The Investigatory Powers Bill: An Uncertain Future

What can we do to tackle the consequences of the Investigatory Powers Bill passing into law? (Image c/o Maurice on Flickr.)

Many thanks to Nik Williams of Scottish PEN for the following article on the Investigatory Powers Bill.

So there we have it. After a year of discussion and debate, the 1000+ pages of documents outlining the role of surveillance in a modern democracy have passed through both Houses of Parliament. After a bloated few weeks, with discussion monopolised by an ill-placed amendment on press regulation, the Investigatory Powers Bill will soon be an act of parliament. Here at Scottish PEN this occasion can only be met with resignation and deeply held reservations.

The nature of the closing weeks’ discussion in both houses should depress even the chambers’ most ardent supporters. With Baroness Hollins’ proposed amendment to extend exemplary damages to victims of phone hacking from newspapers not signed up to an approved regulator, the debate drifted away from the surveillance powers in the bill that will distinguish the UK from every established democracy in the world, towards a rehash of a discussion that has been left unfinished following the Leveson Inquiry in 2011/12.

This did the bill and our civil liberties a disservice. When was the last time we heard the MPs and Peers use the words ‘bulk’, ‘communications data’, ‘request filter’, ‘interception’ or ‘civil liberties’? While phone hacking and press regulation commandeered space reserved for surveillance powers, these issues were ignored, scrutiny was frozen and forsaken and consensus across the house was assumed.

So now we are left with powers that enable our web records to be stored by public bodies on every British citizen for 12 months; the capacity of intelligence agencies to hack and potentially destroy devices, systems or networks; powers that collect data on the many to find the few and obligations that can be foisted on technology companies to undermine encryption. This is a crude summary of the powers – the sheer scale and the impact of the bill will only be fully realised when the bill is enacted.

So what do we do now? We mobilise, we secure, we seek to frustrate those who watch over us, we get smart. Interrogating what platforms we use and their privacy agreements are not luxuries afforded to the serial paranoiacs or techies alone, they are the actions we all need to take – they represent the markers on a roadmap we must all use to navigate our way through a narrowing and treacherous landscape.

These are obligations that fall to all of us; whether we write, research, communicate or shop online, whether we offer digital services to others, we all need to position privacy at the heart of our thinking, not as a peripheral second-thought. This is never truer than the situation public, academic and specialist libraries now find themselves in. Crudely defined as a telecommunication provider, as the IP Bill lacks any lower threshold to who can be obliged to store data and other requests from the state, the already precarious existence of libraries in the UK is further placed in jeopardy. But can libraries, seen by many as a refuge or sanctuary, be places that invite surveillance and consolidate our private information?

Following a pilot workshop at Glasgow Women’s Library in July, Scottish PEN is rolling out a series of workshops in Edinburgh, Orkney and Perth to build the capacity of libraries across these regions to protect the digital security and privacy of both their institutions and patrons. With libraries operating for many as the portal to the online world to facilitate communication, research, shopping and applying for jobs or benefits, how libraries can continue to offer these services in good faith in light of these new obligations is something we need to address now.

We do not believe in the principle that the collection of private data of innocent citizens will guarantee our safety or security (a belief mirrored by the intelligence agencies who fear, according to a confidential MI5 report, that collecting too much data “creates a real risk of ‘intelligence failure’ i.e. from the Service being unable to access potentially life-saving intelligence from data that it has already collected”). But it appears that we all, including the intelligence agencies, need to strap in and assume nothing is sacred, nothing is beyond the reach of the voraciously hungry state.

But we need not be resigned to this fate. We need to know these powers inside and out, what they cover, what they don’t, and what they may enable through vague wording and overly broad interpretations. We need to listen to those who have things to say about encryption, threat modelling and zero-knowledge systems, and perhaps most importantly, we need to feel confident to reach out to others to ask questions and share knowledge, and this is where libraries can truly shine. The idea of a library being a repository of collective knowledge and endeavour is not new, but why can’t this approach be used to see libraries as spaces within which we can explore privacy enabling technologies, discuss the role of surveillance in our modern and digital democracy and learn more?

Perhaps then we can renew privacy’s position as a fundamental right, perhaps then we can reclaim the Internet as a space for exploration as opposed to a space of observation, perhaps then we will know how much of us is up for grabs.

These are a great deal of perhaps, but it gives us a place to start and that is better than nothing.

Meet the judges!


Meet our brilliant volunteer judges for the Informed Peer Recognition Award, who’ve described themselves below. They’re kindly contributing their excellent skills and experience, gained in a wide variety of sectors.

 

  • Steve Yorkstone


I work as part of the joined Library and Information Services in Edinburgh Napier University.

In my day job I enable continuous improvement in my home university. In practice this means you’ll find me leading workshops; facilitating discussions; organising and delivering training; acting as a formal (and not so formal) coach; and getting involved in the constant daily business of solving problems and making stuff better.

Alongside the day job I chair Lean HE, the international peer organisation for continuous improvement in universities. I am on the editorial board of the operational excellence magazine, The LMJ. And for the past two years I was on the judging panel for, and awarded, the LMJ Top 25 Awards for Operational Excellence.

I co-designed the acclaimed Lean “St Andrews Model”, and I’ve authored “Lean Universities” in Routledge’s Companion to Lean Management, due for publication before the end of 2016.

My first job was work experience as a gangling teenager in Garstang County Public Library. My experiences back then with a substantial collection of large print bodice ripping novels stay with me to this day!

I’m really excited about the Informed Peer Recognition Awards. For me the work that library and information professionals do has never been more important than it is today, for reasons both large and small.

So, let’s celebrate the real difference colleagues who go above and beyond are making; to the profession itself, for individuals, and for the public at large.

 

  • Daniel Gooding

 

Daniel Gooding is Library Assistant at the Wills Memorial Library, University of Bristol. In June he won the Aspire Award to attend CILIP Conference 2016 in Brighton, and is hoping to pass on this good fortune to others in the profession through the Informed Peer Recognition Awards. He is Publicity Officer for CILIP Library & Information History Group (Twitter handle @CILIP_LIHG) and is currently studying for the MSc Information & Library Studies at Aberystwyth University, where his dissertation will be on the subject of historical fiction classification.

 

  • Katrina Clifford

 

Hi everyone, I’m Katrina and I’ve worked at Kingston University for 9 years, previously working at University of Warwick for 3 years. My day-to-day job is as a cataloguer and also as part of the Research Repository team. I was on the CILIP CIG (Cataloguing and Indexing Group) committee for about 5 years and the West Midlands branch of the Career Development Group before that. I’m on twitter at @kmlclifford (though I don’t tweet as much professional stuff as I had intended when I started!)

I decided to volunteer as I wanted to do something a bit new and different and it sounds a really great initiative. Whilst there are so many of us working hard at what we do, there are those who are going beyond what they need to do to support others in the profession or improve services for their users. Being able to recognise that will not only be wonderful for those involved, but will also help us showcase what we can do! I’m looking forward to working with the other judges and to read all the nominations.

 

  • Faye Cooke

 

As a happy recipient of the goodwill and support of other professionals, I am keen to take part in this opportunity to recognise individuals who consistently go the extra mile. I am a Chartered librarian specialising in legal information. After obtaining a postgraduate diploma from the University of Strathclyde in 2011, I worked for a university careers service as information officer before moving into the world of law libraries. Following a year with the Scottish Government Legal Directorate, I joined private client law firm Turcan Connell in August 2016.

As well as training to become a Citizens Advice volunteer adviser, I am a committee member of the Scottish Law Librarians Group. In my spare time, I can be found watching horror films, marvelling at Edinburgh and making up recipes.

@borrowedbread

 

  • Roddy Waldhelm

 

Roddy Waldhelm is Head of the Solicitor’s Legal Information Centre in the Scottish Government Legal Directorate. He joined the Scottish Executive in February 2001 from the Defence Evaluation Research Agency in Rosyth where he was Information Manager. He is currently Head of Profession for Librarians and Information Managers in the Scottish Government and its Agencies.

From 1990 to 1998 he ran the library and information services of Osborne Clarke in Bristol. Prior to that he was Deputy Head of Library Services at British Aerospace Dynamics Division, Filton.

In his spare time he is an avid collector of books (hard copy of course) and vinyl.  Quite old school really or perhaps ahead of the curve!

I was pleased to support the award as a judge as it is refreshing to be involved in something that recognises excellence wherever it occurs in any sector of the profession.

 

  • Rachel Warkcup

 

Rachel Warkcup has worked in public libraries for over 10 years in a variety of roles, including driving a jungle themed mobile library around schools in North Tyneside! Rachel now manages the North Tyneside School’s Library Service and library services for children and young people, and co-ordinates the libraries’ events and outreach programme. She is a member of the Association of Senior Children’s and Education Librarians (ASCEL) and Youth Libraries Group. She is also a trustee of Northern Children’s Book Festival, arguably the longest running cultural festival in the North East, the only dedicated children’s literature festival in the region, and the only one in the UK which covers an entire region.

 

  • Barbara Band

 

After working for over twenty five years as a Chartered librarian in school libraries, Barbara Band is now a School Library, Reading and Literacy consultant offering support and advice to a range of schools, and delivering training to librarians and teachers. She works with several literacy organisations to promote the value and benefits of school libraries and reading, has been on numerous judging and book selection panels, and is the founder of the Pupil Librarian of the Year Award. Barbara publishes regularly on a range of reading, library and literacy related topics as well as writing her own blog, and has won many awards in recognition of her work in and contribution to school libraries including: the inaugural SLA Founder’s Award; School Librarian of the Year Honour List; and CILIP Youth Libraries Group Honorary Membership. She was also recently awarded an Honorary Masters degree by the Open University for her contribution to “raising literacy levels and removing barriers to education”.

 

  • Alison Brumwell

I have 18 years’ experience as a librarian and have been a children’s specialist for the past ten years. I’m Leeds-based and have worked in public libraries, as a secondary school librarian and, most recently, as a schools library service librarian. I am active within the profession as a regional member of both ASCEL and YLG and also sit as representative for Yorkshire and the Humber on national YLG. I am keen to be involved in the IPRA judging process as part of my ongoing professional development and to help raise the profile of librarianship.

 

  • Natasha Chowdory

 

  • Bethan Ruddock

I work in Digital Resources for Jisc, where I help to design, deliver, and maintain services for libraries and archives. This involves lots of lovely hands-on work with bibliographic data, as well as outreach and training.

Outside work, I’m a Chartered member of CILIP, a Chartership mentor, and have just spent a couple of years on the Board of the Special Libraries Association.

I’m really pleased to be involved in judging the IPRA. It’s a great chance to get to know more about the work of some fabulous professionals, and to help them be recognised for their achievements. The Informed team have done a really good job developing the award, and I’m looking forward to finding out more about lots of talented nominees!

 

Invite for nominations for Informed Peer Recognition Award


We’re excited to announce that the Informed Peer Recognition Award is now open for nominations! The form is available HERE.

The aim of the award is to recognise the work of those in the information profession who might otherwise go unnoticed, those people who may not be singlehandedly changing the world, but who really go above and beyond to make a positive difference to their services, users, and society. Although there will be one final award winner, we want the process of nominating someone to be a positive one regardless of the outcome of the nomination.

Often when people are nominated for an award, if they don’t win, they will never even know they were being considered for it, and they won’t see the thoughtful text of their nomination which explains exactly why others regard them as being exceptional. The text of the nomination for an award itself is important: it’s something that allows others to highlight how special an individual is, and explain clearly why this is so. Being able to see why others feel an individual is deserving of recognition from the text of a nomination can be as satisfying as winning the award, which is why it’s a core point of this award that all nomination texts will be made public. In this way, both the nominee and the wider profession can see how their work is valued and appreciated.

Additionally, many people who work outside the public sector can feel that they will never qualify for any sort of award, as their work is less visible. This award is an opportunity to allow recognition of those individuals who are quietly working to improve their service in a sustainable way, or developing resources that have a big impact on their own specific user group.

So, if you work with, or know of someone who you regard as being an exceptional information professional in any role or sector, please nominate them for the Informed Peer Recognition Award. #InformedPRA

Nominations can fall under one of the following three categories:

  • For those who have demonstrated a commitment to, or substantial involvement in activities which will contribute to the development of services and/or resources that will provide a benefit to the public.
  • For those who have worked to deliver improvements to a service (be it private, public, or voluntary) for the benefit of users and provide them with a better experience when interacting with the service.
  • For those who have worked across the profession to improve an aspect of it for the benefit of others.

Nominations should consist of a 500 word summary outlining why the nominator feels that the nominee would be a worthy recipient of the award, and be supported by a second nominator.

Please provide as much detail/evidence as possible within your nomination – the judges can only make decisions on the merits of each nominee based on the information the nominators present to them.

The nomination form is available HERE.

IPRA judges and nominations


We’re delighted to announce that our call for judges to assist with the Informed Peer Recognition Award (IPRA) was very successful, and we’ve now got a full complement of excellent people involved. A post introducing the judges will be appearing soon, but while the judges are getting to know each other and the judging process, we’d like you to start to consider who you would like to nominate for the IPRA. Nominations can be submitted between the 17th of October and the 25th of November.

The Informed Peer Recognition Award is intended to recognise the contributions of a library and information professional working in the UK who has gone beyond the requirements of their job to make a positive difference. Nominations can fall under one of the following three categories:

  • For those who have demonstrated a commitment to, or substantial involvement in activities which will contribute to the development of services and/or resources that will provide a benefit to the public.
  • For those who have worked to deliver improvements to a service (be it private, public, or voluntary) for the benefit of users and provide them with a better experience when interacting with the service.
  • For those who have worked across the profession to improve an aspect of it for the benefit of others.

Nominations should consist of a 500 word summary, and be supported by two nominators. The more information that you can give the judges that helps to show how your nominee has made a contribution in one of the above categories, the better they’ll be able to judge the nominations submitted.

You will need to provide the email address and if possible, the phone number of your nominee. This will enable us to inform them of their nomination, and if needed, contact them for clarification on any points raised in the nomination.

Completed nominations can be submitted via the online form which will be available on the Informed website from the 17th of October, 2016.

The text of all nominations will be published on the Informed website, to allow nominees to see why their peers believed that their activities deserved recognition. Therefore, please bear in mind that any information submitted in a nomination will be made public.

#informedPRA

Spotlight on The News Librarian: what did we do and what have we lost?

This year’s Best Picture Oscar went to the film Spotlight, about an investigative journalist team uncovering a scandal in the Boston Catholic church in the 1990s. Among the techniques which helped them make connections, find evidence and uncover new aspects, were searches through press cuttings archives and cross referencing library directories. Vaguely seen in the film are news librarians, retrieving microfilm and hard copy press cuttings files. Unsurprisingly, the heroes of the film were the journalists themselves, the librarians silent service personnel. Here, Katharine Schopflin shares her experience of working as a news librarian.

As a news librarian myself in the early 2000s, I can tell you that librarians did a lot more than just fetching and carrying. For a start, the press cuttings files themselves were compiled by librarians marking articles with relevant classification terms so they could be found again. To do so took expert news knowledge, the ability to analyse and disambiguate at high speed and an understanding of how future questions would be asked. Secondly, news libraries kept back copies of directories precisely so that they could be mined for information. The journalists in Spotlight descend to a basement storeroom and find them on the shelves, in order, where they expected to. Their life, had they been kept in the newsroom, would have been somewhat shorter.

And news librarians actually did research themselves. The late 1990s was the great era of the information professional as news researcher. Paula Hane’s Super searchers in the news (Information Today, 2000) interviewed ten librarians based in US news organisations. They discussed the questions they get asked, the stories they had researched, the skills they used and the resources they relied on. All indicated close working relationships with journalists, investigative or otherwise, who clearly valued their skills and knowledge of resources. In some cases the librarian worked in the newsroom itself, in a role recognised as quasi-journalistic. This wasn’t a US phenomenon either. Sarah Adair’s edited collection Information sources in the press and broadcast media (Bowker Saur, 1999) demonstrated that specialist information searching skills were increasingly valued at a time when many journalists felt mistrustful or overwhelmed by the world wide web. News librarians understood where to look, how to evaluate and when to go to trusted sources such as hard copy reference or online databases which charged a hefty per-use tariff.

Image credit: ‘New technology will slash cost of preserving written heritage’ by University of Salford Press Office

In the first decade of the twentieth century, a combination of panic and opportunity meant that library after library closed across the UK and US. Panic was caused by a succession of events: the dot.com crash, particularly affecting publications which had been taken over by tech companies (AOL Time Warner, which announced the closure of the Time Life editorial research library in June 2001 was a noted example), recession, the after-effects of the September 2001 World Trade Center attacks (which affected advertising revenue), and the decline in paper circulation as online news took over the eyes and interest of readers. In response, news organisations sought cuts wherever they could. As research resources became increasingly available via web interfaces directly accessed by journalists themselves, the opportunity to make savings by closing the library seemed obvious. In 2010, the professional association representing news librarians in the UK, the Association of UK Media, was wound up because so few of its members now worked in the sector.

Today, the news librarian is a rare creature indeed. There are some pockets of information professional work in news organisations in areas such as rights, licensing, media cataloguing and management and even research (see Katy Stoddard’s account of her work at the Guardian). But on the whole, the notion that an information professional has special skills essential to publication of unbiased, well-informed, original and accurate journalism has disappeared. Either organisations feel ‘it’s all on the web’ or a library was a luxury or something simply not relevant. Librarians are not the only casualty of a very real crisis in the modern media: increasingly fewer journalists work for newspapers and, as Nick Davies depicts in his excellent Flat Earth News (Chatto and Windus, 2008), much of the content produced by our news outlets rehashes the contents of press releases. Far less of the type of investigative journalism depicted in Spotlight takes place.

Nobody is arguing that librarians should be employed to classify hard-copy press cuttings when the most-heavily used content is available online, powerful and evocative as a hard copy press cuttings file is. And the day-to-day life of the news librarian was unglamorous and could be unrewarding. Yet the loss of an entire sector of a profession is no small matter. As I write, public librarians are active in protest to try and ensure that there will be professional jobs for them to take on in the future. Professions ensure standards, encourage training, provide best practice and support each other with knowledge, advice and shared resources.

Image credit: ‘newspaper clippings table’ by Carmichael Library

News librarians were the people in their organisation who excelled at finding information, identifying sources and, as information increasingly became available in chaotic and unmediated formats via the web, establishing the authority and reliability of a source. Many journalists cared about these things, but only the librarians took on the responsibility to be the filter which stopped short-cuts and lazy research. Perhaps this is the real tragedy of the loss of the news librarian, what it says about the journalism available to us. Nobody working in the field can afford to apply the types of professionalism a news librarian could bring to the job. This is unlikely to change as news organisations attempt to solve the conundrum of how to make their readers pay for professionally-written content.

The demise of the news librarian is not, therefore, simply a historical event, equivalent to the loss of paper-based accounts ledgers or a closed coal mine. It points to two depressing conclusions about the media we read, watch and listen to. First, the very connection of information skills with journalism has been lost. Those people who train and practice to connect people with high-quality information are no longer of interest to those who make the news. Secondly, information skills have become redundant in the media because few media outlets care about professional standards. It’s not just librarians who aren’t carrying out in-depth research, evaluating sources and finding the unfindable: nobody is.

I recently attended a Media Society event at which senior journalists discussed the future of news content. They agreed that, if journalism is to prove itself as important in society, more high-quality investigative journalism of the sort depicted in Spotlight should take place. I would like to think that, if it happens, the support and skills of information professionals would be recognised as offering value to the process. However, I fear the link between our profession and the news has probably been severed irrevocably.

First published in CILIP Update (magazine of the Chartered Institute of Library and Information Professionals, www.cilip.org.uk), June 2016, pp. 28-30, and reproduced by kind permission.

The Informed Peer Recognition Award


The Informed team are excited to be announcing the launch of a new award, the Informed Peer Recognition Award. We thought it would be a useful addition to the range of awards currently available for information professionals in the UK.

Background to the development of the award

Elly O’Brien, Mobeena Khan and Jennie Findlay spent a significant amount of time drafting a nomination for a professional colleague for an award back in autumn 2014. The process of writing the nomination was particularly time consuming and demanding, taking the three of us many hours of our time. Once the nomination was submitted, there was no further contact from the organisers. We had no information or progress updates on the process of the award judging, or timescales for the outcome, and there was no communication with nominators about the final outcome of the process. To see whether our nominee had been recognised we had to guess the possible announcement date, and monitor the website daily for a month. Our nominee received no contact from the organisers at any point, and in the end, we decided to send them a copy of the nomination material we’d drafted, as the purpose of us nominating them was to demonstrate to them how valued their work was. In the end the only way we could do this was to give them that information directly. Overall, taking part in that awards process as a nominator was incredibly frustrating.

The Informed team response

We began to think more deeply about the difficulties of the nomination process we’d been through, and how it had been both a frustrating and impersonal experience. We wondered if there was a way that the Informed group of volunteers could create and run an award which would try and avoid these frustrations, and ensure that all those nominated would be able to see what work or activity they were being recognised for.

Elly, Mobeena and Jennie discussed and began to develop the initial idea about creating an award. We decided at an early stage that it could not be run by any of the various professional bodies, because we wanted it to be inclusive, and usually these groups are only able to offer awards to their own members. Due to other professional commitments, Elly had to step back from active involvement, and Laura Ennis took her place. Together we’ve endeavoured to create an award structure that we hope will work in a way that keeps nominators and nominees informed, and is flexible enough to allow for the efforts of a range of information sector workers who may be excluded from nomination for other awards to be recognised.

Objectives

For easy reference, this is what we hope to achieve with this awards process:

  • Create an award that all UK information workers of all levels are eligible for.
  • Be as informative as possible for nominators submitting nominations – be open about the awards schedule, how quick a response the team will be able to give when contacted, and give nominators an idea of the timescales for each stage of the process.
  • Contact nominees to notify them that they have been nominated for an award, and tell them when the result is expected to be announced.
  • Ensure that judges are aware of the process and timescales involved when they volunteer to take part, to allow them to determine if the schedule will work with their personal commitments.
  • Publish the full content of all nominations on the Informed website, to enable the public recognition of nominees’ work that the nominators intend.

 

CryptoParty Newcastle and user privacy in libraries

The following post was contributed by Aude Charillon. Aude is a curious librarian interested in intellectual property, digital literacy, open data, online rights, and currently working at Newcastle Libraries.


On Sunday 22 May, we held a CryptoParty at Newcastle City Library.

What’s a cryptoparty?

A cryptoparty is an informal gathering of individuals where people discuss, learn and share their knowledge of tools and systems to protect their privacy and electronic communications. It’s called “crypto” because of cryptography and encryption.1

Why did we hold a cryptoparty in a public library?

I personally believe that libraries exist to defend people’s right to enrich and improve their own lives, their environment and society. We library and information professionals make this happen by facilitating access to and the sharing of information, knowledge and culture.

In public libraries we already do a lot around digital skills and literacy: we teach people how to use a computer and the Internet, how to search efficiently and be critical about the information they may find… Privacy is a right enshrined in the Universal Declaration of Human Rights; knowing how to protect it in the digital world is part of knowing how to use the internet and technology efficiently. I feel that teaching library users how to protect their privacy and providing them with the tools to do so is simply the next step for improving digital skills, and it fits with our role as librarians. (Thankfully, my manager agrees!!)

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
[Universal Declaration of Human Rights, article 12]

How was CryptoParty Newcastle really organised?

Ian Clark pointed out in an article that CryptoParty Newcastle was probably the first to take place in a public library in the UK, but quite frankly that wasn’t at all what was on our minds when we set off in this direction.

The way it really happened is through individuals – not necessarily librarians – expressing interests and taking the initiative.

This is where I explain that I am, in a personal capacity, keen on the defense of online rights – I am not what you would call an activist but I am a member of the UK Open Rights Group (ORG) and a supporter of La Quadrature du Net.

One day in early March, the following message appeared on the (then dormant) ORG North East mailing list:

Every time I see the snoopers' charter in the news again, I think to myself, we should put on another cryptoparty.

If we have a core of at least four people who want to make it happen, I'm sure we can do it. Say sometime in May? I can find a venue in Durham but am open to someone else finding a venue elsewhere.

Anyone up for it?

I was “up for it” because attending a cryptoparty was a chance for me to learn about privacy tools from people who used them – I wanted this event to take place, so I thought I might as well help make it happen! And because of the reasons outlined above, I was able to offer a space at Newcastle City Library.

A core group of four met, a date was set and a format agreed – you can see some of our preparations on the CryptoParty Newcastle wiki. The fact that the impetus came from individuals rather than institutions is reflected in the vocabulary we used on the event’s main page: the event was hosted by ORG North East and Newcastle Libraries. We promoted the cryptoparty through the ORG North East and Newcastle Libraries channels and local Linux user groups’ mailing lists, and it even attracted the attention of the Newcastle City Council Communications team who made a short video!

What happened on the day?

There were 6 people on the organising team and about a dozen participants turned up. We had picked topics and arranged to have one per table, so people could go to the tables they wanted, to learn about the tools they were most interested in. It was very informal and this system seemed to work pretty well. We also had handouts, which were brilliant and which people took home with them.

In a nutshell, people spent the afternoon discussing the tools, learning how to install and use them and eating cake!

Most participants had already had a go with at least one of the tools, so it was also interesting to hear how people were using them. A couple had never used any of them but felt they should learn more about how to protect their privacy and communications. A couple of people were very experienced and some conversations became very technical! All in all, everyone seemed to get something out of the event.

At the end of the day, we started talking about the next cryptoparty. We managed to recruit some of the participants to help with organising / helping out at the next event and we have a date pencilled in for October.

For more in-depth views on the day you may like to read a write-up from one of the participants and a piece by one of the other organisers: “What we learned from hosting our cryptoparty”.


What can you do for user privacy in your library?

First of all, you may like to make your library users aware of why they might want to use privacy tools and help them get started with some of these.

A great way to do this is obviously to organise a cryptoparty – because who doesn’t want to come to a party to talk about rights online and to improve their digital skills?! Don’t worry if you do not have experience of the tools: find the people who do and who may be interested in helping you out. Members of your local ORG branch (or the association in your area that’s advocating for online rights) might be able to help, but you could also try the local tech community – especially the user groups of open source systems as they often have similar ethics. There is not one format for cryptoparties: it’s worth looking at what others have done and deciding with your co-organisers what works best for you.

Another way to teach your users about privacy tools is to hold digital literacy sessions. You may already be delivering one-to-one sessions or group workshops on using a tablet, accessing online journals and resources, etc. so why not add another topic on protecting one’s privacy while browsing the Internet?

Second, you might like to actually offer some of those tools on your library’s public computers or support them through your library’s infrastructure. This is where your favourite IT colleagues will have a few things to say – but, as they say in Newcastle: “shy bairns get nowt”.

The easiest thing to put in place would be to offer alternative, more privacy-minded browsers on your public PCs. You may already have Internet Explorer and / or Chrome installed; you could also offer Firefox with the HTTPS Everywhere and Privacy Badger add-ons, and of course DuckDuckGo as the default search engine. The next thing could be to also offer Tor Browser – though if you have a content filtering system in place your IT colleagues might say no (and add a few more reasons why).

If you have bandwidth to spare and an understanding IT department that is part of a very forward-thinking organisation, you could also get your library to become a Tor exit node, or at least a Tor relay, to support the Tor network.

Your best resource (in English) is probably going to be the amazing Library Freedom Project based in the US. You can learn from their digital privacy education session slides or use their toolkit on running a Tor exit node in your library, among other things!

[1] This is my interpretation. See also the definition on the CryptoParty website, at: https://www.cryptoparty.in (Accessed 4 June 2016)

Investigatory powers bill and libraries

This blog post was contributed by Ian Clark from the Informed team and Lauren Smith, a Research Associate at the University of Strathclyde.

The news that libraries may be forced to hand over personal data to the security services raises serious ethical questions regarding the confidentiality of what people choose to read. A fundamental ethical principle of the library and information profession is the freedom of individuals to access information and read whatever they choose in confidence. The Chartered Institute of Library and Information Professionals (CILIP) is very clear on the obligations to library users. Its ethical principles state the need to demonstrate:

Commitment to the defence, and the advancement, of access to information, ideas and works of the imagination.

Such a principle is undermined if the government is known to be able to access data on the “information, ideas and works of the imagination” that individuals access. The chilling effect of such a move would inhibit individuals from accessing whatever they want without fear of reprisals from the state.

Furthermore, CILIP has also endorsed the Council of Europe’s “Public access to and freedom of expression in networked information: Guidelines for a European cultural policy”. These guidelines are very clear that what users choose to access should be treated as confidential and that the privacy of users should be paramount:

1.2 It is the responsibility of individuals using Public Access Points to decide for themselves what they should, or should not, access.

1.3 Those providing Public Access Points should respect the privacy of users and treat knowledge of what they have accessed or wish to access as confidential.

The proposals laid out by Theresa May seriously threaten these basic ethical principles. If the state is able to access data on what individuals have been reading in public libraries their freedom to read and access what they choose is seriously compromised.

Ironically, these proposals come at a time when libraries and librarians in other parts of the world are emphasising the importance of ensuring that individuals can access what they wish in confidence. In December last year, librarians were in uproar when Haruki Murakami’s borrowing record was published in a Japanese newspaper. In response, the Japan Librarian Association re-affirmed that:

“Disclosing the records of what books were read by a user, without the individual’s consent, violates the person’s privacy.”

In the face of similarly intrusive legislation (the PATRIOT Act) in the United States, some libraries have begun purging records of inter-library loan requests to protect users’ privacy. As yet we have not seen comparable moves by the profession in the UK, but the increasingly aggressive rhetoric from the government regarding what and how individuals seek out information is clearly in conflict with the values we espouse as a profession.

Libraries should not distinguish between books and web activity. What individuals read and access online should be as private and as confidential as their book borrowing habits. Although we do not have the constitutional protections to intellectual liberty that American library users are afforded under the First Amendment, both professional organisations (such as CILIP) and political bodies (Council of Europe) are very clear that what a user accesses in a library should remain confidential. The proposals put forward by Theresa May threaten these basic principles of intellectual freedom and liberty and will put intolerable pressure on public libraries. Our government’s desire to undermine these principles is not only dangerous, but will also seriously undermine the bond of trust between public libraries and their users.

Informed’s 2016 plans

The end of 2015 was a hectic one for all of us. We had our annual review in which the whole team gets together to review the year that has just passed and look ahead to the coming year. As a result of that discussion, we decided to revert to our old structure of having Administrators (who oversee the running of the site, commissioning content etc) and Moderators (who check submissions against our guidelines). As we are a team of volunteers, the time we can dedicate to Informed fluctuates depending on how busy we are at work, our other voluntary commitments and life! Reinstating these two roles allowed two of our (now) Moderators – Kevin and Helen – who had taken on a lot of other commitments in the year, to continue working with us.

One of our Admins, Stuart Lawson, stepped down from his role in Informed. Anyone who even vaguely knows Stuart knows how many projects he is involved in and how much of his time he dedicates to our profession, from helping to set up and edit the Journal of Radical Librarianship, to extensive work for the Open Access movement. Stuart was involved in the initial discussions that helped to shape what Informed would become – when it was a kernel of an idea in the heads of our founders, Elly, Ian and Jennie – and was our first Moderator to come on board. We are grateful to Stuart for all of the hard work he has put into Informed and for helping us to realise its creation and launch. We wish Stuart the best of luck in his many on-going projects!

In other personnel news, we have a new Moderator amongst us – Mobeena Khan. As with Stuart, Mobeena was involved with the early conversations and has been a great supporter and advocate for the site. We are delighted to have Mobeena as part of the team!

We have lots of exciting stuff planned for 2016. As ever we appreciate all of you who read, share and get involved with our content. We want you to continue to do so by offering ideas for content, volunteering to write posts, connecting us with relevant stories, etc. So please, get in touch if you want to discuss anything with the team.

#dammitJANET – Distributed Denial of Service (DDoS) explained

Simon Barron (@SimonXIX) explains what DDoS is, how it is used and debunks some myths about it.

On 7 December 2015, the academic network provider, Janet, suffered a DDoS attack which partially brought the service down (Martin, 2015). Workers in Higher Education institutions across the UK (and organisations that have their internet access provided by server farms in HEIs) suddenly found their internet connections weren’t working properly while Jisc engineers scrambled to fend off the attack and restore service.

A DDoS (Distributed Denial of Service) attack is a means of bringing down a server (or a cluster of servers) by flooding it with requests. In normal communication on the web, a local computer (e.g. a Windows desktop PC) sends a request to a server (e.g. by pointing Firefox to http://theinformed.org.uk/) to serve up a webpage; the server then responds by sending the data (e.g. HTML and CSS files) that makes up the webpage. A DDoS attack sends thousands of requests to a server continually from multiple IP addresses such that the server cannot respond: either by using up all the server’s CPU processing power at once or by filling up the server’s short-term memory (RAM), causing it to crash.

DDoS (sans the word ‘attack’) can be a valid method of testing the integrity of a server. A developer setting up a web service can perform load testing by incrementally increasing the number of requests sent to a page until it falls down: this gives you the total number of users that should use the service at any one time. A tool like Bees with Machine Guns (https://github.com/newsapps/beeswithmachineguns) uses the power of Amazon Web Services to perform stress testing.

However DDoS is more effectively lodged in the public consciousness as a weapon of hackers. DDoSing without the express consent of the owner of the server is illegal. DDoSers in the USA have been prosecuted under the Computer Fraud and Abuse Act (CFAA) (Coleman, 2014). This weaponised version of DDoS is usually done through botnets. “A botnet is essentially just a collection of computers connected to the Internet, allowing a single entity extra processing power or network connections toward the performance of various tasks including (but not limited to) DDoSing and spam bombing… Participants whose computers are tapped for membership in a botnet usually have no idea that their computer is being used for these purposes. Have you ever wondered why your computer worked so slowly, or strangely? Well, you might have unwittingly participated in a DDoS.” (Coleman, 2014) A computer can become part of a botnet by being infected with a piece of malware.

Another method is a more voluntary form of DDoS using the program Low Orbit Ion Cannon (LOIC), an open-source load testing tool (http://sourceforge.net/projects/loic/). Like its science-fiction namesake, LOIC is simply pointed at a target and then fired: the user enters the IP address of a server and then clicks the large button labelled “IMMA CHARGIN MAH LAZER”. When co-ordinated, a mass group use of LOIC can send thousands of requests at once. However the use of LOIC is not secure: assurances – from the Anonymous #command channel and journalists from sites like Gizmodo – that IP addresses of LOIC-attack participants can not be logged on a targeted server are wrong: “The DDoS’ed site can still monitor its traffic, culling and keeping IP addresses, which can be subsequently used to identify participants.” (Coleman, 2014)
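The point quoted above, that a targeted site still sees and can keep the source address of every request, can be shown from the server's side with an ordinary access log. The following is an added example, not part of the original post: it parses Common Log Format entries, buckets them into fixed windows and reports the windows that exceed a threshold. The sample log, the 10-second window and the 50-request threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def build_sample_log():
    """Constructed sample: background visitors plus a 10-second flood.

    All addresses come from the RFC 5737 documentation ranges.
    """
    def line(ip, second, path="/"):
        return (f'{ip} - - [01/Jan/2016:10:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')

    lines = [line("198.51.100.7", s) for s in (1, 15, 31)]
    lines += [line("198.51.100.9", s, "/about") for s in (5, 42)]
    for host in range(1, 41):          # 40 distinct sources
        for n in range(5):             # 5 requests each
            lines.append(line(f"203.0.113.{host}", 20 + (host + n) % 10))
    lines.append("truncated or corrupt entry")   # must be skipped, not crash
    return lines


def parse_line(text):
    """Return (source_ip, epoch_seconds, path) or None for unparseable lines."""
    m = CLF.match(text)
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), int(when.timestamp()), m.group(4)


def requests_by_source(lines):
    """Total requests recorded per source address."""
    return Counter(p[0] for p in map(parse_line, lines) if p)


def flag_floods(lines, window_seconds=10, max_requests=50):
    """Report every fixed window whose request count exceeds max_requests.

    window_seconds and max_requests are illustrative; a real threshold
    comes from the server's measured normal load.
    """
    windows = defaultdict(Counter)
    for parsed in map(parse_line, lines):
        if parsed:
            ip, ts, _path = parsed
            windows[ts - ts % window_seconds][ip] += 1
    report = []
    for start in sorted(windows):
        per_ip = windows[start]
        total = sum(per_ip.values())
        if total > max_requests:
            report.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "requests": total,
                "distinct_sources": len(per_ip),
                "top_sources": per_ip.most_common(3),
            })
    return report


if __name__ == "__main__":
    for row in flag_floods(build_sample_log()):
        print(row)
```

In the constructed sample no single source sends more than five requests, so a per-address rate limit alone would not trip; the flood is only visible in the per-window total and the count of distinct sources.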

A DDoS attack is fairly simple hacking: it does nothing more than disrupt a service in a way easy to recover from and temporarily take down a public face of a company.

(Monroe, 2011: image licensed as CC BY-NC 2.5)

The real issue is what hacking can be done under the cover of a DDoS attack. While server defences are weakened by devoting processing power to dealing with requests and while sysadmins are distracted fending off the attack, a hacker can covertly perform more malicious hacks like accessing data in a server’s database or changing passwords or planting code or simply ‘rm -rf /’-ing the whole server.

The impetus for this kind of malicious DDoS attack can be political or simply, in the words of hackers, “for the lulz” (Coleman, 2014). DDoS as a tactic for political activism has become associated with the trickster hacker collective, Anonymous, who have used it to take down the websites and servers of various companies or groups. Since DDoS can be used to crash a server, it has been used to take down websites from the Church of Scientology’s site to Sony’s Playstation Network to PayPal (Coleman, 2014).

The use of DDoS as a tool for political activism is hotly debated among hackers. Groups like the Pirate Party and AnonOps (operational planners of Anonymous) disagree about the ethics and efficacy of using DDoS (Coleman, 2014). On one hand are those who argue that DDoSing is nothing more than another “large-scale, rowdy, disruptive [tactic] to draw attention and demand change.” (Coleman, 2014): no different fundamentally from a sit-in protest, a direct action blockade, or an occupation of a physical space. The only differences are squatting on digital space rather than physical space and the increased numbers of participants that can be involved in a protest via DDoS. Anonymous also argue that the visibility of the action and its ability to get the mainstream media’s attention justifies its use to highlight political and social justice issues. In 2013, Anonymous posted a petition on whitehouse.gov asking that DDoS be recognised as a legal form of protesting, the same in kind as the Occupy protests (whitehouse.gov, 2013).

On the other hand, other hackers invoke principles of free speech and freedom of information to decry the use of DDoS. With an absolutist view of free speech, taking a website offline is depriving the company or group that owns the website from expressing their views (via the medium of webpages) and also depriving the public of information. Oxblood Ruffin of the Cult of the Dead Cow hacker collective reasons that “Anonymous is fighting for free speech on the Internet, but it’s hard to support that when you’re DoS-ing and not allowing people to talk. How is that consistent?” (Mills, 2012) When using a botnet, there are also ethical concerns in harnessing someone’s computer without their consent to participate in illegal activity.

On the other other hand, a “more dynamic view of free speech could take power relations into account. By enabling the underdog—the protester or infringed group—to speak as loudly as its more resourceful opponents (in this case, powerful corporations), we might understand a tactic like DDoS as a leveler: a free speech win.” (Coleman, 2014)

In a sample of a chat log from an IRC chatroom, #antiactaplanning (quoted in Coleman, 2014), Anonymous members debated the use of DDoS on a US Government website:

<golum>: Whatever, listen. I’ve heard all the arguments for NOT ddosing. But the truth is we need to wake them up.

[…]

<golum>: I understand that ddosing could potentially harm our cause.

<golum>: But I think the risk is worth it.

<fatalbert>: well i as for myself disagree therefore im not helping with ddos

<golum>: We need attention

<+void>: OMG ITS THE ANONYMOUS, THE ONLY THING THEY DO IS DDOS, OMGOMGOMOGMOMG LETS MAKE ACTA PASS ON POSITIVE

<golum>: No.

<golum>: matty—how did contacting the politicians go?

<BamBam>: Yeah I’ve always kinda hated ddos

<golum>: Look. i’ve heard the arguments I just wanted to say, we should do this.

It’s unclear why Janet, the network enabling internet access for UK HEIs, came under attack this week. At the same time, the Jisc website received a direct DDoS attack as well (Jisc, 2015). It’s worth noting that although internet access through Janet in the UK was disrupted, users were still able to access the wider web by routing their traffic outside of the UK network either through a VPN like Bitmask (https://bitmask.net/) or through the Tor Project’s Tor Browser (https://www.torproject.org/). Such tools are often mistakenly perceived as being used exclusively by hackers, those accessing the ‘Dark Web’, criminals, or terrorists. Following the November 2015 Paris attacks by Daesh, the French Government have openly discussed banning the use of Tor Browser in the same way as Iran or China (Griffin, 2015). In reality, online privacy tools have legitimate and valid uses for defense in computer security: whether against DDoSers or governments and corporations conducting mass digital surveillance.

Whether morally legitimate or not, DDoSing is an effective tactic for hackers and other political activist groups. The core strength of DDoS is that it exploits a weakness in the fundamental principle of the internet: computers using telecommunications networks to request data from one another.

 

References:

Coleman, G., 2014. Hacker, hoaxer, whistleblower, spy: the many faces of Anonymous. London: Verso.

Griffin, A., 2015. ‘France could ban public Wi-Fi and Tor anonymous browsing following Paris attacks’ in The Independent, 2015-12-07 http://www.independent.co.uk/news/world/europe/france-could-ban-public-wi-fi-and-tor-anonymous-browsing-after-paris-attacks-a6763001.html

Jisc, 2015. ‘DDoS attack disrupting Janet network’ on Jisc website, 2015-12-08 https://www.jisc.ac.uk/news/ddos-attack-disrupting-janet-network-08-dec-2015

Martin, A. J., 2015. ‘UK research network Janet under ongoing and persistent DDoS attack’ on The Register, 2015-12-07 http://www.theregister.co.uk/2015/12/07/janet_under_persistent_ddos_attack/

Mills, E., 2012. ‘Old-time hacktivists: Anonymous, you’ve crossed the line’ on CNET, 2012-03-30 http://www.cnet.com/news/old-time-hacktivists-anonymous-youve-crossed-the-line/

Monroe, R., 2011. ‘CIA’ on xkcd, 2011-08-01 https://xkcd.com/932/

whitehouse.gov, 2013. ‘Make, distributed denial-of-service (DDoS), a legal form of protesting.’ on petitions.whitehouse.gov, 2013-01-07 https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting