Investigatory powers bill and libraries

This blog post was contributed by Ian Clark from the Informed team and Lauren Smith, a Research Associate at the University of Strathclyde.

The news that libraries may be forced to hand over personal data to the security services raises serious ethical questions regarding the confidentiality of what people choose to read. A fundamental ethical principle of the library and information profession is the freedom of individuals to access information and read whatever they choose in confidence. The Chartered Institute of Library and Information Professionals (CILIP) is very clear on the obligations to library users. Its ethical principles state the need to demonstrate:

Commitment to the defence, and the advancement, of access to information, ideas and works of the imagination.

Such a principle is undermined if the government is known to be able to access data on the “information, ideas and works of the imagination” that individuals access. The chilling effect of such a move would inhibit individuals from accessing whatever they want without fear of reprisals from the state.

Furthermore, CILIP has also endorsed the Council of Europe’s “Public access to and freedom of expression in networked information: Guidelines for a European cultural policy”. These guidelines are very clear that what users choose to access should be treated as confidential and that the privacy of users should be paramount:

1.2 It is the responsibility of individuals using Public Access Points to decide for themselves what they should, or should not, access.

1.3 Those providing Public Access Points should respect the privacy of users and treat knowledge of what they have accessed or wish to access as confidential.

The proposals laid out by Theresa May seriously threaten these basic ethical principles. If the state is able to access data on what individuals have been reading in public libraries their freedom to read and access what they choose is seriously compromised.

Ironically, these proposals come at a time when libraries and librarians in other parts of the world are emphasising the importance of ensuring that individuals can access what they wish in confidence. In December last year, librarians were in uproar when Haruki Murakami’s borrowing record was published in a Japanese newspaper. In response, the Japan Librarian Association re-affirmed that:

“Disclosing the records of what books were read by a user, without the individual’s consent, violates the person’s privacy.”

In the face of similarly intrusive legislation (the PATRIOT Act) in the United States, some libraries have begun purging records of inter-library loan requests to protect users’ privacy. As yet we have not seen comparable moves by the profession in the UK, but the increasingly aggressive rhetoric from the government regarding what and how individuals seek out information is clearly in conflict with the values we espouse as a profession.

Libraries should not distinguish between books and web activity. What individuals read and access online should be as private and as confidential as their book borrowing habits. Although we do not have the constitutional protections to intellectual liberty that American library users are afforded under the First Amendment, both professional organisations (such as CILIP) and political bodies (Council of Europe) are very clear that what a user accesses in a library should remain confidential. The proposals put forward by Theresa May threaten these basic principles of intellectual freedom and liberty and will put intolerable pressure on public libraries. Our government’s desire to undermine these principles is not only dangerous, but will also seriously undermine the bond of trust between public libraries and their users.

Informed’s 2016 plans

The end of 2015 was a hectic one for all of us. We had our annual review in which the whole team gets together to review the year that has just passed and look ahead to the coming year. As a result of that discussion, we decided to revert to our old structure of having Administrators (who oversee the running of the site, commissioning content etc) and Moderators (who check submissions against our guidelines). As we are a team of volunteers, the time we can dedicate to Informed fluctuates depending on how busy we are at work, our other voluntary commitments and life! Reinstating these two roles allowed two of our (now) Moderators – Kevin and Helen – who had taken on a lot of other commitments in the year, to continue working with us.

One of our Admins, Stuart Lawson, stepped down from his role in Informed. Anyone who even vaguely knows Stuart knows how many projects he is involved in and how much of his time he dedicates to our profession, from helping to set up and edit the Journal of Radical Librarianship, to extensive work for the Open Access movement. Stuart was involved in the initial discussions that helped to shape what Informed would become – when it was a kernel of an idea in the heads of our founders, Elly, Ian and Jennie – and was our first Moderator to come on board. We are grateful to Stuart for all of the hard work he has put into Informed and for helping us to realise its creation and launch. We wish Stuart the best of luck in his many on-going projects!

In other personnel news, we have a new Moderator amongst us – Mobeena Khan. As with Stuart, Mobeena was involved with the early conversations and has been a great supporter and advocate for the site. We are delighted to have Mobeena as part of the team!

We have lots of exciting stuff planned for 2016. As ever we appreciate all of you who read, share and get involved with our content. We want you to continue to do so by offering ideas for content, volunteering to write posts, connecting us with relevant stories, etc. So please, get in touch if you want to discuss anything with the team.

#dammitJANET – Distributed Denial of Service (DDoS) explained

Simon Barron (@SimonXIX) explains what DDoS is, how it is used and debunks some myths about it.

On 7 December 2015, the academic network provider, Janet, suffered a DDoS attack which partially brought the service down (Martin, 2015). Workers in Higher Education institutions across the UK (and organisations that have their internet access provided by server farms in HEIs) suddenly found their internet connections weren’t working properly while Jisc engineers scrambled to fend off the attack and restore service.

A DDoS (Distributed Denial of Service) attack is a means of bringing down a server (or a cluster of servers) by flooding it with requests. In normal communication on the web, a local computer (e.g. a Windows desktop PC) sends a request to a server (e.g. by pointing Firefox to http://theinformed.org.uk/) to serve up a webpage; the server then responds by sending the data (e.g. HTML and CSS files) that makes up the webpage. A DDoS attack sends thousands of requests to a server continually from multiple IP addresses such that the server cannot respond: either by using up all the server’s CPU processing power at once or by filling up the server’s RAM, causing it to crash.

DDoS (sans the word ‘attack’) can be a valid method of testing the integrity of a server. A developer setting up a web service can perform load testing by incrementally increasing the number of requests sent to a page until it falls down: this gives you the total number of users that should use the service at any one time. A tool like Bees with Machine Guns (https://github.com/newsapps/beeswithmachineguns) uses the power of Amazon Web Services to perform stress testing.

However DDoS is more effectively lodged in the public consciousness as a weapon of hackers. DDoSing without the express consent of the owner of the server is illegal. DDoSers in the USA have been prosecuted under the Computer Fraud and Abuse Act (CFAA) (Coleman, 2014). This weaponised version of DDoS is usually done through botnets. “A botnet is essentially just a collection of computers connected to the Internet, allowing a single entity extra processing power or network connections toward the performance of various tasks including (but not limited to) DDoSing and spam bombing… Participants whose computers are tapped for membership in a botnet usually have no idea that their computer is being used for these purposes. Have you ever wondered why your computer worked so slowly, or strangely? Well, you might have unwittingly participated in a DDoS.” (Coleman, 2014) A computer can become part of a botnet by being infected with a piece of malware.

Another method is a more voluntary form of DDoS using the program Low Orbit Ion Cannon (LOIC), an open-source load testing tool (http://sourceforge.net/projects/loic/). Like its science-fiction namesake, LOIC is simply pointed at a target and then fired: the user enters the IP address of a server and then clicks the large button labelled “IMMA CHARGIN MAH LAZER”. When co-ordinated, a mass group use of LOIC can send thousands of requests at once. However the use of LOIC is not secure: assurances – from the Anonymous #command channel and journalists from sites like Gizmodo – that IP addresses of LOIC-attack participants can not be logged on a targeted server are wrong: “The DDoS’ed site can still monitor its traffic, culling and keeping IP addresses, which can be subsequently used to identify participants.” (Coleman, 2014)
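The point quoted above, that a targeted server can still monitor its traffic and keep source IP addresses, is shown here from the server operator's side as an added example (not code from the original post or from any tool it mentions). It assumes access logs in Common Log Format and in chronological order; the thresholds, function names and the sample log are constructed for illustration, and the sample uses documentation-only IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_line(line):
    """Return (ip, timestamp, request, status), or None for a malformed line."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, when, request, int(status)


def flag_flooders(lines, window_seconds=10, max_requests=20):
    """Find sources that exceed max_requests within any sliding window.

    Returns (flagged, skipped): flagged maps each offending IP to its peak
    request count inside one window; skipped counts unparseable lines.
    Assumes the log lines are in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count seen so far
    skipped = 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        ip, when, _request, _status = record
        seen = recent[ip]
        seen.append(when)
        # Drop requests that have aged out of the window.
        while seen and when - seen[0] >= window:
            seen.popleft()
        peak[ip] = max(peak[ip], len(seen))
    flagged = {ip: n for ip, n in peak.items() if n > max_requests}
    return flagged, skipped


def build_sample_log():
    """Constructed sample: one ordinary visitor, three flooding sources."""
    base = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # Ordinary visitor: one page view every 12 seconds.
    for i in range(5):
        events.append((base + timedelta(seconds=12 * i), "198.51.100.7", "/about"))
    # Three sources, each sending 10 requests per second for 5 seconds.
    for host in (10, 11, 12):
        for i in range(50):
            when = base + timedelta(seconds=20 + i // 10)
            events.append((when, f"203.0.113.{host}", "/"))
    events.sort(key=lambda e: e[0])
    lines = [
        f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
        f'"GET {path} HTTP/1.1" 200 512'
        for when, ip, path in events
    ]
    # One malformed entry, as real logs often contain truncated lines.
    lines.insert(3, "truncated line with no fields")
    return lines


if __name__ == "__main__":
    flagged, skipped = flag_flooders(build_sample_log())
    for ip, count in sorted(flagged.items()):
        print(f"{ip}: {count} requests within one 10-second window")
    print(f"unparseable lines skipped: {skipped}")
```

The same per-source counts are what a rate limiter or upstream filter would act on; the window and threshold have to be tuned against the site's normal traffic.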

A DDoS attack is fairly simple hacking: it does nothing more than disrupt a service in a way easy to recover from and temporarily take down a public face of a company.

(Monroe, 2011: image licensed as CC BY-NC 2.5)

The real issue is what hacking can be done under the cover of a DDoS attack. While server defences are weakened by devoting processing power to dealing with requests and while sysadmins are distracted fending off the attack, a hacker can covertly perform more malicious hacks like accessing data in a server’s database or changing passwords or planting code or simply ‘rm -rf /’-ing the whole server.

The impetus for this kind of malicious DDoS attack can be political or simply, in the words of hackers, “for the lulz” (Coleman, 2014). DDoS as a tactic for political activism has become associated with the trickster hacker collective, Anonymous, who have used it to take down the websites and servers of various companies or groups. Since DDoS can be used to crash a server, it has been used to take down websites from the Church of Scientology’s site to Sony’s Playstation Network to PayPal (Coleman, 2014).

The use of DDoS as a tool for political activism is hotly debated among hackers. Groups like the Pirate Party and AnonOps (operational planners of Anonymous) disagree about the ethics and efficacy of using DDoS (Coleman, 2014). On one hand are those who argue that DDoSing is nothing more than another “large-scale, rowdy, disruptive [tactic] to draw attention and demand change.” (Coleman, 2014): no different fundamentally from a sit-in protest, a direct action blockade, or an occupation of a physical space. The only differences are squatting on digital space rather than physical space and the increased numbers of participants that can be involved in a protest via DDoS. Anonymous also argue that the visibility of the action and its ability to get the mainstream media’s attention justifies its use to highlight political and social justice issues. In 2013, Anonymous posted a petition on whitehouse.gov asking that DDoS be recognised as a legal form of protesting, the same in kind as the Occupy protests (whitehouse.gov, 2013).

On the other hand, other hackers invoke principles of free speech and freedom of information to decry the use of DDoS. With an absolutist view of free speech, taking a website offline is depriving the company or group that owns the website from expressing their views (via the medium of webpages) and also depriving the public of information. Oxblood Ruffin of the Cult of the Dead Cow hacker collective reasons that “Anonymous is fighting for free speech on the Internet, but it’s hard to support that when you’re DoS-ing and not allowing people to talk. How is that consistent?” (Mills, 2012) When using a botnet, there are also ethical concerns in harnessing someone’s computer without their consent to participate in illegal activity.

On the other other hand, a “more dynamic view of free speech could take power relations into account. By enabling the underdog—the protester or infringed group—to speak as loudly as its more resourceful opponents (in this case, powerful corporations), we might understand a tactic like DDoS as a leveler: a free speech win.” (Coleman, 2014)

In a sample of a chat log from an IRC chatroom, #antiactaplanning (quoted in Coleman, 2014), Anonymous members debated the use of DDoS on a US Government website:

<golum>: Whatever, listen. I’ve heard all the arguments for NOT ddosing. But the truth is we need to wake them up.

[…]

<golum>: I understand that ddosing could potentially harm our cause.

<golum>: But I think the risk is worth it.

<fatalbert>: well i as for myself disagree therefore im not helping with ddos

<golum>: We need attention

<+void>: OMG ITS THE ANONYMOUS, THE ONLY THING THEY DO IS DDOS, OMGOMGOMOGMOMG LETS MAKE ACTA PASS ON POSITIVE

<golum>: No.

<golum>: matty—how did contacting the politicians go?

<BamBam>: Yeah I’ve always kinda hated ddos

<golum>: Look. i’ve heard the arguments I just wanted to say, we should do this.

It’s unclear why Janet, the network enabling internet access for UK HEIs, came under attack this week. At the same time, the Jisc website received a direct DDoS attack as well (Jisc, 2015). It’s worth noting that although internet access through Janet in the UK was disrupted, users were still able to access the wider web by routing their traffic outside of the UK network either through a VPN like Bitmask (https://bitmask.net/) or through the Tor Project’s Tor Browser (https://www.torproject.org/). Such tools are often mistakenly perceived as being used exclusively by hackers, those accessing the ‘Dark Web’, criminals, or terrorists. Following the November 2015 Paris attacks by Daesh, the French Government have openly discussed banning the use of Tor Browser in the same way as Iran or China (Griffin, 2015). In reality, online privacy tools have legitimate and valid uses for defense in computer security: whether against DDoSers or governments and corporations conducting mass digital surveillance.

Whether morally legitimate or not, DDoSing is an effective tactic for hackers and other political activist groups. The core strength of DDoS is that it exploits a weakness in the fundamental principle of the internet: computers using telecommunications networks to request data from one another.

 

References:

Coleman, G., 2014. Hacker, hoaxer, whistleblower, spy: the many faces of Anonymous. London: Verso.

Griffin, A., 2015. ‘France could ban public Wi-Fi and Tor anonymous browsing following Paris attacks’ in The Independent, 2015-12-07 http://www.independent.co.uk/news/world/europe/france-could-ban-public-wi-fi-and-tor-anonymous-browsing-after-paris-attacks-a6763001.html

Jisc, 2015. ‘DDoS attack disrupting Janet network’ on Jisc website, 2015-12-08 https://www.jisc.ac.uk/news/ddos-attack-disrupting-janet-network-08-dec-2015

Martin, A. J., 2015. ‘UK research network Janet under ongoing and persistent DDoS attack’ on The Register, 2015-12-07 http://www.theregister.co.uk/2015/12/07/janet_under_persistent_ddos_attack/

Mills, E., 2012. ‘Old-time hacktivists: Anonymous, you’ve crossed the line’ on CNET, 2012-03-30 http://www.cnet.com/news/old-time-hacktivists-anonymous-youve-crossed-the-line/

Monroe, R., 2011. ‘CIA’ on xkcd, 2011-08-01 https://xkcd.com/932/

whitehouse.gov, 2013. ‘Make, distributed denial-of-service (DDoS), a legal form of protesting.’ on petitions.whitehouse.gov, 2013-01-07 https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting

The private sector and the digital divide: an unhelpful invasion of public library spaces?

Image c/o Taichiro Ueki on Flickr used under a CC-BY-NC-ND 2.0 license.

Ever since the emergence of the internet, there have been concerns about those excluded as services increasingly move online. Commonly referred to as the “digital divide”, this exclusion has manifested itself in two distinct ways: lack of access (first level) and that of skills (second level). Progress has been made with the former in recent years as the numbers of those without internet have steadily declined, but the latter has proven far more difficult to address.

Over the course of the past two years, the number of people that have never accessed the internet has fallen by approximately 15% (from just over 7m in the first quarter of 2013 to just under 6m in the equivalent quarter in 2015). However, a lack of internet skills is still stubbornly high. In a BBC online skills survey last year, the corporation found that 20% of UK adults lacked basic online skills. Indeed, the overall lack of skills (particularly across the poorest households) remained unchanged between 2013 and 2014. These findings have been reinforced by a recent report by Go.On UK that found that more than 12m people “do not have the skills to prosper in the digital era”.

Traditionally, public libraries have been a key mechanism to close this so-called divide. Indeed, the People’s Network was born out of this effort to close the gap and help more people get online. Libraries were seen as the ideal place to provide the support required. They offer a neutral space free from corporate influence, and are staffed by individuals trained to seek out and evaluate information. However, recent years have seen widespread library closures and cuts to staffing levels that have seriously impeded the services they provide. As a result, libraries’ crucial role in bridging the digital divide has been severely undermined.

Whilst the role of libraries in tackling the digital divide has diminished, private sector organisations have stepped in to fill the gap. In March 2015, for example, BT and Barclays announced that they were going to work together to connect more people to the internet and to provide support to help people develop the skills they need. In order to provide this access and support, BT and Barclays would be working with local authorities to deliver the initiative in public libraries and community centres in England.

The delivery of this initiative is particularly interesting given the role of public libraries in this area and begs the question why such an initiative needs the direction of either Barclays or BT given the support public libraries have provided. However, on the surface, in terms of closing the digital skills gap, there appears to be some benefit in their involvement. For example, Barclays’ Code Playground initiative is potentially a useful way to teach children how to code – a skill that is increasingly regarded as an important one for children to develop (although there are differing views on the extent to which coding itself should be prioritised). However, this option is only available if they can visit a Barclays branch during a weekday with an adult and can provide a laptop. It is therefore not an option for those without a computer at home or those whose circumstances prevent a visit to the bank on a weekday.

Initiatives such as the Code Playground could, of course, be delivered effectively by public libraries should they have the funding and staffing to make it happen. Indeed, with public libraries being far more accessible to the general public (and a lot more child-friendly) there is a real opportunity here for libraries to develop the digital skills of the next generation and help the UK lead the world in bringing through the next generation of coders. Delivering such an initiative that requires individuals to visit a branch and bring expensive equipment with them is perhaps not the most effective way of addressing the deeply entrenched digital skills divide.

The move to enlist Barclays and BT into the drive to tackle the digital skills gap emerged as an outcome of the Digital Inclusion Charter, where 38 signatories committed in December 2014 to reduce the number of people who are offline by 25% by 2016. The public library scheme will be run by Barclays Digital Eagles and BT’s Digital Friends. BT volunteers will be “working with trained Barclays staff – called Barclays Digital Eagles”, although it is difficult to determine who BT will employ as “Digital Friends” to deliver this initiative.

Furthermore, there is a lack of clarity regarding Barclays’ “Digital Eagles”: are they Barclays staff that have volunteered for these roles and been given extra training? Are these people experts who were recruited specifically to provide this service in libraries? Or are they simply bank staff doing this as an additional duty? It is unclear from the information currently in the public domain how Barclays will deliver this service. What we do know is that of the 377 UK-wide vacancies available at Barclays in August 2015, none have the title “Digital Eagle”.

Problems presented by the BT/Barclays partnership

There are a multitude of problems presented by this tie-up between BT/Barclays and public libraries in England.

  • The encroachment of a commercial enterprise into a neutral public space such as public libraries is fundamentally at odds with the ethos of freely providing access to services for all.
  • The attempt by commercial enterprises to take over the roles of public servants: on what basis are volunteers working on behalf of a commercial body able to better provide the service than trained staff/volunteers working in public libraries?
  • How long is this funding going to last? It’s stated to be a two year project, but what happens when it ends? How will Barclays, BT and the government ensure that the development of digital skills continues after the project comes to a close?
  • Hardware – with Barclays’ Code Playground scheme (designed to help teach children to code), children have to bring their own laptop to the sessions. As this pairing of BT and Barclays seems to cover the internet connection (BT) and skilled support (Barclays), has there been any consideration regarding the provision of hardware? All three are required to effectively tackle a lack of digital skills: how will they ensure all three are available? Or is it only accessible to those who can provide the equipment?
  • Staffing – are commercial enterprise staff going to be allowed to use a public, neutral space? What will be the checks and controls on suitability of Barclays staff to work with often vulnerable users, such as Disclosure verification? Can we be sure that the staff provided by Barclays/BT will adhere to the highest levels of trust and privacy, meeting the standards expected of professional librarians?
  • Will BT or Barclays be allowed to use this neutral public space to promote their own commercial enterprises? Will there be any requirement for them to be entirely neutral when dealing with issues in terms of communications and banking?
  • When will this service be available? Is it only during dedicated sessions, as with those Barclays currently hold in their branches? Or will it be available during library opening hours, whatever they may be? Will BT/Barclays staff be available on evenings and weekends when the library is open?
  • Confusion over availability – digital TV means viewers across the UK will be seeing adverts for this service, which is actually only going to be available in England and Wales. This creates unrealistic expectations in potential service users of the resources available to them in their location, which their local public library staff will have to deal with.

Before the commencement of such an initiative, it would be helpful if these issues were clarified and made clear to the general public.

Comment from CILIP – the professional body for librarians

To date, CILIP have not made any official comment on the implications of this collaboration between BT and Barclays, restricting their references to the announcement to a single tweet linking to a story published on The Bookseller website on 19th March. They also tweeted a link to another Bookseller story about the official launch of the pilot scheme on the 22nd July, but have not voiced any official concerns about this intrusion of commercial enterprises into a public space. Whilst there has been no comment to date, a representative from CILIP has attended all the meetings of the overseeing body, the Leadership for Libraries taskforce, and has therefore been aware of the developments. It’s possible, of course, that all of the concerns raised above have been put forward by CILIP and these have been factored in to the development of the project.

The implementation of the scheme

The launch of the trial scheme took place on 22nd July 2015. As most of the publicity was on Government websites and the sites of the companies involved, the launch seems to have gone somewhat under the radar, aided by the lack of commentary by the professional body.

The press release mentions 100 libraries and community centres being involved in the scheme. The initial reports stated the scheme would cover “57 libraries and 13 community centres across the country. A further 10 sites, including a care home, a charity home and a homeless centre will also be provided with free wi-fi” – a total of 80 sites. Details of the remaining twenty sites are not currently clear, which begs the question: what’s happened to the involvement of the care home, charity home and homeless centre in the scheme? BT state that “more than 100 libraries and community centres” will deliver the project. The first Leadership for Libraries meeting indicates that the funding is for “80 libraries and 20 community centres in areas of social deprivation”, but in a later meeting the scheme is proposed to cover “100 sites including over 50 libraries”. Thirty libraries appear to have been dropped from the scheme, but there is no indication as to why.

Trying to locate specific detail about this scheme appears to be particularly difficult. How many libraries and other locations are actually involved in this scheme? Where can we find out which ones they are, and where they are? Why is there no consistency in the messages being published about this scheme? One of the risks of commercial enterprises being involved in public spaces and services is that the entire culture of a corporate body is focussed on protecting its own sensitive commercial secrets – a culture at odds with that of a public body accountable to the public. The result seems to be what we have here with the BT/Barclays tie-up: a project that is both difficult to verify and one riddled with conflicting information.

Alternative approaches

In contrast to the above approach of inviting commercial enterprises to take possession of elements of a public space and services, an alternative project has also recently been launched in England by Arts Council England (ACE). As part of the drive to increase skills, ACE have announced the availability of £7.1 million in funding for public libraries in England to access, which will run for six months and help enable free wifi access across all public libraries in England. Confusingly though, that initiative is also a “key development” of the Leadership for Libraries Taskforce in parallel to the BT/Barclays project.

Final questions

It would be helpful if BT, Barclays, and the Leadership for Libraries Taskforce addressed the issues raised above, and communicated with greater clarity about the nature of the scheme and how it will be delivered. Answers to the following questions would be particularly beneficial in terms of the roll-out of this scheme:

  1. How many public libraries are involved in this initiative? Which specific ones are they?
  2. What restrictions are there on the employees of commercial enterprises while in a neutral public space? Are they allowed to promote their products, or try and gain a commercial advantage by attempting to gain clients while positioned within public libraries?
  3. Was any analysis done on the viability of asking commercial enterprises to donate funds to public libraries to allow public library staff to provide the services which those commercial enterprises now wish to provide in libraries, prior to BT and Barclays being given permission to place their own staff within those spaces?
  4. What protections are in place for the vulnerable users of public libraries who make use of the resources provided by the BT/Barclays partnership? Both in terms of the checking of the commercial participants in this scheme, and ensuring that no inappropriate promotion of products is being undertaken.
  5. Who is responsible for the security of the machines which participants will use for the initiative, e.g. ensuring that no malware is installed on the machines involved?
  6. What is the long-term plan for supporting this approach to developing digital skills in the general public, once this project is completed?

Will TalkTalk be held to account for cyber-attack?

It’s good to Talk, but it would be even better if you could do so and know your personal data is secure. (Image c/o on Flickr.)

The following article was contributed by Tim Turner, trainer & consultant on Data Protection, FOI, PECR and information rights.

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s comment on the fact that sometimes we don’t know what we don’t know is notorious for its lack of clarity, but it is a very helpful summary of most massive data protection or security incidents. Take the recent TalkTalk debacle, in which the telco’s website was hacked, and a quantity of personal data was accessed and presumably stolen. We don’t actually know much more than that: we don’t know how the hack happened, we don’t know for certain who committed the act, we don’t know how much data has been stolen and most importantly, we definitely don’t know whether any laws have been breached.

There is a lot to keep an eye on. TalkTalk’s hastily assembled FAQs were emphatic that the Data Protection Act has not been breached by this incident, and the company has generally been at pains to hashtag every tweet with #cyberattack, painting itself as the victim. Meanwhile the company’s Chief Executive Dido Harding’s headlong rush into every available TV studio has impressed some with her frank admission that TalkTalk could have done more to protect customer data, but thrown the ‘no breach’ claim into doubt.

Data Protection law is built on eight principles, and the seventh principle requires that organisations put in place “appropriate” levels of technical and organisational security. The fact that whoever hacked the TalkTalk website has committed a crime in doing so does not absolve TalkTalk of responsibility. The 7th principle explicitly requires measures to prevent unauthorised and unlawful processing of personal data, so anyone whose website might be the gateway to personal data has to have proactive protections to repel a hacker. Several companies have already fallen foul of the 7th principle and received substantial monetary penalties after falling victim to hackers, including Sony Playstation Online, the British Pregnancy Advisory Service and the travel company Think W3. In each case, a criminally-motivated hacker was assisted by inadequate security and lack of testing.

All sorts of considerations can increase the burden of security. If an organisation is large and more high-profile, if they hold a large amount of personal data, or if a hack might expose sensitive data that might lead to harm, the measures must be progressively more robust. All three of these factors apply to TalkTalk. Harding has claimed that TalkTalk’s security was “head and shoulders” above that of its competitors, and if that can be proved, TalkTalk are off the hook. But with a Chief Executive who has already admitted that their security might have been found wanting, and the arrest of a 15-year-old boy in connection with the hack (putting paid to some of the more lurid theories about some kind of Russian / ISIS / Cyber-Jihadi / SPECTRE agent being the perpetrator), presumably we know for certain that the Information Commissioner will act swiftly and decisively to enforce the law?

Well, not quite. Data Protection does not allow for summary justice. The Information Commissioner needs to prove at least on the balance of probabilities that there were appropriate measures to prevent hacking that TalkTalk should have had in place but didn’t. TalkTalk will have to be able to make their case, and the ICO will have to listen. The DP framework allows for the possibility that TalkTalk can be hacked and yet no breach has occurred – the breach is not the incident, but the absence of measures to prevent it.

The omens are nevertheless not auspicious. As well as Harding’s unwise comments, TalkTalk’s track record is troubling. In 2008, the company received an enforcement notice from the ICO, requiring them to stop such basic errors as customers being able to see each other’s records online. Much more recently, TalkTalk’s security was audited by the ICO, and in a break with the normal practice, TalkTalk refused consent for the executive summary to be published (despite other organisations allowing quite negative summaries to go online).

The most important thing that we do know is that the TalkTalk hack does not just put the company in the frame. The Information Commissioner is better at enforcing on security matters than nearly any other aspect of Data Protection but their appetite for taking on large organisations is inconsistent: there may be £250,000 penalties for Sony, but until recently, only unenforceable undertakings on a largely unrepentant Google. Many activists can recall big Data Protection scandals like press misuse of private data (which the ICO discovered but did not tackle) or secret trials of the Phorm internet tracking software (which some suspect went unpunished because the trials were carried out by BT). If the ICO fails to act, it will need an extremely persuasive justification to calm the outrage that will likely follow, and we simply don’t know if such an explanation exists, whatever the law says.

Toddling into the future

Well, another year has flown by, which means that Informed has just turned 2! In terms of what we’re meant to be doing now, does that put us into the Terrible Two stage, when we should start having temper tantrums? Perhaps though we’ll just skip the misbehaving bit, and get on with the informing plan!

The team took a little bit of a late summer/autumn break, and we’ve had some rearrangements of the responsibilities and makeup of the team, which we will announce soon. We’ve also been making some plans behind the scenes to try out a new venture, which we will also be launching in the near future. It will be something we’ll be looking for volunteers to help with, so if you’re interested in becoming more involved with Informed, keep an eye out for an upcoming announcement.

As always when we look back at our activities over the last year, we’d like to take this opportunity to thank everyone who’s been involved with the Informed project, both as the contributors of excellent articles published on the site, and as the volunteer staff working to solicit and moderate the content. As we are composed of a small team of volunteers, everyone’s contribution to the Informed project is hugely valued, and we thank everyone who’s been involved. But we’re not a static project, so if you feel like you’d like to get involved, or you feel you have an idea for a topic that you’d like to write about, please get in touch with the team via our contact form.

The problem with LIS education

Library and Information Studies (LIS) is a paradox: a vocational academic subject. People who study it plan to work as practitioners, but those who teach it need to be academics.

Studying librarianship as an academic discipline provides aspirant professionals with a reflective overview of the topic and a good understanding of principles that can be applied across varied situations. It should give graduates the ability to apply critical and analytical thinking to their daily work and make considered decisions as they increasingly take on responsibility. Highly practical skills tend to date quickly and are far better taught on the job than in an academic environment, so it is important that LIS courses provide a reflective and intellectual overview of issues in the profession. Moreover, academic research is a vital contributor to the health of the profession, telling us what is not immediately apparent about our information sources, workplaces and users and what we might expect from them in the future.

And yet it is also immensely important that LIS academics have a sound, practical understanding of the information workplace. How can someone teach the next generation of practitioners, when they have not themselves worked in a practitioner role for five years or more? How can they provide students with the preparation they need for their careers if it is not a career they themselves have undertaken?

This post is not intended to criticise LIS academics. I am a practitioner who worked for her PhD part-time while working full-time and who also teaches as a sessional lecturer on an accredited LIS course. I have nothing but respect for those many full-time academics that combine academic teaching and research with deep involvement in the working community, who find the time to speak at conferences and write articles and books which will have little or no impact on their record as an academic. My criticism is for a system which does not support the development in both directions.

I recently made an unsuccessful application for a full-time lecturer position. I met all the essential criteria, but not all that were desirable. Of course there might be many reasons for my not being shortlisted, not least the impressive pool of early career LIS academics whom I have met in my travels. The criteria I did not meet were around things like applying for grant funding and involvement with wider faculty activities, which is very difficult experience to acquire as a full-time practitioner. I can attest that academic achievement while working full time is extremely difficult. While I have been prepared to put time into writing and submitting articles for peer-review, I have not – as a full-time researcher might have – co-written articles with senior academics for high-impact journals. This is not to suggest that, as an academic, carrying out difficult research whilst in the middle of one’s PhD in order to be third-listed in the article credits is an easy option. But it is an almost essential step to academic achievement for an early career researcher.

I do not blame selection committees for the decisions they make. LIS Department Heads rightly want to be recognised for their academic prestige in the Faculties of Arts, Social Sciences, Technology or Management in which they reside. The Deans of these Faculties need to demonstrate a high level of achievement at the Research Excellence Framework (REF) in research outputs and impacts. Of course they will assess candidates who demonstrate best how they will meet the not inconsiderable challenges facing UK Universities. And practitioner experience does not do this. Anecdotally, I have heard of department heads who have argued for the selection of practitioners with excellent professional records, and who had published in the information trade press, but have been unsuccessful because the candidates had not published sufficiently in high-impact academic journals.

Increasingly stringent demands are made on academics, not just to teach well and carry out research, but to raise funds, recruit students and undertake administrative work. Some have spoken out against what they see as a change in culture and, in particular, an attack on the humanities and social sciences (for example, Marina Warner in the LRB). This affects Library and Information Studies departments and there is evidence that information schools and courses are suffering under these changes. But I think they face further problems. There is no part of the measurement and reward system that compensates harried LIS academics for time and effort spent engaging with the profession. Combining an academic and a practitioner career is not just difficult, but is often perceived negatively by both employers and universities. And making the kind of mid-career move from practice to academia which characterised many of the great Information Studies teachers and researchers of the last fifty years is far, far harder than it once was.

The people who lose out in this situation are, I believe, the students. LIS students are unusual in that their career choice almost guarantees that they will never be high earners and yet they must get into considerable debt in order to acquire their qualification. It is a tribute to their commitment that so many of them are still prepared to undertake post-graduate study under the circumstances. Understandably, many complain about the quality of teaching and support and LIS academics themselves have demonstrated their concern that students are properly equipped for the workplace. My feeling is that if we ask students to acquire £9000 of debt to obtain a LIS MA or MSc, we should guarantee that they will be taught by those with a good understanding of the contemporary workplace. Although academics need to have excellent academic brains and to continue the valuable research the profession needs, a vocational degree requires up-to-date knowledge of the workplace. At present, students only receive this because of the unstinting commitment of certain academics to straddle the worlds of the academic and the practitioner. I don’t know how sustainable this is in the changing world of UK Universities. And that can only be bad for the standards of LIS courses and the students who take them.

Katharine Schopflin

How should we tackle “extreme” comments posted online?

The European Court of Human Rights, Strasbourg (image c/o James Russell on Flickr).

A recent ruling by the European Court of Human Rights (ECHR) could have ramifications for all of those with websites enabling comments to be posted by readers. The Court ruled that an Estonian news site (Delfi) may be held responsible for anonymous comments that are allegedly defamatory. A representative of digital rights organisation Access argued that the judgement has:

“…dramatically shifted the internet away from the free expression and privacy protections that created the internet as we know it.”

A post by the Media Legal Defence Initiative listed the main reasons why the court came to this decision, which included:

  1. the “extreme” nature of the comments which the court considered to amount to hate speech
  2. the fact that they were published on a professionally-run and commercial news website
  3. the insufficient measures taken by Delfi to weed out the comments in question and the low likelihood of a prosecution of the users who posted the comments.

The full judgement can be read here.

Who is responsible for comments posted online?

The timing of this is particularly relevant for me following the coverage of a tragic local incident. Following an attempted suicide by a local woman that led to the death of a man attempting to rescue her, a local news website reported the incident in relative detail, including statements from witnesses (although withholding, at the time, the names of the individuals involved). Sadly this led to a number of insensitive and inappropriate comments being posted about the woman who tried to take her own life. Upon approaching the publishers to request the closing of comments for such a story, I was told that I should report individual inappropriate comments rather than expect them to remove the comments thread altogether.

These two stories raise a number of interesting issues. Who is ultimately liable for content that is published online? Is it the responsibility of the host website to deal with “extreme comments”? Is it the responsibility of the individual who posts the comments? Should there even be any restrictions on what people post online? Should we just accept that everyone has a right to free expression online and that hurtful comments are just manifestations of free expression?

What is your view?

If you’ve got a perspective on the judgement by the ECHR, who should ultimately be responsible for comments posted online or whether any limits in this area are an unreasonable limitation of free expression and would like to write about the issues for Informed, we’d like to hear from you. Articles should be 800-1000 words (although this is flexible) and our normal moderation process applies. If you are interested in writing for Informed, please contact us via submissions[at]theinformed.org.uk.

If you require any support, The Samaritans are available 24 hours a day, 365 days a year to provide support.

Ian Clark
The Informed Team

Shelving the Qu’ran

Shelving the Qu’ran. Copyright: Laura Ennis

It caught my eye one afternoon. Sitting atop the cabinet that houses our staff pigeon-holes. I reached up to grab a hold of the green leather-bound book, at the same time asking my colleagues, “What’s this doing here?” Turns out, it was our only copy of the Qur’an in its native language. To begin with, it had lived in the stacks, much like any other Library book. Then someone had complained.

Muslims have varying notions as to the status of the Qur’an, both as a sacred text, and as a sacred object. But consensus agrees in the case of Arabic editions – where the text is literally the word of god. The Qur’an was published with its own instruction manual as it were, and imparts some direction as to how it should be handled, for example;

None shall touch but those who are clean. (56:77-79)

The above passage is widely interpreted as meaning that those handling the Qur’an should be physically and spiritually clean. In Islam, this state is known as wudu. The Qur’an itself does not list any special considerations for its storage, but medieval scholars have stipulated numerous special conditions for the use and storage of the Qur’an. For example, the famous Imam and scholar Abu ‘Abdullah Al-Qurtubi wrote in the Tafsir al-Qurtubi;

[do not] place other books upon the Qur’an, which should always be higher than all other books, whether they are books of Sacred Knowledge or something else,

It is for this reason that many Muslims find the shelving of the Qur’an with other books to be offensive and disrespectful. Especially when, as in our case, the shelf they are on is particularly low to the floor. So our copy was moved to the back room where no one could touch it, and placed above eye level where it languished and attracted dust. While this solved the problem, to me it seemed a poor compromise. I’m neither an expert in Library policy, nor religious issues by any means. But I have been working in Libraries for several years now, and by a strange quirk of fate my undergraduate specialisation was in Religious Studies, so it’s safe to say I know enough to speculate on the issue. Moving the book to a place where it wouldn’t be seen or used didn’t seem to be aligned with our mission as a Library, nor particularly respectful to the item in question.

The idea that the words of god, or even the name of god, become sacred when inscribed is not new, or limited to Islam. In Judaism for example, there are a multitude of names and epithets for god, but any document containing one of the ‘seven names of god’ becomes a holy object. The Megillah details the many prohibitions when handling, or being in the presence of, the Torah and the seven holy names of god. Specifically, the Torah is to be placed above other books (Megillah 27a). As in Islam, Jewish instructions for handling sacred texts go one step further – old and damaged items are to be disposed of with as much reverence as possible. For example, in the United Kingdom there is a growing need for the respectful disposal of Jewish texts, many of which are buried en masse in an approved landfill near Stansted. Sikh copies of the Guru Granth Sahib are also treated with special care. It is stored or presented on a throne (takht) and treated like royalty. When they become old or damaged they are given a funeral. There are also strict instructions for carrying and handling of the text; the person carrying the Guru Granth Sahib should be clean, and it is elevated above the head whilst being carried.

Given that Libraries are certainly subject to holding copies of sacred texts I thought it would be relatively easy to locate policies in place at other institutions. While I invested quite a bit of time attempting to locate professional guidance on this issue, after a protracted search I could find very little that would help. And after reading through what I did find, I was more confused than ever. The guidance from the Museum Libraries and Archives Council for the management of controversial material makes a brief and vague mention of the issue on the very last page of the report;

5. Stocking of religious texts

5.1 Leicester City policy on the shelving of the Koran and other religious texts

Some libraries in Leicester have received complaints about the Koran not being placed on the top shelves in libraries. Some customers go along the shelves and place the Koran so it is shelved higher than other books. This action arises from the practice in many Muslim homes of the Koran being placed on a high shelf above commonplace things, as it is the word of God.

The authority consulted the Federation of Muslim Organisations in Leicester about this matter, and they advised that all religious texts should be kept on a top shelf together. This meant that no offence is caused, as the scriptures of all the major faiths are given respect in this way, but none is higher than any other.

Unlike the strong language in support of intellectual freedom elsewhere in the document, this section is purposefully vague. It’s not even guidance, simply a retelling of something that another organisation has recommended. I also have to wonder at the placement of this piece of text within the guidance notes. It’s literally on the last page, as if the insertion is piecemeal, or a token measure of inclusion. Further digging uncovered a list of responses to an enquiry about libraries’ practice in shelving the Qur’an and other religious books collated by The Network. Of the respondents, five had made special arrangements for the shelving of the Qur’an, and three had not.

Dissatisfied with the information and guidance I had uncovered, I wrote to the British Library and asked them what their policy on the storage of sacred texts was, and whether they had any special precautions or measures when shelving or handling them. The British Library holds an impressive collection of religious materials, including spectacular examples of handwritten and illuminated manuscripts from faiths across the world. The response I received, while not especially helpful, was certainly interesting reading. The British Library does have special provisions for the storage of Sikh sacred texts;

“They are shelved in such a way as to avoid other works touching them or being over them, and are retrieved, installed and returned only by the curator.”

Additionally, anyone wanting to view the items in person, must first make an advance appointment with the Curator of North Indian Languages. This is probably a practical matter as much as anything else, because the Library currently holds the oldest known copy of the Guru Granth Sahib outside of India and it is both culturally significant and fragile – not to mention that digitised copies of these works are now available online. Other special provisions for sacred texts include categorically avoiding the use of pigskin to bind copies of the Torah or Qur’an “to avoid offending the religious sensibilities of those readers most likely to visit the Library to consult such works.”

While I can admire the practicality and in some ways the political correctness of such measures, I can’t say the same for the British Library’s reason for doing so – to avoid giving offence. People have the inalienable right to be offended, but being offended doesn’t make them right. Works of art and items of cultural importance deserve respect for their own sake, not for the fragile sensibilities of those who might one day be offended. Though on this point, I know that not everyone will agree with me – especially within the context of religious material.

However I would ask, what does it say about us as a profession that we’re unwilling to officially discuss this issue? I discovered very little in the way of guidance, discussion or debate on this particular topic. Meanwhile, we devote a whole week to celebrating banned books, and are willing to publicly criticise government web filters. When did information professionals become so timid? Is it acceptable for us as professionals to single out items for special treatment for no other reason than ‘someone might get offended’? Would you be comfortable applying this policy to other works in your collections?

In my own Library our copy of the Qur’an was eventually moved. It now sits on the top tier of the reference shelf behind our circulation desk where it can be seen by patrons and is joined by works from other faiths, known as the ′Ahl al-Kitāb, or People of the Book.

By Laura Ennis

Net neutrality – what is it and why should we be concerned about it?

(Image c/o Maik on Flickr.)

What is net neutrality?

Net neutrality is the principle that all packets of data over the internet should be transmitted equally, without discrimination. So, for example, net neutrality ensures that your blog can be accessed just as quickly as, say the BBC website. Essentially, it prevents ISPs from discriminating between sites, organisations etc whereby those with the deepest pockets can pay to get in the fast lane, whilst the rest have to contend with the slow lane. Instead, every website is treated equally, preventing the big names from delivering their data faster than a small independent online service. This ensures that no one organisation can deliver their data any quicker than anyone else, enabling a fair and open playing field that encourages innovation and diversity in the range of information material online. The principles of net neutrality are effectively the reason why we have a (reasonably) diverse online space that enables anyone to create a website and reach a large volume of people.

Isn’t this mainly a US issue?

The issue has been a major topic for debate in the United States for some time now. In theory, this was resolved when the Federal Communications Commission (FCC) recently voted to protect the principle of net neutrality. However, this has not closed the debate as some US broadband providers have launched a legal challenge against this ruling and Republicans in Congress have launched an attempt to fast-track a repeal of the FCC’s new rules.

Why should we in Europe be concerned if this is a US issue?

Whilst there has been little public debate in the UK or Europe around the issue of net neutrality, it is becoming an increasingly important issue. Earlier this year, the Latvian government (currently holding the European presidency) proposed that there should be exceptions to net neutrality rules, particularly when their networks face “exceptional…congestion”.

In March, a majority of EU Member States voted in favour of changing the rules to bar discrimination in internet access but, crucially, the rule changes would allow the prioritisation of some “specialised” services that required high quality internet access to function. This was reinforced by the Chief Executive of Nokia who argued that some technologies (such as self-driving cars) will be hindered so long as providers have to abide by net neutrality principles.

The current situation in the EU makes an interesting comparison to the FCC ruling, as it has been argued that the EU is heading in exactly the opposite direction to the FCC’s strong position on net neutrality. It’s unclear at this stage what impact the FCC ruling will have on the EU’s position. The difficulty in the EU is that the legislative process is more complex than in the US, due partly to the number of countries and bodies involved. Furthermore, because there are many countries and many telecoms CEOs, there is much stronger lobbying against the legislation.

A recent report by Web Index found a mixed bag when it comes to net neutrality regulations across the EU. The report noted that whilst the Netherlands scored eight out of a possible ten for net neutrality, countries such as Italy and Poland scored only 2. In a blog post for the European Commission, Tim Berners-Lee argued that binding net neutrality rules would “raise the bar for the performance of lower ranking countries, ultimately enabling Europe to harvest the full potential of the open Internet as a driver for economic growth and social progress”.

Will regulation solve the problem?

Whilst tighter regulation can help to oblige telecoms companies to adhere to the principles of net neutrality, it doesn’t mean to say that the problem will be eliminated. As with all laws, their existence does not eradicate an issue, it merely minimises it. For example, the Authority for Consumers and Markets in the Netherlands recently fined the country’s two largest operators, KPN and Vodafone, for blocking services and zero-rating data for subscribers to HBO. It’s clear that violations will continue to occur, but arguably there will be fewer once regulation is in place.

Who opposes net neutrality?

A range of large companies oppose net neutrality, including: Nokia (see above), Panasonic, Ericsson, IBM and CISCO amongst others.

Who supports net neutrality?

Article 19, Greenpeace, Twitter, Microsoft (although Microsoft argue that “traffic should not be subject to unreasonable discrimination by their broadband provider” – it’s unclear what they mean by “unreasonable”), Etsy, Amazon, Facebook and, of course, the founder of the World Wide Web, Tim Berners-Lee.

What about Google?

Google have been largely quiet publicly when it comes to the net neutrality debate in recent years, although they had previously been very vocal on the issue and have lobbied the FCC in the past.

Why should I care about net neutrality?

Net neutrality ensures that we have an internet that enables the broadest possible range of views. By ensuring a level playing field, it ensures that no one perspective dominates the internet. If companies are able to ensure their data travels on the fast lane, then we can be sure that those companies will dominate the landscape because their sites transfer data quickly and efficiently. This will ultimately lead to a narrowing down of sites as people avoid using services where data travels in the slow lane, in favour of those that travel in the fast lane. Big companies will get bigger, small companies will disappear and new companies will not get off the ground without significant sums of money to enable them to compete. The internet thrives on innovation and an abandonment of these principles would seriously impede innovation.

We have also seen in other forms of media what occurs when regulation is too lax. We see in print and broadcast media a decline in media plurality. Certain media outlets have come to dominate the landscape with ownership of popular print and broadcast media. An abandonment of net neutrality rules could lead to the very same decline online. The internet will be dominated by a very few large corporations who provide the vast majority of the content. This is, of course, bad news for those that use the internet and bad news for democracy as a vibrant democracy relies on media plurality to ensure a well-informed electorate.

Where can I find out more about net neutrality?

The digital rights campaigning organisation Open Rights Group keeps a close eye on developments and often posts updates regarding developments on net neutrality in the UK. Article 19 is also a good source of information regarding the issue, as is Index on Censorship. A number of organisations (including Article 19 and Index on Censorship) are also members of the Global Net Neutrality Coalition – you can find details of all involved on their website. Web Index, produced by the World Wide Web Foundation, measures the World Wide Web’s “contribution to social, economic and political progress in countries across the world” and produces an annual report that has recently added net neutrality to the list of measures it assesses. American readers can also defend the principles of net neutrality through the Battle for the Net campaign.

If you would like to write for Informed, about net neutrality, the internet or any issue related to the information sector, please get in touch with your ideas via our contact page here.