Configuring Public Access
Computers to Protect Patron Privacy
To Save or Not to Save? Strategies for
Protecting Patron Information Revisited
Amy West, University of Minnesota, email@example.com
ALA Annual Conference, Chicago, IL - 6/26/2005
The Good News
• Security intended to reduce maintenance
on public access computers can easily
protect patron privacy
Less Maintenance = More Privacy?
• When a computer is configured to reduce
the effects of malware, less information
can be written to it and less is preserved.
• The fewer traces of a patron’s activity that
are left on the machine, the greater the
effective privacy of the patron.
Effective Shared Environments
• Because public access workstations are
public, some configuration decisions will
be made to create a welcoming shared
environment.
• These decisions can also have a positive
effect on privacy.
What’s Left to Identify Patrons?
• Resources out of the control of the library,
such as vendor web sites and central
authentication hubs, can still provide a way
to identify patrons.
Minneapolis Public Library Needs
• Timed, limited Internet access
• Low-maintenance workstations, especially
• Screens not visible to staff
Minneapolis Public Library Solution
• Timer software that resets every 24 hours
– The reset erases preceding data
• Deep Freeze configuration protection
– This software restores the computer to its saved image at log-off,
discarding all configuration changes made since that image was taken
• Privacy Screens on Monitors
– Limits viewing of monitors to small area directly in
front of computer
Minneapolis Public Library Effects
• The resetting of the timer software increases
privacy because it erases the record of who was
on which computer when that day
• Because the software artifacts of each session (word
processing files, browsing histories, etc.) are removed,
patron activity cannot be traced from the workstation.
• Privacy Screens have no effect on patron
privacy because everyone always removes them.
University of Minnesota Needs
• Low-maintenance workstations, especially in branches
• Secure use of University of Minnesota x.500 central authentication
– At the University of Minnesota, a user’s x.500 username and
password gives access to grades, HR/Registrar’s information, email,
library resources and more.
A University of Minnesota Solution
• Workstation configuration tied down
– Partitions modeled on Unix systems with hard drive partitions for system files,
program files and user files.
– Neither the system nor the program partitions are writable by users.
– The user partition is cleared at logout
• SSL Login to x.500 database
– A generic login for non-affiliated users has also been created with limited
permissions in the x.500 database.
• Internet Explorer’s and Public Browser’s tracking functions are turned off
– No history, no cache. Cookies are retained, but they are tied to the Windows
user account, which is a generic “public” account rather than an individual patron.
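The two user-partition policies described on this slide (the partition cleared at logout, and the variant that clears everything but the cookie store kept under the generic account) can be checked rather than assumed. The script below is an added example, not the University of Minnesota’s logout script; the profile layout, folder names and file contents are constructed for the demo, and the Unix-style symlink guard is an assumption about how a hostile patron might try to point the wipe at the system partition. It wipes a user area, optionally keeping a named top-level folder, and then audits what traces survive.

```python
"""Wipe a public-workstation user partition at logout and audit what survives.

Added example (not from the presentation). The folder names below are a
constructed stand-in for a Windows/Internet Explorer profile; adjust
TRACE_CLASSES for a real layout.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Artifact classes a session reset must remove, keyed by the top-level
# folder they live in on this constructed profile layout.
TRACE_CLASSES = {
    "History": "browsing history",
    "Temporary Internet Files": "browser cache",
    "My Documents": "user documents",
    "Cookies": "cookies",
}


def make_demo_profile(root: Path) -> None:
    """Populate ROOT with constructed artifacts of one patron session."""
    samples = {
        "History/index.dat": b"http://catalog.example/record/123\n",
        "Temporary Internet Files/page1.htm": b"<html>cached page</html>",
        "My Documents/essay.doc": b"draft text",
        "Cookies/public@vendor.example.txt": b"session=abc123",
    }
    for rel, data in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def reset_user_partition(root: Path, keep: tuple[str, ...] = ()) -> list[str]:
    """Remove everything under ROOT except top-level entries named in KEEP.

    Returns the names removed. Refuses to run on a filesystem root, which
    is never a dedicated user partition.
    """
    root = root.resolve()
    if root == Path(root.anchor) or not root.is_dir():
        raise ValueError(f"refusing to wipe {root}: not a user partition")
    removed = []
    for entry in root.iterdir():
        if entry.name in keep:
            continue
        # Unlink symlinks instead of descending into them: a link a patron
        # planted must not let the wipe reach outside the user partition.
        if entry.is_symlink() or entry.is_file():
            entry.unlink()
        else:
            shutil.rmtree(entry)
        removed.append(entry.name)
    return sorted(removed)


def audit_residue(root: Path) -> dict[str, list[str]]:
    """Return {trace class: [relative files]} still present under ROOT."""
    found: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in TRACE_CLASSES:
            found.setdefault(TRACE_CLASSES[rel.parts[0]], []).append(rel.as_posix())
    return found


def demo() -> dict:
    """Run both policies side by side on constructed profiles."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Stand-in for the read-only system partition, outside the user area.
        system = tmp / "system"
        system.mkdir()
        (system / "boot.ini").write_bytes(b"[boot loader]")

        # Policy A: clear the user partition but keep the cookie store.
        a = tmp / "user_a"
        make_demo_profile(a)
        reset_user_partition(a, keep=("Cookies",))

        # Policy B: wipe everything; a planted symlink points at the system
        # partition and must be removed, not followed.
        b = tmp / "user_b"
        make_demo_profile(b)
        os.symlink(system, b / "escape")
        removed = reset_user_partition(b)

        return {
            "keep_cookies": audit_residue(a),
            "wipe_all": audit_residue(b),
            "removed_b": removed,
            "system_intact": (system / "boot.ini").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the cookie-keeping policy leaves exactly one trace class behind, which is the residue the "Effects" slide later says an investigator could still glean from; the full wipe leaves nothing, and the planted link is unlinked while the file it pointed at is untouched.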
University of Minnesota Effects
• Workstation tied down
– Because users can’t do very much on these computers, there’s no path
• SSL Login to x.500 database
– No record in the Libraries is retained of who was on when. It is possible
to get that information from the Office of Information Technology, but
that’s all the information that is retained.
• Browser Tracking turned off
– Without the history or cache, finding out what someone did while online
is limited to what can be gleaned from the cookies that persist under the
shared account.
– Extra layer of protection for x.500 usernames and passwords
Comment on Browser Tracking
• At the University the decision to eliminate browser
tracking was not to facilitate privacy.
• It was actually to relieve subsequent users from having
to see the list of web sites that preceding users might
have looked at.
– This decision didn’t assume that preceding users would be doing
anything wrong. There are many valid research needs that would lead
User A to offensive web content. We felt there was no reason why User
B should have to confront that content, however inadvertently.
• Standard security measures intended to
decrease maintenance and facilitate
shared computing environments can
protect privacy because such measures
limit what a user can do on a computer,
thus limiting traceable information and
confining user activities to that user’s