Tag Archives: digital literacy

Awareness, Planning, Resilience: Thoughts on Libraries’ Cyber Defense in 2020

Digital vulnerabilities pose serious challenges for organisations, governments, companies and the wider public – libraries included. Cyberattacks and data breaches made headlines many times throughout 2019, from social media and popular software to public agencies. As a landmark 2019 report of the UN Secretary-General’s High-level Panel on Digital Cooperation pointed out, both the scope of threats and the range of targets for such attacks is rapidly growing.

For libraries, the importance of protecting the data and information they work with every day is readily apparent. Less than a week into 2020, the Contra Costa County Library in the US experienced a ransomware attack, impacting a number of library services.

From email scams to hacks into a library user database, library systems can become targets – and as the COVID-19 outbreak puts more pressure on online library resources, securing their digital assets and services, not least in order to protect staff and users, is a high priority. What is at stake, and what suggestions and tips for boosting libraries’ security can we draw from broader literature and available toolkits?

The Broader Context

Broadly in the field of security, you can think of three types of threats towards data:  it can be lost, exposed, or made inaccessible (known as the CIA triad – confidentiality, integrity and accessibility). A poll among cybersecurity professionals, for example, shows that the three biggest expected threats in 2020 are “weaponized email attachments and links (74%), ransomware (71%), banking trojans and other browser-based password hijackers (67%)”.

An alternative top-level taxonomy of threats (borrowing from ENISA guidelines for a different sector) identifies: malicious actions (as described above), supply chain failure (e.g. cloud service provider failure), systems failure (e.g. software of device failure), as well as threats stemming from human errors or other phenomena. All, clearly, can have negative impacts.

On the positive side, however, public awareness on digital security and privacy matters has fundamentally shifted in the recent years, and more and more organisations and companies put a high priority on addressing these issues. In the UK alone, for example, about three-quarters of charities and businesses in 2019 reported that cybersecurity is a “high or very high priority”.

It is not just public attitudes that are changing. As the 2019 Internet and Jurisdiction report points out, security regulations are increasingly often linked to other fields of government regulation – especially data privacy. This can impact libraries: for instance, a 2019 publication by the Colorado  State  Library discussed how the recently introduced state regulation on personal information creates obligations for libraries to, inter alia, ‘implement reasonable security procedures and practices’. Similarly, under the EU GDPR libraries as data controllers have a responsibility to, inter alia, prevent, detect and report attacks and security breaches.

These regulations point to the fact that security concerns for libraries will always be particularly pressing when dealing with personally identifiable information (as well as, arguably, information on the habits and preferences of their users). So how to respond?

Assess and plan: key questions to ask

Map the assets, know the threats

A first key step to boosting a library’s cyber defence, as suggested in a number of recommendations and broader literature, is to take stock of your assets and digital systems. Map your entire system to see what needs to be protected: the Integrated Library System, the data you store, staff and patron computers, tablets and other devices, the library website, the network… Whenever applicable, this can also include apps and cloud services, since those can also contain vulnerabilities.

Once you know your assets, consider the vulnerabilities, priorities and risks. A toolkit published by Scottish PEN adapts an Electronic Frontier Foundation guide to highlight the key questions to consider:

  1. “What do you want to protect?”
  2. “Who do you want to protect it from?”
  3. “How likely is it that you will need to protect it?”
  4. “How bad are the consequences if you fail?”
  5. “How much trouble are you willing to go through in order to try to prevent those?”

You can also consider who has access to the assets you want to protect, and how you would know and respond if something goes wrong.

These questions can help you decide what measures to take to safeguard both privacy and security.

Setting up a plan

Having mapped the assets and considered the risks, you can develop a plan of security measures and risk mitigation strategies. Just like the assessment step, this is something to do together with your IT team – if your library has access to one! A 2019 Library Freedom Institute lecture on cybersecurity, for example, mentioned that some libraries might get IT support through their consortia or similar organisations, at a local City Hall, or elsewhere.

Your security plan and risk mitigation strategy would be built with your assets and situation in mind. Some key elements to consider when developing your security regime and policies are as follows – as set out in the Cyber Security Toolkit for Boards developed by the UK National Cyber Security Center:

  • Network security
  • User awareness and education
  • Malware defense and prevention
  • Access to removable media
  • Maintaining the secure configuration of all systems
  • Managing and limiting user privileges
  • Incident management
  • Monitoring
  • Home and mobile working policy and security

Remembering the basics

Among these fundamental elements of the security regime, there are of course a few key concrete and tangible steps that can boost the security of your data, devices and processes. These are often mentioned when discussing the basics of cybersecurity, and you will likely have heard then often before:

  • Creating backups of your systems is crucial! A library that experiences a ransomware attack, for example, could be able to restore their systems faster with the help of existing backups. Have a backup plan and system that fits your needs and capacities.
  • Keeping your software updated, installing all patches and updates is a key security measure.
  • Setting up a password policy. See, for instance, the Tactical Tech Data Detox Kit chapter on passwords to see what makes a good password (or better yet, a passphrase!)
  • Website owners are encouraged to encrypt their website(s) and make use of HTTPS protocols instead of HTTP. HTTPS is a secure and encrypted protocol for communication between web browsers and websites – and the EFF offers some advice and resources for website owners on how to implement HTTPS by default. A 2018 case study of one public library’s HTTPS implementation points out that it is important to make use of HTPPS and related security measures consistently and pervasively, across all web-based library applications and their elements.

Staff training: protecting the library together

A key part of a library’s cyber defense – drawing on both broader literature and some library-focused overviews  – is making sure that all your staff is caught up on the basics of online security. This can help make sure that the whole team is more alert and aware, reducing the likelihood of some of the most common threats like phishing or malware distributed through emails.

There are different resources available to start such training – such as those developed by the EFF. A 2019 pilot study published in Information Technology and Libraries, for example, provides initial evidence of how librarians taking part in online cybersecurity courses can utilise their knowledge to strengthen cybersecurity practices in their libraries.

Create learning opportunities for your communities

And finally, libraries can be well-positioned to help their community members learn essential skills to be safe online. There are different examples of how libraries have approached this task – from ad-hoc assistance or linking users to relevant educational materials, to dedicated workshops (see, for instance, a listing from the Tompkins County Public Library) or offering full courses on cyber-security (e.g. in the Hague Public Library).

Libraries can partner with cybersecurity specialists and agencies to deliver such training – as well as host dedicated awareness-raising campaigns. Depending on capacity, a library can adopt some of the approaches listed above- or find their own ways to help their communities with learn essential cybersecurity skills.

These are of course just a few broad elements highlighted in the broader literature to consider when creating a library’s security strategy. With more demand for online library resources and services – and so more risk – it is worthwhile to go over your library’s security plans and practices to be sure that your data, information and processes are safe and well!

Essential, Meaningful, Equal? The World Wide Web at 31

The need for resilience in the face of a crisis lay behind the creation of one of the key forerunners of the World Wide Web – ARPAnet. Through facilitating more direct communication between people, the goal was to be able to cope with the consequences of a nuclear attack destroying parts of the network.

Today, on the 31st birthday of the creation of the World Wide Web, the crisis faced is not a military one, but a global pandemic which is seeing millions of people obliged to reduce their movements and change their habits in order to slow or stop its spread.

Thanks to the invention of the Web, and its subsequent development, many people are now facing disruption rather than a complete stop to their activities. Clearly this is not the case for everyone, and there are many working in the health, security, food and other sectors who have to continue to work as hard, if not harder than before.

Nonetheless, for everyone else, the possibility to move so much of their professional and social lives online, at least temporarily, is both unprecedented and welcome. For libraries in particular, it means that there is the possibility to continue to provide core services in support of their communities.

This blog explores this situation further, as well as underlining the need for continued effort to ensure that everyone has the possibility to benefit from this possibility.


An Essential Service

As highlighted in the introduction, one of the core features of the World Wide Web is its ability to ‘route around’ challenges and issues, meaning that the loss of any one connection or hub does not mean that all communication is lost.

Clearly the global pandemic faced today is not a threat to the physical integrity of the Web (although there are plenty of other risks here), but to societies and economies. Yet just as the Web and its forerunners were designed to allow life to continue as best possible in the face of a crisis, it now allows a much greater share of our jobs, communication, entertainment and beyond to go on.

This is not least the case when it comes to access to knowledge and culture – the core of the work of libraries.

Clearly the requirement to close public spaces – as already seen in a number of countries – is not something anyone wants to see continue longer than necessary. The virtual cannot replace the physical so easily, and indeed, it is the combination of the two that makes libraries so unique.

However, in those countries which have been most affected so far, we have seen growing use of digital libraries and possibilities to borrow books electronically. It is quite possible that many will be discovering what is available for the first time. Increasingly, libraries are also producing specific pages with reliable information sources about the virus, helping to counteract the far more dubious information that spreads on social media – a great example of libraries drawing on their reputation as places to seek quality information to make a real difference.

Without the Web, it would be almost impossible to continue to help researchers, readers and citizens in general to continue to enjoy their rights of access to information and culture, and to help achieve broader social goals.


Meaningful, Equal?

When, two years ago, the world passed the mark of 50% of the population being internet users, this was a moment for celebration. Progress has – thankfully – continued since then, but it remains the case that millions of people are still cut off. For them, the possibilities that the World Wide Web offers to continue with communication, research, and culture are not available.

Furthermore, among many of those who are counted as internet users, a lot will still face limitations, either in terms of what they can access – slow speeds, low data caps, restrictions on content – or on what they can do with it, notably due to low literacy and in particular digital literacy. The share of people enjoying such meaningful access – fast, unrestricted and empowered – is likely to be far lower than 50% still.

In effect, the potential of the World Wide Web to strengthen social, economic and cultural resilience in the face of a crisis like the COVID-19 outbreak may be concentrated in only some areas, even as the virus itself spreads around the world.

For libraries, this is both a challenge and a call to action. Clearly as institutions with a mission to provide access to information for all, it is uncomfortable when it is only the most digitally empowered who are able to do this. Others – older or more vulnerable people who come to use library computers, young parents who rely on story times, students who need to borrow textbooks from the library because they are too expensive to buy – risk facing more disruption.

Looking into the longer term, however, it is clear that once the current crisis is over, and we look back at how to become even more resilient, the type of work that libraries do will be essential.

For a start, the need for media and information literacy in the face of ‘infodemics’ cannot be underestimated. Libraries are already active in promoting the development of the necessary skills to find, evaluate and apply information critically. These can only become more important into the future.

Secondly, broader efforts to build digital literacy, giving more people the confidence and ability to get the most out of the internet – either at the library or at home – will also pay off if a similar pandemic happens again.

Third, the role of libraries as potential hubs or nodes in networks is also clear, making it easier to bring WiFi or other connections into people’s homes, for example via community networks.

Finally, enabling libraries to build up their digital presence – either through their own or through shared platforms – will also mean that they can offer more to people at distance. While this may have specific benefits for entire populations under lock-down, there are many – people in remote areas, those with disabilities – who may find it difficult to access libraries physically at any moment, and so who will also see advantages all of the time from this sort of work.


Together, these efforts will mean not only that the World Wide Web can make an even more effective contribution to resilience, but also that access to it will become more meaningful, for all. As the Web advances towards middle age, this is certainly a good life goal to be setting.

The IGF is in Paris – but you can join us from everywhere!

The 13th annual meeting of the Internet Governance Forum (IGF) is taking place in Paris this year. The meeting is ‎hosted by the Government of France at the Headquarters of UNESCO, and runs from 12 to ‎‎14 November 2018.‎

This year’s session has more than a hundred sessions, including national, regional and youth IGF initiatives as well as seventeen ‎Dynamic Coalitions with inputs from communities and stakeholders. This multi-stakeholder approach, a key characteristic of the IGF, makes this an important opportunity to influence and shape public ‎discourse on internet governance themes and to discuss needed improvements. ‎

This year’s gathering stresses the importance of creating an Internet of Trust. To achieve this goal, the IGF in looking at best practices ‎in gender and access; cybersecurity; local content; AI, big data and the internet of things. ‎

IFLA is at the Internet Governance Forum in Paris to discuss the importance of public access in libraries. We will be part of two important events. The first is on the 13 November at the American Library in Paris, with more details available here. It will highlight the importance of public access as a means of getting the remaining billions online, alongside other promising initiatives such as community networks, as previously discussed at the IFLA President’s Meeting in Barcelona, and offline internet.

The second, on the 14 November takes place as part of the formal IGF programme. The session of the Dynamic Coalition on Public Access in Libraries in which IFLA plays a leading role will discuss and improve the toolkit on public access that IFLA has prepared for library associations. The toolkit looks at the key policy questions in the fields of technology, financing, regulation, as they affect libraries delivering public access.

You can find a list of the events on the IGF website and you can follow all the sessions remotely. Please, join us and be a part of this community!

What’s On Online? Current Issues for Libraries in Internet Governance and Policy

The core mission of libraries is to provide people with access to information. With flows of information increasingly taking place online, our institutions have a major interest in the way the Internet works.

In December of this year, the world will celebrate 50/50 – the point at which the share of the world’s population with Internet accesses passes 50%. This will be a success to celebrate, but also a reminder of how many people remain unconnected.

Moreover, serious concerns remain about the way in which the actions of governments and private actors can affect this access, and whether people themselves are equipped to make best use of the possibilities.

In short, if people do not have access, or if this access is subject to restrictions, then the mission of libraries cannot be achieved. This blog lists a few of the issues currently on the agenda.


Delivering Access – New Tools?

As highlighted in the introduction, the celebrations around giving half of the world’s population access to the Internet will be clouded by the fact that the other half remain offline. While the unconnected are concentrated in developing countries, there are still minorities in richer countries who are cut off.

New technologies and techniques are emerging for getting people online. Major Internet companies have their own projects for giving access, through satellites, balloons and other tools. While Facebook, for example, has apparently given up on its plans to use drones, it is now investing in satellites.

One technology is TV White Space (TVWS), promoted by its supporters as a particularly smart means of bringing Internet to remote areas. It works by using frequencies which currently are not being used for television, and dedicating them to WiFi. A number of projects using this approach are at work in the United States and Colombia.

There are also efforts by cities and wider communities to set up new networks. Sometimes these are run by local governments who recognise the value of faster connectivity (‘municipal broadband’). Sometimes, it’s residents themselves who come together to establish ‘community networks’.

In both cases, they bypass traditional Internet Service Providers (ISPs), often accused of doing too little to invest in higher speeds.

However, such projects need favourable regulation to work. With radio spectrum usually ‘owned’ by government, there are ongoing questions about who can access this for TVWS projects. There are also stories of restrictions on use of telegraph poles being used to prevent municipal fibre projects.

In addition, there have been some signs of renewed interest in Universal Service and Access Funds (USAFs). These collect funds from taxes on telecommunications providers in order to support connections to poorly served areas and populations.

However, they are frequently under-used, and can be subject to the same risks of corruption and bureaucracy as other parts of government. A recent report from the Alliance for Affordable Internet (A4AI) underlines how, if properly deployed, they could make the difference for women in Africa for example.

Libraries are both beneficiaries of better connectivity, and potentially drivers of new projects. To do this, they will need the right regulations and financial support to be able to give their users – and their communities – effective access to information.


Delivering Content – New Threats?

Yet not all connections are equal. Even when the cables are laid, or the masts turned on, what a user can see online will depend on the rules and practices in place.

The role of government is a key concern. Governments continue to engage in complete or partial shutdowns, as well as in focused censorship.

AccessNow’s monitoring of shutdowns shows that these are depressingly frequent, with everything from national security to school exams offering an excuse. The collateral damage caused by these moves – to businesses, to medicine, to citizens’ daily communications, is significant.

Censorship continues to be a problem. At the end of April, the anniversary of Turkey’s ban of Wikipedia was marked. Freedom House’s 2017 Freedom on the Internet report showed record levels of online censorship and blocking. Steps in Tunisia, for example, to oblige bloggers to ‘register’ are also worrying.

Meanwhile, concerns about ‘fake news’ have served as an excuse for some governments to take dramatic action against both writers and websites. Cambodia, Azerbaijan and Vietnam provide some recent examples. In parallel, as Freedom House (mentioned above) underlines, governments are also more than ready to share disinformation themselves using the same tools.

Yet it would be a mistake to focus only on government. As technology advances, and with it the possiblity to use data to make new connections and offer new services, the risk to personal information grows.

The Cambridge Analytica scandal, as well as other cases of dubious practice by major Internet firms, have shown what can be done with personal data. Data ethics has become a new area for discussion, closely linked to the explosion in the volumes of information collected online (including by the Internet of things).

The entry into force of the General Data Protection Regulation in the European Union offers a response, but much will depend on how effectively people take up the new possibilities it creates. Similar rules appear to be spreading to California and Brazil, and data protection is an increasingly high-profile issue in trade discusisons.

Furthermore, net neutrality remains on the agenda. In the United States, the resistance to moves by the government to allow companies to discriminate continues at federal level. Individual states are passing their own laws to guarantee equal access to all content as far as possible.

Elsewhere, the news is better, with India underlining its support for net neutrality, and steps in some countries at least to do away with zero-rating offerings (i.e. allowing users to access some services without this counting towards their data caps).

An additional issue arises where private companies are pressured to take steps that governments themselves cannot.

As highlighted by the UN Special Rapporteur on Human Rights, platforms are not independent. They can be pressured, for example, to block certain types of content (‘fake news’, explicit content, extreme content), or apply rulings such as the European Union’s right to be forgotten principle.

In doing so, they take on similar powers to governments or courts, but with less oversight or control. Moreover, when governments pass laws that only create incentives to block content, there is no guarantee that legal content will be defended. Laws such as FOSTA and SESTA in the United States and anti fake-news laws in Germany and France risk doing just this.

For libraries, this is an issue of growing importance. The content to which libraires give access is increasingly online, rather than on-the-shelf. And libraries are committed to broader access to information as a driver of development.

While there is a case for acting against specific content that genuinely poses a threat, indiscriminate restrictions imposed by governments or companies, including the chilling effect that surveillance and data-collection can create, are bad news for libraries.


Delivering Skills – New Focus?  

A final area of focus is on individuals themselves. Even where there is connectivity, and the connection is not subject to unjusitified restricitons, citizens themselves need the skills and confidence to get online.

As Pew Internet Centre research showed recently, a falling share of people see the Internet as only having brought benefits for society. Other surveys suggest growing levels of distrust and concern about about the risks encountered on the Internet.

There is a risk, when faced with such worries, that governments will feel empowered to take more restrictive stances (i.e. banning non-mainstream content). As a result, the need to give citizens themselves the confidence to deal with what they find online themselves is growing.

Digital skills training, however, remains minimal in many cases. This can be down to a lack of equipment, a lack of capacity among teaching staff, or simply a failure to update teaching. Moreover, digital skills cannot only be a task for formal education.

Meaningful digital skills training, as highlighted in IFLA’s statement on digital literacy, needs to be about more than just coding (important, but for now unlikely to be relevant to everyone in their future lives), and focus on a broader range of competences.

This should include, notably, an updated version of media and information literacy, adapted to a digital age. It may well also require a renewed focus on some of the ‘soft skills’ which are also important in the offline world.

A number of countries are adopting more holistic curricula, and the OECD is already incorporating concepts such as ‘problem solving in a digital environment’ into its own work. But we are likely to see more moves among governments to develop more comprehensive packages of skills and training in coming years.

Libraries are natural partners for delivering such skills, at least when they are suffficiently equipped and staffed. As welcoming places open to all of the community, regardless of age, they can complement the work of formal education.

With a focus, also, on providing the information (and information literacy) to meet real life needs, they can play a real role in shaping digital skills training for all.


The Internet’s potential to accelerate development is high, but not inevitable. As this blog indicates, there is a regular stream of questions, of doubts. How to make full use of all possibiities to get more people connected? How to avoid overreacting to ‘fake news’ and concern about certain content? How to give people the confidence they need to use the Internet effectively?

All are questions with a real importance for libraries, and to which libraries can help provide solutions.