Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense as to how a vendor works with patron data; however, the contract and policy are not telling the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data’s going and how it’s going to be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product not targeted toward the library market but still uses patron data in ways in which can harm patrons. How can a library figure out if a vendor’s business model doesn’t violate patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli make a call to other libraries to proactively review their relationships with vendors and taking measures in encouraging vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have encountered in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is).  Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.”  Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession then must have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them and not engage in ethics washing of our own.

To Renew Or Not To Renew

Welcome to this week’s Tip of the Hat! We at LDH are furiously getting ready for ALA Annual next week, and the Executive Assistant is bummed that she was not able to register for the conference. It appears that the only cats that are allowed at Annual are Baker and Taylor. Worry not, for the Executive Assistant has lined up someone to go in her place. You will get a chance to meet this new team member if you are heading to Annual. Stay tuned…

In the meantime, it’s Monday, and Mondays are the best days to talk contract renewals, right?

(Right?)

Last week Samantha Lee wrote about the upcoming changes to Lynda.com’s authentication process for library patrons, which would require patrons to either create or link a LinkedIn account to use their library’s Lynda.com subscription. Lee details the various issues surrounding patron privacy with this upcoming change:

LyndaLibrary had access to library card numbers for verification purposes. With the proposed change to require patrons to get LinkedIn accounts to access the Lynda resources, LinkedIn Learning would have access to more personally identifiable information than they would have as LyndaLibrary. To get a LinkedIn account, patrons would need to provide an email address and their first and last names. This is more PII than other library e-content vendors would require (OverDrive requires library card numbers only, Hoopla requires a library card and email). After a user creates an account, they are prompted to then add employment history and import their email contacts – under the presumption to help users expand their professional network. So LinkedIn would not only have patron information, but also information for others who did not agree to use its platform. [emphasis added]

In the post, Lee pointed out that several libraries have already decided not to renew their Lynda subscriptions. In the comments section, two commenters related their less-than-positive experiences in asking their vendor representative about the proposed changes, as well one commenter a vendor representative, explaining why the changes were being made.

This recent change highlights the long-standing tension between libraries and vendors regarding patron data. As Lee mentioned, other vendors do use some patron data to verify that the patron is with that particular library and can use the service. This tension is complicated by a number of factors, from the administrative (what data is being collected and why) to the technical (what data is needed for the service to function). Cloud-based applications add another layer of complicating factors, particularly if third-party contractors (sub-contractors) are involved in providing the infrastructure or other services for the application, which then increases the number of potential people that have access to patron data.

Some libraries use the contract negotiations and/or renewal phases to include contract clauses holding vendors to privacy and confidentiality policies set by the library, along with other privacy and security requirements surrounding patron data. Other times vendors work with libraries to create privacy-driven development and practices, closely aligning their applications to the standards of privacy laid out by libraries. And then there are times when vendors are proactive in creating a service or application with patron privacy in mind!

The Lynda.com change seems to be following the usual conflict pattern if you read through the comments – libraries pushing vendors for changes, vendors pushing libraries about why the changes are necessary. Sometimes, though, one party leaves the negotiations in hopes to gain an advantage over the other party. This is not without risk. Considering that many library patrons use Lynda.com for professional development and learn much-valued technical skills, some libraries might hesitate leaving the Lynda.com contract on the table. Nonetheless, some libraries are taking that risk in hopes that if there is a critical mass of unsigned contract renewals, then the vendor would have to respond to their requests. As Lee states, “If LinkedIn Learning cannot take our profession’s concerns seriously… then we can and will take our business elsewhere. Maybe then they will be willing to adopt the changes we require to protect patron privacy.” There is already some momentum for this strategy as mentioned by Lee and the commenters, and perhaps we might observe a critical mass sooner than later.

Into the Breach!

Welcome to this week’s Tip of the Hat!

Last week brought word of two data leaks from two major library vendors, Elsevier and Kanopy. Elsevier’s leak involved a server storing user credentials, including passwords, that was not properly secured. Kanopy’s leak involved an unsecured database storing website logs, including user activity. Both leaks involved library patron information, and both leaks were caused by a lapse in security measures on the part of the vendor.

As the fallout from these two breaches continues in the library world, now is as good of a time than any to talk about data breaches in general. Data breaches are inevitable, even if you follow security and privacy best practices. What matters is what you do when you learn of a possible data breach at your library.

On a high level, your response to a possible data breach should look something like this:

  1. Determine if there was an actual breach – depending on the nature of the breach, this could be fairly easy (like a lost laptop with patron information) or requires more investigation (like looking at access logs to see if inactive accounts have sudden bursts of activity).
  2. Contain and analyze the breach – some breaches can be contained with recovering lost equipment, while others can be contained by shutting off access to the data source itself. Once the breach is contained, you can then investigate the “who, what, when, where, and how” of the breach. This information will be useful in the next steps…
  3. Notify affected parties – this does not only include individual users but organizational and government agencies as well.
  4. Follow up with actions to mitigate future data breaches – this one is self-explanatory with regard to applying what you learned from the breach.

The US does not have a comprehensive federal data breach notification law. What the US does have is 50+ data breach notification laws that vary from state to state. These laws have different regulations pertaining to who needs to be notified at a certain time, and what information should be included in the notification. If you are also a part of a larger organization, that organization might have a data breach incident response procedure. All of the above should be taken into consideration when building your own incident response procedure.

However, that does not address what many of you might be thinking in light of last week’s data breaches – how do you prevent having your patrons’ information breached in a vendor’s system? It’s frustrating when your library’s patron information is left unsecured with a vendor, be it through unencrypted passwords and open databases containing patron data. There are a couple of steps in mitigating risk with the vendor:

  • Vendor security audits – One practice is to audit the vendor’s data security policies and procedures. There are some library related examples that you can pull from: San Jose Public Library performed a vendor security audit in 2018, while Alex Caro and Chris Markman created an assessment framework in their article for the Code4Lib Journal.
  • Contract negotiations – Writing in privacy and security clauses into a vendor contract introduces a layer of legal protection not only for your patrons but to your organization as a whole, with regards to possible liability that comes with a data breach. Additions can clarify expectations about levels of security surrounding patron data in vendor systems as well as data breach management expectations and roles between the vendor and the library.

Ultimately, it’s up to the vendor if they want to follow security best practices and have a data breach incident management procedure (though, if a vendor chooses not to implement security protocols, that could adversely affect their business). Nonetheless, it never hurts to regularly bring up security and privacy in contract negotiations and renewals, procurement processes, and in regularly scheduled vendor rep meetings. Make it clear that your library considers security and privacy as priorities in serving patrons, and (hopefully) that will lead to a partnership that is beneficial to all involved and leaves patrons at a lower risk of having their data breached.

Phew! There’s a lot more on this topic that can be said, but we must leave it here for now. Below are a couple of resources that will help you in creating a data breach incident response plan: