- This article considers potential roles for libraries & librarians on privacy issues, from the passive and reactive through to more radical and activist roles
- To protect
- To defend
- To be radical
- To lobby/advocate
- To negotiate
- To educate/train
- To provide a sanctuary or safe haven for private reflection
- To participate
- To debate
- To be a privacy watchdog or auditor
- To take on a leadership role
Privacy is one of the most commonly featured values in the codes of ethics of library associations around the world. Indeed (Lamdan 2015a) says that librarianship is one of the only professions that explicitly expresses privacy rights in its codes of ethics. (Shachaf 2005) undertook a study involving a comparative content analysis of the English versions of codes of ethics proposed by professional associations in 28 countries. The study yielded an empirically grounded typology of principles arranged in twenty categories. The most frequently identified principles were professional development, integrity, confidentiality or privacy, and free and equal access to information.
(Fouty 1993) says that library staff authorized for any level of access to online patron records should be thoroughly educated in local and federal data privacy laws. She raises the question of enforcing institutional privacy policies and legislation. Fouty says that sanctions for violating rules and regulations governing data privacy should be approved and upheld by the library’s administration, and clearly presented to staff in the strongest terms possible. Staff should be made aware that any deviations from acceptable procedure will be treated as serious violations, subject to discipline or even termination of employment.
(Fouty 1993) considers the enforceability of the law, pointing out that the confidentiality laws in five states – Colorado, Florida, Arizona, Michigan, and South Carolina – include clauses that define penalties for violating those laws. The American Library Association has gathered together the relevant state laws at http://www.ala.org/advocacy/privacyconfidentiality/privacy/stateprivacy. In the case of Michigan, The Library Privacy Act MCLS prec § 397.601 says that “the person identified may bring a civil action for actual damages or $250.00, whichever is greater; reasonable attorney fees; and the costs of bringing the action”; while in Arizona, Florida or South Carolina it could be a prison sentence of up to 90 days, although the 90-day figure is only applicable in South Carolina, and only where the person convicted has committed a number of offences. The Code of laws of South Carolina, title 60: Libraries, Archives, Museums and Arts says that someone can be “fined not more than two thousand dollars or imprisoned for not more than ninety days for the third or subsequent offense”.
I believe that the information profession needs to have a debate about the role of the librarian in protecting user privacy. Such a debate needs to go back to first principles to ask whether librarians have a role in protecting user privacy, and if so, what form that role should take. (Cooper 2016) did a survey in which participants were asked their views on the following statement: “Libraries should play a role in educating the general public about issues of personal privacy and data protection”. The overwhelming majority (78.6%) of survey respondents either agreed or strongly agreed with the statement, but 15.5% neither agreed nor disagreed with the statement, while 6% of respondents either disagreed or strongly disagreed with it:
- Strongly agree 40.5%
- Agree 38.1%
- Neither agree nor disagree 15.5%
- Disagree 2.4%
- Strongly disagree 3.6%
Even amongst those who do believe that librarians have a role to play in protecting user privacy, there is still the question of quite what that role should be. This could range from a more passive approach, simply protecting the personally identifiable information held about users – through to a more active approach in the form of lobbying and advocacy work; organising cryptoparties etc.
There are a number of potential roles that librarians can and do play. These are not mutually exclusive:
To protect
(Brantley 2015) believes that “Public libraries are among the last protectors of privacy in contemporary society”
(Fortier, Burkell 2015) reinforce the role of protecting user privacy saying that “Librarians have a professional responsibility to protect the right to access information free from surveillance. This right is at risk from a new and increasing threat: the collection and use of non-personally identifying information such as IP addresses through online behavioral tracking.”
To defend
(Mattlage 2015) (p76) considers the role of librarians defending the information rights of users: “Having special obligations to protect information rights means that information professionals must first of all take information rights seriously by defending them against countervailing pressures for more expedient public policies. It is the unique role of information professionals to be last to abandon the defense of these rights, even if this leads others—who do not have these special obligations—to perceive information professionals as unreasonable”.
Activism
Speaking of the privacy role of librarians in terms of activism is bound to be controversial. But it is interesting to observe the way in which librarians in America reacted to the repeal of the Federal Communications Commission’s rules requiring ISPs to adopt fair information privacy practices with regard to their customers’ data (Caldwell-Stone, Robinson 2017). These responses have included the use of encryption, of VPNs, and of the Tor browser to enable anonymous web searching.
To be radical
It is worth noting that people who identify themselves as being “radical librarians” seem to place a particularly high priority on ethical issues. (Clark 2016) says that “If we cannot (or do not) protect the intellectual privacy of our users, then we are failing as professionals”.
To lobby / advocate
In the United Kingdom, librarians across the whole range of sectors have for many years worked together through the Libraries and Archives Copyright Alliance (LACA) to lobby for fairer copyright laws from a user perspective. The present researcher believes that there is a real need for a similar organisation to lobby government for laws that are more respectful of user privacy.
(Lamdan 2015b) “As traditional keepers of information, librarians have innate roles as Internet advocates for their patrons”.
The advocacy function could also include promoting best practice within the profession.
An important role for librarians involves vendor management – from the initial selection of vendors, negotiating the right contract terms, through to continuous oversight of the contract once the agreement has been signed.
A key part of that work involves ensuring that the contracts they have with vendors provide adequate protection for user privacy. (Dixon 2008) “If libraries only chose vendors who had good privacy policies, the industry would have to change its standards in order to obtain library business”
(Magi 2010) Librarians have a long history of protecting user privacy, but they have done seemingly little to understand or influence the privacy policies of library resource vendors that increasingly collect user information through Web 2.0-style personalization features.
(Caro, Markman 2016, Magi 2010) list a series of questions librarians should be asking of their vendors, covering data breach policy, data encryption, data retention, the ease of use of the vendor’s terms of service, patron privacy, secure connections and advertising networks.
(McMenemy 2016) says that “We need to be careful of how many of our values we cede to software vendors to manage for us”
To educate/train
(Fifarek 2002) Libraries need to take an active role in educating users about protecting their privacy. Users should be educated as to what their privacy rights are and what privacy protections exist. Additionally, users need to understand that protecting their personal privacy requires them to make choices about what information they are willing to disclose in order to receive services.
Libraries are ideally placed to offer training on how users can protect their privacy (such as using browser add-ons and other tools; making full use of privacy settings within browsers etc.).
(Noh 2016) The library is the most general and representative organization that can promote digital inclusion. The public library, in particular, is one of the few organizations in the public domain that all citizens can use free of charge. Public libraries are accessible to citizens throughout the nation from all walks of life. As such, they are the ideal environment for studying varying digital levels of ordinary citizens.
(Jones 2014) p163 Libraries should seize this opportunity to play a major role in teen entrepreneurship, critical thinking, creativity—and the role of privacy in their digital lives. Libraries are well positioned to educate teens on how their personally identifiable information can be used to compromise their privacy and possibly hurt them at a job interview or other important events in their lives. The very technology that enables them so much creative freedom can also be used against them. With education on how their personal information is collected, and what they can do to protect their privacy, they will learn to make educated decisions and choices about their personal space.
To provide a sanctuary or safe haven for private reflection
(Johnston 2000) says that “Public libraries further fulfill an essential social role by providing public space which serves ‘as safe havens for private reflection and as meeting places for community functions’”
In Quad/Graphics, Inc. v. S. Adirondack Library System, 174 Misc.2d 291, 664 N.Y.S.2d 225 (N.Y.Sup., 1997) the court noted that a library was “a unique sanctuary of the widest possible spectrum of ideas [and] must protect the confidentiality of its records in order to insure its readers’ right to read anything they wish, free from the fear that someone might see what they read and use this in a way to intimidate them”.
To participate
If librarians are to protect the privacy of their users, it is essential that they take part in the formulation of privacy policies. A failure to do so would be an abrogation of their ethical responsibilities.
(Jones 2014) p159 All over the world people are concerned about government surveillance and corporate collection of their personal data. Now is the time for libraries to seize the opportunity to play a major role in this policy arena! Librarians and library associations from all cultures must collaborate in this work, since the concept and application of privacy principles varies from culture to culture.
It is indeed important for librarians to participate in the process of formulating privacy policies. (Esposito 2016) says that “Libraries have, with the best of intentions in the world, taken a strong position on privacy, and they have lost. They got the whole privacy thing all wrong. Rather than participate in the policies of their institutions and the many organizations that interact with them, they have abdicated their role and are now watching as their institutions are being colonized by commercial interests, which are no longer answerable to libraries”.
To debate
(McMenemy 2016) says that “If we cannot debate important issues such as privacy and freedom of expression within our profession, we will lose our moral authority on them”.
To be a privacy watchdog or auditor
(Johnston 2000) “By accepting the existence of new privacy threats within the institution, it becomes possible to see an important new role for librarians. By building on such traditional responsibilities as evaluation of sources, monitoring of information systems, and keeping abreast of new tools or changes in old ones and addressing internal and external information flows, the librarian could become something akin to a privacy watchdog or auditor”
To take on a leadership role
(Fernandez 2010) recommends that librarians take a leadership role in the public debate on privacy: “After determining that libraries should have a presence within a social networking site, they can take a leadership role in promoting awareness and engagement on the issues surrounding information literacy and privacy.”
(Lamdan 2015a) believes, more specifically, that librarians should lead a campaign to urge Internet social media companies to include Privacy by Design principles in their user agreements.
Privacy by design originates from a report on “Privacy enhancing technologies” from the Information & Privacy Commissioner of Ontario, Canada, the Dutch DPA Authority and the Netherlands Organisation for Applied Scientific Research in 1995. The foundational principles are:
- Proactive not reactive; Preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/av/av11.pdf (revised edition of “Privacy enhancing technologies: the path to anonymity”, 2000).
Magi (2013) says “As a former marketing professional, I know the importance of occupying a unique position in the marketplace—of finding something that sets your organization apart. More than ever, libraries hold a unique and critically important place in the information landscape. I can think of few other information providers that do what libraries do: provide a broad range of information, make it accessible to everyone regardless of means, while embracing the ethical principle that our users’ personal information is not a commodity to be traded or sold. Our commitment to user confidentiality is rare and special, and it’s a characteristic that research tells us is important to people. That means it’s a competitive advantage, in the same way that reliability of its cars has been a competitive advantage for Toyota. I believe it’s essential that we work to preserve that competitive advantage, both because it’s the ethical thing to do, and because it’s a practical way to stay relevant.”