It’s Dangerous to Go Alone

A cross stitch of a pixelated which old man with a white beard flanked by two pixelated fires. A pixelated sword lies in front of the old man. Text in white above the scene "It's dangerous to go alone. Take This."
Image source: https://www.flickr.com/photos/12508267@N00/31229743046/ (CC BY 2.0)

Juan saw his recent promotion to Director of Access Services at Nebo University Libraries as an opportunity to change his library’s approach to patron privacy. However, Juan knew that becoming a manager of one of the largest departments in the libraries would not altogether remove the roadblocks he kept running into when he advocated for more robust privacy policies and practices as a staff member. Juan now had to figure out how to use his new position to advocate for the privacy changes he had been pushing for a long time…

Juan was one of the four fictional library workers introduced to participants in a recent library privacy workshop. Unlike the other three library workers, Juan was in a unique position. Instead of addressing privacy concerns with other academic departments or campus members, Juan focused on the library itself. When he was still staff, Juan had some limited success in getting better privacy protections at the library. Like many others, Juan ran into organizational roadblocks when changing privacy practices on a larger scale. Newly promoted and with new administrative political capital in the library, Juan thinks he’s in a better position to push for privacy changes throughout the entire library system.

However, Juan is not considering one essential thing – it takes much more than one person in a library to create a sustainable culture of privacy. Many of us have been in the same situation as Juan in going out on our own and pushing for privacy changes in our libraries. We do this on top of everything else that we are responsible for in our daily duties. Sometimes we rationalize this additional workload by bending and stretching existing job responsibilities without formally accommodating the new responsibilities. Other times, we deem privacy work so important that we are willing to sacrifice a portion of our well-being to ensure our patrons are protected (hello Vocational Awe). This might gain us a couple of small wins in the short term: a change in a departmental procedure or reducing the amount of data collected by a patron-facing application or system. However, the long-term reality is that these changes are not set up to be maintained because there is no sustainable system in place. Unless, of course, we as individuals decide to take on that maintenance – but even then, one person can only take on so much on top of their existing workload before everything starts to fall apart.

Creating sustainable privacy practices and programs in organizations requires at minimum two things: dedicated resources and dedicated people. Most libraries do not have these things, relying on existing staff and resources to make privacy happen. While libraries have historically been able to operate with this organizational kludge, changes to library operations and services in the last few decades have made this kludge not only ineffective but dangerous to both patrons and the library as an organization with regard to privacy risk and potential harms if those risks are realized. It is nearly impossible for patrons not to generate data in their library use, be it physical or online. Because so much of this generated data is collected by the library and third parties, even the routine act of trying to document the lifecycle of this data can be a monumental task if there is no dedicated structure in place for this work to be done sustainably.

Like many of us, Juan wants to protect patron privacy. Nevertheless, if he tries to go it alone and does not build the infrastructure to sustain privacy practices, his efforts will be short-lived at best. Privacy policies and procedures are part of that infrastructure, but they’re a part of the infrastructure that is dependent on the dedicated staff time and resources that are critical for sustainable practices. What are some of Juan’s options?

  • Create a centralized library data governance committee – Juan can’t do this work alone, particularly when his primary job responsibilities don’t include overseeing the library’s privacy practices. Creating a data governance committee would bring in both administration and staff from different areas of the library that work or use patron data to oversee data management, including data privacy and security. This committee would not only create and review privacy policies and procedures but would also serve as an accountability mechanism for when things go wrong or to ensure things get done. No one library worker would be solely responsible for the library’s privacy practices in this option, though Juan would need to ensure that participation in the committee does not become an undue burden for staff.
  • Advocate for a dedicated budget line for data privacy and security – There might already be data privacy and security resources available at the university, but those resources might not cover library-specific needs such as professional development for privacy training, consulting, or auditing. Some departments in the library might already have a dedicated budget line for privacy and security, such as Library Systems. Juan might want to talk to the department managers to determine if there might be a chance to collaborate in increasing funds to help fund data privacy and security activities in the library.
  • Advocate for a dedicated privacy staff position in the library – Even with a library data governance committee, ultimately, someone has to wrangle privacy at the library. Juan’s role might include some oversight of some privacy practices in Access Services; unless his job description changes, he cannot be the privacy point person for the entire library. Having a dedicated point person for privacy at the library would ensure that the data governance committee is kept on track in terms of being the data steward for the group. More importantly, it would also ensure that at least one person in the library has dedicated time and resources to track, manage, and address new and evolving data privacy risks and harms patrons face while using the library. While a full-time dedicated position to privacy is ideal, the budget might not support a new position at the time of the request. In that case, Juan might argue that he could be the privacy point person under the condition that he can shift his current responsibilities to other managers in Access Services. Nevertheless, Juan’s suggestion should only be a short-term workaround while the library works to find funding for a full-time privacy position.

All three options require some form of collaboration and negotiation with the administration and staff. Juan cannot realistically create these structures alone if he wants these structures to survive. It comes back to creating and maintaining relationships in the organization. Without these relationships, Juan is left on his own to push for privacy, which inevitably leads to burnout. No matter how passionate we are about patron privacy, like Juan, we must realize that we must not do our privacy work alone if we want our efforts to succeed.

Just Published! Library Data Risk Assessment Guide

Welcome to this week’s Tip of the Hat!

To build or to outsource?

Building an application or creating a process in a library takes time and resources. A major benefit of keeping it local, though, is that libraries have the greatest control over the data collected, stored, and processed by that application or system. Conversely, a major drawback of keeping it local is the sheer number of moving parts to keep track of in the building process. Some libraries have the technical know-how to build their own applications or have the resources to keep a process in house. Keeping track of privacy risks is another matter. Risk assessment and management must be addressed in any system or process that touches patron data, so how can libraries with limited privacy risk assessment or management experience make sure that their local systems and processes mitigate patron privacy risks?

Libraries have a new resource to help with privacy risk management! The Digital Library Federation’s Privacy and Ethics in Technology Working Group (formerly known as the Technologies of Surveillance Working Group) published “A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems“. This 28-page guide provides best practices and practical strategies in conducting a data risk assessment, including:

  • Classifications of library user data and privacy risk
  • A table of common risk areas, including probability, severity, and mitigation strategies
  • Practical steps to mitigate data privacy risks in the library, ranging from policy to data minimization
  • A template for readers to conduct their own user data inventory and risk assessment

This guide joins the other valuable resources produced by the DLF Privacy and Ethics in Technology Working Group:

The group also plans to publish a set of guidelines around vendor privacy in the coming months, so be sure to bookmark https://wiki.diglib.org/Privacy_and_Ethics_in_Technology and check back for any updates!

A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of their Privacy Framework. The purpose of the framework is to create a holistic approach to manage privacy risks in an organization. The Framework is different from other standards in such that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by who, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim for. A Current Profile lists the current Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.

The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that both address the realities of their organization as well as creating Target Profiles that incorporate standards and regulations specific for their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give NIST Privacy Framework some consideration.

Who Knows, Who Decides, and Who Decides Who Decides

Welcome to this week’s Tip of the Hat!

Shoshana Zuboff’s book The Age of Surveillance Capitalism provides a comprehensive overview of the commodification of personal information in the digital age. Surveillance capitalism is a specific form of capitalism that focuses on using personal data to predict and control user behavior. Zuboff’s analysis of surveillance capitalism centers around three questions:

  • Who knows?
  • Who decides?
  • Who decides who decides?

In the book, Zuboff provides some context to the questions:

The first question is “Who knows?” This is a question about the distribution of knowledge and whether one is included or excluded from the opportunity to learn. The second question is “Who decides?” This is a question about authority: which people, institutions, or processes determine who is included in learning, what they are able to learn, and how they are able to act on their knowledge. What is the legitimate basis of that authority? The third question is “Who decides who decides?” This is a question about power. What is the source of power that undergirds the authority to share or withhold knowledge?

Zuboff offers answers to these three questions in her book: “As things currently stand, it is the surveillance capitalist corporations that know. It is the market form that decides. It is the competitive struggle among surveillance capitalists that decides who decides.” While the current prognosis is grim according to Zuboff’s analysis, the three questions are a powerful tool in which one can discover the underlying power structures of a particular organization or culture.

An interesting thought exercise involves applying these three questions to the library. On a lower level, the data lifecycle provides some answers to “Who knows?” concerning access to patron data as well as the publication and disclosure of data in reports, data sets, and so on to third parties. The “Who decides?” question goes beyond the data lifecycle and ventures into the realm of data governance, where decisions as to who decides the data practices of the library are made. However, the answer goes beyond data governance. Library use of third-party tools and services in collecting or processing patron data bring these third parties into the realm of “Who knows?” as well as “Who decides?” The third-party can adjust their tools or products according to what best serves their bottom line, as well as providing a tool or product that they can market to libraries. Third parties decide what products to put out to the market, and libraries decide which products meet their needs. Both parties share authority, which leads this thought experiment closer to Zuboff’s analysis of the market as the decider.

That brings us to the third question, “Who decides who decides?” Again, our thought experiment starts to blend in with Zuboff’s answer to the same question. There is indeed a struggle between vendors competing in a niche market that has limited funds. We would be remiss, though, if we just left our analysis pointing to competition between third parties in the market. Part of what is driving the marketplace and the tools and services offered within are libraries themselves. Libraries are pressured to provide data for assessment and outcomes to those who directly influence budgets and resources. Libraries also see themselves as direct competitors to Google, Amazon, and other commercial companies that openly engage in surveillance capitalism. Instead of rejecting the methods used by these companies, libraries have to some extent adopted the practices of these perceived market competitors to keep patron using library services. A library on this path could find themselves upholding surveillance capitalism’s grasp in patrons’ lives.

Fitting this thought experiment into one newsletter does not give the questions the full attention they deserve, but this gives us a place to start thinking about how the library shares some of the same traits and qualities found in surveillance capitalism. Data from patron activities can provide valuable insight into patron behaviors, creating personalized library services where yet more data can be collected and analyzed for marketing purposes. It’s no surprise that data analytics and customer relationship management systems have taken off in the library market in recent years – libraries believe that there is a power that comes with these tools that otherwise wouldn’t be accessible through other means. Nonetheless, that belief is influenced by surveillance capitalists.

Decided for yourself – give Zuboff’s book a read (or listen for the audiobook) and use the three questions as a starting point for when you investigate your library’s role in the data economy.