Interview with Alison Macrina

Alison Macrina is a librarian, privacy rights activist, and the founder and director of the Library Freedom Project, an initiative which aims to make real the promise of intellectual freedom in libraries by teaching librarians and their local communities about surveillance threats, privacy rights and law, and privacy-protecting technology tools to help safeguard digital freedoms. Alison is teaching a class for Library Juice Academy next month, called Everything to Hide: A Toolkit for Protecting Patrons’ Digital Privacy. She has agreed to do an interview here, to tell people about the class and also to talk about the Library Freedom Project.

Hi Alison, thanks for agreeing to do this interview.

Hi Rory, thanks for having me.

I want to start by asking you to briefly describe the Library Freedom Project and a bit about how it got started.

Library Freedom Project is an initiative to bring practical privacy education and tools into libraries and the communities they serve. We teach librarians about threats to privacy from government, corporate, and criminal actors, privacy law and our responsibility to protect privacy, and privacy-enhancing technology tools that can be installed on library PCs or taught to patrons in computer classes. We work closely with the ACLU — particularly the ACLU of Massachusetts — and with The Tor Project, who are the technologists building a few of the privacy technologies we recommend.

I started Library Freedom Project after Edward Snowden began his revelations about mass surveillance in the summer of 2013. The Snowden revelations showed me that the problem was much more massive than any of us could have imagined — and this includes those of us who opposed the passage of the USA PATRIOT Act back in 2002. I was working as a library technologist at the time, and I saw libraries as the ideal places to fight back against this kind of pervasive surveillance. For one, we have a historic commitment to privacy and recognize the relationship it has to intellectual freedom and censorship. We’re often the only spaces offering free computer instruction classes, and our computer terminals are for many their only computer access. Furthermore, libraries have long prioritized service to marginalized populations — such as immigrants, Muslims, people of color, formerly incarcerated people, and people who are or have been homeless — and we know that surveillance affects these populations much more significantly than the general population. So it seemed to me an obvious way of combining our values and our commitment to our communities with a very real social need, and I began traveling around my home state of Massachusetts with staff of the Massachusetts ACLU, training librarians on surveillance resistance.

Is the training you’re giving them similar to what you’ll be teaching in your class with us?

There are overlapping topics, yes. But the class will cover a lot more ground.

So what will the class cover?

The class will start with some of the issues around surveillance and privacy, as well as threat modeling — understanding the capabilities of our adversaries and determining which particular ways we want to protect ourselves. We will cover many of the ways in which the internet is a hostile and insecure place. Then we will learn how to use the technology, getting into more advanced topics like PGP for email and OTR for chat.

Full disclosure: I’m planning to sit in on your class, because I want to learn about these things. I’m a little embarrassed to tell you, but I think I’m typical of librarians in that I am aware of privacy issues in general but tend not to do much to address the problem in my own work life. I use Google services heavily, along with Dropbox and Evernote, often for important things. I anticipate that your course will help me feel empowered and encouraged to make changes in my own work life, as well as to equip me to help others. Do you find when you do trainings that you have that effect on librarians? What are your thoughts on that?

I don’t think that’s something to be embarrassed about. You’re where most people are. And I do find that our trainings are empowering, because at the very least they give people a framework to understand these issues, and they can start making small, meaningful changes immediately. Privacy is ultimately about control, and the loss of that control can feel very discouraging. Taking back even a little of it certainly helps people combat their feelings of despair.

You’ve been doing the trainings for a little while now. What are some of the common issues that come up, that you expect to address in the class? What are some of the more problematic issues?

There are a great number of challenges — pretty much all of this information is new to the participants, the issues around privacy and surveillance are too big to know, the problems are massive, and the adversaries are powerful. Plus, most people are nontechnical (not an insult) and privacy-enhancing technologies can be more difficult than technologies that trade privacy for convenience. I will try to address those issues in the class the way that I do whenever I teach: people should know that even small changes can be significant, and that security is a process. The internet is a hostile place, and we have a lot of work to do to overcome that, but we can be successful if we take it one step at a time, adopt new strategies and get comfortable with them, and then move on to something new when we’re ready.

I just want to clarify that when you say “the internet is a hostile place,” you’re not talking about people who are assholes in the comment section; you are talking about spyware and things like that, right? In your experience, are we less than fully aware of the extent of the hostility you’re referring to?

Well, in some ways I do mean both. There are hostile individuals who want to dox feminists and marginalized people online, and they use some of the same resources that the intelligence agencies do. But mostly I mean that the internet was never designed to be secure or private, and the adversaries have so much power. People are DEFINITELY unaware of the extent of the hostility, and who can blame them? So much of it is invisible. For example, most people don’t know that Flash is ridiculously hostile, because they go on using it. Most people don’t know that leaving your software updates for days or weeks or longer is putting you in a lot of danger of exploitation. Most people — even those who followed the Snowden leaks — don’t have any idea of the capabilities of the intelligence agencies and how those are used against real people in our communities. I honestly don’t know anyone who knows the full extent of the internet’s hostility, because so much of the internet is essentially secret — proprietary, closed source technology that can’t be examined for security flaws or malicious code, and agencies that operate under incredible secrecy. Fortunately, the technology exists to protect us — but making that mainstream is its own Herculean task. That’s why libraries are the right places to teach this stuff. We have to make it mainstream.

It strikes me that we’re still under the strong influence of an idealistic cyber-utopian vision of the internet, as a technology that links the world together benevolently. What you’re saying is that people need to be made aware that the opposite is true, and that libraries should have a central role in teaching people to defend themselves in an environment that we formerly cherished for its openness. Is that right? If so, what does it mean for the library ideal of information sharing? I mean, I remember Sandy Berman quoted as saying, “I can’t have information I know would be of interest to someone and not share it.” Privacy education is about teaching people how not to share information. Is there a tension here, and do you think it reflects changing times?

The internet does need to be open, but that doesn’t mean that individuals should be exploited by its openness. I believe in transparency for governments and corporations, and privacy for individuals. There doesn’t need to be a tension, because you can define it easily across those lines. Libraries have long recognized this — providing information access has *never* meant “freely handing over patron records to the police with no warrant”; we know that privacy and intellectual freedom depend on one another. And Sandy Berman, bless him, maybe didn’t consider how much advertisers might want information about his lifestyle habits, his intellectual interests, and his associations, and maybe he didn’t consider how they’d use that information to shape public opinion and filter the results we get on the web — thus making it less open and free. He also probably didn’t imagine that those advertisers would use means totally hidden to the average user…not exactly openness or transparency. Furthermore, he probably never thought about how secretive and powerful intelligence agencies would grow in the Global War on Terror-era, to the point where they, too, have access to all that advertising data, plus anything else we share with a third party, plus a whole lot of other stuff too.

Now, simultaneously, my belief in a free and open internet means that I value free and open source software — software where the source code is shared openly and can be scrutinized for security holes or other privacy threats — thus making it the best option for people who want to defend against these adversaries. Using FOSS protects internet freedom, including privacy, and is one way we can make the internet a more democratic place.

Thank you, you’ve drawn the key distinctions that I needed.

So the Library Freedom Project trains librarians to do patron education about privacy. I wonder if you’re also interested in addressing library policies around patron privacy. What are some of the issues there? And is that within the scope of the project?

Yes, but we are a tiny organization and so we haven’t been able to make this a priority. I did help a small amount with the best practices guidelines created by the Intellectual Freedom Committee and the LITA Patron Privacy Interest Group. The guidelines address some of the major issues — that is, we’ve given 3rd party vendors so much access to patron data, we have not demanded secure transmission and storage, and so on. That’s how we wound up with the Adobe breach, something that we should be deeply ashamed of as information professionals. It seems to me that in our push to get more electronic content for our patrons, we left privacy out of our policies and contracts almost entirely, and now that’s come back to bite us.

Right after you answered that question you did a webinar, which I attended. I noticed that in your presentation you were addressing the librarians in attendance as the users of the tools, rather than explicitly as patron educators, or stewards of patrons’ privacy. It probably isn’t a meaningful difference, because either way the librarians need to know the tools they are going to be teaching. But in teaching to an audience of librarians as direct users of the tools, you assumed a degree of motivation that may not be as high as it is for political activists whom librarians may find themselves helping as patrons. Not that privacy isn’t something everyone should be interested in, but I know that in my case, if I decided to get involved with Deep Green Resistance I would start to get very concerned about privacy and would want to use Tor and PGP a lot, when in the course of my daily work I am not concerned to that degree. How do you navigate that issue in teaching and doing in-depth workshops? Are there any issues that have a different shape depending on whether the librarians are the users of the tools or the stewards and educators?

Well, when I only have 15 minutes to speak, my approach is quite different than when I have an hour or more. Also, I don’t think I was really addressing the librarians only as users of the tools — I referred back to April’s part of the presentation frequently, mentioning how tracking affects our communities, etc. I can’t really get into teaching strategies in a 15 minute presentation, but some of the resources I referred to on our site include a teacher’s guide.

I’m also not really sure what you mean about assuming a degree of motivation — people showed up to a webinar about privacy, which tells you something already about the motivation they have in learning about privacy tools. I don’t think it’s wrong to believe that they are thus motivated to, you know, do what I suggest that they do. Also, it is my experience that librarians are HIGHLY motivated to help their communities protect their privacy — whether those community members are political activists or domestic violence survivors or whatever. Librarians are service-minded people, and they tend to care very much about the ways their patrons are affected by privacy issues. April brought up a lot of those issues in the first half of the presentation — for example, how advertisers use algorithms to target people of color with predatory lending ads. If there are librarians who hear about how these issues affect our communities in serious ways, and they still don’t care to help them…I’m not really sure what to tell those librarians, frankly.

Also, our longer trainings go into much more detail about specific threats, cover a much wider range of tools, and offer teaching strategies as well. In those in-depth trainings, we cover the reasons why all people, not just political activists or people with more serious threats, have a reason to use these tools. For example, you mention PGP encryption. Maybe you’re unmotivated to use it, but if I explained to you how insecure and nonprivate email is, you might change your tune. You surely have had to send tax forms or other sensitive material over email, and that is incredibly unsafe without PGP encryption. Tor Browser also might seem like too much for you, but if you knew how much advertisers, analytics companies, A/B testers, and the like were collecting information about you and using it to filter your web content and create an information profile about you to sell you products, you again might feel differently. Those are only two examples. My assumption in teaching librarians is always that they are both users and teachers of the tools, because in order to be good teachers, they have to use the tools themselves and understand them.

That makes good sense. It will be good to see how you get into issues of patron education in more depth in the class. Patron education, and do you also get into issues of ensuring greater privacy for patrons in their use of the internet in the library? I recall you mentioning in the webinar that you have helped a couple of libraries install Tor on public computers. Is that a complicated thing, as far as getting admin to go along with it? Do you find issues with untraceable, anonymous services? I am thinking of this because I remember hearing a story about something that happened at my last place of work. There was a patron who used a public computer to send a serious threat, and the IT department tracked the computer using its IP, and then used the surveillance footage to ID him, and the police ultimately made an arrest. I know that the people in IT and in the admin office, at that place anyway, were interested in helping law enforcement, and they didn’t hesitate to violate the patron’s privacy in order to help the police. And in this case, he wasn’t just exercising his first amendment rights. I am pretty sure that at that library the administration would be reluctant to install a system that got in the way of their cooperative relationship with law enforcement. That’s not very nice to think about, but I bet it is common. Have you ever gotten pushback about things like installing Tor on a public terminal?

Yep, I will talk about teaching strategies. And yes, half the point of teaching these tools is trying to get libraries to install them on public PCs. As for the difficulty in getting admin to agree to things like that, it really depends on the library itself. Some libraries have agreed immediately — like the library in Lebanon, New Hampshire, where we installed our first Tor relay. Their board and director agreed to join the project unanimously. Others are harder to convince, but as more and more libraries start making this a norm, it won’t be as hard.

As for the situation you outline, that sort of activity is exceedingly rare, and most libraries will never have to deal with something like that. But what is incredibly common is that our communities face surveillance threats every time they use the internet, from pervasive advertising to overzealous intelligence agencies, and all the malware and criminal hacking that comes with using insecure tools. A browser that makes it easy for the police to identify the source of criminal activity also makes it easy for a domestic violence survivor to be tracked by her abuser, or for a poor person to be targeted by predatory lending schemes, or for children to be followed by malicious people, or for anyone to have their online activity tracked step by step. That is not a free internet, but an internet ruled by adversaries. That worries me much more than the rare occurrence of criminal activity on library computers. Furthermore, criminals have many options, because they are willing to break the law to achieve their ends — they can use proxies or spoof MAC addresses or find some other way of conducting their activities. Other people who need privacy don’t have those options, and we should prioritize their needs, because there are many more of them than there are criminals. It is of course a risk to give people the freedom of anonymity online, but in a democracy, we are often confronted with such decisions. As the ALA Freedom to Read Statement says: freedom itself is a dangerous way of life, but it is ours.

Thanks for saying all of this so well. I’ve been provoking you a little bit and I’m really glad that you’ve said all of this. I’m excited that you’re going to be teaching this class for us, and I hope you keep inspiring people to take control of their online privacy. Thanks for the interview.

Thanks Rory. I am really excited to teach the class — I’ve never had the chance to teach so many people over such a long course of time — and I’m excited to see what we can all learn from each other.