Margaret Purdy is a Graduate Research Intern in the Program on Information Science, researching the area of library privacy.
Building Trust: A Primer on Privacy for Librarians
Privacy Protections Build Mutual Trust Between Patrons and Librarians
Librarians have accepted privacy as a central tenet of their professional ethics and responsibilities for nearly eight decades. However, by 2017, privacy as a human right has been simultaneously strengthened and reaffirmed, defended and rebuffed, but rarely do we as librarians take the time to step away and ask why privacy truly matters and what we can do to protect it.
The American Library Association and the International Federation of Library Associations have both asserted that the patrons have the right to privacy while seeking information.1 The ALA in particular brings up the notion of privacy allowing for intellectual freedom – the ability to consume information and know they will not face repercussions such as punishment or judgments based on what they read. Librarians are in the business of disseminating information in order to stimulate knowledge growth. One major stimulus for such growth is the mutual trust between the library and the patron – trust that the patron will not use the knowledge in a destructive way, and trust that the library will not judge the patron for information interests. Ensuring patron privacy is one way for the library to prove that trust. Similarly, the IFLA2 emphasizes the right to privacy in its ethics documentation. In addition to the rights of patron privacy that the ALA ensures, the IFLA also allows for as much transparency as possible into “public bodies, private sector companies and all other institutions whose activities effect [sic] the lives of individuals and society as a whole.” This is yet another way to establish trust between the library and its patrons, ultimately ensuring intellectual freedom and growth of knowledge.
Globally, internet privacy and surveillance are also matters that are currently getting much more notice and debate, and government regulations, such as the EU General Protection of Public Data (GDPR)3, are working to strengthen individuals’ abilities to control their own data and ensure it does not end up being used against them. The GDPR is slated to go into effect in 2018 and will broadly protect the data privacy rights of EU citizens. It will certainly be a policy to watch, especially as a litmus for how effective major legislation can be in asserting privacy protections. Even more practically, however, is that the GDPR protects EU citizens even if the one collecting data is outside the EU. This will potentially affect many libraries across the United States and the world at large, as there is an added level of awareness required to ensure that any collaboration with or service to EU citizens is properly protected.
Libraries Face a Double-Barreled Threat from Government Surveillance and Corporate Tracking
In addition to the ALA and IFLA codes of ethics that ensure librarians work to ensure patrons’ rights to privacy, multiple governmental codes deal with the right to information privacy. In the United States, the fourth amendment protects the right to remain free from searches and seizures, and has often been cited as a protection of privacy. Similarly, federal legislation such as FERPA, which protects the privacy rights of students, and HIPAA, which protects medical records have reasserted that privacy is a vital right. Essentially every US state also has some provisions about privacy, many of which directly relate to the right to privacy in library records.4
However, in recent years, many of the federal government’s protections have begun to slip away. Immediately after 9/11, the USA PATRIOT Act passed, allowing the government much broader abilities to track patron library records. More recently, as digital information became easier to track, programs such as PRISM and other governmental tracking arose. Both of these government programs directly threaten the ability for library patrons to conduct research, information-seeking, and more in privacy.
Businesses have also learned ways of tracking their users’ behaviors online, and using that data for practices such as targeted advertising. While the vast majority of this data is encrypted and could not be easily brought back to personally-identifiable information, it is still personal data that is not necessarily kept in the most secure way possible. And while breaches do happen, even without them, it is not out of the question for an experienced party to be able to reconstruct an individual from the data collected, and to know not only that individual’s browsing history and location, but also potentially information such as health conditions, bank details, or other sensitive information.
While this information is often used for simple outreach, including Customer Relationship Marketing, where a company will recommend new products based on previous purchases, it can also be used in more invasive ways. In 2012, Target sent out a promotional mailing containing deals on baby products to a teenage girl.5 Based on their data they had tracked about her purchases, the algorithm had determined, correctly, that she was highly likely to be pregnant. While this story received extensive media attention, businesses of all types, including retailers, hotels, and even healthcare systems participate in similar practices, using data to personalize the experience. However, when stored irresponsibly, this data can lead to unintentional and unwanted sharing of information – potentially including embarrassing web browsing or shopping habits, dates that homes will be empty for thieves, medical conditions that could increase insurance rates, and more
Growing Public Concern
One of the most pressing risks to privacy protections currently is user behavior and expectations. With the information industry becoming much more digital, information is becoming easier to access, spread, and consume. However, the tradeoff is that users, and the information they view, is much easier to track, by both corporate and government entities, friendly or malicious. Plus, because much of the tracking and surrendering of privacy, including the ability to save passwords, CRM, targeted algorithms, and more, make it more convenient to browse the internet, many patrons willingly give up the right to privacy in favor of convenience.
Another similar poll8 shows that more than half of Americans are concerned about privacy risks, and over 80% have taken some precautionary action. However, most of that 80% are unaware of more that they can do to protect themselves. This is true for both government surveillance and corporate tracking. The public has similar levels of awareness and concern about both, but are unaware of how to better protect themselves, and thus, are more likely to allow it to happen.
Best Practices for Librarians
Given the increasing public concern and awareness, as well as the longstanding history of librarians’ focus on privacy, librarians have a perfect opportunity to intervene and re-establish the trust from users that their information will not be shared and to meet the professional ethical model of always protecting privacy. There are nearly endless resources that can outline in great detail what librarians should do to defend their patrons against attacks on privacy, whether that comes from government surveillance or corporate tracking. Some of these involve systematic evaluations of all touchpoints in the library and recommendations for implementing best practices. These exist even for areas that do not seem like obvious ways for privacy to be violated, such as anti-theft surveillance on surrounding buildings, or through third-party content vendors.
By dedicating library resources to systematically check for privacy practices, librarians can take some of the burden of inconvenience off of the individual patron. Many of these best practices involve taking the time to change computer settings, read and understand privacy policies, and negotiate with vendors, which few, if any, individuals would do on their own. With the muscle of the library working on it, though, the patrons will still benefit, without needing to dedicate the same amount of time. This serves a dual function as well, as in addition to actual steps to protect patrons, librarians can also serve as an educational resource to help patrons learn simple steps to take to protect their personal systems.
Some examples of protectionary moves are to create policies on library computers that ensure that as little information from user sessions is saved. There are several incredibly simple steps that, while they reduce the convenience slightly, ensure users a safe and private experience. This includes, settings that clear cookies, the cache, and user details after each session (also known as “incognito mode”); or the clearing of patron checkout records once the book is returned.
In addition to those tweaks, the ALA and LITA offer checklists of privacy best practices to systematically implement in libraries. These cover everything from data exchanges, OPACs and patron borrowing records, protection for children, and more in great detail. NISO also provides overarching design principles for approaching library privacy in a digital age. Additionally, there are recommended security audits, many of which Bruce Shuman mentions in his book, Library Security and Safety Handbook: Prevention, Policies, and Procedures.
Additionally, the library, already known for educational programs and community-oriented programming could serve as a location to educate the public about the real risks of tracking and surveillance. There is a definite gap between the public’s awareness of the risks and the public’s action to mitigate those risks. While librarians cannot force behavior, and most would not want to, offering patrons trustworthy information about the risks and how to avoid them in their personal browsing experiences helps re-establish privacy as a core value and gives patrons a reason to trust the library. This recent post from Nate Lord at Digital Guardian offers simple and more in depth steps that patrons can take to ensure their digital information is secure. If a library offered some of these in a training course or as a takeaway, it could serve as a valuable resource in narrowing the gap between patron awareness and activity.
Ultimately, privacy is often one of those words that many people give lip service to, but without fully understanding the risks and consequences, the motivation to give up convenience in order to protect privacy is not always there. However, we as librarians, who value privacy as one of the professions’ core tenets have a real opportunity to help protect patrons’ data against these threats. Resources, such as the aforementioned privacy checklists and audit guides, exist to help librarians ensure their library is in compliance with the current best practices. The threats against privacy are growing, and librarians are well-suited to intervene and ensure patron protection.
- 101 Data Protection Tips: https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe
- ALA Privacy Checklist: http://www.ala.org/advocacy/privacy/checklists
- ALA Privacy Toolkit: http://www.ala.org/advocacy/privacy/toolkit
- IFLA Statement on Privacy: https://www.ifla.org/files/assets/hq/news/documents/ifla-statement-on-privacy-in-the-library-environment.pdf
- International Privacy Law Library: https://iapp.org/resources/article/international-privacy-law-library/
- Library Security and Safety Handbook: Prevention, Policies, and Procedures: https://books.google.com/books?id=1N0iXPx5uqQC&lpg=PA111&ots=bUXo2DeMva&dq=library%20security%20audits&pg=PA1#v=onepage&q&f=false
- LITA: http://www.ala.org/lita/advocacy
- Karen Coyle: Privacy Audits
- NISO: http://www.niso.org/topics/tl/patron_privacy/
- Preparing for GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- State Library Privacy Laws: http://www.ala.org/advocacy/privacy/statelaws
2. IFLA Code of Ethics. https://www.ifla.org/publications/node/11092
3. GDPR Portal (2016). http://www.eugdpr.org/
4. Adams, H. et. al. (2005). Privacy in the 21st century. Westport, Conn.: Libraries Unlimited.
5. Hill, K. (2012). How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did. Forbes.com. https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#1bd0d38d6668
6. Ayala, D. (2017). Security and Privacy for Libraries in 2017. Online Searcher, 41(3).
7. Cranor, L. (2008). The Cost of Reading Privacy Policies. I/S: A Journal Of Law And Policy For The Information Society.
8. Rainie, L., & Rainie, L. (2017). The state of privacy in post-Snowden America. Pew Research Center. http://www.pewresearch.org/fact-tank/2016/09/21/the-state-of-privacy-in-america/