Category: Privacy

Posted on

Libraries, Privacy, and… Tropes?

Welcome to this week’s Tip of the Hat!

A popular way to procrastinate at LDH is to dig through the pile of articles and other literature about all facets of privacy: regulations, ethics, practices, current events… the current events pile is at overcapacity at the moment. In these piles of articles, we come across one particular trope that we’d like to address – libraries as exemplars of privacy ethics and practices.

This trope is similar to others in other mainstream stories that use libraries as exemplars for other things, such as community engagement, democracy, and learning centers. The “library as privacy exemplar” trope coexists with these other tropes, sometimes in the same story. Other times the trope is front and center of an article. An example of this is an IAPP article about general privacy practices at the library. At best, this article demonstrates the attitude and tone of how many writers think about the library as an enlightened entity with their focus on privacy. Near the end of the article comes another trait that these articles tend to share, which is modeling privacy practices off of the library profession: “While library culture tilts heavily in favor of protecting the ‘citizen from state’ intrusion, that same culture can be mobilized to advocate for ‘customer’ privacy as well in relation to third-party service providers.”

All of this leads us to a hidden danger in the “library as privacy exemplar” trope, which is unquestioned trust in libraries in all matters of privacy and data ethics. Some of that trust has been earned – there are several library privacy initiatives, such as the Library Freedom Institute, that are very active in the greater community in their advocacy and education around data privacy. In addition, LDH’s conversations with technology workers in other fields have made it clear that professionals in other industries wished that they had strong professional ethics and standards like the library profession.

Nonetheless, others from outside the library profession take this trust too far. For example, in Emma Trotter’s “Patron Data Privacy Protection at Public Libraries: The Ethical Model Big Data Lacks”, Trotter proposes that libraries should become personal data stores (PDS) where people can gather their data in one secure place and then manage the processing of their data by third parties. Trotter is very confident that libraries can become the ethical role model for Big Data with this marriage between PDS and library privacy ethics. Overall, Trotter believes that the ethical issues around Big Data would be negated once libraries become front and center in the overall management of Big Data.

While libraries do have a strong ethical basis around advocacy and adoption of privacy practices, libraries also have their fair share of privacy issues and gaps. Libraries are not immune to the same threats and vulnerabilities as other professions and industries, such as data leaks and breaches, ransomware attacks, phishing, and even underfunding or undertraining staff in ways to protect patron privacy. Librarianship also deals with ethical issues around their collection and processing of patron data, particularly for marketing and user profiling, as well as working with vendors who also collect and process patron data without giving the patron control over what is collected and processed. One doesn’t need to search too far to find an example of such – one being the Santa Cruz Public Library’s Civil Grand Jury Report about the numerous ethics breaches surrounding their use of patron data without full patron notice and consent, among other violations of patron privacy.

Yes, other industries can learn from libraries about how to approach privacy in their daily work, including ethics and advocacy, but libraries also have to be honest about the profession’s struggles around data privacy, both on a practical and ethical level. Part of that is being public with these struggles in the public discourse, be it with patrons or with people from other industries who are looking for a model to base their professional privacy ethics and practices on. Another part is re-evaluating how we, as a library profession, market ourselves as privacy experts and safe-keepers of data to our patrons. Again, libraries set themselves apart from other industries regarding privacy ethics and advocacy, but they cannot set themselves apart from the reality that is working with data in the real world that has real needs that fall into ethical gray areas and real data security and privacy risks.

Posted on

Summer Homework – Requesting Your Data

Welcome to this week’s Tip of the Hat!

Have you ever wondered what data OverDrive collects while you’re reading the latest ebook? Or what Kanopy collects when you’re watching a documentary? As library workers, we have some sense as to what vendors are collecting, but we are also patrons – what exactly are vendors collecting about *us*?

GDPR and CCPA both give different sets of users (EU residents and CA consumers, respectively) the right to access the data collected by organizations and businesses; however, some organizations extended that right to all users, regardless of geographic residency. Below are some of the more well-known library vendors who are offering some form of data request process for their users (aka library patrons, including you!):

  • Cengage
  • Elsevier
  • Kanopy’s data request appears only to apply to CA consumers: “Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to privacy@kanopy.com with “Request for California Privacy Information” in the subject line. You may make such a request up to once per calendar year. If applicable, we will provide to you via email a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses. Please note that not all personal information sharing is covered by Section 1798.83’s requirements.”
  • LexisNexis
  • OverDrive
  • ProQuest
    • ExLibris, owned by ProQuest, appears to have a different data request process: “You may request to review, correct or delete the personal information that you have previously provided to us through the Ex Libris Sites. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to privacy@exlibrisgroup.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.”

What is surprising is that there are not more library vendors that offer this option, or not extending the option to all users. This might change over time, depending on how the newest data privacy ballot initiative in California goes in November, or if additional regulations are passed in other states or even in the federal government. If more companies provide this right to access for all users, then it’s more likely that this practice will become a standard practice industry-wide. LDH will provide the latest updates around data access options from library vendors when they come along!

Posted on

Black Lives Matter

Hello everyone,

Black Lives Matter.

If your library or archive is thinking about collecting photographs, videos, or other materials from the protests around George Floyd’s death caused by Minneapolis police, what are you doing to protect the privacy of the protesters? Black Lives Matter protestors and organizers, as well as many protesters and organizers in other activist circles, face ongoing harassment due to their involvement. Some have died. Recently Vice reported on a website created by white supremacists to dox interracial couples, illustrating how easy it is to identify and publish personal information with the intent to harm people. This isn’t the first website to do so, and it won’t be the last.

Going back to our question – if your response to the protests this weekend is to archive photos, videos, and other materials that personally identifiable information about living persons, what are you doing to protect the privacy and security of those people? There was a call made this weekend on social media to archive everything into the Internet Archive, but this call ignores the reality that these materials will be used to harass protesters and organizers. Here is what you should be considering:

  • Scrubbing metadata and blurring faces of protesters – a recently created tool is available to do this work for you: https://twitter.com/everestpipkin/status/1266936398055170048
  • Reading and incorporating the resources at https://library.witness.org/product-tag/protests/ into your processes and workflows
  • Working with organizations and groups such as Documenting The Now
    A tweet that summarizes some of the risks that you bring onto protestors if you collect protest materials: https://twitter.com/documentnow/status/1266765585024552960

You should also consider if archiving is the most appropriate action to take right now. Dr. Rachel Mattson lists how archives and libraries can do to contribute right now – https://twitter.com/captain_maybe/status/1267182535584419842

Archives, like libraries, are not neutral institutions. The materials archivists collect can put people at risk if the archives do not adopt a duty of care in their work in acquiring and curating their collections. This includes protecting the privacy of any living person included in these materials. Again, if your archive’s response is to archive materials that identify living people at these protests, how are you going to ensure that these materials are not used to harm these people?

Black Lives Matter.

Posted on

Just Published! Library Data Risk Assessment Guide

Welcome to this week’s Tip of the Hat!

To build or to outsource?

Building an application or creating a process in a library takes time and resources. A major benefit of keeping it local, though, is that libraries have the greatest control over the data collected, stored, and processed by that application or system. Conversely, a major drawback of keeping it local is the sheer number of moving parts to keep track of in the building process. Some libraries have the technical know-how to build their own applications or have the resources to keep a process in house. Keeping track of privacy risks is another matter. Risk assessment and management must be addressed in any system or process that touches patron data, so how can libraries with limited privacy risk assessment or management experience make sure that their local systems and processes mitigate patron privacy risks?

Libraries have a new resource to help with privacy risk management! The Digital Library Federation’s Privacy and Ethics in Technology Working Group (formerly known as the Technologies of Surveillance Working Group) published “A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems“. This 28-page guide provides best practices and practical strategies in conducting a data risk assessment, including:

  • Classifications of library user data and privacy risk
  • A table of common risk areas, including probability, severity, and mitigation strategies
  • Practical steps to mitigate data privacy risks in the library, ranging from policy to data minimization
  • A template for readers to conduct their own user data inventory and risk assessment

This guide joins the other valuable resources produced by the DLF Privacy and Ethics in Technology Working Group:

The group also plans to publish a set of guidelines around vendor privacy in the coming months, so be sure to bookmark https://wiki.diglib.org/Privacy_and_Ethics_in_Technology and check back for any updates!

Posted on

Contact Tracing At The Library

Welcome to this week’s Tip of the Hat!

Contact tracing has been used in the past with other diseases which helped curve infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials in taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared when their local government or health officials require contact tracing as part of the reopening process.

While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.

Collect only what you absolutely need

What is the absolute minimum you need to contact a patron: name, email address, and/or telephone number are all options. Sometimes patrons do not have a reliable way of contacting them outside the library – health and government officials should have recommendations in handling those cases.

But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:

  • Some of the people visiting the library will not have their library card or are not registered cardholders.
  • Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.

Paper or digital log?

Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:

  • Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
  • Who has access to the digital file? All staff in the library?
  • How many other copies of the file are floating around the library’s network, drives, or even printed out?

In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:

  • The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
  • During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge) you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
  • Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical or electronic copies) of the log.

Equitable service and privacy

Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?

Retention and disposal

Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.

Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing is an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of losing entire personal privacy if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.

Posted on

Choose Privacy Week Recap

Welcome to this week’s Tip of the Hat!

This weekend was hot in Seattle, with temperatures near 90 F. While the Executive Assistant took this time to bask in this heat, we at LDH tried to find a cool spot in the home office to work, away from the Executive Assistant’s gaze.

Last week was a busy week on the Choose Privacy Every Day site for Choose Privacy Week! Here’s what you might have missed:

  • Virtual Programming and Patron Privacy – Jaime Eastman along with the ALSC Children and Technology committee give much-needed guidance for library workers who are moving children-oriented programs and services online due to the pandemic. The post goes into the Children’s Online Privacy Protection Act (COPPA), and what library workers need to do to protect the privacy of children while keeping in compliance with COPPA. Bookmark the ALSC Virtual Storytime Services Resource Guide for additional guidance (coming soon!).
  • Protecting Privacy In A Pandemic: A Resource Guide – On Friday, May 8th, OIF hosted a Privacy Town Hall about patron privacy. While we wait for the recording of the Town Hall event, the blog post lists the main topics and resources covered by the panelists in the Town Hall.
  • When libraries become medical screeners: User health data and library privacy – Some libraries are now giving medical screenings to patrons who want to enter the library building. What privacy risks are there in collecting health data of your patrons? Read the article by LDH to find out why library workers might not be the best choice in handling health data.

Finally, if you have that one library privacy topic that you’ve been meaning to write about or if you want to share your privacy thoughts to a wide audience, Choose Privacy Every Day is looking for blog authors! There are some requirements for being an author for the blog, but this is a great opportunity to get your ideas and thoughts out into the library world.

That’s a wrap! Or, at least, the computer core temperature says it’s time to put the computer in the freezer. If you’re on the West Coast, stay cool, and for those of you who got snow on the East Coast, stay warm!

Posted on

Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the stated purposes when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

Posted on

#dataspringcleaning, Home Office Edition

Welcome to this week’s Tip of the Hat!

The trees outside the LDH office are now covered in leaves, the tulips and daffodils are blooming, and the grass has started growing again. All of which means one thing – allergy season Spring Cleaning Season! Or, as we at LDH like to call it, #dataspringcleaning season.

We covered the basics of #dataspringcleaning in a previous newsletter; however, determining if your data sparks joy might be a challenge this year given the state of current affairs. For this year’s #dataspringcleaning season, here’s a short cleaning list for your newly minted home office to help you in your data cleaning efforts.

Paper documents

Shred! If you don’t have a shredder at home, you have a couple of options:

  • Store documents for shredding at the office in a secured place in your home away from housemates.
  • Buy a shredder for your home. Look for a shredder that can shred at or above Level P-4. Having a shredder at home not only helps you protect patron privacy but also your privacy now that you have a convenient way to shred your personal documents and files.

Shredded paper should not go into your recycling bin – it’s most likely that your recycling center cannot accept shredded paper. In King County (where LDH is located) residents are instructed to use shredded paper for composting. You can also take a few handfuls of shredded paper to top off any garbage cans before closing up the garbage bag when you take the garbage out. Check with your local solid waste and recycling departments in your local area for more guidance about disposing of shredded paper.

Electronic equipment

  • Store patron data on work storage or equipment when necessary. Do not use personal hard drives, flash drives, or other personal storage devices to store patron data.
  • Do a quick data inventory of any personal cloud storage services you use, such as Google Drive or Evernote.
    • What patron data do you have stored in those services?
    • Can you migrate that data to work storage?
    • What data do you need to keep, and what data can be deleted?
  • If you have your work computer at home, now would also be a good time to do a data inventory of what’s stored on the local drive.
  • Remember, deleting a file doesn’t mean that the file is deleted! There are many programs available to help you permanently delete files.
  • If you do end up having to retire a physical disk or drive that held patron data, what tools do you have in your home toolbox? You most likely have a hammer, but you can also get creative depending on what’s available… we’ve mentioned power drills before, but perhaps you might want to try out the nail gun. Remember – safety first!

#dataspringcleaning at home is a good way to spend the time between meetings or to begin or end your workdays at home. A little bit of cleaning each day adds up to help protect patron privacy 🙂 Happy cleaning!

Posted on

More Zoom Updates and Free Webinar About Remote Work and Data Privacy

Welcome to this week’s Tip of the Hat!

Zoom has had one of those weeks. Since we last wrote about Zoom’s privacy issues last week, the number of additional privacy issues has skyrocketed. It’s gotten to the point where there are news articles just trying to keep track of all these updates. Even those articles are struggling to keep up. On March 31, TechCrunch published an article that listed the known privacy issues at that time, including the misleading advertising of true end-to-end encryption for voice chats, but the article came out a day before an article about zero-day bugs found by an ex-NSA hacker that could allow access to passwords and webcam/mic control if someone had physical access to the computer. Then the next day we learned that Zoom leaked LinkedIn data to other users. Additional reports suggest that Zoom is a very good target for intelligence gathering and interceptions for various governments.

Like we said – it’s hard to keep up with all the updates! Security expert Bruce Schneier’s writeup on Zoom is the most up to date list at the time of this writing.

The best option, in this case, is not to use Zoom, right? Unfortunately, it’s not that clear cut. A conversation on Twitter about Zoom brought up the point that Zoom fairs better than other web conferencing software in terms of screen reader access. While Zoom might be a hot mess when it comes to privacy, it still provides access to those who otherwise wouldn’t have it with other options. Workplaces complying with privacy and accessibility regulations find themselves in a tightrope act with trying to protect employee and patron privacy while at the same time provide tools that their staff can use. Zoom announced that they are addressing the privacy and security issues, which if the company follows through on their promise would solve the issue in the short term. The longer-term issue remains, however, with web conferencing software that have better privacy practices are not accessible for users, including for library workers.

For now, the best you can do is to lock down your Zoom meetings as much as possible and to review user and administration settings to ensure that all privacy and security settings are enabled. Some universities have created publicly accessible guides to more secure Zoom meetings, such as this guide from the University of Washington, as well as FAQs on privacy and security, that can help you formulate messaging to library staff about using Zoom.

Webinar on remote work and data privacy, April 9th

LDH Consulting Services is proud to sponsor this week’s LITA webinar “A Crash Course in Protecting Library Data While Working From Home”. This free webinar will provide strategies and actions in protecting patron privacy for library workers working from home, as well as some of the longer-term implications to patron privacy with libraries moving all essential operations and patron services online for the foreseeable future. Attendees will have the opportunity to share what they are doing to protect data privacy while working from home. Register today!

Posted on

Zoom and Privacy at the Library

Welcome to this week’s Tip of the Hat!

The amount that you spent web conferencing has most likely increased exponentially in the last few weeks. Library workers working from home now rely on web conferencing software for daily operations, including meetings and check-ins with other colleagues. With this shift to web conferencing, though, comes a shift in the level of risk to patron privacy.

Most libraries rely on third party web conferencing software which, like any other third-party vendor, brings its own set of risks to patron privacy. However, when you fundamentally change library operations to embed a third-party application into almost all parts of core operations, the existing privacy risks of that application change dramatically. You also introduce new risks into the mix! It’s already hard to keep up with all the risks to patron privacy in normal operations, and a rapidly changing work landscape compounds matters.

Let’s take Zoom, for example. Many libraries and library vendors use Zoom as their primary web conferencing application before the COVID-19 outbreak. That number only increased as many workplaces went remote, with many workers relying on their institutional Zoom accounts for both professional and personal online meetings. Other workers took advantage of Zoom’s generous free plan. What was once a tool used for webinar presentations and professional organizational group meetings, Zoom has become a lifeline for many remote library workers to stay connected to the library world for the foreseeable future.

With the increased use of Zoom came increased scrutiny of the application from the increasing number of remote workers in several industries. Soon after the shift to remote work started in earnest across the US, news media started reporting on privacy and security concerns with Zoom. One of the earlier news reports described Zoom’s “attention tracking” function, where an administrator can keep track of meeting participants who clicked away from the Zoom window. This level of tracking by the meeting organizer does not reach the level of other tracking software used by businesses to monitor employee productivity, but this tracking can still encroach on employee privacy. “Zoombombing” – the act of gatecrashing a public Zoom meeting and bombarding it with inappropriate material or attacks – is also on the rise, compromising the security of business and other meetings held by users who are newer to the platform.

Zoom’s data privacy practices have received increased scrutiny in the last week with the mass movement to remote work. In the same article about “attention tracking”, the reporter also touched on Zoom’s privacy policy’s vague language around selling personal data. The privacy policy has since been updated to remove the first sentence which caused the most concern, but the vague last sentence in the paragraph remains – “So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.” – which is still a privacy concern. In addition, Zoom’s iOS App was sending user information to Facebook, which again wasn’t made explicitly clear in the privacy policy. Zoom released a statement that they will change the app to no longer send this information, but Zoom’s overall privacy practices and policies remain unchanged as described in this Twitter thread.

Your library might be using Zoom for business meetings, or it might be using Zoom for library programs, such as delivering online programs (like storytime or classes) or research/reference services. In both cases, Zoom might be collecting and processing patron data for their business purposes, increasing the risk of a privacy breach. You can take some actions to mitigate the new risks to patron privacy from using Zoom:

  • Use Zoom’s end-to-end encrypted chat feature [Update – the E2EE feature turned out to be false advertising.]
  • Limit the amount of patron data disclosed in Zoom, including text chats
  • Do not record video, voice, or text chats that involve patron data, including services to patrons conducted over Zoom
  • Do not share files with patron data over Zoom’s filesharing feature
  • Review privacy and security settings on the administrator, organizer, and user levels
  • Follow best practihttps://lifehacker.com/how-to-prevent-jerks-from-ruining-your-zoom-meetings-1842453487ces to prevent Zoombombing, including enabling the waiting room feature, limiting screen-sharing and voice controls (muting participants by default when they join), and locking the session when all attendees have arrived.

Limiting patron data disclosure on third-party applications is a challenge for a remote workforce. Choosing third-party applications with strong privacy and security practices is one of the best ways to mitigate privacy risks. Taking the time to assess privacy and security during a major global health crisis, nonetheless, doesn’t come naturally if you are not used to making critical privacy decisions under pressure. Settling into the new normal provides the opportunity to reassess data privacy and security practices in the workplace, including mitigating expanded or new risks to patron privacy. In the case of Zoom, limiting the amount of patron data transmitted through the application as well as making full use of privacy and security settings can help mitigate these privacy risks.