Comments on Go To Hellman: How to check if your library is leaking catalog searches to Amazon
Blog author: Eric. Feed updated 2023-04-15T11:42:35.385-04:00.

Anonymous (2017-03-23T11:12:35.386-04:00):
As we communicated to the entire Primo customer community a few weeks ago I would like to update on the measures Ex Libris already took.
In order to protect privacy in Primo searches, we have redirected all requests for book covers from third party providers such as Amazon and Google through a proxy on the Ex Libris cloud data center. This way, there is no transfer of client IP data or cookies to these providers’ systems.
This solution was rolled out to all cloud environments during February.

Yuval Kiselstein
Director of Product Management,
Ex Libris Discovery and Delivery solutions
yuval.kiselstein@exlibrisgroup.com

Eric (2017-03-14T11:06:39.794-04:00):
That's excellent news!

Gustav Lindqvist (2017-03-14T08:56:39.882-04:00):
Thought I'd update that ExLibris decided to proxy all their requests for Book Covers for Primo, which solves the problem for all their users.

banerjek (2017-01-17T14:31:58.252-05:00):
Fully agreed. But I'd also want to direct limited resources where they have the most impact.

I do think raising awareness of these things is good (as well as the need to read TOS since Amazon makes it clear what's going on). I have serious concerns about the widespread practice of depending on "free" commercial products for production services.

Eric (2017-01-17T12:22:10.848-05:00):
Pagers are a great example.

I like to compare privacy threats to global warming. Each individual action is minuscule; we can only solve the problem by changing the larger "context". How do we do that? "Think globally, act locally" is a good start.

banerjek (2017-01-17T11:46:44.516-05:00):
You are correct -- my error. I will raise the issue, as I do think people should be aware of how things work.

I still do think that this is a minor privacy issue compared to many others patrons face while using library services.

It reminds me of recently having to secure a server in response to our central IT. They were upset that a machine that existed only to serve public images and no sensitive data on the machine over HTTPS supported SSLv3 (weak encryption). Meanwhile, email remains the preferred channel for critical communication and the pagers that our clinical operations rely on are not encrypted.

Eric (2017-01-17T10:09:38.071-05:00):
Umm, @banerjek, I did a search for "venereal disease" on the Primo I think your library has, and I got an Amazon cover image.

banerjek (2017-01-17T09:58:35.127-05:00):
We'd say that violates our policies and mission. There are a number of things we don't do that could generate significant revenue such as accept advertising. BTW, we don't use Amazon cover images.

I do think some perspective is in order. Library staff have always known a lot about what individuals read as well as why -- this knowledge is the basis of common war stories. And what we call tracking is typically anonymized because those doing the tracking don't care who it is but use the tracking to provide personalization services. Yes, there are ways of deanonymizing data, but if you want to spy on people, the library ILS is one of the worst sources possible.

There are so many other services that the library facilitates access to that give away so much more information.

Truly protecting privacy renders most of the Internet practically unusable.

Eric (2017-01-16T17:17:39.808-05:00):
True, but if Amazon came to your library and said "we'll pay $50,000/yr for your complete search logs, identified by user", what would you tell them?

banerjek (2017-01-16T13:33:51.069-05:00):
It is good to be mindful that "free" services that libraries and users alike depend on typically are funded with data about users.

It is also good to keep things in perspective. It's a safe bet that the Internet access that libraries routinely provide hemorrhages much more sensitive patron data than this.

Eric (2017-01-04T00:26:39.957-05:00):
Caching 3rd party content is a good way to prevent privacy leakage. Nice to hear!

JRS (2017-01-03T22:34:27.424-05:00):
Evergreen ILS can be counted in the not affected column. It caches cover art server side, so the client request is always to the Evergreen server. And I don't think Amazon cover art is even supported, since the last time I checked it was against Amazon's TOS (granted that was several years ago, I remember something about how the use of the images must be used to drive traffic to Amazon.com as a requirement.).

Eric (2017-01-03T15:41:33.604-05:00):
I'm not saying libraries should seal themselves off from third-parties. Rather, they should make careful, considered choices about third party resources and should avoid spewing patron data when it can be avoided. Building a safe space does not require building a "bastion". You're right though, a safe space requires transparency and education.

Michael (2017-01-03T15:24:35.618-05:00):
Quite an honorable goal for the Library to seal itself off from third-parties, even if it's not the most realistic. But I think the larger take-away here is that libraries have the opportunity to recognize the lay of the land and be transparent enough to inform the public's expectations of privacy. We need to come to terms with the fact that we are not the bastion of some of our loftier principles. We transgress. But, if we come out from under the hood of that delusion perhaps we can educate in the process?

Eric (2016-12-30T22:07:30.738-05:00):
Obviously you haven't read the Go To Hellman Blog License Agreement.

But seriously, there's a huge difference in expectations about privacy when you visit a blog and when you visit a library site. There's also a difference between leaking a library website visit and a catalog search. As well as a difference in user expectations between a Google-hosted blog capturing usage information and a library catalog spitting out identified user searches to Amazon.

Now that Blogger is HTTPS, it's actually not leaking anything to any 3rd parties except Twitter and statcounter (at least on this page).

As for "height of hypocrisy", perhaps you have slept through 2016. My condolences on waking.

Anonymous (2016-12-30T17:39:21.864-05:00):
This is all good information but surely a huge problem is that this blog is hosted on Google - and therefore Google is both tracking all the users to this blog (including myself) and all their other usage activity.

For all these issues it's culture change. We use Google Analytics on websites because it's quick and easy, we use Blogger sites for the same reason. Libraries use Amazon cover images because it's free hosting for enhanced content on their sites and most users don't seem to care.

But to highlight the issue on a blogging platform that is leaking user information all over the place does seem like the height of hypocrisy.

Justin Hoenke (2016-12-29T13:12:00.036-05:00):
Thank you so much Eric. I appreciate how detail oriented this post is!

Eric (2016-12-28T19:32:38.842-05:00):
Justin, you probably see some other hostnames in the sources tab. Two other cover image providers are Syndetics and Baker and Taylor. If you use one of these, your library probably has a contract/agreement with them. If so, you'll probably want to review the contract to make sure that the vendor has committed to privacy and data retention policies that you're happy with.

Justin Hoenke (2016-12-28T12:36:11.966-05:00):
Thanks for this! I went through the process but did not see any "images.amazon.com" on the Sources tab...does that mean that we're in the clear? I hope so!

Charlie Byers (2016-12-23T16:11:41.822-05:00):
In the meantime, creating a hosts file to redirect those requests to the loopback address might be a reasonable solution.

Eric (2016-12-23T15:33:17.689-05:00):
What's exasperating to me is how easy most of this would be to fix! See here (https://go-to-hellman.blogspot.com/2015/06/protect-reader-privacy-with-referrer.html) for example.

Charlie Byers (2016-12-23T12:26:02.564-05:00):
Yeah. If we want secure, private services on the WWW, there's a lot that'd have to be rebuilt from the ground up. Inertia seems to be in the opposite direction.

Eric (2016-12-23T11:06:35.538-05:00):
If only it was just one developer.

Charlie Byers (2016-12-23T00:38:08.965-05:00):
Oh, so the request to the Amazon service comes straight from your own browser, and that's how/why the cookie gets accessed. That is a very bad way to build a catalog system, in terms of privacy. Even if you use it in a privacy mode, Amazon has a record of your IP address and your search string, from the referrer header. Crappy design! I hope librarians can put some pressure on the developer to change that.

Eric (2016-12-22T14:56:32.131-05:00):
fixed