Who is behind LibraryVPN?

LibraryVPN is an IMLS funded project. It is being developed by a partnership of libraries including the Lebanon Public Libraries, the Westchester Library System, and T.J. Lamanna (of the Cherry Hill Public Library) working with LEAP. This software is free and opensource, so anyone who wishes to can install it and run it free of charge. We are currently investigated the possibility of a hosted version of this software for libraries that wish to use it, but don’t want to host it for themselves.

Can We Run LibraryVPN if We Do Not Have IT Staff?

We would not recommend hosting LibraryVPN without dedicated IT staff. However we are hoping to have a hosted version available in the future so that all libraries can take advantage of their software to protect their patron’s privacy.

Will Everyone on the Library Network Use the VPN?

No, your existing library network will not be affected. Only people who choose to connect through the VPN client will use the VPN.

Why Should I Use a Vpn?

Virtual Private Networks (VPNs) protect your online traffic by creating a private tunnel between your computer and a VPN server. The internet traffic appears to orginate at the VPN server, and all that anyone who is sniffing network traffic can see is the encrypted connection. This helps those who are traveling, who are using public WIFI, or who want to avoid surveillance from their Internet Service Provider. Many mainstream sources such as the Freedom of the Press Foundation, the Wall Street Journal, and the Electronic Frontier Foundation all agree that using a VPN is an important part of maintaining privacy and security on the internet today.

Why Is This the Library's Role?

Library VPN brings together two ideas that are both widely accepted in modern library practice. 1. Libraries should work to protect patron privacy 2. Libraries host online services for their patrons

Libraries have long worked to protect patron privacy. Librarian sometimes refer to this as the “Freedom to Read”, but this extends far beyond physical books. We care about people being able to exercise their intellectual freedom when accessing information, regardless of the form that information takes. We know that surveillance can chill intellecual freedom, so we work to protect privacy for our patrons. This is in the American Library Associations values.

Libraries also are a way for communities to access resources which might be out the reach of many in the community. These resources might be academic journal subscriptions, newspapers, or streaming video and e-book subscriptions. As we move increasingly online, this is becoming a bigger part of library services and budgets.

LibraryVPN combines these two ideas. It is a way for a library to host a VPN which normally costs money for its patrons to help them protect their privacy while online.

Why Do We Need a Vpn? Isn't Https Enough?

HTTPS is very important for security. It provides end to end encryption of your content. You can think of this like an envelope on a letter. Unlike a postcard (http), people can no longer read the contents, but they can still find out lots of information (metadata) such as who is sending the information, who they are sending it to, and how much the two are talking.

In contrast, a VPN provides an encrypted tunnel that all the web traffic passes through. All anyone who is listening can tell is that traffic is going to a single server (the VPN server). They can’t tell anything about its final destination, or how many sites the person is visiting. Additionally, the web server at the other end sees all the traffic as originating with the VPN server rather than the individual. This provides a measure of anonymity that can prevent tracking from site to site and violating your privacy against your wishes.

What Is Wrong With Current VPN Offerings?

There are several problems with current VPN offerings.

First, all reliable VPN solutions require a monthly fee. This puts them out of reach of those who are most vulnerable to exploitation. They are already in the position of using publicly available internet connections which puts their security and privacy at risk, and because of their financial circumstances they cannot take advantage of the technology which can protect them.

The second problem is that using a VPN requires people to place their trust in whatever VPN company they use. Some (especially free solutions) have proven not to be worthy of that trust by leaking or even outright selling customer data or containing malware. These companies are taking advantage of vulnerable populations who are unable to afford more expensive solutions or who do not have the knowledge to protect themselves. This creates a situation of only having security and privacy available to those who can afford it and have the knowledge to protect themselves.

What Are Potential Risks to running LibraryVPN?

If you are self-hosting LibraryVPN you should be aware that anything a patron does while connected to the VPN will appear to come from your IP address. This is already the case when patrons use a libraries public internet or WIFI so this shouldn’t be too big of a change for libraries. Like when patrons use the public wifi available within the library, they may decide to do bad things while using the library’s VPN connection. If this happens the library may be contacted by law enforcement or recieve DMCA takedown notices if the VPN connection is used to pirate content.

We believe that libraries qualify for the safe harbor provision of the DMCA, so your library should not be liable for this abuse of your network. However, this does not constitute legal advice and your library should consult with your legal counsel to decide if this is an accetable risk to your institution. Please note, that anyone could already do these things since libraries provide public internet and wifi. This isn’t unique to VPN’s. The only difference is that now they will be able to do it from outside of range of library wifi.

Does This Replace Patron Education for My Library?

No! The best security has many layered. Patron education is absolutely essential. The best tools in the world won’t keep you from getting compromised if you try hard enough. Education is the base of all security so please keep doing that! A VPN is another tool in your patron’s security tool belt, like updates, backups, and using https. All of them are important, and when they work together, they are far stronger than any of these measures are individually.