda
Motivation for this investigation
Web communication for dummies
Examples of third-party communication
What to do
Why we must deal with this
We must protect the digital privacy of our patrons
• EU laws, national laws, university rules
• Questions from patrons, university boards, secure research, …
We (especially in Germany) have to describe how we deal with the patrons' data
• Data protection rules description (Datenschutzerklärungen)
• Avoid data production, storage and propagation
• Right of informational self-determination (BVerfG) (Recht auf informationelle Selbstbestimmung)
We have a monopoly with our library systems
• loan, EZproxy access, course material, …
How we can do this
• Analysis
• Description
• Avoidance
HTTP communication
Web logs and cookies
What is in a web server log: the Apache log file
130.133.152.192 - - [10/Apr/2014:09:16:44 +0200] "GET /docs/images/poweredby.gif HTTP/1.1" 200 2376 "http://160.45.152.195/docs/content/below/index.xml" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
IP of the requesting host: 130.133.152.192
When: 10/Apr/2014:09:16:44 +0200
What (request): /docs/images/poweredby.gif
Technical information: status code and transferred volume: 200 2376
Where the request comes from (referrer): http://160.45.152.195/docs/content/below/index.xml
(Browser) information: "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
Recognition by the web server: the cookie file
Cookie: a text file
Name: JSESSIONID
Value: 7AE6B0776E8F4D75BAC8B46189F419FB
Host: primo.kobv.de
Path: /primo_library/libweb
Sent for: each connection type
Valid until: end of session
Only the web server which sent the cookie can read it. But every third party involved in the request can set a cookie of its own.
Flash cookies – hard to detect, no example found yet in a library environment
Scripts which send additional information
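To make the slide's point concrete, here is an added example (not part of the original slides) that parses Apache "combined" log lines like the one above and then takes the perspective of a third-party server: from the Referer header alone it can reconstruct, per client IP, which library pages and search terms a patron looked at. The first log line is the one from the slide; the remaining lines, the host catalog.example-library.test and the search paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the layout of the line shown on the slide:
# client IP, identd, user, [timestamp], "request", status, bytes, "referrer", "user agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Split one combined-format line into the fields the slide enumerates."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # The referrer tells this server which page on ANOTHER site embedded the request.
    rec["referrer_host"] = urlsplit(rec["referrer"]).hostname if rec["referrer"] != "-" else None
    return rec


# Constructed sample log as a third party (e.g. a script or image host) would see it.
# Line 1 is the line from the slide; lines 2-4 are invented, with a made-up library
# host and made-up search paths, to show what the Referer header carries.
SAMPLE_LOG = """\
130.133.152.192 - - [10/Apr/2014:09:16:44 +0200] "GET /docs/images/poweredby.gif HTTP/1.1" 200 2376 "http://160.45.152.195/docs/content/below/index.xml" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
192.0.2.10 - - [10/Apr/2014:09:17:02 +0200] "GET /widget.js HTTP/1.1" 200 812 "http://catalog.example-library.test/search?q=hiv+therapy" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
192.0.2.10 - - [10/Apr/2014:09:17:40 +0200] "GET /widget.js HTTP/1.1" 304 - "http://catalog.example-library.test/record/12345" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.7 - - [10/Apr/2014:09:18:11 +0200] "GET /widget.js HTTP/1.1" 200 812 "-" "curl/7.35.0"
"""


def patron_storyline(log_text, library_host):
    """Group, per client IP, the library pages (and search terms) that the referrer
    disclosed to this server. This is the 'storyline' the deck warns about: one
    request is a piece, many requests from one IP are a profile."""
    story = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referrer_host"] != library_host:
            continue  # unparsable line, no referrer, or a referrer from some other site
        parts = urlsplit(rec["referrer"])
        query = parse_qs(parts.query).get("q", [])  # 'q' is the constructed search parameter
        story[rec["ip"]].append((rec["when"], parts.path, query[0] if query else None))
    return dict(story)


if __name__ == "__main__":
    for ip, visits in patron_storyline(SAMPLE_LOG, "catalog.example-library.test").items():
        print(ip)
        for when, path, q in visits:
            print(f"  {when}  {path}  search={q}")
```

Running the script shows that the third party learns the patron's IP address, the exact catalog records opened and the search term, without the patron ever visiting the third party's site; the only data it needed was the Referer header the browser attaches to the embedded request.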
A picture in pieces
Logging one request is a piece of information
Logging a lot of requests gives a storyline
Logging a lot of requests from different servers gives the whole life
That's what Google and Co. will do
• To X-ray one person (i.e. to give you personalized services and advertising)
• To get statistical evidence for a whole group (i.e. people who are interested in this are interested in that as well)
How to analyse data traffic (sniffing)
Professional tools
• tcpdump for automatic processing
• Wireshark with graphical interface
Analysis with Wireshark (suggestion for professionals)
• Create a filter (broadcast/own IP; just TCP or HTTP ...)
• Do one action in the browser, then start with the analysis. If necessary, repeat.
• Analysing a whole session is hard work. You can do this best if you check for specific issues in this session, i.e. which hosts participate in this session.
Browser tools (for a quick glimpse), i.e. Firefox => Extras -> Web tools -> Network; limited to HTTP, no TCP and TLS connections
I will use these browser tools for some examples
Aleph catalog with tracking bugs
dbs.pixel.hbz-nrw.de: DBS tracking bug, legal, described
Recommander.bibtex.de: BibTip recommender system, legal, but not described
Primo including a second source (library blog)
RSS feed from our library blog
ajax.googleapis.com: formatting from RSS to JSON
… and without Google: no Biblioblog entry
Blocking Google: no information any more
Primo result site
books.google.com
exlibris-pub.s3.amazonaws.com
images.amazon.com
bX in Primo
recommande-bx.hosted.exlibrisgroup.com: bX service, integrated in Primo
beacon01.alma.exlibrisgroup.com: a tracking bug from ExL, no description available
A licensed journal web site
Imagic17.247realmedia.com
metric.sciencemag.org
now.eloqua.com
www.google-analytycs.com
Short-term work in the library
Check with tools for third-party requests
Test the functionality of your site with the requests blocked
Remove the third-party requests
• With other/own functions
• By commenting them out in code or web sites
• With help from your provider (i.e. ExL)
Describe the necessary third-party requests for your patrons; include the data protection policy of the third party
Describe the users' possibilities to protect their data
Help users with a proxy server (i.e. the university computer department)
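The first and the last of these steps (find the third-party requests, then decide which ones are documented and which still have to be removed or described) can be scripted. The following is an added example, not a tool from the slides or from any vendor: it scans a catalog page's HTML for every tag that makes the browser contact another host and splits the hosts into "documented" and "undocumented". The sample page and the host catalog.example-library.test are constructed; the third-party hostnames in it are the ones the slides observed in Primo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes on which tags cause the browser to send a request (with Referer) to a host.
URL_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),
    "source": ("src",),
}


class ExternalRequestFinder(HTMLParser):
    """Collects every (tag, attribute, url) that instructs the browser to fetch something."""

    def __init__(self):
        super().__init__()
        self.requests = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value:
                self.requests.append((tag, name, value))


def external_hosts(html_text, page_host):
    """Return {host: [(tag, url), ...]} for every host other than page_host."""
    finder = ExternalRequestFinder()
    finder.feed(html_text)
    found = {}
    for tag, _attr, url in finder.requests:
        host = urlsplit(url).hostname  # protocol-relative "//host/x" also parses
        if host is None or host == page_host:
            continue  # relative URL, or a request to our own server
        found.setdefault(host, []).append((tag, url))
    return found


def audit(html_text, page_host, documented):
    """Split external hosts into those the privacy statement already covers and
    those that still need to be removed or described (the deck's to-do list)."""
    hosts = external_hosts(html_text, page_host)
    return {
        "documented": sorted(h for h in hosts if h in documented),
        "undocumented": sorted(h for h in hosts if h not in documented),
        "detail": hosts,
    }


# Constructed sample result page; the paths and ids are placeholders, the hostnames
# are those the slides report for Primo.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
</head><body>
<img src="http://catalog.example-library.test/img/logo.png" alt="logo">
<img src="https://books.google.com/books?id=PLACEHOLDER" alt="cover">
<img src="http://images.amazon.com/cover-PLACEHOLDER.jpg" alt="cover">
<img src="https://beacon01.alma.exlibrisgroup.com/beacon.gif" width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE, "catalog.example-library.test", {"ajax.googleapis.com"})
    for host in report["undocumented"]:
        tags = ", ".join(f"{tag} {url}" for tag, url in report["detail"][host])
        print(f"ACTION NEEDED  {host}: {tags}")
    for host in report["documented"]:
        print(f"described      {host}")
```

A 1x1 image such as the beacon is exactly the "tracking bug" pattern from the Aleph and bX slides: it renders nothing, but its request carries the patron's IP, user agent and the Referer of the catalog page. The script only reads static HTML; requests that scripts add at run time (the bX recommender call, for instance) still have to be checked with the browser's network tool or Wireshark as described above.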
Patron options at the moment
Blocking programs like Adblocker or Ghostery
• Pro: selected third-party requests
• Contra: lack of functionality
Using proxy servers
Opt-out option – conforms to data protection law (Datenschutzkonforme Herangehensweise) but much effort
Tor – anonymous surfing
Long-term issues in libraries
We must accomplish an 'opt-in' culture
• Core functions must be in data-safe structures
• Add-ons must be chosen by the patrons with knowledge of the third parties involved (opt-in process)
The library infrastructure and systems must support this strategy
Summary
Modern library software often includes third-party requests
Third parties get information about your patrons via referrer information
This violates the patrons' 'right of informational self-determination'
Analyse your software environment
Try to be law-conform: avoid or describe
Long term: accomplish an 'opt-in' culture
Highlights
Each HTTP request gives information like IP address and referrer to the web server it is sent to
A web site very often includes requests to third parties. These requests send the same information to the third-party server and are nearly invisible to the user
We, as the providers of the library systems, are responsible for the data privacy policy for the users of our systems
We must take care about the sending of user data to third parties and should always use the options for a safe privacy policy
Doing this is important to give our users the rights to their private data back (in German: 'Bewahrt das Recht auf informationelle Selbstbestimmung')
Thanks to Dr. Voss, HU, and Uwe, TU, who found the back tracks of hosted.exlibris.com and gave the impulse for this investigation