
Using your library software – what third parties will get to know about our library customers

Dr. Andreas Sabisch, FU Berlin, Universitätsbibliothek, Garystr. 39, 13469 Berlin, andreas.sabisch@fu-berlin.de


Presentation Transcript


  1. Using your library software – what third parties will get to know about our library customers
     Dr. Andreas Sabisch, FU Berlin, Universitätsbibliothek, Garystr. 39, 13469 Berlin, andreas.sabisch@fu-berlin.de

  2. Agenda
     • Motivation for this investigation
     • Web communication for dummies
     • Examples of third-party communication
     • What to do

  3. Why we must deal with
     We must protect the digital privacy of our patrons
     • EU laws, national laws, university rules
     • Questions from patrons, university boards, secure research, …
     We (especially in Germany) have to describe how we deal with the patrons' data
     • Description of the data protection rules (Datenschutzerklärungen)
     • Avoid producing, storing and propagating data
     • Right of informational self-determination (BVerfG) (Recht auf informationelle Selbstbestimmung)
     We have a monopoly with our library systems
     • Loan, EZ-Proxy access, course material, …
     How we can do this
     • Analysis
     • Description
     • Avoidance

  4. HTTP communication

  5. Web logs and cookies
     What is in a web server log: the Apache log file
       130.133.152.192 - - [10/Apr/2014:09:16:44 +0200] "GET /docs/images/poweredby.gif HTTP/1.1" 200 2376 "http://160.45.152.195/docs/content/below/index.xml" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
     • IP of the requesting host: 130.133.152.192
     • When: 10/Apr/2014:09:16:44 +0200
     • What (request): /docs/images/poweredby.gif
     • Technical information, success code and transferred volume: 200 2376
     • Where the request comes from (referrer): http://160.45.152.195/docs/content/below/index.xml
     • Browser information: "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
     Recognition by the web server: the cookie file
     • Cookie: text file
     • Name: JSESSIONID
     • Value: 7AE6B0776E8F4D75BAC8B46189F419FB
     • Host: primo.kobv.de
     • Path: /primo_library/libweb
     • Sent for: each connection type
     • Valid until: end of session
     Only the web server that sent the cookie can read it. But each third party involved in the request can set a cookie.
     Flash cookies: hard to detect, no example found yet in a library environment
     Scripts that send additional information

  6. A picture in pieces
     • Logging one request gives a piece of information
     • Logging a lot of requests gives a storyline
     • Logging a lot of requests from different servers gives the whole life
     That is what Google and Co. will do
     • To X-ray one person (i.e. to give you personalized services and advertising)
     • To get statistical evidence for a whole group (i.e. people who are interested in this are interested in this as well)

  7. How to analyse data traffic (sniffing)
     Professional tools
     • tcpdump for automatic processing
     • Wireshark with graphical interface
     Analysis with Wireshark (suggestion for professionals)
     • Create a filter (broadcast/own IP; just TCP or HTTP …)
     • Do one action in the browser, start with the analysis. If necessary, repeat.
     • Analysing a whole session is hard work. You can do this best if you check for special issues in this session, i.e. which hosts participate in this session.
     Browser tools (for a quick glimpse)
     • i.e. Firefox => Extras -> Webtools -> Network; limited to HTTP, no TCP and TLS connections
     I will use these browser tools for some examples

  8. Aleph catalogue with tracking bugs
     • dbs.pixel.hbz-nrw.de: DBS tracking bug; legal, described
     • Recommander.bibtex.de: Bibtip recommender system; legal, but not described

  9. Primo including a second source (library blog)
     • RSS feed from our library blog
     • ajax.googleapis.com
     • Formatting from RSS to JSON

  10. … and without Google: no Biblioblog entry
     Blocking Google: no information anymore

  11. Primo result site
     • books.google.com
     • exlibris-pub.s3.amazonaws.com
     • images.amazon.com

  12. bX in Primo
     • recommande-bx.hosted.exlibrisgroup.com: bX service, integrated in Primo
     • beacon01.alma.exlibrisgroup.com: a tracking bug from ExL, no description available

  13. A licensed journal web site
     • Imagic17.247realmedia.com
     • metric.sciencemag.org
     • now.eloqua.com
     • www.google-analytycs.com

  14. Short-term work in the library
     Check with tools for third-party requests
     Test the functionality of your site while blocking the requests
     Remove the third-party requests
     • With other/own functions
     • By commenting them out in code or web pages
     • With help from your provider (i.e. ExL)
     Describe necessary third-party requests for your patrons; include the data protection policy of the third party
     Describe the users' possibilities to protect their data
     Help users with a proxy server (i.e. the university computer department)

  15. Patron options at the moment
     Blocking programs like Adblocker or Ghostery
     • Pro: selected third-party requests
     • Contra: lack of functionality
     Using a proxy server
     Opt-out option: conforms to data protection law (Datenschutzkonforme Herangehensweise), but much effort
     Tor: anonymous surfing

  16. Long-term issues in libraries
     We must accomplish an 'opt in' culture
     • Core functions must be in data-safe structures
     • Add-ons must be chosen by the patrons with knowledge of the third parties involved (opt-in process)
     The library infrastructure and systems must support this strategy

  17. Summary
     • Modern library software often includes third-party requests
     • Third parties get information about your patrons via referrer information
     • This violates the patrons' 'right of informational self-determination'
     • Analyse your software environment
     • Try to be law-conform: avoid or describe
     • Long term: accomplish an 'opt in' culture

  18. Highlights
     • Each HTTP request gives information like IP address and referrer to the web server it is sent to
     • A web site very often includes requests to third parties. These requests send the same information to the third-party server and are nearly invisible to the user
     • We, as the providers of the library systems, are responsible for the data privacy policy for the users of our systems
     • We must take care about the sending of user data to third parties and should always use options for a safe privacy policy
     • Doing this is important to give our users the rights to their private data back (in German: ‚Bewahrt das Recht auf informationelle Selbstbestimmung‘)
     • Thanks to Dr. Voss, HU and Uwe TU, who found the back tacks of hosted.exlibris.com and gave the impulse for this investigation
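The log fields listed on slide 5 and the "storyline" idea of slide 6, as an added example that is not part of the original presentation: it parses Apache combined-format lines and orders the referrers seen per client IP. Apart from the slide's own log line, the sample lines are constructed, and `catalogue.example` and `/pixel.gif` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the line shown on slide 5.
COMBINED = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["when"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def storylines(lines):
    """Per client IP, the referrers it revealed, in time order."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["referer"] not in ("", "-"):
            by_ip[rec["ip"]].append((rec["when"], rec["referer"]))
    return {ip: [ref for _, ref in sorted(hits)] for ip, hits in by_ip.items()}

UA = "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"

def line(when, path, size, referer):
    """Build one log line for the client IP used on the slide."""
    return (f'130.133.152.192 - - [{when} +0200] "GET {path} HTTP/1.1" '
            f'200 {size} "{referer}" "{UA}"')

# SAMPLE[1] is the slide's log line; the others are constructed to show what a
# third-party pixel host could log (hypothetical catalogue.example, /pixel.gif).
SAMPLE = [
    line("10/Apr/2014:09:18:30", "/pixel.gif", 43,
         "http://catalogue.example/record/12345"),
    line("10/Apr/2014:09:16:44", "/docs/images/poweredby.gif", 2376,
         "http://160.45.152.195/docs/content/below/index.xml"),
    line("10/Apr/2014:09:17:02", "/pixel.gif", 43,
         "http://catalogue.example/search?q=constructed+query"),
    "not a log line",
]
```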
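One way to carry out the "check with tools for third-party requests" step from slides 7 and 14, as an added example that is not from the original presentation: it reads a HAR-shaped capture, as exported from the browser's network tools, and reports per third-party host what it was sent. The host names come from the slides; the paths, query strings and cookie values are constructed, and "first party" is assumed to mean the given host and its subdomains.

```python
from urllib.parse import urlsplit

def is_first_party(host, first_party):
    """True if host is the first-party host or one of its subdomains."""
    host, first_party = host.lower(), first_party.lower()
    return host == first_party or host.endswith("." + first_party)

def third_party_report(har, first_party):
    """Map each third-party host in a HAR capture to what it was sent."""
    report = {}
    for har_entry in har["log"]["entries"]:
        req = har_entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if is_first_party(host, first_party):
            continue
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        item = report.setdefault(
            host, {"requests": 0, "referers": set(), "cookie": False})
        item["requests"] += 1
        if "referer" in headers:
            item["referers"].add(headers["referer"])  # page URL leaked to host
        item["cookie"] = item["cookie"] or "cookie" in headers
    return report

def entry(url, **headers):
    """Build one minimal HAR entry (only the fields the report reads)."""
    return {"request": {"url": url, "headers": [
        {"name": name, "value": value} for name, value in headers.items()]}}

# Constructed capture of one catalogue page load; hosts as named on the slides.
PAGE = "http://primo.kobv.de/primo_library/libweb/search?query=constructed+example"
SAMPLE_HAR = {"log": {"entries": [
    entry(PAGE, Cookie="JSESSIONID=constructed"),
    entry("http://primo.kobv.de/primo_library/libweb/style.css", Referer=PAGE),
    entry("http://books.google.com/books?constructed=1", Referer=PAGE),
    entry("http://images.amazon.com/constructed/cover.gif",
          Referer=PAGE, Cookie="constructed-id=1"),
    entry("http://images.amazon.com/constructed/cover2.gif", Referer=PAGE),
]}}
```

Current browsers trim cross-origin referrers to the origin by default, so the referrer value a third party receives depends on the browser version and the site's Referrer-Policy.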
