As I suspect is the case with many members, my relationship with the American Library Association runs hot and cold. On the one hand, like Soylent Green, ALA is people: I have been privileged to meet and work with many excellent folk through ALA, LITA, and ALCTS (though to complete the metaphor, sometimes I’ve seen ALA chew on people until they felt they had nothing left to give). There are folks among ALA members and staff whose example I hope to better emulate, including Andromeda Yelton, Deborah Caldwell-Stone, Keri Cascio, and Jenny Levine. I also wish that Courtney Young were ALA president now.

And yet.

For what follows, unfortunately I feel compelled to state my bona fides: yes, I have been and am active in ALA. I sign petitions; I grit my teeth each year and make my way through ballots that are ridiculously long; I have chaired interest groups — and started one; I’ve served on an ALA-level subcommittee; I helped organize a revenue-producing pre-conference. Of course, many people have rather more substantial records of service with ALA than I do, but I’ve paid my dues with more than just my annual membership check.

To put it another way, the spitballs I’m about to throw are coming from a decent seat in orchestra left, not the peanut gallery.

So, let’s consider the press releases.

This one from 15 November, ALA offers expertise, resources to incoming administration and Congress:

“The American Library Association is dedicated to helping all our nation’s elected leaders identify solutions to the challenges our country faces,” ALA President Julie Todaro said. “We are ready to work with President-elect Trump, his transition team, incoming administration and members of Congress to bring more economic opportunity to all Americans and advance other goals we have in common.”

Or this one from 17 November, Libraries bolster opportunity — new briefs show how libraries support policy priorities of new administration:

The American Library Association (ALA) released three briefs highlighting how libraries can advance specific policy priorities of the incoming Trump Administration in the areas of entrepreneurship, services to veterans and broadband adoption and use.

In other words, the premier professional organization for U.S. librarians is suggesting that not only must we work with an incoming administration that is blatantly racist, fascist, and no friend of knowledge, we support his priorities?

Hell no.

Let’s pause to imagine the sounds of a record scratch followed by quick backpedaling.

Although it appears that a website redesign has muddied the online archives, I note that ALA does not appear to have issued a press release expressing its willingness to work with Obama’s administration back in 2008. In fact, an opinion piece around that time (appropriately) expressed ALA’s expectations of the incoming Obama administration:

During this time of transition in our nation’s leadership, the greatest challenge we face is getting our economy back on its feet. As our country faces the challenges and uncertainty of this time, the public library is one constant that all Americans, regardless of age or economic status, can count on, and it is incumbent on our leaders make it a priority to ensure America’s libraries remain open and ready to serve the needs of students, job seekers, investors, business people and others in the community who want information and need a place to get it.

Note the politely-phrased implicit demand here: “Mr. President-Elect: we have shown our value; you must now work to bolster us.”

This is how we should act with our political leaders: with the courage of our convictions.

Of course, it was easy to do that with a president who was obviously not about to start tearing down public libraries.

Consider this from Julie Todaro’s Q&A about the whole mess (emphasis mine):

Why did we write the press releases in the first place?

ALA often reaches out to constituents, advocates, and decision-makers – both proactively and reactively – to request actions, express our support for actions taken, request a decision-maker consider libraries in general, and request that libraries be considered for specific activities or purposes. My presidential initiative focuses on library professionals and library supporters as experts and on their expertise, and on the importance of various library initiatives in communities and institutions of all types and sizes – and on the importance of communicating this value to decision-makers. In making a strong case for the value of libraries – in any political environment – it is important to state that case from the perspective of the decision-maker. So, if a legislator or administrator is focused on the importance of small businesses and their effect on the community, for example, the strategy is to prepare a statement illustrating how libraries support small businesses within their community – and how they could be even more effective with supportive legislation, funding or other appropriate action. Our stories – combined with data –can be framed to align our vision with other visions – always within the framework of our values.

Really? What on earth was that decision-maker’s perspective imagined to be?

That of a normal business man, fond of his tax cuts but not wholly bereft of a sense that some leavings from his financial empire ought to be sprinkled around for the public good, or at least the assuagement of a guilty conscience?

That of a conservative, Republican, library board member, who might never vote to eliminate overdue fines but at least recognizes that a town is not complete without its library?

That of an entrepreneur overfond of his technological toys, who at least might be shown that there are some things Google neither finds nor indexes?

Such people might be reachable.

A conman is not.

A conman who explicitly denies the value of acquiring information. A conman who unapologetically names a white nationalist as his chief counselor. A conman whose Cabinet picks are nearly uniformly those who would pillage the departments they would lead. A conman who, unlike George W. Bush, has no known personal connection to libraries.

A conman who cannot be bought off, even if ALA were to liquidate itself.

Cowering before Trump will not save us; will not save libraries. I do not suggest that ALA should have pulled the tiger’s tail; in the face of fascism, such moral authority as we possess only works quietly. We are in for the long haul; consequently, it would have been appropriate, if not necessarily courageous, for ALA to have said nothing to the incoming administration.

One of the things that appalls me about the press releases is the lack of foresight. There was no reason to expect that Trump would respect craven offerings, and it was entirely predictable that a significant portion of the membership would object to the attempt.

Contrary to Naomi Schaefer Riley’s piece in the New York Post, libraries are not suddenly political. However, in its recent actions, ALA deserves the contempt she expresses: an organization that yanks two press releases is, at least, inept — inept beyond the normal slow pace of library decision-making.

ALA desperately needs to do better. The political climate is unfriendly enough even before we consider creeping fascism: we should not plan on the survival of IMLS and LSTA nor on the Copyright Office remaining under the oversight of the Librarian of Congress. An administration that is hinting at a purge of EPA scientists who investigate climate change will not hesitate to suppress their writings. An administration that seeks to expand a registry of Muslims may not stoop at demanding lists of library patrons who have checked out books in Dewey 297.

And frankly, I expect libraries to lose a lot of battles on Capitol Hill, although I do think there is at least some hope that smart action in Washington, but particularly at the state level, might ameliorate some of the losses.

But only if we recognize the situation for what it is. We face both the apotheosis of GOP efforts to diminish, dismantle, and privatize government services and a resurgence of unrestrained racism and white nationalism.

I just hope that ALA will remain with me in resisting.

Rob McGee has been moderating the “View from the Top” presidents [of library technology companies] seminar for 26 years. As an exercise in grilling executives, its value to librarians varies; while CEOs, presidents, senior VPs and the like show up, the discussion is usually constrained. Needless to say, it’s not common for concerns to be voiced openly by the panelists, and this year was no different. The trend of consolidation in the library automation industry continued to nobody’s surprise; that a good 40 minutes of the panel was spent discussing the nuts and bolts of who bought whom for how much did not result in any scintillating disclosures.

But McGee sometimes mixes it up. I was present to watch the panel, but ended up letting myself get plucked from the audience to make a couple comments.

One of the topics discussed during the latter half of the panel was patron privacy, and I ended up in the happy position of getting the last word in, to the effect that for 2016, patron privacy is a technology trend. With the ongoing good work of the Library Freedom Project and Eric Hellman, the release of the NISO Privacy Principles, the launch of Let’s Encrypt, and various efforts by groups within ALA doing educational and policy work related to patron privacy, lots of progress is being made in turning our values into working code.

However, the reason I ended up on the panel was that McGee wanted to stir the pot about where innovation in library technology comes from. The gist of my response: it comes from the libraries themselves and from free and open source projects initiated by libraries.

This statement requires some justification.

First, here are some things that I don’t believe:

  • The big vendors don’t innovate. Wrong: if innovation is an idea plus the ability to implement it plus the ability to convince others that the idea is good in the first place, well, the big firms do have plenty of resources to apply to solving problems. So do, of course, the likes of OCLC and, in particular, OCLC Research. On the other hand, big firms do have constraints that limit the sorts of risks they can take. It’s one thing for a library project to fail or for a startup to go bust; it’s another thing for a firm employing hundreds of people and (often) answering to venture capital to take certain kinds of technology risks: nobody is running Taos or Horizon 8, and nobody wants to be the one to propose the next big failure.
  • Libraries are the only source of innovative new ideas. Nope; lots of good ideas come from outside of libraries (although that’s no reason to think that they only originate from outside). Also, automation vendors can attain a perspective that few librarians enjoy: I submit that there are very few professional librarians outside of vendor employees who have broad experience with school libraries and public libraries and academic libraries and special libraries and national libraries. A vendor librarian who works as an implementation project manager can gain that breadth of experience in the space of three years.
  • Only developers who work exclusively in free or open source projects come up with good ideas. Or only developers who work exclusively for proprietary vendors come up with good ideas. No: technical judgment and good design sense don’t distribute themselves that way.
  • Every idea for an improvement to library software is an innovation. Librarians are not less prone to bikeshedding than anybody else (nor are they necessarily more prone to it). However, there is undoubtedly a lot of time and money spent on local tweaks, or small tweaks, or small and local tweaks (for both proprietary and F/LOSS projects) that would be better redirected to new things that better serve libraries and their users.

That out of the way, here’s what I do believe:

  • Libraries have initiated a large number of software and technology projects that achieved success, and continue to do so. Geac, anybody? NOTIS? VTLS? ALEPH. Many ILSs had their roots in library projects that later were commercialized. For that matter, from one point of view both Koha and Evergreen are also examples of ILSs initiated by libraries that got commercialized; it’s just that the free software model provides a better way of doing it as opposed to spinning off a proprietary firm.
  • Free and open source software models provide a way for libraries to experiment and more readily get others to contribute to the experiments than was the case previously.
  • And finally, libraries have different incentives that affect not just how they innovate, but to what end. It still matters that the starting point of most library projects is better serving the needs of the library, their users, or both, not seeking a large profit in three years’ time.

But about that last point and the period of three years to profit—I didn’t pull that number out of my hat; it came from a fellow panelist who was describing the timeframe that venture capital firms care about. (So maybe that nuts-and-bolts discussion about mergers and acquisitions was useful after all).

Libraries can afford to take a longer view. More time, in turn, can contribute to innovations that last.

The sort of blog post that jumbles together a few almost randomly-chosen bits on a topic, caps them off with an inflammatory title, then ends with “let’s discuss!” has always struck me as one of the lazier options in the blogger’s toolbox.  Sure, if the blog has an established community, gently tweaking the noses of the commentariat may provide some weekend fun and a breather for the blogger. If the blog doesn’t have such a community, however, a post that invites random commenters to tussle is better if the blogger takes the effort to put together a coherent argument for folks to respond to.  Otherwise, the assertion-jumble approach can result in the post becoming so bad that it’s not even wrong.

Case in point: Jorge Perez’s post on the LITA blog yesterday, Is Technology Bringing in More Skillful Male Librarians?

It’s a short read, but here’s a representative quote:

[…] I was appalled to read that the few male librarians in our profession are negatively stereotyped into being unable to handle a real career and the male dominated technology field infers that more skillful males will join the profession in the future.

Are we supposed to weep for the plight of the male librarian, particularly the one in library technology? On reflection, I think I’ll just follow the lead of the scrivener Bartleby and move on. I do worry about many things in library technology: how money spent on library software tends to be badly allocated; how few libraries (especially public ones) are able to hire technology staff in the first place; how technology projects all too often get oversold; the state of relations between library technologists and other sorts of library workers; and yes, a collective lack of self-confidence that library technology is worth doing as a distinct branch of library work (as opposed to giving the game up and leaving it to our commercial, Google-ish “betters”).

I am also worried about gender balance (and balance on all axes) among those who work in library technology — but the last thing I worry about in that respect is the ability of men (particularly men who look like me) to secure employment and promotions building software for libraries. For example, consider Melissa Lamont’s article in 2009, Gender, Technology, and Libraries. With men accounting for about 65% of heads of library systems department positions and about 65% of authorship in various library technology journals… in a profession that is predominantly comprised of women… no, I’m not worried that I’m a member of an underrepresented class. Exactly the opposite. And to call out the particular pasture of library tech I mostly play in: the contributor base of most large library open source software projects, Koha and Evergreen included, continues to skew heavily male.

I do think that library technology does better at gender balance than Silicon Valley as a whole.

That previous statement is, of course, damning with faint praise (although I suppose there could be some small hope that efforts in library technology to do better might spill over into IT as a whole).

Back to Perez’s post. Some other things that I raise my eyebrow at: an infographic of a study of stereotypes of male librarians from 23 years ago. Still relevant? An infographic without a complete legend (leaving me free to conclude that 79.5% of folks in ALA-accredited library schools wear red socks ALL THE TIME). And, to top it off, a sentence that all too easily could be read as a homophobic joke — or perhaps as a self-deprecating joke where the deprecation comes from imputed effemination, which is no improvement. Playing around with stereotypes can be useful, but it requires effort to do well, which this post lacks.

Of course, by this point I’ve written over 500 words regarding Perez’s post, so I suppose the “let’s discuss!” prompt worked on me. I do think that LITA should be tackling difficult topics, but… I am disappointed.

LITA, you can do better. (And as a LITA member, perhaps I should put it this way: we can do better.)

I promised stuff to make satisfying thuds with. Sadly, what with the epublishing revolution, most of the thuds will be virtual, but we shall persevere nonetheless: there are plenty of people around with smart things to say about gender in library technology. Here are some links:

I hope LITA will reach out to some of them.

Update 2015-10-26:

Update 2015-10-28:

  • Swapped in a more direct link to Lisa Rabey’s post.
Update 2015-11-06:

Perez has posted a follow-up on the LITA blog. I am underwhelmed by the response — if in fact it’s actually a response as such. Perez states that “I wanted to present information I found while reading”, but ultimately missed an opportunity to more directly let Deborah Hicks’ work speak for itself. Karen Schneider picked up that task, got a copy of Hicks’ book, and posted about it on LITA-L.

I agree with Karen Schneider’s assessment that Hicks’ book is worth reading by folks interested in gender and librarianship (and it is on my to-be-read pile), but I am not on board with her suggestion that the matter be viewed as just the publication of a very awkward blog post from which a reference to a good book can be extracted (although I acknowledge her generosity in that viewpoint). It’s one thing to write an infelicitously-composed post that provides a technical tip of interest to systems librarians; it’s another thing to be careless when writing about gender in library technology.

In his follow-up, Perez expresses concerns about how certain stereotypes about librarianship can affect others’ perceptions of librarianship — and consequently, salaries and access to perceived authority. He also alludes to (if I understand him correctly) how being a Latino and a librarian has affected perceptions of him and his work. Should the experiences of Latino librarians be discussed? Of course! Is librarianship and how that interacts with the performance of masculinity worthy of study? Of course! But until women in library technology (and in technology fields in general) can count on getting a fair shake, and until the glass escalator is shattered, failing to acknowledge that the glass escalator is still operating when writing about gender in library technology can transform awkwardness into a source of pain.

My ALA Annual this year is going to focus on five hashtags: #mashcat, #privacy, #nisoprivacy, #kohails, and #evgils.

#mashcat is for Mashcat, which is an effort to build links between library systems and library metadata folks. We’ve had some recent success with Twitter chats, and I’ve made up some badge ribbons. If you’d like one, tweet at me (@gmcharlt)!

#privacy and #nisoprivacy are for patron privacy. My particular interest is in using our technology to better protect it. I’ll be running the LITA Patron Privacy Technologies Interest Group meeting on Saturday (where I look forward to Alison Macrina’s update on Let’s Encrypt). I’ll also be participating in the face-to-face meeting on Monday and Tuesday for the NISO project to create a consensus framework for patron privacy in digital library and information systems.

#kohails and #evgils are for Koha and Evergreen, both of which I hack on and which MPOW supports – so one of the things I’ll also be doing is wearing my vendor hat while boothing and meeting.

Here’s my conference schedule so far, although I hope to squeeze in a Linked Data program as well:

In the title of the post, I promised mod_proxy hackery. Not typical for an ALA schedule post? Well, the ALA scheduler website allows you to choose to make your schedule public. If you do that, you can embed the schedule in a blog post using an iframe.

Here’s the HTML that the scheduler suggests:


There’s a little problem with that suggestion, though: my blog is HTTPS-only. As a consequence, an HTTP iframe won’t be rendered by the browser.

What if I change the embedded URL to “https://alaac15.ala.org/user/36364/schedule-embed”? Still doesn’t work, as the SSL certificate returned is for https://connect.ala.org, which doesn’t match alaac15.ala.org. *cough*

Rather than do something simple, such as using copy-and-paste, I ended up configuring Apache to set up a reverse proxy. That way, my webserver can request my schedule from ALA’s webserver (as well as associated CSS), then present it to the web browser over HTTPS. Here’s the configuration I ended up with, with a bit of help from Stack Overflow:

    # ALA scheduler needs SSL with a cert that matches badly
    ProxyPass /alaac15/ http://alaac15.ala.org/
    ProxyPassReverse /alaac15/ http://alaac15.ala.org/
    ProxyHTMLURLMap http://alaac15.ala.org /alaac15/

    <Location /alaac15/>
       ProxyPassReverse /
       # Rewrite links in proxied HTML so they point back through /alaac15/
       SetOutputFilter  proxy-html
       ProxyHTMLURLMap http://alaac15.ala.org /alaac15/
       ProxyHTMLURLMap / /alaac15/
       ProxyHTMLURLMap  /alaac15/ /alaac15/
       # Request uncompressed responses so the proxy-html filter can parse them
       RequestHeader    unset  Accept-Encoding
    </Location>

This is a bit ugly (and I’ll be disabling the reverse proxy after the conference is over)… but it works for the moment, and also demonstrates how one might make a resolutely HTTP-only service on your intranet accessible over HTTPS publicly.
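The two failures that made the reverse proxy necessary (an HTTP iframe on an HTTPS page, and a certificate that names a different host) can be checked mechanically. The following is an added example, not code from the original post; the blog URL, the `example.org` hosts and the sample HTML are constructed placeholders, and the `*.ala.org` name appears only to exercise the wildcard rule.

```python
"""Diagnose why an embed fails on an HTTPS-only page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose HTTP subresources browsers refuse to load on an HTTPS page
# ("blockable" mixed content), mapped to the attribute that holds the URL.
BLOCKABLE = {"iframe": "src", "script": "src", "embed": "src",
             "object": "data", "link": "href"}
# Media elements are treated more leniently (warning or automatic upgrade).
UPGRADABLE = {"img": "src", "audio": "src", "video": "src"}


class EmbedAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched as subresources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        attr = BLOCKABLE.get(tag) or UPGRADABLE.get(tag)
        if not attr or not attrs.get(attr):
            return
        # Relative and scheme-relative URLs inherit the page's https scheme.
        url = urljoin(self.page_url, attrs[attr])
        if urlsplit(url).scheme == "http":
            kind = "blocked" if tag in BLOCKABLE else "upgradable"
            self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """List (tag, url, kind) for every HTTP subresource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def hostname_matches(host, cert_names):
    """True if host matches a certificate name; '*' covers one leftmost label."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


# Constructed sample: an HTTPS blog post embedding the HTTP schedule iframe.
PAGE_URL = "https://blog.example.org/ala-schedule"  # placeholder blog URL
SAMPLE_HTML = """
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://blog.example.org/ala-schedule">
<script src="//cdn.example.org/lib.js"></script>
<img src="http://images.example.org/badge.png">
<iframe src="http://alaac15.ala.org/user/36364/schedule-embed"></iframe>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:10} <{tag}> {url}")
    # The certificate served for alaac15.ala.org named connect.ala.org.
    print("cert matches:", hostname_matches("alaac15.ala.org", ["connect.ala.org"]))
```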

Onward! I look forward to meeting friends old and new in San Francisco!

Shortly after it came to light that Adobe Digital Editions was transmitting information about ebook reading activity in the clear, for anybody to snoop upon, I asked a loaded question: does ALA have a role in helping to verify that the software libraries use protect the privacy of readers?

As with any loaded question, I had an answer in mind: I do think that ALA and LITA, by virtue of their institutional heft and influence with librarians, can provide significant assistance in securing library software.

I waited a bit, wondering how the powers that be at ALA would respond. Then I remembered something: an institution like ALA is not, in fact, a faceless, inscrutable organism. Like Soylent Green, ALA is people!

Well, maybe not so much like Soylent Green. My point is that despite ALA’s reputation for being a heavily bureaucratic, procedure-bound organization, it does offer ways for members to take up an idea and run with it.

And that’s what I did — I floated a petition to form a new interest group within LITA, the Patron Privacy Technologies IG. Quite a few people signed it… and it now lives!

Here’s the charge of the IG:

The LITA Patron Privacy Technologies Interest Group will promote the design and implementation of library software and hardware that protects the privacy of library users and maximizes user ability to make informed decisions about the use of personally identifiable information by the library and its vendors.

Under this remit, activities of the Interest Group would include, but are not necessarily limited to:

  1. Publishing recommendations on data security practices for library software.
  2. Publishing tutorials on tools for libraries to use to check that library software is handling patron information responsibly.
  3. Organizing efforts to test commercially available software that handles patron information.
  4. Providing a conduit for responsible disclosure of defects in software that could lead to exposure of library patron information.
  5. Providing sample publicity materials for libraries to use with their patrons in explaining the library’s privacy practices.

I am fortunate to have two great co-chairs, Emily Morton-Owens of the Seattle Public Library and Matt Beckstrom of the Lewis and Clark Library, and I’m happy to announce that the IG’s first face-to-face meeting will be at ALA Midwinter 2015 — specifically tomorrow, at 8:30 a.m. Central Time in Ballroom 1 of the Sheraton in Chicago.

We have two great speakers lined up — Alison Macrina of the Library Freedom Project and Gary Price of INFODocket, and I’m very much looking forward to it.

But I’m also looking forward to the rest of the meeting: this is when the IG will, as a whole, decide how far to reach.  We have a lot of interest and the ability to do things that will teach library staff and our patrons how to better protect privacy, teach library programmers how to design and code for privacy, and verify that our tools match our ideals.

Despite the title of this blog post… it’s by no means my effort alone that will get us anywhere. Many people are already engaging in issues of privacy and technology in libraries, but I do hope that the IG will provide one more point of focus for our efforts.

I look forward to the conversation tomorrow.

I recently circulated a petition to start a new interest group within LITA, to be called the Patron Privacy Technologies IG.  I’ve submitted the formation petition to the LITA Council, and a vote on the petition is scheduled for early November.  I also held an organizational meeting with the co-chairs; I’m really looking forward to what we all can do to help improve how our tools protect patron privacy.

But enough about the IG, let’s talk about the petition! To be specific, let’s talk about when the signatures came in.

I’ve been on Twitter since March of 2009, but a few months ago I made the decision to become much more active there (you see, there was a dearth of cat pictures on Twitter, and I felt it my duty to help do something about it).  My first thought was to tweet the link to a Google Form I created for the petition. I did so at 7:20 a.m. Pacific Time on 15 October:

Since I wanted to gauge whether there was interest beyond just LITA members, I also posted about the petition on the ALA Think Tank Facebook group at 7:50 a.m. on the 15th.

By the following morning, I had 13 responses: 7 from LITA members, and 6 from non-LITA members. An interest group petition requires 10 signatures from LITA members, so at 8:15 on the 16th, I sent another tweet, which got retweeted by LITA:

By early afternoon, that had gotten me one more signature. I was feeling a bit impatient, so at 2:28 p.m. on the 16th, I sent a message to the LITA-L mailing list.

That opened the floodgates: 10 more signatures from LITA members arrived by the end of the day, and 10 more came in on the 17th. All told, a total of 42 responses to the form were submitted between the 15th and the 23rd.

The petition didn’t ask how the responder found it, but if I make the assumption that most respondents filled out the form shortly after they first heard about it, I arrive at my bit of anecdata: over half of the petition responses were inspired by my post to LITA-L, suggesting that the mailing list remains an effective way of getting the attention of many LITA members.

By the way, the petition form is still up for folks to use if they want to be automatically subscribed to the IG’s mailing list when it gets created.

It came to light on Monday that the latest version of Adobe Digital Editions is sending metadata on ebooks that are read through the application to an Adobe server — in clear text.

I’ve personally verified the claim that this is happening, as have lots of other people. I particularly like Andromeda Yelton’s screencast, as it shows some of the steps that others can take to see this for themselves.

In particular, it looks like any ebook that has been opened in Digital Editions or added to a “library” there gets reported on. The original report by Nate Hoffelder at The Digital Reader also said that ebooks that were not known to Digital Editions were being reported, though I and others haven’t seen that — but at the moment, since nobody is saying that they’ve decompiled the program and analyzed exactly when Digital Editions sends its reports, it’s possible that Nate simply fell into a rare execution path.

UPDATE 10 October 2014: Yesterday I was able to confirm that if an ereader device is attached to a PC and is recognized by ADE, metadata from the books on that device can also be sent in the clear.

This move by Adobe, whether or not they’re permanently storing the ebook reading history, and whether or not they think they have good intentions, is bad for a number of reasons:

  • By sending the information in the clear, anybody can intercept it and choose to act on somebody’s choice of reading material.  This applies to governments, corporations, and unenlightened but technically adept parents.  And as far as state actors are concerned – it actually doesn’t matter that Digital Editions isn’t sending information like name and email addresses in the clear; the user’s IP address and the unique ID assigned by Digital Editions will often be sufficient for somebody to, with effort, link a reading history to an individual.
  • The release notes from Adobe gave no hint that Digital Editions was going to start doing this. While Amazon’s Kindle platform also keeps track of reading history, at least Amazon has been relatively forthright about it.
  • The privacy policy and license agreement similarly did not explicitly mention this. There has been some discussion to the effect that if one looks at those documents closely enough, that there is an implied suggestion that Adobe can capture and log anything one chooses to do with their software. But even if that’s the case – and I’m not sure that this argument would fly in countries with stronger data privacy protection than the U.S. – sending this information in the clear is completely inconsistent with modern security practices.
  • Digital Editions is part of the toolchain that a number of library ebook lending platforms use.

The last point is key. Everybody should be concerned about an app that spouts reading history in the clear, but librarians in particular have a professional responsibility to protect our users’ reading history.

What does it mean in the here and now? Some specific immediate steps I suggest for libraries are to:

  • Publicize the problem to their patrons.
  • Officially warn their patrons against using Digital Editions 4.0, and point to workarounds like pointing “adelogs.adobe.com” to “127.0.0.1” in hosts files.
  • If they must use Digital Editions to borrow ebooks, recommend the use of earlier versions, which do not appear to be spying on users.

However, there are things that also need to be done in the long term.

Accepting DRM has been a terrible dilemma for libraries – enabling and supporting, no matter how passively, tools for limiting access to information flies against our professional values.  On the other hand, without some degree of acquiescence to it, libraries would be even more limited in their ability to offer current books to their patrons.

But as the Electronic Frontier Foundation points out,  DRM as practiced today is fundamentally inimical to privacy. If, following Andromeda Yelton’s post this morning, we value our professional soul, something has to give.

In other words, we have to have a serious discussion about whether we can responsibly support any level of DRM in the ebooks that we offer to our patrons.

But there’s a more immediate step that we can take. This whole thing came to light because a “hacker acquaintance” of Nate’s decided to see what Digital Editions is sending home. And a key point? Once the testing started, it probably didn’t take that hacker more than half an hour to see what was going on, and it may well have taken only five.

While the library profession probably doesn’t count very many professional security researchers among its ranks, this sort of testing is not black magic.  Lots of systems librarians, sysadmins, and developers working for libraries already know how to use tcpdump and Wireshark and the like.

So what do we need to do? We need to stop blindly trusting our tools.  We need to be suspicious, in other words, and put anything that we would recommend to our patrons to the test to verify that it is not leaking patron information.
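One way to run that kind of check, as an added example that is not part of the original post: capture the application's traffic to a file (for instance with `tcpdump -w`), then scan it for unencrypted HTTP requests that carry strings you know you fed the app, such as the title of the book you just opened. The sketch assumes a classic pcap file (not pcapng) with Ethernet framing and does no TCP reassembly; the host name `telemetry.vendor.example`, the book title, and the sample packets are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

def tcp_payloads(pcap):
    """Yield (dst_ip, dst_port, payload) per IPv4/TCP frame in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        (incl,) = struct.unpack(order + "I", pcap[off + 8:off + 12])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # truncated, not IPv4, or not TCP
        (ip_len,) = struct.unpack("!H", frame[16:18])
        tcp = frame[14 + (frame[14] & 0x0F) * 4:14 + ip_len]
        if len(tcp) >= 20:
            (dport,) = struct.unpack("!H", tcp[2:4])
            yield ".".join(map(str, frame[30:34])), dport, tcp[(tcp[12] >> 4) * 4:]

def find_cleartext_http(pcap, watch_terms):
    """Report each unencrypted HTTP request and the watched strings it exposes."""
    findings = []
    for dst, dport, data in tcp_payloads(pcap):
        if not data.startswith(HTTP_METHODS):
            continue  # TLS records and other non-HTTP payloads are not flagged
        host = dst  # fall back to the IP address when no Host header is present
        for line in data.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        exposed = [t for t in watch_terms if t.encode() in data]
        findings.append({"host": host, "port": dport, "exposed": exposed})
    return findings

def _frame(dport, payload):  # constructed Ethernet/IPv4/TCP frame, checksums left at zero
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed capture: one cleartext POST and one TLS record, for offline testing."""
    body = b'{"title": "Example Novel", "pagesRead": 42}'
    http = (b"POST /log HTTP/1.1\r\nHost: telemetry.vendor.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    frames = [_frame(80, http), _frame(443, b"\x16\x03\x01\x00\x05hello")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

An empty result only means no single-packet cleartext HTTP request was seen; it says nothing about what is sent inside encrypted connections.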

This is where organizations like ALA can play an important role.  Some things that ALA could do include:

  • Establishing a clearinghouse for reports of security and privacy violations in library software.
  • Distributing information on ways to perform security audits.
  • Testing library software in house and hiring security researchers as needed.
  • Providing institutional and legal support for these efforts.

That last point is key, and is why I’m calling on ALA in particular. There have been plenty of cases where software vendors have sued, or threatened to sue, folks who have pointed out security flaws. Rather than permitting that sort of chilling effect to be tolerated in the realm of library software, ALA can provide cover for individuals and libraries engaged in the testing that is necessary to protect our users.

After I got back from this year’s ALA Annual Conference (held in the City of It’s Just a Dry Heat), I saw some feedback regarding B.J. Novak’s presentation at the closing session, where he reportedly marred a talk that by many accounts was quite inspiring with a tired joke alluding to a sexual (and sexist) stereotype about librarians.

Let’s suppose a non-invited speaker, panel participant, or committee member had made a similar joke. Depending on the circumstances, it may or may not have constituted “unwelcome sexual attention” per the ALA Statement of Appropriate Conduct at ALA Conferences, but, regardless, it certainly would not have been in the spirit of the statement’s request that “[s]peakers … frame discussions as openly and inclusively as possible and to be aware of how language or images may be perceived by others.” Any audience member would have been entitled to call out such behavior on the spot or raise the issue with ALA conference services.

The statement of appropriate conduct is for the benefit of all participants: “… members and other attendees, speakers, exhibitors, staff and volunteers…”. It does not explicitly exclude any group from being aware of it and governing their behavior accordingly.

Where does Novak fit in? I had the following exchange with @alaannual on Twitter:

A key aspect of many of the anti-harassment policies and codes of conduct that have been adopted by conferences and conventions recently is that the policy applies to all event participants. There is no reason to expect that an invited keynote speaker or celebrity will automatically not cross lines — and there have been several incidents where conference headliners have erred (or worse).

I am disappointed that when the Statement of Appropriate Conduct was adopted in late 2013, it apparently was not accompanied by changes to conference procedures to ensure that invited speakers would be made aware of it. There’s always room for process improvement, however, so for what it’s worth, here are my suggestions to ALA for improving the implementation of the Statement of Appropriate Conduct:

  • Update procedures to ensure that all conference speakers are made aware of the Statement.
  • Update speaker agreements for invited speakers to require that they read and abide by the Statement.
  • Make available a point of contact for all speakers who can answer questions regarding the Statement and how it applies to presentations. This should not be construed as a request that ALA review the content of presentations beforehand, just that ALA provide an individual who can help speakers interpret the Statement in case of doubt.
  • Ensure that the exhibitors’ manual and the exhibitors’ portal (exhibitors.ala.org) prominently link to the Statement. This does not appear to be the case at the moment, although this may be due to the exhibitors’ portal switching over to the upcoming Midwinter.
  • If this is not already the case, ensure that exhibitor agreements incorporate the Statement.
  • Discuss the Statement periodically and adjust it based on feedback from conference attendees and emerging best practices from other conferences. Speaking of feedback, the Magpie Librarian is conducting a survey (that closes today) to gather information about code of conduct violations at past ALA conferences.

I invite feedback, either here or directly to ALA.

I yield!  Not only does Karen Schneider’s conference schedule beat up my schedule, it all but vaporizes it.

Nonetheless, I will be in Chicago, just not bouncing around quite so much.  When I’m not at MPOW’s booth in the exhibits hall, I’ll be attending:

  • LITA Open Source Systems Interest Group (Saturday, 29 June from 1-2:30 at the Palmer House Hilton, Price Room)
  • ALCTS/LITA MARC Formats Transition Interest Group (Saturday, 29 June from 3-4 at McCormick Place, room E351)
  • LITA/ALCTS Linked Library Data Interest Group (Sunday, 30 June from 8:30-10 at McCormick Place, room N129)
  • LITA Imagineering Interest Group (Sunday, 30 June from 10:30 to 11:30 at McCormick Place, room N134)

I’m outgoing chair of the Open Source Systems IG, so I should mention that during the meeting we will be having a discussion on the organizational structures behind open source software.  For example, user groups–Evergreen has a very organized user group and so does Koha.  Is a foundation beneficial?  How is software development handled?  Is there a release manager?  How is project funding managed?

It promises to be an interesting discussion, so I invite any and all to attend.