transmitting in cleartext #accessyfc

This is the text of a short Ignite talk I gave at the Access Conference in 2016. Ignite format is 5 minutes with auto-advancing slides every 15 seconds, so that’s why it’s got the lack of detail it does. I might link to a video version of this talk at some point too, ’cause otherwise the mad prophet aspect might get a little lost. In the meantime, please enjoy.

Hi everyone. I’m J Jack Unrau.

I don’t code much but I spend loads of my time on a public library info desk doing community tech support and talking about digital privacy, which is what I’m here for today.

just a bunch of hilarious stuff

Having been a children’s librarian and radio-based reading advisor, I feel well-equipped to tell you a story about what it means to me to teach people how to deal with the cyberpunk dystopia we have the fortune to be living in.

libr*folk get people hacked

Do you remember 2013 when a huge list of IDs and passwords were stolen from Adobe, including all the accounts librarians had made people get so they could read Overdrive ebooks?

It was terrible explaining to people what happened, & not just because it was our fault.

inigo montoya line (not that bit, the other one)

Adobe was storing passwords in poorly encrypted fashion and transmitting them in cleartext.

Or plaintext.

Plaintext?

Shoot, which is for vim and which is about encryption again?

Anyway.

The words cleartext and plaintext got bandied about a bunch.

escape from efrafa

In the wake of this breach, our library’s agitated techy public services librarians, like Emily Orr, got a notification posted and warned people to change their passwords.

And then we fell down the rabbithole of translating what cleartext means to plainspoken people.

clarity

Because it’s kind of counter-intuitive.

We usually want people who aren’t making some artistic statement to be clear communicators.

We want to get to the point in 300 seconds.

We want to communicate plainly and simply.

We want to tell our stories so we’re understood.

the opposite of clarity

When we’re teaching encryption and security, though, we’re promoting the value of obfuscation and complication.

No matter how much we say “You don’t do this because you have something to hide! It’s not just for pornographers” it’s still weird.

library freedom project

Some smart public-oriented folk have been working on this education project: teaching people what it means to encrypt for your security and liberty.

Alison Macrina’s founding work on the Library Freedom Project is hugely important and useful.

They are showing us a path to teach these skills to our users.

So what are we doing with those resources?

we do what we must because we can

I teach monthly classes on electronic privacy (that are sparsely attended).

In these sessions we talk about governments and corporations and other thieves, what they want with people’s data, things they will do to get it, and what people can do to try and protect themselves.

using tech better will save us!

I explain digital rights management to our senior citizens.

For Freedom to Read Week a teen and his mom and I built a Tor router from a Raspberry Pi.

I’m doing my part to inch people along the path to looking after their security, to knowing why transmitting in cleartext is so bad.

but it won’t

However, this is not a “we done good” story.

This is a story set in 2016, after all.

This is ending in an apocalyptic trash fire.

normalizing technocracy

The world we inhabit is one where you can have all sorts of digital freedom if you know how to code, navigate pirated media repositories, blocklist the cesspools of Twitter, or run a VPN around Netflix / a repressive regime.

everyone loves setec astronomy

This world is made for people like me.

Doing what I do makes me feel good about “fixing” our users.

I love my secret arcane knowledge and I love sharing that secret arcane knowledge to help technophobes understand what I love about these tools.

we don’t need more technologists

But that makes the story about people like us.

Our goal can’t be to make the public more like us.

Doing this education stuff feels more and more like sharing tips from the lucky times the techy scouts weren’t squashed by the giants out ravaging.

earning freedom is bullshit

Teaching special tech tricks to fix our special users – the ones who ask for the knowledge, come to the classes – that isn’t enough.

That lets things get worse and worse for those who have more important things to do than taking a class on Facebook privacy settings (like Facebook chatting with their kid three timezones away).

obliquity

I’m an info-desk librarian.

I love helping people directly.

Communicating clearly about this stuff to a few people at a time feels good, but isn’t efficient.

The **most important** thing I’ve done for our users is harass IT into installing Privacy Badger on our public computers.

can we build it?

Users need tools for a default experience that is better for them than what fresh surveillance machines from BestBuy can do.

Maybe with Calibre and DeDRM plugins and LibraryBoxen and VPNs and adblockers for everyone we could make libraries have people’s backs even if they have no tech skills.

probably not

I get that there are economic concerns and political concerns in libraries and society that have grim answers for “why don’t we just…?” kinds of questions.

They’re the giants trampling the countryside, the 6th and 7th suns, all that apocalyptic stuff we can’t affect while we scurry among the shitty policies.

we’re doomed. now what?

Roy Scranton wrote this essay last year about how we can’t look to technology or politics to save us from climate change and the end of western civilization.

We have to learn how to remember and let go.

For me, sharing stories is the remembering value we’re adding.

uplifting dénouement missing

I guess I’m just saying teaching digital privacy classes gives us and our users practice at sharing the ransomware folktales we’ll someday tell huddled round our trashcan fires.

Which wasn’t what I expected, but I think it still has value.

Thanks. No moral.

recuperation in public

It’s been a busy summer at my place of work. My library branch has been renovated so I was off at other branches with nary a desk to call my own while working on all the projects our leadership decided to cram into the end of a five year strategic plan cycle. Now I’m back at my home branch, I have a toilet stall sized cubicle to work in, and the main time-suck since June has turned out as crappy as we’d been warning everyone who had any power to effect change we could. (We filled spreadsheets with the software’s failures to deliver what was on our RFP, but it remained awful.) Now because the public hated it as much as we did, the library’s going back to the old discovery layer meaning that all that work our team put in was ignored and then proven right but still ignored because we didn’t cc the mayor with our complaints.

It’s hard to be really enthusiastic about work in this kind of situation.

But for some reason, I’ve been having a good week. I think it’s just that the branch is open now. I’m not in a caretaker role, intruding on someone else’s space. This is my branch where I get to do my programs and talk to my users. It’s one of those things that sometimes makes me feel a bit like I shouldn’t be a librarian, that emphasis on “My” stuff since we’re supposed to be all about sharing and collaboration and have no egos and not give a fuck about not having an office.

It’s probably just that the branch is open and even though we have a third of the books we did pre-renovation and the place is echoey as fuck, there are people in the library. People I can help. Doing that front-line helping is the thing that gets me through all the behind the scenes workplace shit.

Put me on the desk; I must be some sort of public servant. (Plus it gets me out of that fucking cubicle.)

text "Librarianautica" split over 4 lines over a Hokusai print of waves

librarianautica podcast = librarians on the radio

One of the issues I have with Librarians on the Radio is that we are often talked about as a podcast. Until now that hasn’t been strictly true. We’ve been a radio show whose episodes I collect on the Internet Archive in the Nanaimo Community Radio Library. Podcasts need an RSS feed and for people not to have to go to a website to find a new episode. We didn’t have a really good podcast feed and more importantly for a lot of users, we weren’t findable in iTunes’ podcasts even before the radio station’s previous podcast hosting went under. That has all changed!

Here’s the Librarianautica RSS feed to plug into your non-iTunes podcast app and here’s the iTunes link to the show. I call it Librarianautica rather than Librarians on the Radio for the searchability factor (search for it in iTunes Podcasts and you should find it unlike the previous show title), and because I like making up words. It doesn’t have the whole back catalogue yet (only two storytime episodes up so far) because I don’t have a hugely expensive hosting plan, but this’ll be enough for now and hopefully a while into the future.

I hope that’s useful for you. Thanks for listening.

life in a glass house (the ebooks part) #bclc2014

life in a glass house (papering the window panes)

This is the text for my half of a session at the 2014 BC Library Conference. The first half belonged to Myron Groover and can be found here.

Before I get started I have to make clear that though I work in a public library and a lot of what I’m saying today is informed by my time directly serving the public at an information desk, it is not an accident I’m not telling you where I work. ’Cause, though when Myron’s king I’m sure I won’t be the first against the wall, till then my opinions are of no consequence at all. All the sawed-off shotgun words I might be using today are completely my own (as much as anything can be one’s own) and emphatically do not represent the views of my employer. I am not their fault.

The point of combining our talks into one thing today goes kind of like this: We’re both public librarians devoted to serving our publics. Myron’s been talking about how we can protect our users from malicious entities on the internet (and just to lay my cards on the table my definition of malicious entities includes everyone trying to mine and get information out of unsuspecting folks), and I’m going to talk a bit more about how we could expand our users’ knowledge of what they can do with regards to one of the stupid terrible things we’re caught up in today. And by that of course I mean Overdrive ebooks.

So I am aware of very important high-level talks about ebooks and publishing and that’s all cool. In her talk Tuesday morning Christina de Castell mentioned how in a perfect world we’d be sharing DRM-free books with our members, but that’s not the kind of thing they’re really going for. They’re making the current system work more smoothly. I’m talking about how to subvert that system so we can share DRM-free books with our members as individual guerrilla librarians.

my bellyache

How many of you have spent time helping users download ebooks? I’ll do this quick without speaking in maths:

  1. the user needs to download software – Overdrive Media Console for a mobile device or Adobe Digital Editions for a more traditional computer
  2. make sure the software is set up to open the files by default
  3. set up an Adobe ID (which is separate from your library card)
  4. authorize the software
  5. borrow and put things in two virtual spaces called bookshelves
  6. open and read a book.

That’s basically the process.

Now here’s a question: How long does that process take? Not the actual downloading, but the teaching someone how to make this whole system work? Assuming everything is in its right place, that no one forgets their password to their device’s app store, or the time on a laptop isn’t set incorrectly? For me, one-on-one that’s about a 15 minute interaction at the reference desk. Like most public libraries, we also do workshops so we spend an hour with 10-15 people at a time.

At the end of those sessions, those excellent interactions where you’re being the compassionate face of the library helping with a technological challenge, what has the user learned?

it’s all cussed up

I posit that if we go into these interactions just trying to teach our users to jump through technological hoops we’re fucking up as librarians. Because here’s a selection of bad habits and lies we’ve just been complicit in teaching:

  • They’ve learned that reading books on a screen is a complicated process that requires a specific set of steps and proprietary tools.
  • They’ve learned to think of ebooks like physical books with physical limitations.
  • They’ve learned to click through end user license agreements. (though they probably already knew that).
  • They’ve also learned that Overdrive is how they connect with the library.
  • They’ve learned that to use the library you have to have an email address, and give that email address to Adobe, a huge corporation that is not a library and does not have library ideals.

Do you think that is all fucked up? I think it is. Here are some reasons why:

  • Users who do not have a credit card (to associate with app store accounts) cannot download library ebooks. (I see this often with hand-me-down electronic devices, and sometimes when one of those terrible Pandigital tablets goes on sale; for more and more people the phone/tablet is their only computing device.)
  • Users who are using a mobile device that was set up by a family member and don’t know the password to actually add an app, cannot download library ebooks.
  • Users with unsupported devices (like a first-gen iPad, or a kindle) cannot download library ebooks.
  • Users who do not want to share their personal information with large corporations they have no real reason to trust cannot download library ebooks.

If we don’t like these lessons, we can’t blame this on satellites or the falling sky, but only on ourselves for not providing alternatives that better fit our values. For me those values are sharing, and like Ivan Coyote said on Monday, honouring that librarian code of silence.

A few weeks ago I started an ebooks workshop and a woman in the group had a Kindle she wanted to use with the library. What do you say to her? In my library branch our circ staff have (quite good) step-by-step how-to documents they give to people when they ask about ebooks based on their device. When they get someone asking about a Kindle they know that technically Kindles don’t work with our Overdrive system, but they also have a resource over at the info desk that might be able to fix things up for them.

drm-stripping

It is totally possible to get Overdrive ebooks onto a Kindle. There are a couple of tools you need to do it. Calibre, the open-source ebook management software and ApprenticeAlf’s DeDRM plugins for Calibre. Add these tools to the whole Adobe Digital Editions process and you can set up your users to take control over their ebooks. They still borrow the book through the normal channels, open it up in Adobe Digital Editions, but then drag the file into Calibre and it strips off all the stuff that stops you from modifying the file. Then you can convert it into a mobi file and pop it onto a Kindle. No problem.

Now when I say “strips off the stuff that prevents you from modifying the file” I am referring to Digital Rights Management, or, in the Canadian legal environment, a TPM or a digital lock. When you strip that lock off, you’re breaking the law. You’re also stripping off the bits that prevent you from reading the book once you return it, and prevent you from making a copy to share yourself outside the Overdrive environment. I always tell people who want to use their Kindles that it is possible, but the laws say you technically are not supposed to be cussing around with that stuff.

The beautiful thing about stripping the DRM off an Overdrive book is that you’re now addressing a bunch of the problems I talked about earlier. They can use the tools of their choosing (which I realize sounds a little neoliberal of me, so I am sorry) which makes sense because an ebook is just a packaged up html file that people can save to disk and read in their browsers. Users don’t need any extra apps or IDs to leak any more info about them, or to join in on the forced technology march of planned obsolescence.

To me that is exactly what librarians need to be doing. Our job is to serve our communities, not to make money for private companies.

possible techniques for libraries

Now you can totally say that my thoughts are misguided and a little naive, and I totally admit there’s a bit of a problem of scalability in the “teach everyone how to strip the DRM from their ebooks” approach. Not everyone wants to add that extra layer to their downloading process. There is a bit of extra software installation involved here, and it’s not something you can do right on an iPad. But I’ve helped people do it. I mean, it’s totally possible to automate the process on people’s individual computers, but many of our ebook users aren’t going to want to do that.

So my proposal is that librarians should be doing this ourselves for our users. We should be stripping DRM from our collections to give people a private (as in privacy, not as in how it’s paid for) option outside the corporate system, where we can be the secret keepers Ivan Coyote talked about in the opening keynote. In my perfect world public libraries would be the biggest seeders of ebook collections through bittorrent, and our catalogue links to ebooks would be direct to DRM-free ebooks in multiple formats.

Before we get there though, there are smaller scale ways to serve our ideals in the ebook-sphere & ideally not get sued to oblivion (though obviously I ain’t promising anything).

  1. First thing: we have to tell our users the truth about why the current system works the way it does. It is not to fulfill our library missions of serving our communities, but to ensure corporate profits. All the steps and privacy liabilities needed to read a cussing ebook are just a side effect of that. In my ebook workshops I explain why even though an ebook is just a file, we pretend you can only have one readable copy of that file out at a time, and that librarians would totally share everything we had with everyone for all time if it were up to us. Maybe that’s not the case for every librarian, but it is for me.
  2. Second thing: showcase alternatives to the corporate system. When talking about ebooks, make sure you’re showing them things like the Internet Archive, Project Gutenberg, Smashwords, Unglue.it, Manybooks.net (though that one really requires an ad-blocker to be sure your eyes don’t bleed).
  3. Third thing: this is a bit more subversive. Every time you download a demo ebook in a workshop or for a user, run it through Calibre and the DeDRM plugin. Save it to a USB stick. Share it locally, maybe using a LibraryBox. Build a little alternative selection of library ebooks to show people how the world could be if librarians were the sharers that we get warm fuzzies thinking we are.

Thank you. I’m sorry for cussing so much.

plug for my talk at bc library conference 2014

Next week I’ll be speaking at the BC Library Conference in Vancouver. I’m sharing our small session with Library Journal Mover & Shaker Myron Groover and we’ll be talking about protecting our users’ privacy online (this’ll mostly be Myron) and how the way public libraries are commonly doing ebooks fucks with librarianly values (around privacy & other matters) and what we can do to change things up.

The session is called Life in a Glass House (Papering the Windowpanes). We’ll be posting our portions of the talk on our respective blogs (we aren’t big powerpoint kinds of people, and at least speaking for myself any slides we’d have would be too cryptic to mean anything so you’ll have to make do with text).

public tech support, lavabit and me

A few weeks ago, a library member asked me to help her sign up for Facebook to find her kid. This is something I’m never entirely sure if I’m supposed to be doing. I mean, technically this takes up a bunch of time, and it’s not directly connected with our library resources. But really, for a lot of people who use our public internet computers I’m the public equivalent to the family member who can reset grandma’s VCR (which was not my job in our family – thank goodness for actually techy cousins). So I help with this kind of thing fairly often.

This particular instance was kind of interesting because the library member wanted to get rid of her Hotmail address before getting back into Facebook. For people who don’t use these tools all the time there’s a lot more disposability to these identities, which I find interesting. I mean, I wouldn’t trash an email address just because I forgot my Facebook password, but people do it.

I talked to her about how she didn’t need to delete her Hotmail account just to get onto Facebook again, but she was adamant, so I helped her do it. But before doing that I did manage to explain how we should set up a separate email address first. The idea of having two email addresses to be able to authenticate each other is a stumbling block I run into a lot with our library members especially because so many of them don’t have phones to get texts for authentication codes modern web authentication likes to use.

I asked her if she wanted a different Hotmail address and she didn’t. I suggested setting up a Gmail account and she had this visceral reaction against Google. I didn’t press on about it, but am interested in why this non-technologist grandmother really didn’t want to be associated with Google. Because of that reaction though, and because I’d gathered she didn’t use her email very often and basically just needed it to get on Facebook, I suggested setting her up with a Lavabit account, and she was fine with that.

So Lavabit was a very secure email provider (the one that Edward Snowden used) but they had a small free account option, which would work for this member’s purposes. We got her set up and then used it as her Facebook login, and I was pleased to be able to teach someone a bit about email and how it works.

Now, you probably know this already but I have to use the past tense talking about Lavabit, because that Snowden association got Lavabit shut down. They were going to have to comply with US government requests they felt were counter to their values so they shuttered up and are now involved in a big legal fight. And I have kind of created more problems for this library member who I haven’t seen recently if she wants to actually check her email. But she should still be able to get on Facebook, which was all she really wanted.

I don’t know if there’s a moral to this story that I actually want to draw from it. I mean, the obvious lesson is that I should only help people set things up with major corporations’ products because there’s much less chance they’ll disappear. But especially when those corporations are helping to spy on people I feel like I shouldn’t be just handing them naive users. Providing options and alternatives is something I feel strongly about. But most people want something that just works not an education in information policy and privacy, so I should probably be going with simpler tools than better ones?

Bah. I don’t know. If I get the chance I’ll help that member with setting up something to replace her now disabled Lavabit email address and hope my advice didn’t sour her completely on using the tools of the 21st century.