Text of a talk on library privacy (from April 2017) for CILIP Hants & Wight branch

Online privacy – Winchester (CILIP Hants & Wight)

  1. Introductory comments
  2. Ways privacy is relevant to the work of information professionals
  3. Can we extend user protections into the digital space?
  4. And if so how?
  5. Role librarians could/should play
  6. Types of data breaches involving libraries and their suppliers and their causes
  7. How to minimize the risks
  8. Practical steps. Examples of good practice

    Introduction

There has been a shift over the last four decades towards delivery of library services electronically, using integrated library management systems, ebook platforms, RFID technology, self‐service issue systems, online databases, and discovery services. Many libraries utilize cloud computing.

Another dimension is the way in which users access services on their own devices and/or access library services remotely, whether from home or elsewhere, rather than doing so solely on equipment provided by and located within a bricks-and-mortar library.

As libraries have relied more heavily on digital services, the challenge for librarians of being able to protect patron privacy has grown exponentially because of the complex ecosystem which has developed involving libraries, vendors, and third parties.

Third parties:

  • Marketing and business intelligence
  • Market research firms
  • Collectors of metrics of research impact
  • Collectors of general information on consumers

Analytics providers

  • Plum analytics (bought by Elsevier in 2017)
  • Clarivate analytics (Elsevier)

It is imperative that user privacy is extended beyond interactions with physical libraries, and this may require extensive programming and cyber security expertise.

Increasingly long and complex supply chain of third party suppliers

Increased outsourcing, offshoring, storage of data in the cloud

Problem – potential harm from secondary use of information along the supply chain

Problem – possible breaching of privacy expectations and confidentiality in passing information within the supply chain

In the course of normal Internet browsing, for example, the user may be under the impression that he or she is visiting and transacting with just one information provider or website at a time. In truth, a user may be sharing information with dozens of third parties while visiting just a single website. (The Firefox add-on Lightbeam is a useful tool to visualise precisely which sites have had access to your information, both in terms of the sites you have visited AND the third parties who have also had access to your information.)

  2. Ways in which privacy impacts the work of librarians

  1. Reading and borrowing histories (and how long they are held)
  2. Personalisation features in online databases (alerts, saved searches etc)
  3. Librarian bloggers venting publicly on their blogs about their interactions with patrons
  4. Use of web analytics tools on library sites
  5. Use of “enrichment”/book covers on the library catalogue

I want to look in a bit of detail at these five examples, but in addition to the five that I will be looking at, there are plenty of other examples, such as:

  • RFID tracking
  • Ebook borrowing activity, and whether this is visible to outside vendors
  • Communications between patrons and library staff
  • Internet browsing histories

Example 1: How long do you retain loan history data?

  • Is it forever?
  • Is it for the default period used by your library management software provider?
  • Is it never (i.e. as soon as an item is returned, the record is erased)?

Ultimately, ask yourself whether the information is held for longer than is strictly necessary.

Do your users get a choice as to whether, and for how long, their reading history is retained?

Example 2: Online databases and personalization

Many online databases try to help users by providing a number of personalization features. However, this involves a trade-off with user privacy. In order to personalize the service, to tailor it to their needs, it inevitably needs to know the user’s identity. Otherwise, they would get the generic, standard service. A lot of people are happy to give up some of their privacy in exchange for a more tailored service. They want convenience. And that is absolutely fine, provided that the user is making an informed choice.

Think of the online databases that your institution subscribes to. Do you or your users:

  • Create saved searches that you can run as required
  • Create alerts so that users are automatically informed of new material matching their interests
  • Make use of personalization features such as a list of companies whose share price you monitor, or the industry sectors and sub sectors that you monitor regularly
  • Bookmark articles of interest
  • Annotate items

Are library staff confident that the database vendor will keep this information secure? If so, what makes you so sure? Did you cover that in the contract negotiations? And do you monitor that vendor on an ongoing basis, to see that they are living up to what they promised in the contract?

Imagine you are a corporate librarian. What if that sort of information gets into the wrong hands? It could tell a lot about you and your organisation – the companies you are looking at as part of considering potential acquisitions; the product development work you are currently undertaking for a highly secret project on a new product idea and so on and so forth.

Example 3: Use of “enrichment”/book covers on the library catalogue

Content embedded in websites is a huge source of privacy leakage in library services. Cover images can be particularly problematic. Without meaning to, many libraries send data to Amazon about the books a user is searching for; cover images are almost always the culprit.

Eric Hellman points out two indications that a third-party cover image is a privacy problem. They are:

  • the provider sets tracking cookies on the hostname serving the content.
  • the provider collects personal information, for example as part of commerce.

Marshall Breeding has also written about the privacy implications of book covers and social sharing:

  • Example: the presentation of cover art in the catalog can expose patron search behavior to Amazon
  • It can enable tracking cookies to be deposited in the user’s browser
  • Vendors are increasingly aware of this issue and proxy or cache images to avoid the privacy issue

See Eric Hellman “How to check if your library is leaking catalogue searches to Amazon”

“I’ve come to realize that part of the problem is that the issues are sometimes really complex and technical; people just don’t believe that the web works the way it does, violating user privacy at every opportunity.” (Hellman, 2016: How to check if your library is leaking privacy, https://go-to-hellman.blogspot.co.uk/2016/12/how-to-check-if-your-library-is-leaking.html, 22nd December 2016)

His blog post gives details of how you can tell if your library is sending Amazon your library search data.

Example 4: Librarian bloggers venting publicly on their blogs about their interactions with patrons

One area where librarians need to take particular care is over the genre known as “RefGrunt”. This refers to the genre of blogging/writing where librarians vent publicly about their interactions with patrons. It is named after a blog that a librarian kept for about a year in the early 2000s.

Sally Stern-Hamilton, using the pseudonym Ann (Miketa, 2012) wrote a book entitled “Library diaries”. It led to newspaper stories with titles such as “Ludington librarian fired over tell-all novel says her First Amendment rights were violated”.

The book chronicles the unsavory characters who visit the local library in a place she called “Denialville”. From the introduction: The Library Diaries: “After working at a public library in a small, rural Midwestern town (which I will refer to as Denialville, Michigan, throughout this book) for fifteen years, I have encountered strains and variations of crazy I didn’t know existed in such significant portions of our population.”

The publisher’s description said: “Open this book and you’ll meet the naked patron, the greedy, unenlightened patrons, destination hell, horny old men, Mr. Three Hats, and a menagerie of other characters you never dreamt were housed at your public library.”

Risk of being dooced

What people post on social networking sites raises privacy concerns. Indeed these can have severe consequences, such as someone being “Dooced” (that is, dismissed from their employment because of what they have written on a website or blog).

(Farkas, 2007) said, so far, I know of only one library worker who was fired for negative comments about patrons that he had written in a blog community, but I’m sure clashes between bloggers and administrators will become more commonplace as the blogosphere expands.

However, even at the time Farkas was writing there had been other instances of librarians losing their jobs as a result of what they had posted on their blogs. There is a case from 2005 of a librarian from New Zealand, bizgirl. She wrote posts mentioning her work colleagues. She received a series of warnings regarding her blog.

People didn’t like what was being said about them, and even though it was anonymised, they could still tell it was them.

One commentator at the time said that it does seem silly to keep blogging things that can get you into trouble when people you work with know about your blog. I guess the feeling is that if you calm down at first, they’ll forget about it. But it seems that once people know that you are writing about them, vanity assures they will constantly check. People want to know what you are saying about them.

Example 5: Use of web analytics tools on library sites

Marshall Breeding undertook a survey of academic and research libraries. Using the Ghostery plug-in for Chrome, all tracking mechanisms detected on the library website, online catalog, or discovery interface were noted. (Breeding, 2016)

  • Google Analytics
  • Ajax search API
  • Google AdSense
  • Google Translate
  • Google Tag Manager
  • DoubleClick (owned by Google)
  • Yahoo Analytics
  • Adobe Omniture Analytics
  • Adobe Tag Manager
  • Adobe TypeKit
  • Facebook Connect
  • Facebook Social Plugin
  • Twitter Button
  • AddThis
  • Piwik Analytics
  • Crazy Egg
  • WebTrends
  • New Relic
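
Added example (not from the talk, nor from Hellman's or Breeding's posts): a small Python audit of the embedded-content leaks described in Examples 3 and 5. It lists every resource a catalogue page makes the browser fetch from a third-party host and how much of the page URL the Referer header would reveal to that host; the page URL, hostnames and HTML are constructed placeholders, and the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute the browser fetches automatically on page load.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
# <link> only triggers a fetch for these rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch"}


def referrer_exposure(policy):
    """What a cross-origin HTTPS request tells the third party about the page URL."""
    if policy in ("no-referrer", "same-origin"):
        return "none"
    if policy in ("origin", "strict-origin", "origin-when-cross-origin",
                  "strict-origin-when-cross-origin"):
        return "origin-only"
    if policy in ("unsafe-url", "no-referrer-when-downgrade"):
        return "full-url"  # includes the ?q=... search terms
    # No policy declared: the browser default applies. Older browsers send the
    # full URL; current ones trim it to the origin.
    return "browser-default"


class ResourceCollector(HTMLParser):
    """Collects (tag, url, referrer policy) for every auto-fetched resource."""

    def __init__(self):
        super().__init__()
        self.page_policy = ""
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.page_policy = a.get("content", "").strip().lower()
            return
        url_attr = FETCHING_ATTRS.get(tag)
        if url_attr is None or not a.get(url_attr):
            return
        if tag == "link" and not (set(a.get("rel", "").lower().split()) & FETCHING_RELS):
            return
        # A per-element referrerpolicy attribute overrides the page-wide <meta>.
        policy = a.get("referrerpolicy", "").strip().lower() or self.page_policy
        self.resources.append((tag, a[url_attr], policy))


def audit_page(page_url, html, first_party_suffixes=()):
    """Return one finding per resource fetched from a host the library does not run."""
    trusted = (urlsplit(page_url).hostname,) + tuple(first_party_suffixes)
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw_url, policy in collector.resources:
        url = urljoin(page_url, raw_url)  # resolves relative and //host/ URLs
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: URIs and the like cause no network request
        host = parts.hostname or ""
        if any(host == s or host.endswith("." + s) for s in trusted):
            continue
        findings.append({"tag": tag, "host": host, "url": url,
                         "referrer": referrer_exposure(policy)})
    return findings


# Constructed sample: a search-results page with third-party covers and analytics.
PAGE_URL = "https://catalogue.library.example/search?q=living+with+depression"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/opac.css">
<link rel="canonical" href="https://union-catalogue.example/record/42">
<script src="https://analytics.tracker.example/collect.js"></script>
</head><body>
<img src="/covers/9780141439518.jpg">
<img src="https://covers.bookseller.example/images/P/0141439513.jpg">
<img src="//img.enrichment.example/isbn/9780141439518-M.jpg" referrerpolicy="no-referrer">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""
# Constructed sample: the same page with covers proxied through the library's hosts.
PROXIED_HTML = """
<html><head><meta name="referrer" content="same-origin">
<script src="/static/stats.js"></script></head><body>
<img src="/cover-proxy/9780141439518.jpg">
<img src="https://cdn.library.example/cover-proxy/0141439513.jpg">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(PAGE_URL, SAMPLE_HTML):
        print(f"{f['tag']:<7}{f['host']:<28}referrer={f['referrer']}")
    clean = audit_page(PAGE_URL, PROXIED_HTML, first_party_suffixes=("library.example",))
    print("proxied page, third-party fetches:", len(clean))
```

Even with the referrer suppressed, a cover URL that embeds the ISBN still tells the image host which title was displayed, which is why the proxied version fetches covers from the library's own hosts.
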

  3. Can we extend user protections into the digital space?

Yes, but it isn’t necessarily easy or straightforward, and it doesn’t just happen automatically:

  • Negotiating privacy clauses in vendor contracts
  • Choosing vendors who respect privacy
  • Using https:// encryption
  • Using secure forms of authentication (for example, if you are using SIP2, are you sending the requests through an SSH or VPN tunnel/stunnel?)
  • Regularly checking your institution’s information security (network penetration testing, using “ethical hackers”)
  • Contractual language requiring vendors to warrant that there is nothing that would allow a third party to access their institutional data.

  4. If so, how?

(Lynch, 2017) looks at the ecosystem that has evolved for scholarly journals involving a whole range of players including platform providers, various publishers’ websites, authors, readers, traditional publishers, libraries, third parties, and analytics providers.

“Whenever a third party has access to personally identifiable information, the agreements need to address appropriate restrictions on the use, aggregation, dissemination and sale of that information, particularly information about minors” (Jones, 2014a).

Agreements between libraries and vendors should specify that libraries retain ownership of all data; that the vendor agrees to observe the library’s privacy, data retention, and security policies; and that the vendor agrees to bind any third parties it uses in delivering services to these policies as well.

(Fouty, 1993) says that library staff authorized for any level of access to online patron records should be thoroughly educated in local and federal data privacy laws. She raises the question of enforcing institutional privacy policies and legislation. Fouty says that sanctions for violating rules and regulations governing data privacy should be approved and upheld by the library’s administration, and clearly presented to staff in the strongest terms possible. Staff should be made aware that any deviations from acceptable procedure will be treated as serious violations, subject to discipline or even termination of employment.

  5. Role librarians could/should play regarding privacy

  • To protect
  • To defend
  • Activism
  • To be radical
  • To lobby/advocate
  • To negotiate
  • To educate/train
  • To provide a sanctuary or safe haven for private reflection
  • To participate
  • To debate
  • To be a privacy watchdog or auditor
  • To take on a leadership role

I believe that the information profession needs to have a debate about the role of the librarian in protecting user privacy. Such a debate needs to go back to first principles to ask whether librarians have a role in protecting user privacy, and if so, what form that role should take. (Cooper, 2016) did a survey in which participants were asked their views on the following statement: “Libraries should play a role in educating the general public about issues of personal privacy and data protection”. The overwhelming majority (78.6%) of survey respondents either agreed or strongly agreed with the statement, but 15.5% neither agreed nor disagreed with the statement, while 6% of respondents either disagreed or strongly disagreed with it:

  • Strongly agree: 40.5%
  • Agree: 38.1%
  • Neither agree nor disagree: 15.5%
  • Disagree: 2.4%
  • Strongly disagree: 3.6%

Even amongst those who do believe that librarians have a role to play in protecting user privacy, there is still the question of quite what that role should be. This could range from a more passive approach, simply protecting the personally identifiable information held about users – through to a more active approach in the form of lobbying and advocacy work; organising cryptoparties etc.

There are a number of potential roles that librarians can and do play. These are not mutually exclusive:

To protect

(Brantley, 2015) believes that “Public libraries are among the last protectors of privacy in contemporary society”.

(Fortier, Burkell 2015) reinforce the role of protecting user privacy saying that “Librarians have a professional responsibility to protect the right to access information free from surveillance. This right is at risk from a new and increasing threat: the collection and use of non-personally identifying information such as IP addresses through online behavioral tracking.”

To defend

(Mattlage, 2015) (p76) considers the role of librarians defending the information rights of users: “Having special obligations to protect information rights means that information professionals must first of all take information rights seriously by defending them against countervailing pressures for more expedient public policies. It is the unique role of information professionals to be last to abandon the defense of these rights, even if this leads others—who do not have these special obligations—to perceive information professionals as unreasonable”.

Activism

Speaking of the privacy role of librarians in terms of activism is bound to be controversial. But it is interesting to observe the way in which librarians in America reacted to the repeal of the Federal Communications Commission’s rules requiring ISPs to adopt fair information privacy practices in regards to their customers’ data (Caldwell-Stone and Robinson, 2017). These responses have included pointing people to the use of encryption, VPNs, and the Tor browser to enable anonymous web searching.

To be radical

It is worth noting that people who identify themselves as being “radical librarians” seem to place a particularly high priority on ethical issues. “If we cannot (or do not) protect the intellectual privacy of our users, then we are failing as professionals” (Clark, 2016).

To lobby / advocate

In the United Kingdom, librarians across the whole range of sectors have for many years worked together through the Libraries and Archives Copyright Alliance (LACA) to lobby for fairer copyright laws from a user perspective. I do believe that there is a real need for a similar organisation to lobby government for laws that are more respectful of user privacy, to raise awareness of privacy as an important issue, and to share best practice.

(Lamdan 2015b) “As traditional keepers of information, librarians have innate roles as Internet advocates for their patrons”.

To negotiate

An important role for librarians involves vendor management – from the initial selection of vendors, negotiating the right contract terms, through to continuous oversight of the contract once the agreement has been signed.

A key part of that work involves ensuring that the contracts they have with vendors provide adequate protection for user privacy. (Dixon, 2008) “If libraries only chose vendors who had good privacy policies, the industry would have to change its standards in order to obtain library business”

(Magi, 2010) Librarians have a long history of protecting user privacy, but they have done seemingly little to understand or influence the privacy policies of library resource vendors that increasingly collect user information through Web 2.0-style personalization features.

(Caro and Markman, 2016) list a series of questions librarians should be asking of their vendors, covering data breach policy, data encryption, data retention, the ease of use of the vendor’s terms of service, patron privacy, secure connections and advertising networks.

(McMenemy, 2016) says that “We need to be careful of how many of our values we cede to software vendors to manage for us”

To educate/train

(Fifarek, 2002) Libraries need to take an active role in educating users about protecting their privacy. Users should be educated as to what their privacy rights are and what privacy protections exist. Additionally, users need to understand that protecting their personal privacy requires them to make choices about what information they are willing to disclose in order to receive services.

Libraries are ideally placed to offer training on how users can protect their privacy (such as using browser addons and other tools; making full use of privacy settings within browsers etc).

(Noh, 2016) The library is the most general and representative organization that can promote digital inclusion. The public library, in particular, is one of the few organizations in the public domain that all citizens can use free of charge. Public libraries are accessible to citizens throughout the nation from all walks of life. As such, they are the ideal environment for studying varying digital levels of ordinary citizens.

(Jones, 2014b) p163 Libraries should seize this opportunity to play a major role in teen entrepreneurship, critical thinking, creativity—and the role of privacy in their digital lives. Libraries are well positioned to educate teens on how their personally identifiable information can be used to compromise their privacy and possibly hurt them at a job interview or other important events in their lives. The very technology that enables them so much creative freedom can also be used against them. With education on how their personal information is collected, and what they can do to protect their privacy, they will learn to make educated decisions and choices about their personal space.

To provide a sanctuary, a safe space or safe haven for private reflection

(Johnston, 2000) says that “Public libraries further fulfill an essential social role by providing public space which serves ‘as safe havens for private reflection and as meeting places for community functions’”.

(Sturges, Iliffe and Dearnley, 2001) recognise that “The library, whether public, academic or institutional, is both a communal and a private space: a paradox that has always contained a certain potential for tensions.”

(Campbell and Cowan, 2016) also acknowledge that privacy can have a paradoxical relation to the public sphere. They cite (Keizer, 2012) who suggests that individuals frequently move into the public sphere, not to sacrifice their privacy, but to retain it. Indeed, in an analysis of a court decision that grappled with the question of privacy in public places, Keizer writes of “the number of people whose very act of stepping out the front door represents a “subjective expectation of privacy”—because the public sphere is the only place where they can have a reasonable hope of finding it”.

In Quad/Graphics, Inc. v. S. Adirondack Library System, 174 Misc.2d 291, 664 N.Y.S.2d 225 (N.Y.Sup., 1997) the court noted that a library was “a unique sanctuary of the widest possible spectrum of ideas [and] must protect the confidentiality of its records in order to insure its readers’ right to read anything they wish, free from the fear that someone might see what they read and use this in a way to intimidate them”.

To participate

If librarians are to protect the privacy of their users, it is essential that they take part in the formulation of privacy policies. A failure to do so would be an abrogation of their ethical responsibilities.

(Jones 2014) p159 All over the world people are concerned about government surveillance and corporate collection of their personal data. Now is the time for libraries to seize the opportunity to play a major role in this policy arena! Librarians and library associations from all cultures must collaborate in this work, since the concept and application of privacy principles varies from culture to culture.

To debate

(McMenemy 2016) says that “If we cannot debate important issues such as privacy and freedom of expression within our profession, we will lose our moral authority on them”.

To be a privacy watchdog or auditor

(Johnston 2000) “By accepting the existence of new privacy threats within the institution, it becomes possible to see an important new role for librarians. By building on such traditional responsibilities as evaluation of sources, monitoring of information systems, and keeping abreast of new tools or changes in old ones and addressing internal and external information flows, the librarian could become something akin to a privacy watchdog or auditor”.

To take on a leadership role

(Fernandez, 2010) recommends that librarians take a leadership role in the public debate on privacy: “After determining that libraries should have a presence within a social networking site, they can take a leadership role in promoting awareness and engagement on the issues surrounding information literacy and privacy.”

(Lamdan 2015a) believes, more specifically, that librarians should lead a campaign to urge Internet social media companies to include Privacy by Design principles in their user agreements.

Privacy by design originates from a report on “Privacy enhancing technologies” from the Information & Privacy Commissioner of Ontario, Canada, the Dutch DPA Authority and the Netherlands Organisation for Applied Scientific Research in 1995. The foundational principles are:

  • Proactive not reactive; Preventative not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality – positive-sum, not zero-sum
  • End-to-end security – full lifecycle protection
  • Visibility and transparency – keep it open
  • Respect for user privacy – keep it user-centric

https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/av/av11.pdf (revised edition of “Privacy enhancing technologies: the path to anonymity”, 2000).

(Magi, 2013) says “As a former marketing professional, I know the importance of occupying a unique position in the marketplace—of finding something that sets your organization apart. More than ever, libraries hold a unique and critically important place in the information landscape. I can think of few other information providers that do what libraries do: provide a broad range of information, make it accessible to everyone regardless of means, while embracing the ethical principle that our users’ personal information is not a commodity to be traded or sold. Our commitment to user confidentiality is rare and special, and it’s a characteristic that research tells us is important to people. That means it’s a competitive advantage, in the same way that reliability of its cars has been a competitive advantage for Toyota. I believe it’s essential that we work to preserve that competitive advantage, both because it’s the ethical thing to do, and because it’s a practical way to stay relevant”.

  6. Types of data breaches involving libraries and their suppliers and their causes

UK/Ireland

In 2011 there was a data breach at Trinity College Dublin. Students were warned that some of their data may have been compromised after a breach at the college’s library. A file containing student and staff names, addresses, ID numbers and email addresses was inadvertently made accessible on the college network. It was there for over a year and a half (August 2009-March 2011).

In 2011 snooping devices (in the form of keystroke loggers) were found on library computers in several public libraries in Cheshire.

During 2015/2016 the British Library withstood a “brute force” attack on its systems over a four day period, in which the attacker attempted to obtain access to customer data. The attack was unsuccessful and no data was lost. (Source: British Library annual report 2015/2016)

Ransomware – On Tuesday 26 January 2016, Lincolnshire County Council was subject to a malicious software (‘malware’) attack on its IT system. The attack led to a shutdown of council IT systems – and this included library computers – as the authority investigated the malware’s impact. Eventually, council systems and online services were fully restored after being out of action for almost a week.

The attack was triggered when an employee clicked on a malicious attachment in an email. It was detected as a result of users being unable to access files on the corporate network. Further technical analysis determined the files were being encrypted by malware that had been delivered by an email attachment containing a .zip file.

Bloomberg – In 2013 it was reported that for years journalists at Bloomberg News had been using Bloomberg terminals to monitor when subscribers had logged into the service and to find out what types of functions – such as the news wire, corporate bond trades, or an equity index – they had looked at. The sorts of information that the Bloomberg journalists had access to included background on individual subscribers, when they last logged on, chat information between subscribers and customer services representatives as well as weekly statistics on how often they used a particular function. It was suggested that reporters at Bloomberg News were using a function that tracks how recently a client has logged in as a way of generating story leads about personnel changes. Soon afterwards it was announced that former IBM CEO Sam Palmisano had been appointed as an independent advisor with the task of reviewing and recommending changes on privacy and data policies.

Reed Elsevier – In March 2005 it was reported that Reed Elsevier company LexisNexis had suffered a security breach. This was initially said to relate to a userid and password being used fraudulently to download information on 32,000 individuals. The information accessed included names, addresses, social security and driver’s licence numbers. However, within days, it was reported that the security breach was somewhat larger than first thought. The New York Times said that the figure wasn’t 32,000 but was instead information on 310,000 people. It also reported that the company had found 59 separate instances where unauthorized users may have fraudulently acquired personal identifying information through Seisint, a unit of LexisNexis. Seisint data is used by employers making hiring decisions, landlords choosing tenants and also by debt collectors.

In 2013 it was reported that a number of companies, including LexisNexis and Dun & Bradstreet, may have unwittingly aided identity thieves. The story said that the operators of an underground ID theft service had infiltrated some of the biggest providers of social security numbers, dates of birth and other consumer information.

As recently as 15th March 2017 I saw a report that a D&B 52 GB database containing about 33.6 million records with very specific information on people, from job title through email address, had been exposed.

Adobe – In the autumn of 2014 there were a number of reports that Adobe Digital Editions was sending details, including a list of books read, back to the Adobe servers in plain (unencrypted) text.

Overdrive / Amazon – The tie-in led to accusations that their library lending program was ‘anti-user, anti-intellectual freedom, anti-library’ and that libraries had been ‘screwed’. There were concerns over the data about library users’ borrowing practices being in the hands of a corporation. (In ZDNet, October 21st 2011.)

This is a useful reminder of the need for caution with regard to any services which require people to synchronise their library accounts with an external service.

Analysing the causes of the data breaches:

  • Software upgrade glitch
  • Ransomware
  • Misconfigured database
  • Insider threat
  • A hacking attack
  • DDOS attacks
  • A laptop that was either lost or stolen
  1. How to minimize the risks
  2. Practical steps. Examples of good practice
  3. Default search engine (on public access terminals set the default search engine to one which respects privacy such as Startpage, Duckduckgo, or Oscobo)
  4. Default browser (use a browser such as Firefox)
  5. HTTPS (see https://letsencrypt.org/ for example)
  6. Vendor management: when negotiating licence agreements, make sure that there are robust provisions covering privacy & confidentiality
  7. Ad blocking software
  8. Organise a cryptoparty
  9. Develop a forum for discussion of privacy issues, sharing best practice, knowledge of tools (this could be a natural extension of a series of privacy training events/cryptoparties)
  10. Create an area on the library website dedicated to privacy issues ( a good example is that of San Jose Public Library, and their site lets you generate a custom privacy toolkit geared towards your own organisation’s online needs)
  11. Include privacy within any digital literacy training offered to your users
  12. Use software to automatically return library pc’s to their native state when a user has finished with the machine
  13. Carry out a cyber security risk management audit (see useful article by Caro and Markman 2016 on the topic)
  14. survey all technologies provided by the library
  15. describe current practices
  16. evaluate existing policies
  17. make recommendations to improve privacy
  18. Where data is housed in a data centre controlled by an external vendor, librarians should ensure they know where it is located, and what certifications the facility has (to ensure it meets industry best practice)
  19. If you are getting rid of equipment such as a photocopier, remember patron privacy. Some copiers (and other types of office equipment) have hard drives capable of storing confidential personal information, and these need to be safely wiped and destroyed.
  20. Do you undertake regular network penetration testing (ethical hackers)/network security checks to mitigate risk of data security breaches? Do this for both internal and external systems
  21. Embedded content: check if your library is leaking catalog searches to Amazon https://go-to-hellman.blogspot.co.uk/2016/12/how-to-check-if-your-library-is-leaking.html
  22. Make sure you are using a secure form of authentication to connect with self-serve units, journals databases, ebook platforms etc. If, for example, you are using SIP2, is it encrypted, and if so how? One example of a secure method for authentication would be Open ID
  23. Have you signed up to the Library digital privacy pledge?
  24. Use the NISO patron privacy framework to inform your actions.
  25. Ensure that users’ print jobs can only be retrieved at the printer by using their own library card number.
  26. Monitor security alerts from CERT and install software patches and software updates to defend against attacks
  27. Use a full range of information security defences (firewall, intrusion detection system (IDS), intrusion protection system (IPS), web filtering, antivirus etc)
  28. Library administration might consider having staff members sign a security compliance statement prior to being issued any authorization to access patron records. (Ayre, 2017)

(Ayre, 2017) Limit collection and retention of user information. Only collect the minimum amount of information necessary to provide a service and don’t keep that information any longer than necessary.

(Wohlgemuth, Echizen et al. 2010) Privacy in cloud computing is at the moment simply a promise to be kept by the software service providers. Users are neither able to control the disclosure of personal data to third parties nor to check if the software service providers have followed the agreed-upon privacy policy. Therefore, disclosure of the users’ data to the software service providers of the cloud raises privacy risks.

Vendors and libraries could partner to reshape the security landscape quickly if this were identified as a priority.

(Lambert, Parker et al. 2015) analyse the privacy policies of digital content vendors, and point out that a user’s personal information is no longer solely in the hands of librarians. They cite the case of Adobe dating from 2014, because data was being collected by at least three parties – the library, the service vendor and the e-reader company, even though the library didn’t have a contract directly with the e-reader company. Libraries must work with multiple vendors to negotiate privacy protections for patrons, and they are forced to deal with the privacy policies of entities with which they have no direct relationship (such as Adobe or Amazon).

BIBLIOGRAPHY

Ayre, L.B. (2017) ‘Protecting patron privacy: vendors, libraries, and patrons each have a role to play’, Collaborative Librarianship, 9 (1).

Brantley, P. (2015) ‘Books and browsers’, Publishers Weekly, 262 (1).

Breeding, M. (2016) ‘Issues and technologies related to privacy and security’, Library Technology Reports, pp.5-12.

Caldwell-Stone, D. and Robinson, M. (2017) ‘How libraries can respond to the repeal of the FCC privacy rules’, Intellectual freedom blog (Office for Intellectual Freedom of the ALA), (March 31).

Campbell, D.G. and Cowan, S.R. (2016) ‘The paradox of privacy: revisiting a core library value in an age of big data and linked data’, Library Trends, 64 (3), pp.492-511.

Caro, A. and Markman, C. (2016) ‘Measuring library vendor cyber security: seven easy questions every librarian can ask’, Code4Lib, (32).

Clark, I. (2016) ‘Why librarians need to act on mass surveillance’, Infoism, (March 15).

Cooper, A. (2016) Safeguarding what’s personal: privacy and data protection perspectives of Library Association of Ireland members.

Dixon, P. (2008) ‘Ethical issues implicit in library authentication and access management: risks and best practices’, Journal of Library Administration, 47 (3-4), pp.142-162.

Farkas, M. (2007) ‘The blog’, Library journal, (December), pp.40-43.

Fernandez, P. (2010) ‘Privacy and Generation Y: Applying library values to social networking sites’, Community & Junior College Libraries, 16 (2), pp.100-113.

Fifarek, A. (2002) ‘Technology and privacy in the academic library’, Online Information Review, 26 (6), pp.366-374.

Fouty, K.G. (1993) ‘Online patron records and privacy: Service vs. security’, The Journal of Academic Librarianship, 19 (5), pp.289-293.

Johnston, S.D. (2000) ‘Rethinking Privacy in the Public Library’, The International Information & Library Review, 32 (3-4), pp.509-517.

Jones, B. (2014a) ‘ALA protests Adobe data breach’, Newsletter on Intellectual Freedom, 63 (6), pp.155-156.

Jones, B.M. (2014b) ‘It’s complicated: youth, privacy and library ethics’ in Amelie Vallotton Preisig (ed.) Ethical dilemmas in the information society: codes of ethics for librarians and archivists. pp. 157-166.

Keizer, G. (2012) Privacy. Picador.

Lynch, C. (2017) ‘The rise of reading analytics and the emerging calculus of reader privacy in the digital world’, First Monday, 22 (4 (April 3rd)).

Magi, T.J. (2010) ‘A content analysis of library vendor privacy policies: Do they meet our standards?’, College & Research Libraries, 71 (3), pp.254-272.

Magi, T.J. (2013) ‘A fresh look at privacy – why does it matter, who cares, and what should librarians do about it?’, Indiana Libraries, 32 (1), pp.5-5 pages.

Mattlage, A. (2015) ‘Responsibilities of information professionals vis-a-vis information rights’, Journal of Information Ethics, 24 (1), pp.65-81.

McMenemy, D. (2016) ‘Rights to privacy and freedom of expression in public libraries: squaring the circle’, IFLA WLIC 2016.

Miketa, A. (2012) Library diaries. CreateSpace Independent Publishing Platform.

Noh, Y. (2016) ‘A comparative study of public libraries’ contribution to digital inclusion in Korea and the United States’, Journal of Librarianship and Information Science.

Sturges, P., Iliffe, U. and Dearnley, J. (2001) ‘Privacy in the digital library environment’.

 

[i] Goodin, Dan (2013) How LexisNexis and others may have unwittingly aided identity thieves IN Ars Technica September 25th 2013

Loss of privacy and the “network effect”

I don’t believe that it is possible simply to look at privacy through the prism of individual, group, or society, where something must clearly fall into ONLY one of those headings. Drawing such definite distinctions fails to address some of the problems that can arise from our inter-connected world.

There is the “network effect”, where the loss of privacy of one individual may have an impact upon the privacy of others. So, for example, imagine that a library holds a Christmas party for the benefit of its staff. At the party, someone takes a picture of a member of library staff looking a little bit the worse for wear. That person then proceeds to post the picture on their Facebook page. Imagine, further, that the picture features half a dozen staff members, albeit that the person who appears most prominently in the picture is the individual who looks a bit drunk. What if the photographer didn’t just post the photograph onto their social media account, but also tagged and therefore identified everyone who appeared in the photograph?

Another example of the network effect might be the way in which some people might share their email address book with others, whether this is done knowingly or not, whereas other people may deliberately choose not to share information in that way. Now, imagine how that information could be used to generate information about someone who hasn’t directly shared their own information. If Joe Bloggs appears in the address books that other people have shared, then companies would be able to build a partial picture of the contacts in Joe Bloggs’ own address book, even if he didn’t share his address book directly himself.

I may not have explained this very well, so let me give a totally different example which illustrates this concept of interconnectedness.

An online vendor has a product which consists of trade data. The vendor has negotiated agreements directly with the statistical offices of many of the largest trading nations, but one or two statistical offices had been difficult over the contract terms, and the price they wanted to charge for the data. Nevertheless, the vendor is still able to get a certain amount of the data relating to those countries, because they can derive the data from the countries whose statistical offices have done deals with the vendor. If the statistical data covers trade, trade is a two-way process and it will of course therefore cover the trade that those countries (who have signed content deals with the vendor) have with other countries (that have not signed content deals with the vendor), albeit that this would be thought of as “derived” data.

Dangers of becoming blasé about information security

I can’t remember where someone said that there are two types of organisations: those who tell you that they have been hacked, and those who don’t know that they have been.

Everyone’s priorities and reasons for wanting to protect their information will differ. For example, journalists, lawyers, or doctors will each have their own priorities.

As a result, a number of organisations, including the Electronic Frontier Foundation, refer to “threat modelling”, where they ask:
1. What do I want to protect?
2. Who do I want to protect it from?
3. What skills, resources, motivations do they have?
4. How likely is it that they will come after it? What happens if they do?
5. How much time, energy, resources am I willing to expend to prevent that?

A number of organisations come up with personas, or types of people and outline the threat model that seems likely to be most appropriate to them.

The reality is that there is no such thing as perfect security. And that really needs to be our starting point.

There are a number of things which may seem really obvious, but which we may not think about too much because of becoming too blasé.

  • If you don’t collect the data in the first place, then you don’t need to worry about it getting into the hands of a hacker. Or, in other words, only collect data that it is absolutely necessary to have
  • Don’t keep information for any longer than is really necessary
  • If your organisation was the subject of a hacking attack, any potential damage would be reduced if you had encrypted the data
  • Think about the weakest link – which is the human element. Raise awareness of the risks. Provide education and training on defending library user privacy
  • Think about backups. It’s not enough to have one backup. Time and again one sees people get into a mess, turn to their backup only to find that the backup was corrupt or something of that sort.
  • If it were a public library, and a significant percentage of the stock was always on loan at any point in time, think about losing your data. You wouldn’t know who to chase for the return of a portion of your collection, you wouldn’t know who owed you money from overdue fines etc etc. What made me think of that – reading up about one library (which shall remain nameless) where that’s precisely what happened.

Relying on reading habits as an indication of intent is flawed

There are legal cases where someone’s reading habits have been used as an indication of intent. Doing so is flawed and misguided.

Just because someone has a number of true facts doesn’t mean that they know the truth, that they have the full story. Surveillance can lead to true facts coming to the attention of those who authorised or initiated the surveillance. But that doesn’t mean that they therefore know the truth, that they have the full story. There may be vital pieces of information which they don’t have, and because they don’t they can sadly jump to conclusions that are incorrect and just plain wrong. The missing bits of information could make all the difference. And if those bits of information were known, could have recontextualised the (partial) picture that someone has built up.

Why do people swear by Almighty God that they will tell the truth, the WHOLE truth and nothing but the truth if only part of the truth were perfectly adequate?

Accurate information can tell inaccurate stories:

– reading a murder mystery does not make someone a murderer

– tracking someone’s location to having been outside a shop minutes after it has been robbed doesn’t make them the robber

– reading a book about aphasia doesn’t automatically mean that the person reading the book is afflicted by the condition

People read books for an infinite variety of reasons, and drawing generalized conclusions from another’s reading choices wrongly assumes that the most obvious reason is always the correct one.

Clifford Lynch (2017) says “remember that knowledge of actual reading activity rather than simply knowing what texts have been accessed or acquired still does not guarantee understanding of the values, beliefs, opinions, or intentions within a given human mind. We can only hope that governments, and commercial data collectors and exploiters, know this as well” (Lynch 2017)

Text of my @cilipinwales talk on privacy in libraries

Privacy in libraries (keynote talk given by Paul Pedley at CILIP in Wales Llandudno conference on 12th May 2017)

 

Agenda:

  • Privacy as a core value of librarians
  • Some quotations about librarians, libraries and privacy
  • Ways in which privacy impacts upon the work of librarians
  • Role of libraries and librarians regarding privacy


Privacy as a core value of librarians

Privacy is one of the most commonly featured values in the codes of ethics of library associations around the world. Indeed (Lamdan 2015) says that librarianship is one of the only professions that explicitly expresses privacy rights in its codes of ethics. (Shachaf 2005) undertook a study involving a comparative content analysis of the English versions of codes of ethics from the professional associations in 28 countries. The study yielded an empirically grounded typology of principles arranged in twenty categories. The most frequently identified principles were professional development, integrity, confidentiality or privacy, and free and equal access to information.

 

In 2000 Michael Gorman published a book “Our enduring values” (Gorman 2000), in which he lists the values that characterise and shape the work of librarians:

Gorman’s eight core values

  1. Stewardship
  2. Service
  3. Intellectual freedom
  4. Rationalism
  5. Literacy & Learning
  6. Equity of access
  7. Privacy
    1. ensuring the confidentiality of records of library use
    2. overcoming technological invasions of library use
  8. Democracy

Thinking of the point “overcoming technological invasions of library use”, that seems to get harder and harder with every day that passes. As Gorman says, “Even in many democratic countries, the twin threats of an empowered surveillance state and a big technology assault on privacy make the defense of intellectual freedom harder than it was in previous generations” (Gorman 2015).

Quotations

“We keep talking about how libraries are heralds of privacy, but we are terrible at it” TJ Lamana @TheNewLibrarian, Tweeted 26 June 2016 https://twitter.com/thenewlibrarian/status/747116391505879040

Librarians have done a good job of protecting privacy in the print world, but in the online world they are somewhat lacking (not an exact quote, but my transcription from a webinar) (Caldwell-Stone, Robinson et al. 2016)

Hugh Rundle says “librarians talk good talk about user privacy but continue to use (and build) software that provides no protection from snooping librarians, contractors or police” and the reason he gives is that “librarians have tended to prioritise functions that make our lives easier rather than those that make library users’ lives easier” (Rundle 2016)

“teaching patrons how to use the internet, but not how to use it safely is like showing someone how to drive a car, but not where the seatbelt is” (Beckstrom 2015)

“Librarians have a professional responsibility to protect the right to access information free from surveillance”  (Fortier, Burkell 2015)

“Library manners demands respecting the privacy of others” (Covington 2013)

“Privacy is a cornerstone of our professional ethics. …We have an obligation to protect the privacy of our users as a matter of principle.” (Woodward 2007)(p. xii)

(Garoogian 1991) “Librarians are in a very powerful position since they have direct access to the private reading and subject interests of their users. They have been entrusted with this power. It is therefore their moral obligation to keep this information confidential”.

Ways in which privacy impacts upon the work of libraries

Self-service holds

Libraries offer “click and collect” services whereby users can browse through the library catalogue from the comfort of their own homes, select the item(s) that they would like to read, watch or listen to, specify which library they would like to use as the pickup location, and then visit that library at a convenient time to collect the item(s) once they have been notified that they are ready for collection.

As part of this “click and collect” facility, many public and academic libraries place the items awaiting collection in a public area of the library so that the library user can pick up the item without needing any library staff intervention. But the procedures vary from one library to another. Just as library practices vary, so too does the extent to which their actions encroach upon the privacy of library users:

LIBRARY 1:  Items that have been placed on hold are available on a set of open shelves housed on a standalone shelving display unit. All of the books that have been requested are individually wrapped in a sheet of A4 paper upon which are written the first three letters of the user’s surname, plus the last four digits of their library membership card.

LIBRARY 2: Items that have been placed on hold are available in a room on open shelves awaiting collection. In order to enter the room, users have to swipe their library card in order to gain access to the area designated for items placed on hold. Once inside, they browse the shelves looking for the first four letters of their surname. All items are individually wrapped in a sheet of A4 paper which is fixed in place with an elastic band.

LIBRARY 3: Items on hold are placed on the end of a set of library shelves in alphabetical order of requestor’s surname. All of the titles are easily browseable, because there is no paper wrapped around the items. Users’ full surnames are hand-written onto a slip of paper.

 

Of the three library procedures outlined above, the one adopted by library 3 is the least respectful of user privacy. First of all, because there is no paper wrapped around the items that have been requested, it is possible for anyone to quickly look through the titles. Then, secondly, if they spot titles that seem quite racy, provocative, controversial or embarrassing, they can look for the requestor’s surname to see if they recognize who has asked for that particular item. Some people have unusual or distinctive surnames, thereby making it likely that in some cases the surname will be sufficient to identify a specific individual.

 

Receipts from self-service machines

Years ago retailers realized that they were putting too much information onto till receipts, notably the full credit or debit card number. Given the threat of identity fraud, they stopped displaying complete card numbers, and instead only showed some of the numbers while using asterisks to mask some of the digits.

With the prevalence of self-issue machines, libraries need to think carefully about the information that is printed out on transaction receipts. In the case of receipts for items borrowed, consider the following two examples:

 

LIBRARY A:

At the top of the receipt it says:

Item(s) checked out to SURNAME, FIRSTNAME.

Then it shows:

TITLE:

BARCODE:

DUE DATE:

 

LIBRARY B:

At the top of the receipt it says:

Borrower’s full barcode number

Borrowed items DATE TIME

Item title

(Barcode of the book is shown)

(Followed by the title of the book)

Why is it necessary for LIBRARY A to show the user’s first name and surname on the printed slip? Wouldn’t it be better to show the last few digits of their library membership card?

Isn’t it likely that users will utilize the printed slip as a bookmark, to show how far they have got with the book? And, further, isn’t there a fair chance that some users will forget to remove the printed slip before returning the book to the library? Depending on how many books they borrowed in a single transaction, and depending on the nature of the material being borrowed, the information on the slip could be quite revealing about someone’s reading habits.

 

Online databases and personalization

Many online databases try to help users by providing a number of personalization features. However, this involves a trade-off with user privacy. In order to personalize the service, to tailor it to their needs, it inevitably needs to know the user’s identity. Otherwise, they would get the generic, standard service. A lot of people are happy to give up some of their privacy in exchange for a more tailored service. And that is absolutely fine, provided that the user is making an informed choice.

Think of the online databases that your institution subscribes to. Do you or your users:

  • Create saved searches that you can run as required
  • Create alerts so that users are automatically informed of new material matching their interests
  • Make use of personalization features such as a list of companies whose share price you monitor, or the industry sectors and sub sectors that you monitor regularly
  • Bookmark articles of interest
  • Annotate items

Are library staff confident that the database vendor will keep this information secure? If so, what makes you so sure? Did you cover that in the contract negotiations? And do you monitor that vendor on an ongoing basis, to see that they are living up to what they promised in the contract?

Imagine you are a corporate librarian. What if that sort of information gets into the wrong hands, such as those of a competitor? It could tell a lot about you and your organisation – the companies you are looking at as part of considering potential acquisitions; the product development work you are currently undertaking for a highly secret project on a new product idea and so on and so forth.

(Lynch 2017) looks at the ecosystem that has evolved for scholarly journals involving a whole range of players including platform providers, various publishers’ websites, authors, readers, traditional publishers, libraries, third parties, and analytics providers.

“Whenever a third party has access to personally identifiable information, the agreements need to address appropriate restrictions on the use, aggregation, dissemination and sale of that information, particularly information about minors” (Jones 2014)

Agreements between libraries and vendors should specify that libraries retain ownership of all data; that the vendor agrees to observe the library’s privacy, data retention, and security policies; and that the vendor agrees to bind any third parties it uses in delivering services to these policies as well.

 

Telephone notification

A library service notifies users that the book(s) that they have requested on hold has now arrived and is ready for them to collect.

This is done by email, but sometimes by phone. In one instance, a member of library staff called the user to inform them. The library user wasn’t home at the time, and so a voicemail was left. The message included details of the book title that was now ready for collection.

What if that book had been about domestic violence? What if the message was picked up by the partner of the library user?

 

Librarian bloggers venting publicly on their blogs about their interactions with patrons

One area where librarians need to take particular care is the genre known as “RefGrunt”. This refers to the genre of blogging/writing where librarians vent publicly about their interactions with patrons. It is named after a blog that a librarian kept for about a year in the early 2000s.

As well as blogs, another aspect of “Refgrunt” includes books written by librarians which describe their interactions with library users.

Sally Stern-Hamilton, writing under the pseudonym Ann Miketa (Miketa 2012) wrote a book about the crazy patrons she encountered at her library assistant job all day. From the introduction to the book (which is called “The Library Diaries”): “After working at a public library in a small, rural Midwestern town for fifteen years (which she calls denialville), I have encountered strains and variations of crazy I didn’t know existed in such significant portions of our population.”

The publisher’s description said: “Open this book and you’ll meet the naked patron, the greedy, unenlightened patrons, destination hell, horny old men, Mr. Three Hats, and a menagerie of other characters you never dreamt were housed at your public library.”

Is it fair for library users, by entering the library, to put themselves at risk of becoming a key character in a novel that is really a thinly disguised account of real life, where the novel describes their mannerisms in such detail that they are easily identifiable by members of the local community?

Risk of being dooced

What people post on social networking sites raises privacy concerns. Indeed these can have severe consequences, such as someone being “Dooced” (that is, dismissed from their employment because of what they have written on a website or blog).

When (Farkas 2007) wrote about librarian bloggers in 2007 they said that they knew of only one library worker who was fired for negative comments about patrons that he had written in a blog community. But two years prior to that, a New Zealand librarian known as bizgirl was sacked for what she had posted on her blog. People didn’t like what was being said about them, and even though it was anonymised, they could still tell it was them.

Co-location

  • Co-location can result in a range of services being offered from a single location: library, housing, tourism and customer service facilities etc.
  • Does the setup mean that potentially sensitive matters, such as conversations about housing benefits, council tax and even personal details can easily be overheard?
  • Police enquiry desk inside library where the public are able to speak to a uniformed member of police staff about:
    • Crime reporting
    • General policing enquiries
    • Road traffic collision reporting
    • Applications for firearms licences
    • Crime prevention advice
    • Lost and found property

How long do you retain loan history data?

  • Is it forever?
  • Is it for the default period used by your library management software provider?
  • Is it never (i.e. as soon as an item is returned, the record is erased)?

Ultimately, ask yourself whether the information is held for longer than is strictly necessary.

Do your users get a choice as to whether, and for how long, their reading history is retained?
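One way to turn these retention questions into an enforceable rule, as an added example (not code from the talk or from any library management system): the table layout, the `history_days` opt-in column and the 365-day cap are assumptions, and the loan rows are constructed sample data.

```python
import sqlite3
from datetime import date

LIBRARY_MAX_DAYS = 365  # assumed upper limit, even for patrons who opt in to longer

# Hypothetical schema. history_days is the patron's own choice; NULL means
# "keep no reading history", so the link is erased once the item is returned.
SCHEMA = """
CREATE TABLE patrons (id INTEGER PRIMARY KEY, history_days INTEGER);
CREATE TABLE loans (id INTEGER PRIMARY KEY, patron_id INTEGER,
                    item_barcode TEXT NOT NULL,
                    checked_out TEXT NOT NULL, returned TEXT);
"""


def build_demo_db():
    """In-memory database with constructed patrons and loans."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patrons VALUES (?, ?)",
                     [(1, None), (2, 30), (3, 10000)])
    conn.executemany(
        "INSERT INTO loans (patron_id, item_barcode, checked_out, returned) "
        "VALUES (?, ?, ?, ?)",
        [(1, "B-0001", "2017-04-20", "2017-05-11"),   # no opt-in, returned
         (1, "B-0002", "2017-05-02", None),           # still on loan
         (2, "B-0003", "2017-04-10", "2017-05-01"),   # inside 30-day window
         (2, "B-0004", "2017-02-01", "2017-03-01"),   # outside 30-day window
         (3, "B-0005", "2015-12-20", "2016-01-10"),   # beyond the library cap
         (3, "B-0006", "2016-12-20", "2017-01-10")])  # inside the cap
    conn.commit()
    return conn


def purge_loan_history(conn, today):
    """Unlink returned loans from patrons once the retention window has passed.

    Items still on loan are never touched (the library must know who has them).
    The loan row itself stays, so anonymous circulation counts survive.
    Returns the number of loans that were unlinked.
    """
    cur = conn.execute(
        """
        UPDATE loans SET patron_id = NULL
        WHERE patron_id IS NOT NULL
          AND returned IS NOT NULL
          AND julianday(:today) - julianday(returned) >= COALESCE(
                (SELECT MIN(COALESCE(p.history_days, 0), :cap)
                   FROM patrons p WHERE p.id = loans.patron_id),
                0)  -- loan pointing at a deleted patron: unlink at once
        """,
        {"today": today.isoformat(), "cap": LIBRARY_MAX_DAYS})
    conn.commit()
    return cur.rowcount


def linked_loans(conn, patron_id):
    """Barcodes of loans that can still be tied to this patron."""
    rows = conn.execute(
        "SELECT item_barcode FROM loans WHERE patron_id = ? ORDER BY id",
        (patron_id,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    print("unlinked:", purge_loan_history(db, date(2017, 5, 12)))
    for pid in (1, 2, 3):
        print("patron", pid, "->", linked_loans(db, pid))
```

The same window has to be applied to backups and to copies held by vendors, otherwise the erased link survives there.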

 

Dealing sensitively with patrons who have a body odor problem

  • A library employee told a man that someone had complained about his body odor
  • The man suffers from hidradenitis suppurativa, a chronic skin condition in which pimple-like bumps grow wherever skin rubs together, like the groin and underarm areas. When the bumps rupture, they leak bloodstained pus that often has a foul odor.
  • Treat people with dignity and respect, be compassionate and helpful.
  • “In a room full of people, in a loud voice, you don’t just say that”
  • Have the conversation privately and discreetly
  • It isn’t always a hygiene issue

Source: (Masters 2017)

Letting commercial interests into libraries

Who provides digital literacy training? Is it a commercial company?

Private sector partnerships are one way forward when public funding is in short supply. Libraries have worked with Barclays and the Halifax (digital volunteers) and BT (wi-fi). Google has set up Digital Garages aimed at businesses in larger libraries. Though ostensibly “free”, such initiatives are, at least in part, commercially driven. Libraries need to be aware, if not wary, of that. (Source: Ayub Khan page 45 of CILIP Update, December 2016).

Where commercial companies have been brought in, have the libraries involved sought any assurances regarding privacy of library users?

 

CCTV

(Randall, Newell 2014) examined why four large libraries (three in the US and one in the UK) had installed video surveillance. They found that CCTV cameras had initially been installed either as a response to specific incidents of crime or as part of the design of new buildings. (Randall, Newell 2014) say that “Libraries have long maintained strong protections for patron privacy and intellectual freedom. However, the increasing prevalence of sophisticated surveillance systems in public libraries potentially threatens these core library commitments”.

(Collier 2017) The Iowa City public library has security cameras in the library bathrooms. Susan Craig, the Public Library Director said that “The reason the cameras are there are to protect people and to protect library property as well”.

Iowa lawmakers have said yes to a bill that bans cameras in restrooms and locker rooms at government buildings. It applies to schools, libraries, and other government buildings but has an exception for public hospitals.

The legislation was approved by the Iowa Senate without a single no vote. Since I originally wrote about this, the cameras have now been removed from the city’s public library bathrooms.

Fingerprinting

School libraries throughout the UK have implemented technology enabling pupils to take out books by scanning their thumb prints instead of using a card. Such systems are intended to replace library cards and save time and money in managing the libraries. However, the use of electronic fingerprinting systems in this way to manage loans of library books has raised a number of privacy concerns.

In 2006 The Department for Education and Skills and the Information Commissioner said that parents could not prevent schools from taking their children’s fingerprints (The Register, 2006). However, the pressure group Privacy International expressed the view that the practice breached both the DPA and the human rights of the individual children concerned.

The Protection of Freedoms Act 2012 has changed things, because it envisages parental consent before processing of children’s biometric information can be permitted. Even if the parent has consented, a school must not process or continue to process the data if the child objects. Where a child does object, they must be provided with a reasonable alternative to the biometric system.

Use of “enrichment”/book covers on the library catalogue

Content embedded in websites is a huge source of privacy leakage in library services. Cover images can be particularly problematic. Without meaning to, many libraries send data to Amazon about the books a user is searching for; cover images are almost always the culprit.

Eric Hellman points out two indications that a third-party cover image is a privacy problem. They are:

  • the provider sets tracking cookies on the hostname serving the content.
  • the provider collects personal information, for example as part of commerce.

Marshall Breeding has also looked at the privacy issues involving book covers and social sharing. He says that vendors are increasingly aware of this issue and that some of them proxy or cache images to avoid privacy problems.

Eric Hellman’s blog post “How to check if your library is leaking catalogue searches to Amazon” gives details of how you can tell if your library is sending Amazon your library search data (Hellman 2016).

“I’ve come to realize that part of the problem is that the issues are sometimes really complex and technical; people just don’t believe that the web works the way it does, violating user privacy at every opportunity.” (Hellman 2016)

 

Use of web analytics tools on library sites

Marshall Breeding undertook a survey of academic and research libraries. Using the Ghostery plug-in for Chrome, he noted all the tracking mechanisms that could be detected on the library website, online catalog, or discovery interface (Breeding, 2016):

  • Google Analytics
  • Ajax search API
  • Google AdSense
  • Google Translate
  • Google Tag Manager
  • DoubleClick (owned by Google)
  • Yahoo Analytics
  • Adobe Omniture Analytics
  • Adobe Tag Manager
  • Adobe TypeKit
  • Facebook Connect
  • Facebook Social Plugin
  • Twitter Button
  • AddThis
  • Piwik Analytics
  • Crazy Egg
  • WebTrends
  • New Relic

Many libraries use Google Analytics, but Piwik Analytics is more respectful of privacy than Google Analytics.
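Both concerns above, embedded cover images and the trackers found on library sites, come down to the same question: which other hosts does a catalogue page make the browser contact? The following is an added example, not code from Hellman or Breeding; the hostnames, sample HTML and function names are constructed, "first party" is simplified to the library's own domain and its subdomains, and cover URLs are assumed to carry an ISBN.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute the browser fetches by itself when the page loads.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src",
              "embed": "src", "link": "href"}
# A <link> only causes a fetch for these rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch"}
# Assumption: cover services key their image URLs on an ISBN-13 or ISBN-10.
ISBN_RE = re.compile(r"(?<!\d)(97[89]\d{10}|\d{9}[\dXx])(?![\dXx])")

# Constructed sample: a catalogue results page; all hostnames are placeholders.
PAGE_URL = "https://catalogue.library.example/search?q=coping+with+debt"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/opac.css">
<link rel="canonical" href="https://catalogue.library.example/search">
<script src="https://stats.analytics.example/tracker.js"></script>
</head><body>
<img src="//covers.bookseller.example/images/P/0141036141.jpg" alt="cover">
<img src="/covercache/9780141036144.jpg" alt="cover served via library proxy">
<a href="https://shop.bookseller.example/buy/0141036141">Buy this book</a>
<iframe src="https://social.widgets.example/like?u=catalogue"></iframe>
</body></html>
"""


class EmbedCollector(HTMLParser):
    """Collects (tag, absolute URL) for every automatically fetched resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return  # e.g. <a href>: only fetched if the user clicks
        values = dict(attrs)
        if tag == "link":
            rels = set((values.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = values.get(attr)
        if url:
            # Resolves relative and protocol-relative (//host/...) URLs.
            self.resources.append((tag, urljoin(self.page_url, url)))


def is_first_party(host, site_domain):
    host = host.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)


def audit_page(page_url, html, site_domain):
    """Return one finding per resource loaded from outside site_domain."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: URIs and similar never leave the browser
        if is_first_party(parts.hostname, site_domain):
            continue  # includes covers the library proxies or caches itself
        match = ISBN_RE.search(parts.path + "?" + parts.query)
        findings.append({"tag": tag, "host": parts.hostname,
                         "isbn_in_url": match.group(1) if match else None})
    return findings


def report(findings):
    lines = []
    for f in findings:
        note = f" (URL carries ISBN {f['isbn_in_url']})" if f["isbn_in_url"] else ""
        lines.append(f"<{f['tag']}> loads from {f['host']}{note}")
    return lines


if __name__ == "__main__":
    for line in report(audit_page(PAGE_URL, SAMPLE_HTML, "library.example")):
        print(line)
```

Static HTML cannot show whether a flagged host sets cookies, which is the first of Hellman's two indications; that has to be confirmed in the browser's network tools.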

Role of libraries and librarians regarding privacy

I believe that the information profession needs to have a debate about the role of the librarian in protecting user privacy. Such a debate needs to go back to first principles to ask whether librarians have a role in protecting user privacy, and if so, what form that role should take. (Cooper 2016) did a survey in which participants were asked their views on the following statement:

“Libraries should play a role in educating the general public about issues of personal privacy and data protection”.

The overwhelming majority (78.6%) of survey respondents either agreed or strongly agreed with the statement, but 15.5% neither agreed nor disagreed with the statement, while 6% of respondents either disagreed or strongly disagreed with it:

Strongly agree 40.5%
Agree 38.1%
Neither agree nor disagree 15.5%
Disagree 2.4%
Strongly disagree 3.6%

Even amongst those who do believe that librarians have a role to play in protecting user privacy, there is still the question of quite what that role should be. It could range from a more passive approach, simply protecting the personally identifiable information held about users – through to a more active approach in the form of lobbying and advocacy work; organising cryptoparties etc.

There are a number of potential roles that librarians can and do play. These are not mutually exclusive:

To protect: (Brantley 2015) believes that “Public libraries are among the last protectors of privacy in contemporary society”

(Fortier, Burkell 2015) “Librarians have a professional responsibility to protect the right to access information free from surveillance”

To defend: (Mattlage 2015) “Having special obligations to protect information rights means that information professionals must first of all take information rights seriously by defending them against countervailing pressures for more expedient public policies. It is the unique role of information professionals to be last to abandon the defense of these rights”.

Activism: Speaking of the privacy role of librarians in terms of activism is bound to be controversial. But it is interesting to observe the way in which librarians in America reacted to the repeal of the Federal Communications Commission’s rules requiring ISPs to adopt fair information privacy practices with regard to their customers’ data (Caldwell-Stone, Robinson 2017). These responses have included promoting the use of encryption, of VPNs, and of using the Tor browser to enable anonymous web searching.

To be radical: It is worth noting that people who identify themselves as being “radical librarians” seem to place a particularly high priority on ethical issues. “If we cannot (or do not) protect the intellectual privacy of our users, then we are failing as professionals” (Clark 2016).

To lobby / advocate: In the United Kingdom, librarians across the whole range of sectors have for many years worked together through the Libraries and Archives Copyright Alliance (LACA) to lobby for fairer copyright laws from a user perspective. I do believe that there is a real need for a similar organisation to lobby government for laws that are more respectful of user privacy, to raise awareness of privacy as an important issue, and to share best practice.

To negotiate: An important role for librarians involves negotiating with vendors, to ensure that contracts provide adequate protection for user privacy.

“If libraries only chose vendors who had good privacy policies, the industry would have to change its standards in order to obtain library business” (Dixon 2008)

(Magi 2010) Librarians have a long history of protecting user privacy, but they have done seemingly little to understand or influence the privacy policies of library resource vendors that increasingly collect user information through Web 2.0-style personalization features.

(Caro, Markman 2016) list a series of questions librarians should be asking of their vendors, covering data breach policy, data encryption, data retention, the ease of use of the vendor’s terms of service, patron privacy, secure connections and advertising networks.

(McMenemy 2016) says that “We need to be careful of how many of our values we surrender (cede) to software vendors to manage for us”

To educate/train: (Fifarek 2002) Libraries need to take an active role in educating users about protecting their privacy. Users should be educated as to what their privacy rights are and what privacy protections exist. Additionally, users need to understand that protecting their personal privacy requires them to make choices about what information they are willing to disclose in order to receive services.

Libraries are ideally placed to offer training on how users can protect their privacy.

To provide a sanctuary, a safe space or safe haven for private reflection: (Johnston 2000) says that “Public libraries further fulfill an essential social role by providing public space which serves ‘as safe havens for private reflection and as meeting places for community functions’”

(Sturges, Iliffe et al. 2001) recognise that “The library, whether public, academic or institutional, is both a communal and a private space: a paradox that has always contained a certain potential for tensions.”

(Campbell, Cowan 2016) also acknowledge that privacy can have a paradoxical relation to the public sphere. They cite (Keizer 2012) who suggests that individuals frequently move into the public sphere, not to sacrifice their privacy, but to retain it. Indeed, in an analysis of a court decision that grappled with the question of privacy in public places, Keizer writes of “the number of people whose very act of stepping out the front door represents a “subjective expectation of privacy”—because the public sphere is the only place where they can have a reasonable hope of finding it”.

In Quad/Graphics, Inc. v. S. Adirondack Library System, 174 Misc.2d 291, 664 N.Y.S.2d 225 (N.Y.Sup., 1997) the court noted that a library was “a unique sanctuary of the widest possible spectrum of ideas [and] must protect the confidentiality of its records in order to insure its readers’ right to read anything they wish, free from the fear that someone might see what they read and use this in a way to intimidate them”.

To participate: If librarians are to protect the privacy of their users, it is essential that they take part in the formulation of privacy policies. A failure to do so would be an abrogation of their ethical responsibilities.

(Jones 2014) p159 All over the world people are concerned about government surveillance and corporate collection of their personal data. Now is the time for libraries to seize the opportunity to play a major role in this policy arena! Librarians and library associations from all cultures must collaborate in this work, since the concept and application of privacy principles varies from culture to culture

To debate: (McMenemy 2016) says that “If we cannot debate important issues such as privacy and freedom of expression within our profession, we will lose our moral authority on them”.

To be a privacy watchdog or auditor: (Johnston 2000) “By accepting the existence of new privacy threats within the institution, it becomes possible to see an important new role for librarians. By building on such traditional responsibilities as evaluation of sources, monitoring of information systems, and keeping abreast of new tools or changes in old ones and addressing internal and external information flows, the librarian could become something akin to a privacy watchdog or auditor”

To take on a leadership role: (Fernandez 2010) recommends that librarians take a leadership role in the public debate on privacy: “After determining that libraries should have a presence within a social networking site, they can take a leadership role in promoting awareness and engagement on the issues surrounding information literacy and privacy.”

(Lamdan 2015) believes, more specifically, that librarians should lead a campaign to urge Internet social media companies to include Privacy by Design principles in their user agreements.

Privacy by design originates from a report on “Privacy enhancing technologies” from the Information & Privacy Commissioner of Ontario, Canada, the Dutch DPA Authority and the Netherlands Organisation for Applied Scientific Research in 1995. The foundational principles are:

  • Proactive not reactive; Preventative not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality – positive-sum, not zero-sum
  • End-to-end security – full lifecycle protection
  • Visibility and transparency – keep it open
  • Respect for user privacy – keep it user-centric

(Magi 2013) says “libraries hold a unique and critically important place in the information landscape. I can think of few other information providers that do what libraries do: provide a broad range of information, make it accessible to everyone regardless of means, while embracing the ethical principle that our users’ personal information is not a commodity to be traded or sold. Our commitment to user confidentiality is rare and special, and it’s a characteristic that research tells us is important to people”.

“Libraries have, with the best of intentions in the world, taken a strong position on privacy, and they have lost. They got the whole privacy thing all wrong. Rather than participate in the policies of their institutions and the many organizations that interact with them, they have abdicated their role and are now watching as their institutions are being colonized by commercial interests, which are no longer answerable to libraries” (Esposito 2016)

To conclude:

  • It is important that librarians participate in the development of privacy policies within their institutions
  • They should speak up to get management support, to get the training they need in this area, and where necessary, the resources necessary to protect user privacy (cybersecurity, adapting software, if required)
  • They should provide training for their users on the ways in which they can protect their privacy through the use of privacy tools in the form of browser addons, and use of the Tor browser for anonymous searching
  • As a profession we need an equivalent of LACA to lobby and advocate on privacy issues, and to share knowledge and best practice
  • We need to work with people from other disciplines in order to properly protect library user privacy. I am thinking here of areas such as information security or legal experts.

BIBLIOGRAPHY

BECKSTROM, M., 2015. Protecting patron privacy: safe practices for library computers. Libraries Unlimited.

BRANTLEY, P., 2015. Books and browsers. Publishers Weekly, 262(1).

CALDWELL-STONE, D. and ROBINSON, M., 2017. How libraries can respond to the repeal of the FCC privacy rules. Intellectual freedom blog (Office for Intellectual Freedom of the ALA), (March 31).

CALDWELL-STONE, D., ROBINSON, M. and SCHIMPF, C., 2016. Changing landscape of library privacy. Techsoup.

CAMPBELL, D.G. and COWAN, S.R., 2016. The paradox of privacy: revisiting a core library value in an age of big data and linked data. Library Trends, 64(3), pp. 492-511.

CARO, A. and MARKMAN, C., 2016. Measuring library vendor cyber security: seven easy questions every librarian can ask. Code4Lib, (32).

CLARK, I., 2016. Why librarians need to act on mass surveillance. Infoism, (March 15).

COLLIER, B., 2017. Cameras in library bathrooms cause privacy concerns. Our Quad Cities.

COOPER, A., 2016. Safeguarding what’s personal: privacy and data protection perspectives of Library Association of Ireland members.

COVINGTON, N.R., 2013. Letters to the editor: respect privacy at the library. South Kenton Recorder, (August 8).

DIXON, P., 2008. Ethical issues implicit in library authentication and access management: risks and best practices. Journal of Library Administration, 47(3-4), pp. 142-162.

ESPOSITO, J., 2016. Libraries may have gotten the privacy thing all wrong. Scholarly Kitchen.

FARKAS, M., 2007. The blog. Library journal, (December), pp. 40-43.

FERNANDEZ, P., 2010. Privacy and Generation Y: Applying library values to social networking sites. Community & Junior College Libraries, 16(2), pp. 100-113.

FIFAREK, A., 2002. Technology and privacy in the academic library. Online Information Review, 26(6), pp. 366-374.

FORTIER, A. and BURKELL, J., 2015. Hidden online surveillance: what librarians should know to protect their own privacy and that of their patrons. Information technology and libraries, 34(3), pp. 59-72.

GAROOGIAN, R., 1991. Librarian/patron confidentiality: an ethical challenge. Library Trends, 40(2), pp. 216-233.

GORMAN, M., 2015. Our enduring values revisited: librarianship in an ever-changing world. Chicago: ALA Editions, an imprint of the American Library Association.

GORMAN, M., 2000. Our enduring values: librarianship in the 21st century. Chicago; London: American Library Association.

HELLMAN, E., 2016. How to check if your library is leaking catalog searches to Amazon. GoToHellman.

JOHNSTON, S.D., 2000. Rethinking Privacy in the Public Library. The International Information & Library Review, 32(3-4), pp. 509-517.

JONES, B., 2014. ALA protests Adobe data breach. Newsletter on Intellectual Freedom, 63(6), pp. 155-156.

KEIZER, G., 2012. Privacy. Picador.

LAMDAN, S., 2015. Librarians as feisty advocates for privacy. CUNY Academic works.

LYNCH, C., 2017. The rise of reading analytics and the emerging calculus of reader privacy in the digital world. First Monday, 22(4 (April 3rd)).

MAGI, T.J., 2010. A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), pp. 254-272.

MAGI, T.J., 2013. A fresh look at privacy – why does it matter, who cares, and what should librarians do about it? Indiana Libraries, 32(1), pp. 5-5 pages.

MASTERS, E., 2017. Library staffs deal with patrons’ body odor, other issues. Times Union.

MATTLAGE, A., 2015. Responsibilities of information professionals vis-a-vis information rights. Journal of Information Ethics, 24(1), pp. 65-81.

MCMENEMY, D., 2016. Rights to privacy and freedom of expression in public libraries: squaring the circle. IFLA WLIC 2016.

MIKETA, A., 2012. Library diaries. CreateSpace Independent Publishing Platform.

RANDALL, D.P. and NEWELL, B.C., 2014. The panoptic librarian: the role of video surveillance in the modern public library. iConference 2014, pp. 14-14 pages.

RUNDLE, H., 2016. Zoia Horn’s library: protecting your users’ privacy with Tinfoil. HughRundle.net.

SHACHAF, P., 2005. A global perspective on library association codes of ethics. Library & Information Science Research, 27(4), pp. 513-533.

STURGES, P., ILIFFE, U. and DEARNLEY, J., 2001. Privacy in the digital library environment.

WOODWARD, J., 2007. What every librarian should know about electronic privacy. Westport, CT.: Libraries Unlimited.

 

Why the #cilipinwales conference was the wake up call I needed

Even though I have spent two years reading up about privacy in libraries, and indeed the concept of privacy more generally, I have only just started my PhD studies in February this year.

I want to initiate a debate on what involvement libraries should have in protecting user privacy. And it certainly seems as though my talk at the CILIP in Wales Llandudno conference did get people thinking, and discussing some of the points I had raised.

In my talk I gave a number of examples of the ways in which privacy issues arise in libraries. And I get the feeling that some of those examples may have seemed to some people at least as being unnecessarily zealous, as though the reading and browsing habits of users are hardly sensitive.

In the time available I wasn’t able to run through examples of the “chilling effect” that arises when one is being watched, or thinks that one is being watched; or examples of self-censorship etc. Or to explain why the many arguments that start off from the stance of “nothing to hide, nothing to fear” are bogus because they overlook the fact that when someone holds information about you they potentially have power and control over you.

What the conference did was to provide me with a big wake-up call. It’s all very well for me to talk about the Tor browser as a means of searching the web anonymously or about using https:// secure sites. What the delegates’ comments and questions taught me was that there are some incredibly practical considerations that need to be addressed first. And it’s only after the conference ended that I realised just how useful the insights I could glean from their questions really were. And for that I am incredibly grateful.

One question was about balancing privacy and security. The question was thinking specifically of what would be likely to happen if their library were to install the Tor browser given that the “dark web” is synonymous for some folk with the criminal underworld of drugs, firearm sales and the like. And of course this is a hugely important consideration. If providing people with the facility for anonymous searching comes with huge risks of facilitating criminal activity, then it’s a no-brainer: no library would ever go near anonymous searching. I have to confess that I know only a very limited amount about the Tor browser, and I need to address that gap in my knowledge! Instinctively I automatically think of the work of the Library Freedom Project who have championed the use of Tor in American libraries and who must therefore have had to deal with these issues. Because surely they will be in a position to help address precisely these issues head on.

Another question asked what can and should public library staff be doing tomorrow. In other words, what quick wins can and should they be looking to implement virtually overnight in order to be more respectful of user privacy. I think that the question was driven in part by a sense in which policies were set centrally; that things were reliant on their IT systems; that their IT function seemed quite remote. In short, the library staff might feel powerless to do anything.

Another question related to whether any of the tools available are designed for mobile devices. And I omitted to mention https://libraryfreedomproject.org/mobileprivacytoolkit/

And yet another comment was about how you can only set up https: secure using Let’s Encrypt by rendering your machine vulnerable at the point where you set it up.

All of these points are hugely valuable to me. For one thing they help me to realise just how much more I need to learn, because right now I don’t have the expertise to adequately address them all. And now I know more precisely what some of my knowledge gaps are. But far more important than that, they are absolute gold-dust because they flag up the highly practical reasons why things won’t change unless these and other points are fully addressed in a way that provides the necessary reassurance. My main focus is not on criticising people for what they do regarding privacy. Rather it is to understand what the problems are, because until that becomes clearer, there’s absolutely no hope of moving forward.

So I want to say a massive thank you to CILIP in Wales for giving me the platform to talk about privacy in libraries; to all of the delegates who made comments and asked questions for helping me to better understand the worries and concerns that will prevent us making progress unless we are prepared to fully address those concerns. And I hope that this write-up will prove helpful to CILIP HQ so that they can take these things on board as part of the privacy project it is undertaking with the Carnegie Trust because I think that they themselves are trying to work out where it is that they need to focus their attentions.

Thanks again to CILIP in Wales for inviting me to speak, and for putting on a great conference.

 

 

Lots librarians (and others) can learn from Soulmates data breach

The story about Guardian Soulmates experiencing a data breach could be used as a classic case-study of what to think about regarding data breaches.

I read the story on the tube this morning in The Metro 9/5/2017 “Hackers send explicit spam as soulmates site breached”, but another publication has the story at: http://www.cbronline.com/news/cybersecurity/data/guardian-soulmates-users-sent-explicit-spam-wake-data-breach/

Almost every line I read of the story in The Metro could be unpacked with lessons we all need to take on board:

  • It was down to human error (a significant proportion of data breaches are down to human error)
  • The error was made by a third party (data breaches are often down to third parties, so it’s no use just making sure you have your own house in order, you have to do everything you can to make sure that your vendors and third parties do too)
  • The story said that no banking details and other sensitive data was lost. But a dating site will surely tell people your sexuality, and that is sensitive personal data
  • They cited someone telling BBC News that “it’s all information that I was happy to put online at one point but, when it is used outside of context like that, it does feel a lot more creepy”. And that goes back to Helen Nissenbaum’s theory of contextual integrity. It’s not just a question of what data you hand over, it’s the context in which it is then used that makes all the difference.
  • It also reminds me of Viktor Mayer-Schonberger’s view that regulation shouldn’t just focus on consent. He argues the case for use-based regulation.
  • Another thing that struck me about the Metro’s story was that someone who left the service a long time ago spoke out having been affected. How many companies that have your data delete it after a reasonable period? There’s a mentality in an era of massive computer power, and big data, that data is valuable, and even if I can’t think what uses I might put it to later (overlooking the question of permission), I’ll hang on to it just in case. Many American librarians get rid of personally identifiable information as soon as they possibly can, so that it isn’t available to anyone – including hackers etc (so, for example, having a library management system that routinely un-links the user information from the detail of the item borrowed as soon as the book has been returned).
  • That idea of someone leaving a service and their data is still held by that company is a useful reminder that we are all leaving a digital trail, or footprint. And we need to be careful about who we give our data to, and whether we can get it deleted afterwards.
  • Another point worth making is that simply because you are paying a company for something, and that they need your data to deliver the product or service to you, it is no guarantee that your data is safe. Whether free or priced, there are still real dangers.