Universitätsbibliothek
Dr. Andreas Sabisch
FU Berlin Universitätsbibliothek
Garystr. 39
13469 Berlin andreas.sabisch@fu-berlin.de

Agenda …
Motivation for this investigation
Webcommunication for dummy's
Examples of third parties communication:
What to do
Andreas Sabisch
2

 We must protect the digital privacy of our patrons
 EU laws, national laws, university rules
 question from patrons, university boards, secure research, …
 We (especially in Germany) have to describe how we deal with the patrons data



Data protection rules describtion (Datenschutzerklärungen)
Avoid data producing, storage and propagation
Right of informational self-determination (BVerfG) (Recht auf informationelle Selbstbestimmung)
 We have a monopol with our library systems
 loan, EZ-Proxy access, course material,…
 How we can do this



Analysis
Describtion
Avoid
Andreas Sabisch
3

Andreas Sabisch
4

 What is in an webserver-log: the apache log file





130.133.152.192 - - [10/Apr/2014:09:16:44 +0200] "GET /docs/images/poweredby.gif HTTP/1.1" 200 2376 "http://160.45.152.195/docs/content/below/index.xml" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
IP of the requested host:
130.133.152.192
When:
10/Apr/2014:09:16:44 +0200
What (request):/ docs/images/poweredby.gif
Technical information: Success-code and Transfered volume :
200 2376
Where comes the request from (refferer) : http://160.45.152.195/docs/content/below/index.xml"

 (Browser)information:
"Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
 Recognition from the webserver: the cookie file
 Cookie Textfile





Name: JSESSIONID
Value: 7AE6B0776E8F4D75BAC8B46189F419FB
HOST: primo.kobv.de
PATH: /primo_library/libweb
Sending for: Each connection type
Valid until: End of session 


Just the webserver which send the cookie can read it.
But each third party, which involved in the request, can set a cookie
 Flashcookies – hard to detect, no example found yet in an library enviroment
 Scripts, which send additonal information
Andreas Sabisch
5

 Loggin one request is a pice of information
 Logging a lot of request give a story line
 Logging a lot of request from different server give the whole live
 Thats what Google and Co. will do


To X-ray one person (i.e to give you personalized services and advertising)
To get statistical evidence for a whole group (i.e. people, who are interested in this, are interested in this as well)
Andreas Sabisch
6

 Professionell tools
 tcpdump für automatic processing
 Wireshark with graphical interface
 Analysies with Wireshark (suggestion for profis)
•
•
•
Create a filter (Broadcast/own IP; just TCP or http...)
Doing one action in the browser, start with analyse. If necessary, repeate
Anaylse a whole session is a hard work. You can do this best, if you check for special issues in this session, i.e. which hosts will participate in this session.
 Browsertools (for a quick glimpse)
•
• i.e. Firefox => Extras-> Webtools ->Network; limit to http, no TCP und
TLS connection
I will use this Browsertools for some examples
Andreas Sabisch
7

dbs.pixel.hbz-nrw.de : DBS Tracking bug legal, describe
Recommander.bibtex.de :
Bib tip recommander System legal, but not describe
Andreas Sabisch
8

RSS-Feed from our library block ajax.googleapis.com
Formating from rss to jason
Andreas Sabisch
9

Blocking Google: no information any more
Andreas Sabisch
10

Andreas Sabisch books.google.com
exlibris-pub.s3.amazonaws.com
images.amazon.com
11

Andreas Sabisch recommande-bx.hosted.exlibrisgroup.com
bX service, integrate in Primo beacon01.alma.exlibrisgroup.com
A tracking bug from ExL no description available
12

Andreas Sabisch
Imagic17.247realmedia.com
metric.sciencemag.org
now.eloqua.com
www.google-analytycs.com
13

 Check with tools for third party request
 Test the functionality of your site with blocking the request
 Remove the third party request


With other/own functions
By comment out in code or websites
With help from your provider (i.e. ExL) 
 Describe necessary third party request for your patrons; includes data protection policy of the third party
 Describe users possibility to protect their data
 Help users with a proxy server (i.e. the university computer department)
Andreas Sabisch
14

 Blocking programms like Adblocker or Ghostery
 Pro: selected third party requests
 Contra: Lack of functionalyties
 Using proxie server
 Opt-Out Option – Data protection law conform (Datenschutzkonforme
Herangehensweise) but much efford
 Thor – anonymous surfen
Andreas Sabisch
15

 We must accomplish a ‚Opt in‘ culture
 Core functions must be in data save structures
 Add ons must be choosen by the patrons with knowledge of third partys involved (Opt in process)
 The library infrastructure and systems must support this strategy
Andreas Sabisch
16

 Modern library software include often third party requests
 Third party get information about your patrons via refferer information
 This violate the patrons ‚right of informational self-determination‘
 Analyse your software enviroment
 Try to be law-conform: Avoid or describe
 Long term: accomplish a ‚Opt in‘ culture
Andreas Sabisch
17

 Each http-requests give information like ip-adress and referrer to the websever they are requested
 A website includes very often requests to third parties. This requests will send the same information to third party server and is nearly unvisible to the user
 We, as the provider of the library systems, are responsible for the data privacy policy for the users of our systems
 We must take care about the sending of user data to third parties and should always use options for a save privacy policy
 To do this is important to give our users the rights to their private data back (in german: ‚Bewahrt das Recht auf informationelle
Selbstbestimmung‘)
 Thanks to Dr. Voss, HU and Uwe TU, who found the back tacks of hosted.exlibris.com and give the impulse for this investigation
Andreas Sabisch
18