Bumping this conversation up given the latest news: Lean Library was
purchased by SAGE. https://www.leanlibrary.com/news/item250
Tim
On Wed, Sep 5, 2018 at 12:32 PM Tammy Wolf <[log in to unmask]> wrote:
> I just met with Johan Tilstra, CEO of Lean Library this morning. According
> to Johan, the fact that browser activity was being sent to Lean Library was
> an architectural oversight. He has committed to changing the way they
> collect data, specifically storing browsing activity locally, rather than
> sending it to Lean Library. They currently have a new architecture in Beta
> and should have something to show next week.
>
> I feel encouraged that the company really does seem committed to
> transparency and user privacy. We will see how things go testing-wise when
> the new plugin is released.
>
> Thanks so much for this great and lively discussion.
>
>
> Tammy Allgood Wolf
> Director of Discovery Services
> ASU Library
> Arizona State University
> 480-965-1797
>
>
>
>
> -----Original Message-----
> From: Code for Libraries <[log in to unmask]> On Behalf Of Eric
> Hellman
> Sent: Friday, August 31, 2018 10:15 AM
> To: [log in to unmask]
> Subject: Re: [CODE4LIB] Lean Library Security Concerns
>
> Wow. Lean Library seems to be sloppily implemented, has a privacy policy
> that says that big Dutch companies that acquire them receive ALL the user
> data, and the word "collect" doesn't mean what they think it means. The
> icing on the cake is that their T&C forbid us from reverse engineering
> their code to see what it really does.
>
> From their "privacy policy":
> We may disclose the information we obtain:
> If Lean Library is involved in a merger, acquisition or sale of all or a
> portion of its Please note that you will be notified by either email or a
> prominent notice on our website of any changes in ownership or uses of this
> information.
> from their T&C
> No Reverse Engineering and the like. User nor Licensee may, or may cause or
> permit any of its employees or any third party to, modify, adapt,
> translate, reverse engineer, decompile, disassemble, translate or create
> derivative works based on the Service without the prior written consent of
> Licensor, which Licensor may withhold in its sole discretion.
>
> Any librarian that pays to hand users over to LL as it presents itself
> today needs to reflect on their life choices.
>
> Having said that, (and having been involved in browser extension projects)
> I think LL would be super valuable if done right, with all the i's dotted
> and t's crossed.
>
> That would mean building independent code review and privacy and data
> audits of ops into LL's contracts. Remember that giving a company
> phone-back access to a browser extension gives that company (and anyone
> with the power or craft to compel that company) the ability to see everything a user
> does online, credit card numbers, browsing behavior, passwords, EVERYTHING!
> Libraries need to examine their potential legal liability for their
> patrons' catastrophic security loss if they recommend installation of this
> product (as presented today.)
>
> If anyone needs technical backup on this, please don't hesitate to contact
> me.
>
> Eric Hellman
> President, Free Ebook Foundation
> Founder, Unglue.it https://unglue.it/
> https://go-to-hellman.blogspot.com/
> twitter: @gluejar
>
> > On Aug 21, 2018, at 6:04 PM, Tammy Wolf <[log in to unmask]> wrote:
> >
> > I just wondered if anyone else on this list reviewed Lean Library
> <https://www.leanlibrary.com/> and had any security and/or privacy
> concerns.
> >
> > Here is what our Director of Security had to say,
> >
> > "I can confirm that browsing activity is sent to lean library. Attached
> is an example screenshot showing the POST when visiting a URL on
> reddit.com. And if you visit
> https://app.leanlibrary.com/?r=api/api/institutes it's trivial to see
> info about all subscribers of lean library.
> >
> > Also, there are Repeated Pings to capture user IP Address. This was also
> verified during the session capture. This occurs via
> https://app.leanlibrary.com/?r=api/api/getIp."
> >
> > Our Security Director goes on to say the following:
> >
> > "Of course this is also a question of consent. Any users of the plugin
> should first have to consent to the privacy policy:
> https://www.leanlibrary.com/privacy-policy/item181 - which would be in
> conflict with deploying this automatically to lab computers. I have some
> issues with the privacy policy itself as well. It states:
> >
> > What information does Lean Library and The Extension NOT obtain?
> > Your security and privacy is our biggest priority. We are only
> interested in information or data that can help us deliver the best
> experience possible in saving you time while and optimizing your academic
> research. Therefore, The Extension does not store any information for other
> browsing activity such as activity on non-database webpage urls.
> > Maybe they aren't technically "storing" the fact that I visited a URL on
> reddit.com, but that visit still went to their server and was captured /
> analyzed *somehow*. It would be more accurate for them to say that they
> analyze all sites you visit to determine whether they are academic in
> nature, or something. But that would be a red flag."
> >
> > Thoughts?
> >
> > Tammy Allgood Wolf
> > Director of Discovery Services
> > ASU Library
> > Arizona State University
> > 480-965-1797
> > <leanlibrary-postrequest.jpg>
>
--
Tim McGeary
[log in to unmask]
GTalk/Yahoo/Skype/Twitter: timmcgeary
484-294-7660 (Google Voice)
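The thread above rests on two observations from a session capture: the extension POSTs the URL of every page visited (even reddit.com) to the vendor's server, and it repeatedly polls an endpoint to learn the user's IP address. Anyone asked to do the "independent code review and privacy audit" Eric calls for needs a repeatable way to confirm or refute such claims before a plugin goes on lab machines. The script below is an added example written for this page; it is not code from the thread, from Lean Library, or from any listed contributor. It reads a standard HAR export (what browser devtools save from the Network tab) and flags (a) vendor requests whose query string or POST body carries the hostname of a page the user visited on some other origin, and (b) vendor endpoints hit repeatedly within one capture. The vendor host `app.extension-vendor.test`, the `PING_THRESHOLD`, and every entry in `SAMPLE_HAR` are constructed for illustration; only the `?r=api/api/...` route shape mirrors what the thread describes.

```python
"""Audit a HAR capture for a browser extension phoning home with browsing activity.

Added example for this page, not code from the CODE4LIB thread or from
Lean Library. The vendor host, threshold, and sample entries below are
constructed/assumed for the demonstration.
"""
import json
from collections import Counter
from urllib.parse import unquote, urlparse

# Assumption: backend host(s) the extension under review is expected to contact.
VENDOR_HOSTS = {"app.extension-vendor.test"}
# Assumption: an endpoint called this many times in one capture counts as a "repeated ping".
PING_THRESHOLD = 3

# Constructed HAR fragment (only the fields this audit reads): the user opens a
# reddit page and an article, and the extension reports both URLs to the vendor
# while polling an IP-lookup endpoint three times.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.reddit.com/r/libraries/"}},
    {"request": {"method": "POST", "url": "https://app.extension-vendor.test/?r=api/api/check",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "url=https%3A%2F%2Fwww.reddit.com%2Fr%2Flibraries%2F"}}},
    {"request": {"method": "GET", "url": "https://app.extension-vendor.test/?r=api/api/getIp"}},
    {"request": {"method": "GET", "url": "https://app.extension-vendor.test/?r=api/api/getIp"}},
    {"request": {"method": "GET", "url": "https://app.extension-vendor.test/?r=api/api/getIp"}},
    {"request": {"method": "GET", "url": "https://scholar.example.edu/article/1"}},
    {"request": {"method": "POST", "url": "https://app.extension-vendor.test/?r=api/api/check",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "url=https%3A%2F%2Fscholar.example.edu%2Farticle%2F1"}}},
]}}


def _is_vendor(url):
    return urlparse(url).hostname in VENDOR_HOSTS


def _request_payload(entry):
    """Query string plus POST body, URL-decoded, as one searchable string."""
    req = entry["request"]
    parts = [unquote(urlparse(req["url"]).query)]
    post = req.get("postData", {})
    if "text" in post:
        parts.append(unquote(post["text"]))
    return "\n".join(parts)


def find_activity_leaks(har):
    """Vendor requests whose payload names a host the user visited on another origin.

    Returns a list of dicts in capture order: method, vendor URL, leaked host.
    """
    entries = har["log"]["entries"]
    visited = {urlparse(e["request"]["url"]).hostname
               for e in entries if not _is_vendor(e["request"]["url"])}
    visited.discard(None)
    leaks = []
    for e in entries:
        url = e["request"]["url"]
        if not _is_vendor(url):
            continue
        payload = _request_payload(e)
        for host in sorted(visited):
            if host in payload:
                leaks.append({"method": e["request"]["method"],
                              "url": url, "leaked_host": host})
    return leaks


def find_repeated_pings(har, threshold=PING_THRESHOLD):
    """Vendor URLs requested at least `threshold` times in the capture."""
    counts = Counter(e["request"]["url"] for e in har["log"]["entries"]
                     if _is_vendor(e["request"]["url"]))
    return {u: n for u, n in counts.items() if n >= threshold}


def audit_har_file(path):
    """Load a real HAR export from disk and run both checks on it."""
    with open(path, encoding="utf-8") as fh:
        har = json.load(fh)
    return {"leaks": find_activity_leaks(har), "pings": find_repeated_pings(har)}


if __name__ == "__main__":
    for leak in find_activity_leaks(SAMPLE_HAR):
        print(f"browsing activity sent to vendor: {leak['method']} {leak['url']} "
              f"carries visited host {leak['leaked_host']}")
    for url, n in find_repeated_pings(SAMPLE_HAR).items():
        print(f"repeated ping: {url} requested {n} times")
```

Run it against a HAR recorded while visiting a handful of unrelated, non-academic sites with the extension installed; a clean extension should produce an empty `leaks` list, and any non-empty result is the concrete evidence a vendor conversation (or a contract clause about what may leave the browser) can be built on. The hostname match is deliberately simple and string-based, so an extension that hashes or otherwise encodes visited URLs before sending them would not be caught by this check alone; that case needs manual inspection of the extension source or its decoded payloads.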