Watching You Watching Me

Imagine this – you visit your local art museum for the first time in over a year. You’re excited to be back in the physical building! You get to be in the same physical space as the art! You make your way to one of your favorite pieces in the museum, but when you finally arrive, you find something odd. Next to the piece is a small camera pointing at you and everyone else viewing it.

A ShareArt camera next to a painting in the Istituzione Bologna Musei.
Image source: Istituzione Bologna Musei

Is this to make sure people are wearing masks? Social distancing? Or is it something more?

Museum-goers in Italy are already facing this reality with the introduction of the ShareArt system in several Italian museums. The system tracks how long visitors spend in front of each piece, creating data to inform exhibition layout and scheduling decisions. There is also interest in having the system capture and analyze facial expressions as mask mandates fall by the wayside. While the project aims to help museums make their collections more visible and accessible to visitors, it also raises both new and perennial concerns around privacy.

Tracking Bodies, Tracking Data

Libraries and museums are no strangers to counting the number of people who come into a building or attend an event. Door counters installed on entrance/exit gates are a common sight in many places, as is the occasional staff member with a clicker manually counting heads in one space at a specific time. The data produced by a door counter or a manual head count is usually limited to the count itself and the time of collection. This data can get very granular – for instance, a door counter can measure how many people enter the building in the span of an hour, or a staff person can count how many people are in a space at regular intervals in a day. As long as nothing else is collected alongside the count and the time, this type of data collection is considered lower risk in terms of data privacy. Aggregating count data can further protect privacy when the door or event counts are combined with other data sets that share data points such as time or location.
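To make the distinction concrete, here is a minimal Python sketch of what low-risk count data looks like and how it can be aggregated before being combined with another data set. The timestamps, field names, and numbers are illustrative only and are not taken from any particular door counter product.

```python
# A minimal sketch (not tied to any specific door counter product) showing
# why count-and-time data is lower risk: the only fields collected are a
# timestamp and a number, and even those can be aggregated before sharing.
from collections import defaultdict
from datetime import datetime

# Hypothetical raw gate data: one (timestamp, count) pair per hour.
hourly_counts = [
    ("2021-07-12 09:00", 14),
    ("2021-07-12 10:00", 32),
    ("2021-07-12 11:00", 41),
    ("2021-07-13 09:00", 11),
]

def aggregate_daily(rows):
    """Roll hourly gate counts up to daily totals before the data is
    combined with any other data set that shares a time dimension."""
    daily = defaultdict(int)
    for stamp, count in rows:
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M").date()
        daily[day] += count
    return dict(daily)

print(aggregate_daily(hourly_counts))
# {datetime.date(2021, 7, 12): 87, datetime.date(2021, 7, 13): 11}
```

Nothing in this data identifies an individual patron; the privacy calculus changes only when additional fields are attached to each count.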

Patron privacy risk increases sharply when you introduce cameras or other methods of collecting personal data into door or space counts. Door or space counters with webcams or other cameras capture a person’s distinct physical traits, such as body shape and face. This updated door counter mechanism goes a step beyond a security camera – it captures an individual patron’s movements through the library space. With this capture comes a legal gray area: whether audio/visual recordings of patron use of the library are protected data under individual state library privacy laws, which creates additional privacy risks for patrons.

Performing for an Audience

One good point raised on Twitter about the ShareArt implementation is that people change their behavior when they know they are being watched. This isn’t a new observation – various fields grapple with how the act of being observed changes behavior, from panopticon metaphors to the Hawthorne Effect. If a project is supposed to collect data on user behavior in a specific space, the visible act of measurement can influence the behavioral data being collected. And if the act of measurement skews the collected data, how effective will that data be in meeting the business case of using behavioral data to improve physical spaces?

Libraries know that surveilling patron use of library resources can affect that use, including curtailing intellectual activities in the library. Privacy lowers the risk of consequences that might result from others knowing a patron’s intellectual pursuits at the library, such as checking out materials on topics like health, sexuality, politics, or beliefs. If patrons know or suspect that their library use is tracked and shared with others, they will most likely start self-censoring their intellectual pursuits at the library.

The desire to optimize the layout of the physical library space for patron use is not new. The average library already has several less privacy-invasive ways to count how many people move through or occupy a particular space, such as the humble handheld tally clicker or the infrared beam door counter. Advancements in people-counting and tracking technology, such as ShareArt, boast a more accurate count than their less invasive counterparts but underplay the privacy risks that come with the increased collection of personal data. We come back to the first stage of the data lifecycle – why are we collecting the data we are collecting? What is the actual, demonstrated business need to track smartphone wifi signals, record and store camera footage, or even use thermal imaging to count how many people enter or use a physical space at a particular time? We might find that the privacy costs outweigh the value of the potentially flawed personal data collected by these more invasive physical tracking methods in the name of serving the patron.

An Audacity Postmortem for the Library World

A black silhouette of a condenser microphone against a white background with a blue audio wave track spanning across the middle of the background.
Image source: https://www.flickr.com/photos/187045112@N03/50135316221/ (CC BY 2.0)

It seemed so long ago – last week at this time, LDH was logging back into the online world only to find yelling. Lots of yelling. Why were so many people yelling in our timeline? What did someone in the library world do this time to set people off?

It turns out that the source of the outrage wasn’t located in the library world but instead in the open source community. Users of the popular audio editor Audacity loudly objected to the recently updated privacy policy, claiming that the new language in the policy violates the existing license of the software and turns Audacity into spyware. Even after Audacity clarified the new language, several users took the current Audacity code to start their own Audacity-like software projects that wouldn’t be subject to the new policy language. This created its own issues – one project maintainer became the target of a harassment campaign after they objected to the offensive name of another project.

The Audacity debacle continues; nevertheless, there are a couple of lessons that libraries can take away from this mess.

Privacy Notices and Your Patrons

We will start with the privacy notice. In the privacy world, a privacy notice differs from a privacy policy: the latter is an internal document, while the former is a document published to the public. In part, a privacy notice informs the public about your privacy policies and practices and what rights the public has regarding their privacy. Changes to the language of a privacy notice carry several possible points of failure, as we saw with the Audacity example. A comment thread in the language clarification post identifies some of the significant issues with how Audacity went about the changes:

“I think what a lot of people are also taking issue with… is that these major, scary-sounding changes are popping up seemingly out of nowhere without any sense of community consultation. Right now, I think people feel caught off-guard yet again and are frustrated that the maintainers aren’t demonstrating that they care about what the broader community thinks of their decisions.”

What can libraries take away from this?

  • Write for your audience – Privacy notices are notoriously riddled with legal language that many in the general public are not equipped to navigate or interpret. Your privacy notice can’t skip the vetting process by your legal staff, but you can avoid confusion by using language that is appropriate for your audience. This includes limiting library and legal jargon, as well as creating summaries or explanations that help readers understand the more detailed or longer sections of the notice. Twitter’s use of summaries and lists in their privacy notice is one example of writing to the audience. In addition, don’t forget to write the notice in the major languages of your audience. Everyone in your community deserves to know what’s going on with their privacy at the library.
  • Involve your audience – The earlier quote from an Audacity community member demonstrates what can happen when key stakeholders are left out of critical decision-making processes. How is your library working with patrons in the creation and review of the privacy notice? Asking patrons to review notices is one way to involve them, but including patrons throughout the entire process of creating and reviewing a privacy notice can reveal hidden or overlooked privacy issues and considerations at the library.
  • Communicate to your audience – What do you do when you publish a change in the privacy notice? Your patrons should not be caught off guard by a significant change to the notice. Luckily, your library already has many of the tools needed to tell your patrons about important updates, from your library’s news blog or newsletter to in-library physical signage and flyers. Website alerts are also an option if used judiciously and designed well – a website popup, while tempting, can easily be clicked away without its text ever being read.

Open Source Software and Privacy Expectations

We’ll go ahead and get this out of the way – open source software is not inherently more private and secure than its proprietary counterparts. OSS can be private and secure, but not all OSS is designed with high privacy and security standards by default. One of the primary reasons so many in the Audacity community were upset with the changes is the assumption that OSS would not engage in data collection and tracking. However, several other popular OSS projects collect some level of user data, such as crash reports. Having other major OSS players collect user data doesn’t automatically make the practice okay. Instead, it reminds those who make software decisions for their libraries that OSS projects should be subject to the same rigorous data privacy and security review as proprietary products.

A strength of OSS is the increased level of control users have over the data in the software – libraries that have the in-house skills and knowledge can modify OSS to increase the privacy and security of patron data in those systems. The library OSS community can provide privacy-preserving options for libraries. Other libraries have already shared their experiences adopting privacy-preserving OSS, such as Matomo Analytics and Tor. Ultimately, libraries that want to protect patron privacy must choose any software that might touch patron data with care and with the same level of scrutiny, regardless of its licensing status.
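To make the point about modifying OSS a bit more concrete, here is a rough Python sketch of one kind of privacy-preserving change a library might make to self-hosted analytics: truncating visitor IP addresses before they are ever stored. The function and its parameters are hypothetical illustrations, not Matomo’s or Tor’s actual interfaces; real deployments would rely on the privacy settings those projects already provide.

```python
# A hypothetical sketch of a privacy-preserving change a library might make
# to self-hosted analytics: zeroing out part of the visitor IP address
# before it is written to storage. Illustrative only; this does not reflect
# Matomo's actual configuration options or code.
import ipaddress

def truncate_ip(raw_ip: str, keep_octets: int = 2) -> str:
    """Zero out the trailing octets of an IPv4 address so stored analytics
    data cannot be tied back to a single patron device."""
    addr = ipaddress.ip_address(raw_ip)
    if addr.version != 4:
        # For simplicity this sketch only handles IPv4; IPv6 would need
        # its own masking rule.
        return "0.0.0.0"
    octets = raw_ip.split(".")
    masked = octets[:keep_octets] + ["0"] * (4 - keep_octets)
    return ".".join(masked)

print(truncate_ip("198.51.100.27"))  # -> "198.51.0.0"
```

The design choice here is the same one behind the earlier door count example: collect or keep only as much detail as the stated business need actually requires.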