LibX is still kicking and as far as I know it does all its work in-browser
(though I can't attest this with certainty). Does require more knowledge
and work on the part of the user to get proxy access.
On Tue, Sep 4, 2018 at 9:32 AM, Harper, Cynthia <[log in to unmask]> wrote:
> Is there a browser extension that does meet data privacy concerns
> adequately (or even well)? Your recommendations welcome.
> Cindy Harper
>
> -----Original Message-----
> From: Code for Libraries <[log in to unmask]> On Behalf Of Eric
> Hellman
> Sent: Friday, August 31, 2018 1:15 PM
> To: [log in to unmask]
> Subject: Re: [CODE4LIB] Lean Library Security Concerns
>
> Wow. Lean Library seems to be sloppily implemented, has a privacy policy
> that says that big dutch companies that acquire them receive ALL the user
> data, and the word "collect" doesn't mean what they think it means. The
> icing on the cake is that their T&C forbid us from reverse engineering
> their code to see what it really does.
>
> From their "privacy policy":
> We may disclose the information we obtain:
> If Lean Library is involved in a merger, acquisition or sale of all or a
> portion of its Please note that you will be notified by either email or a
> prominent notice on our website of any changes in ownership or uses of this
> information.
> from their T&C
> No Reverse Engineering and the like.User nor Licensee may, or may cause or
> permit any of its employees or any third party to, modify, adapt,
> translate, reverse engineer, decompile, disassemble, translate or create
> derivative works based on the Service without the prior written consent of
> Licensor, which Licensor may withhold in its sole discretion.
>
> Any librarian that pays to hand users over to LL as it presents itself
> today needs to reflect on their life choices.
>
> Having said that, (and having been involved in browser extension projects)
> I think LL would be super valuable if done right, with all the i's dotted
> and t's crossed.
>
> That would mean building independent code review and privacy and data
> audits of ops into LL's contracts. Remember that giving a company
> phone-back access to a browser extension gives that company (and anyone
> with the power or craft to compel that company) to see everything a user
> does online, credit card numbers, browsing behavior, passwords, EVERYTHING!
> Libraries need to examine their potential legal liability for their
> patron's catastrophic security loss if they recommend installation of this
> product (as presented today.)
>
> If anyone needs technical backup on this, please don't hesitate to contact
> me.
>
> Eric Hellman
> President, Free Ebook Foundation
> Founder, Unglue.it https://unglue.it/
> https://go-to-hellman.blogspot.com/
> twitter: @gluejar
>
> > On Aug 21, 2018, at 6:04 PM, Tammy Wolf <[log in to unmask]> wrote:
> >
> > I just wondered if anyone else on this list reviewed Lean Library<mailto:
> https://www.leanlibrary.com/> and had any security and/or privacy
> concerns.
> >
> > Here is what our Director of Security had to say,
> >
> > "I can confirm that browsing activity is sent to lean library. Attached
> is an example screenshot showing the POST when visiting a URL on
> reddit.com. And if you visit https://app.leanlibrary.com/?
> r=api/api/institutes it's trivial to see info about all subscribers of
> lean library.
> >
> > Also, there are Repeated Pings to capture user IP Address. This was also
> verified during the session capture. This occurs via
> https://app.leanlibrary.com/?r=api/api/getIp."
> >
> > Our Security Director goes on to say the following:
> >
> > "Of course this is also a question of consent. Any users of the plugin
> should first have to consent to the privacy policy:
> https://www.leanlibrary.com/privacy-policy/item181 - which would be in
> conflict with deploying this automatically to lab computers. I have some
> issues with the privacy policy itself as well. It states:
> >
> > What information does Lean Library and The Extension NOT obtain?
> > Your security and privacy is our biggest priority. We are only
> interested in information or data that can help us deliver the best
> experience possible in saving you time while and optimizing your academic
> research. Therefore, The Extension does not store any information for other
> browsing activity such as activity on non-database webpage urls.
> > Maybe they aren't technically "storing" the fact that I visited a URL on
> reddit.com, but that visit still went to their server and was captured /
> analyzed *somehow*. It would be more accurate for them to say that they
> analyze all sites you visit to determine whether they are academic in
> nature, or something. But that would be a red flag."
> >
> > Thoughts?
> >
> > Tammy Allgood Wolf
> > Director of Discovery Services
> > ASU Library
> > Arizona State University
> > 480-965-1797
> > <leanlibrary-postrequest.jpg>
>
|