Securing Public Access PCs Without Shutting Out Users

Serve users without sacrificing safety, privacy, or sanity

By: Jessamyn West

January 26, 2006

Editor's Note:

This article, originally published on Web Junction, was written for librarians, but the advice is appropriate for any organization with public computers, including CTCs.

The trouble with providing public access computing in a public library setting is, of course, the public. Though we have the occasional tussle with spyware, unintended porn, or casino links on the staff computers, we wage an almost daily war with our 15 public access computers. Since we are a small library with no full-time systems librarian, troubleshooting computer problems is left to the head of circulation with the assistance of reference staff and sporadic visits from a local computer consultant. While this is not an ideal situation, it's what we've got.

Since we still have an obligation to protect the privacy of our patrons, the online safety of our youth users in particular, and the sanity of our staff members, we have a lot of work to do with few resources and little time. This article contains some accumulated wisdom and knowledge from our situation to hopefully assist you in working with yours.

This article assumes that you have public access computers in your library that may or may not have Internet access. It also assumes you could possibly use some help getting the larger system of public access computing running more smoothly in your library. This article deals more with the nuts and bolts of policy than the realities of specific software and hardware configurations.

Start with Sanity: The Five W's of PACs

If you can lead with a good system to begin with, you don't have to make as many mid-course corrections. Not having to constantly put out fires leaves staff free for miscellaneous other librarian jobs, and keeps them happier. Maintaining a networked computer system can easily take up all of one or many staff members' available time. Here are some guidelines for using the time that is available appropriately and judiciously. The recipe for sanity is a well-thought-out system that is implemented with competent leadership and adjusted using solid feedback mechanisms.

Who Staffs Them.

Decide who is going to administrate all duties related to PACs up front. None of these jobs will be taken care of by patrons. Some may be able to be done by volunteers. Some of these jobs can be automated, but many can't. Keep in mind that ensuring that these jobs are done is, itself, a job.

What Needs to be Done.

All duties include turning computers on and off daily, regular maintenance, emergency maintenance, cleaning monitors and mice, upgrading and replacing hardware and software, and staffing in whatever way the library feels is appropriate. Be sure to include time for troubleshooting problems, shopping for equipment, supervising people doing these jobs, giving feedback on how well the system is working, and reporting on progress and problems to the necessary people.

The task of maintaining a public computer network is much different than maintaining a home computer and needs to be approached more seriously. While you probably know what is on your home computer, make sure you have an inventory of what operating systems, software (including version numbers) and networking configurations are on each different computer at your library, including staff computers. An inventory list can be combined with a maintenance log so you can keep track of who fixed what, and when.

When This Needs to Happen.

These jobs should be placed on someone's regular work schedule and done frequently enough to avoid problems. They take time. Patrons should not have to deal with home pages that revert to Windows Update, pop-ups telling them to upgrade their virus software, or Web pages that do not function because the browser they are using is several years old. All of these are easily preventable problems.

Where This Needs to Happen.

The more maintenance work you can do on the PAC while the library is closed, the better. If your library has determined that having computers is a patron right and not a luxury, you should not be surprised when people begin to rely on them and expect them to be functional when the library is open. Be clear about what patrons can and can't expect, and offer alternatives when possible if maintenance or outages make computers unavailable.

When Things Go Wrong.

A system with as many moving parts and interconnected systems as a PAC environment can be assumed to have troubles from time to time. With luck, this will happen less often if the system is well maintained. Any system is easier to maintain when it's working properly. Make sure you have procedures in place for reporting outages both internally and externally, reporting software and hardware malfunctions, alerting patrons to outages and problems, notifying staff of any odd new changes to the computing environment, having staff notify you if there are problems that can't be fixed immediately, and getting necessary updates for virus and spam filters. Try to not have staff reiterate tired "computers are hard and confusing" mantras when things don't work right. Your patrons, rightly or wrongly, see you as the experts and will take cues from you. Be in control of the situation.

If you do only one thing in this article, make sure you have a plan for what to do if things go wrong. Keep in mind that all of this planning takes place before the patrons even enter the picture...

Safety and Privacy: Two Sides of the Same Coin
Five T's To Think About

We have to protect our computers from our users while we try to protect our users from our computers. At the same time, we must protect our users and our computers from unwanted intrusions and spying, from both strangers and people we know. In your role as librarian superhero, here are some foes you must learn to vanquish, starting from the easy to the complicated.

Time.

Unless you are a very small library with some very tame patrons, you will need to manage the shared time that is available on your computers. I generally think that any system is preferable to no system, and that a system that you can explain in less than 20 seconds is preferable to one that may seem fairer, but is complicated to explain. As an example, here is the current state of our public access system:

We have five OPAC (Online Public Access Catalog)-only computers that can also search our Web site and our online databases. We have one stand-alone word processor and one stand-alone kids' games computer, both without Internet or sign-on screens. We have four patron-only computers that have Internet and word processing. Three are one-hour computers; one is a 15-minute express terminal. We have five computers available for patrons or non-patrons. Four are one-hour computers; one of them is filtered for children or anyone preferring a filtered Internet experience. One computer is a fifteen-minute express computer. All computers require logins. If you are a patron, your login is your library card number and PIN. If you are a non-patron you need to get a temporary login from me.

It's a mouthful. We have a system that evolved over time as the library got more computers and different ideas of what to do with them. To be fair, it used to be worse. At our library, computer users get a warning when their time is running out, but otherwise they are on their own as far as keeping track of time and queuing for computers. (Having the software time your patrons beats having someone with a master's degree doing it!)

Thoughtlessness.

Do you have an Internet use policy at your library, or a privacy policy? Are they on your Web site? Make sure your users see them and agree to them every time they use the computer. Time management software often lets you insert a screen before the computer is "unlocked" where users can agree to the library policies. This may not keep patrons from using the computers inappropriately, but it makes enforcement a more cut and dried proposal. Similarly, if your patrons are free to view material that other patrons may not want to look at, invest in some privacy screens for your monitors and try to arrange computers so that you strike a balance between total anonymity and reasonable boundaries between patrons.

Thwarting Access.

I would certainly prefer to live in a world without Internet filtering, but CIPA and the Weird Wide Web have made thinking about filters a necessity. If your library has mandated the use of filters, make sure you know why. Make sure you know what needs to be done to bring your library into compliance with CIPA or with other local regulations. Decide if you want to meet the spirit or the letter of the filtering regulations, since they are often different. See if you can use a filter with a customizable blacklist, or a blacklist that your staff can access. Choose a filter where you can whitelist pages that are errantly blocked or disable the filter entirely if a patron requests it. Make sure you understand why pages are blocked so that you can explain that to patrons.

To Lock Down or Not to Lock Down.

As much as we like our patrons, we can't trust all of them to not test the limits of our systems. A proactive approach to security, optimally one that restores a computer to the same state for the next patron, is a good way to prevent both privacy and security issues. The more locked down a computer is, however, the less it behaves like a computer your user might recognize, so choices have to be made concerning how far you want to go down that path. Do you want users to be able to save documents onto the hard drive? The A drive? A CD? A Zip disk? Should they be able to right-click, restart the machine, use their own headphones, or bring their own software? These will all come at a price.

Trails and Breadcrumbs.

Any data that your users leave on a public computer after they leave could potentially be used by other users (such as email logins or credit card numbers), discovered by other users (such as bookmarks to porn or casino sites, or resumes) or made available to law enforcement, should they desire it. Assuming your patrons are using the computers primarily for Internet browsing and word processing, here is an incomplete list of places where personal user data can hide that you should be aware of:

Cookies. These can be set so that they're on during a session, and cleared after it.
Bookmarks. Ditto. These can also be restored to a default set of library bookmarks.
Home page. If your library has a home page, it should be the fixed default page on your browsers, unless you have a start page already configured.
Browser cache. There is no reason to keep a cache, unless you do not know how to get rid of it. Make sure you delete the cache for any browsers patrons might use, not just for the primary browser.
History. Set this to zero days, and make sure it's clear after each session.
Hosts file. Many browser hijacks corrupt the hosts file. This can be write-protected or rewritten with a clean copy each session.
Start menu. My Recent Documents on the Windows Start menu stores the names of the last 10 or so files accessed. This can be locked down or cleared each session.
Most recently used files. Same as above, for users of Word or other Microsoft applications.

Make sure your browsers are not set up to auto-fill forms, save passwords, or even, if you can avoid it, auto-complete URLs. Make sure there's no default user's email address configured. It's less than perfect if users can't click mailto links to send email, but it's better than users sending email from your library's email address.
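
A per-session reset covering the cache, history and hosts-file items from the list above, as an added example that is not part of the original article. The directory and file paths are assumptions passed in by the caller (real browser profile locations vary by browser and Windows version), and the sample data in demo() is constructed.

```python
import shutil
import tempfile
from pathlib import Path

def parse_hosts(text):
    """Map each hostname to its IP, ignoring comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        ip, *names = line.split("#", 1)[0].split() or [None]
        entries.update((n.lower(), ip) for n in names)
    return entries

def restore_hosts(live, clean):
    """Report entries that differ from the clean copy, then rewrite the live file."""
    baseline = parse_hosts(clean.read_text(errors="replace"))
    current = parse_hosts(live.read_text(errors="replace")) if live.exists() else {}
    changed = sorted((h, ip) for h, ip in current.items() if baseline.get(h) != ip)
    shutil.copyfile(clean, live)  # rewrite every session, tampered or not
    return changed

def wipe_contents(directory):
    """Delete everything inside a per-session directory but keep the directory."""
    items = list(Path(directory).iterdir())
    for item in items:
        if item.is_dir() and not item.is_symlink():
            shutil.rmtree(item)
        else:
            item.unlink()
    return len(items)

def reset_session(session_dirs, live_hosts, clean_hosts):
    """Run between patrons; paths are caller-supplied assumptions. Returns a log record."""
    wiped = {str(d): wipe_contents(d) for d in session_dirs if Path(d).is_dir()}
    return {"wiped": wiped, "hosts_changes": restore_hosts(Path(live_hosts), Path(clean_hosts))}

def demo():
    """Constructed sample: a kiosk profile with leftovers and a hijacked hosts file."""
    root = Path(tempfile.mkdtemp())
    cache, history = root / "cache", root / "history"
    for d in (cache, history):
        d.mkdir()
        (d / "leftover.dat").write_text("patron data")
    clean, live = root / "hosts.clean", root / "hosts"
    clean.write_text("127.0.0.1 localhost\n")
    live.write_text("127.0.0.1 localhost\n203.0.113.9 www.example.com  # added by hijacker\n")
    report = reset_session([cache, history], live, clean)
    return report, live.read_text(), sorted(p.name for p in cache.iterdir())

if __name__ == "__main__":
    print(demo())
```

The returned record lists any hosts entries that were not in the clean copy, which is worth writing to the maintenance log so that repeated tampering on one machine gets noticed.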

Wrapping Up: Setting a Proper Tone

Of course, if you really want to test your security system, let a bunch of 15-year-olds use it for a few hours and see what sort of hijinx ensue. Short of that, keep track of problems or issues as they come up, and encourage your users to let you know when something isn't working correctly. Make them part of your troubleshooting system -- since they use the computers all the time -- and you can get early warnings of small issues before they become big problems.

A successful PAC system should "just work" most of the time and, at the same time, not make users sad, frustrated, or horrified. Things will sometimes go wrong, but with proper foresight and regular maintenance, really ugly mishaps or glaring privacy invasions should be avoided or at least minimized.

Additional Resources

Windows SteadyState

How to Use Windows SteadyState on Your Public Access Computers

Patron Computer Software Comparison Chart

Disk Protection Software Installation Tools and Techniques