Tag: data request

Posted on

A Flurry of Privacy Bills, FLoC Flies Away, and a Smart Assistant’s Long Memory

A brown and white Pomeranian, wearing a red sweater and brown eyeglass frames, stands in front of an iPad sitting on a wooden tabletop.
Photo by Cookie the Pom on Unsplash

Congratulations on making it through the first month of 2022! As we prepare to enter the second month of the year, let’s take a few moments to catch up on a few news items in the privacy world.

A Flurry of State Data Privacy Bills

State legislators wasted no time introducing the latest round of data privacy bills at the start of the legislative year. Some states are reviving previously introduced bills with the hopes of pushing them through in the new session, while other states are finally joining the bandwagon and introducing comprehensive data privacy laws for the first time since the rush for state data privacy laws began several years ago.

Out of all the states introducing bills this legislative session, all eyes are on LDH’s home state, Washington State. The Washington Privacy Act, which failed to pass multiple times in previous legislative years, is back. However, there are currently two other competing comprehensive data privacy bills. The first bill, the People’s Privacy Act, deviates from WPA in several key places, including stricter requirements around data collection and processing (e.g., requiring covered entities to obtain opt-in consent for processing personal data), biometric data handling, and a private right of action. The second bill, the Washington Foundational Data Privacy Act, is a new bill that brings the idea of creating a new governmental commission, something that the two other bills lack. Each bill has its strengths and weaknesses concerning data privacy. Nevertheless, if Washington manages to pass one of these bills – or a completely different bill that is still yet to be introduced – the passed data privacy bill will influence other states’ efforts in passing their privacy bills.

FLoC Flew Away

Rejoice, for FLoC is no more! We previously covered Google’s attempt to replace cookies and the many privacy issues with this attempt. The pushback from the public and organizations has finally led Google to rethink its approach. It also didn’t help that major web browsers, which were supposed to play a critical role in FLoC, refused to play along.

Google didn’t completely abandon the effort to replace cookies, nevertheless. Google announced a new proposal, Topics, as an attempt to create a less privacy-invasive alternative to cookies. It’s still early to tell if this FLoC alternative is truly any better than FLoC, but initial reports seem to suggest that the Topics API is an improvement. However, we did notice that some of these reports mention that users would be primarily responsible for understanding and choosing the level of tracking in browser settings. Ultimately, we are still dealing with businesses pushing tracking user activity by default.

Smart Assistants Have Long Memories

Have you requested a copy of your personal data yet? Even if you are not a resident of the EU or California, you can still request a copy of your personal data from many major businesses and organizations. This includes library vendors! Requesting a copy of your data from a company can highlight how easy it is for a company to track your use of its services. A good library-related example is OverDrive’s tracking of patron borrowing history, even though users might assume that their borrowing history isn’t being recorded after flipping a toggle to “hide” their history in user settings.

The latest example of extensive user tracking comes from a Twitter thread of a person going through the data Amazon has collected about her throughout the years, including all the times she interacted with Amazon Alexia. We’re not surprised about the level of data collection from Amazon – the tracking of page flips, notes, and other Kindle activity by Amazon has been a point of contention around library privacy for years. Instead, this is a reminder for libraries who are currently using or planning to use smart speakers and smart assistants to provide patron services that Amazon (and other companies) will collect and store patron data generated by their use of these services by default. This is also a good reminder that your smart speaker in your work or home office is also listening in on your conversations, including conversations around patron data that is supposed to remain private and confidential.

If you have a smart speaker (or other smart-enabled devices with a microphone) at your library or in your home office, you might want to reconsider. The companies behind these products are not bound to the same level of privacy and confidentiality as libraries in protecting patron data. Request a copy of data collected by the company behind that smart speaker sitting in the library. How much of that data could be tied back to data about patrons? How much do your patrons know about the collection, use, and sharing of data by the company behind the smart speaker at the library? What can your library do to better protect patron privacy around the smart speaker? Chances are, you might end up relocating that smart speaker from the top of the desk to the bottom of a desk drawer.

Posted on

The Lasting Impact of The Patriot Act on Libraries

A man wearing sunglasses holds a white sign as he walks through a street protest. The sign has two human eyes looking up and to the right. The sign message - 'The "Patriot" Act is watching you"
Image source – https://flickr.com/photos/crazbabe21/2303197115/ (CC BY 2.0)

This weekend marked the 20th anniversary of 9/11 in the US. Life changed in the US after the attacks. One of the many aspects of our lives that changed was the sudden erosion of privacy for everyone living in the States. One of the earliest visible examples of this rapid erosion of privacy was the Patriot Act. Let’s take a moment and revisit this turning point in library privacy history and what has happened since.

A Quick Refresher

The Patriot Act was signed in October 2001 after the attacks of September 11th. The law introduced or vastly expanded government surveillance programs and rights. US libraries are most likely familiar with Section 215. While in the past the government was limited in what information they could obtain through secret FISA orders, Section 215’s “tangible things” expanded the use of these secret orders to “books, records, papers, documents, and other items.” Given the examples included in the Section’s text, it wasn’t too much of a stretch to assume that “tangible things” included library records.

The good news – for now – is that Section 215 is not here to mark the 20th anniversary of the passage of the Patriot Act. The Section was sunsetted in 2020 after years of renewal and a second life through the USA Freedom Act. The Section did not die quietly, though – while support for renewal spanned across both parties in the Senate and the House, different versions of the renewal bill stalled the renewal process. The possibility of a renewal of Section 215 or a similar version of the Section is still present. However, it is unclear as to when talks of renewal will restart.

The Act’s Impact on Libraries

Libraries acted quickly after the passage of the Act. Right after the passage of the Patriot Act, those of us in the library profession might remember taking stacks of borrowing histories and other physical records containing patron data and sending them through the shredder. Other libraries adjusted privacy settings in their ILSes and other systems to not collect borrowing history by default. ALA promptly sent out guidance for libraries around updating privacy and law enforcement request policies and procedures. And it would be safe to assume that several people got into librarianship because of the profession’s efforts in protecting privacy and pushing back against the Patriot Act.

Even with the flurry of activity in the profession early on, questions about the use of Section 215 to obtain patron data persist today. Even though the Justice Department testified in 2011 that Section 215 was not used to obtain circulation records, the secrecy imposed on searches in Section 215 makes it difficult to determine precisely the extent of the Section’s library record collection activities.

While we cannot say for sure if Section 215 was used to obtain patron data, we know that other parts of the Act were used in an attempt to get patron data. Most notably was the use of National Security Letters (NSL) and gag orders by the government to obtain patron data. The Connecticut Four successfully challenged the gag order on an NSL served to the Connecticut library consortium Library Connection. While the Connecticut Four took their fight to court, other libraries proactively tried to work around the gag order by posting warrant canaries in the building to notify patrons if they had been served an NSL.

Lessons Learned or Business as Usual?

The Patriot Act reminded libraries of the threat governments pose to patron privacy. Libraries responded with considerable energy and focus to these threats, and these responses defined library privacy work in the 21st century library. Still, the lessons learned from the early days of the Act didn’t entirely transfer to other threats that pose as much of a threat to patron privacy as governments and law enforcement. While libraries could quickly dispose of risky patron data on paper after the Act’s passage, a substantial amount of today’s patron data lives on third-party databases and systems. The removal of control over patron data in third-party systems limits the ability to adjust to new privacy threats quickly. Technology has evolved to provide some possible protections, including encryption and other ways to restrict access to data. Legal regulations around privacy give both libraries and patrons some level of control over data privacy in third-party systems. Despite these progressions in technology and law, data privacy in the age of surveillance capitalism in the library brings new challenges that many libraries struggle to manage.

Some could argue that libraries sub-optimized data privacy protections in response to the Act’s threats, hyper-focusing on government and law enforcement at the expense of addressing other patron privacy risks. At the same time, the standards and practices developed to mitigate governmental threats to patron privacy can be (and to certain extents have been) adapted to minimize these other risks, particularly with third parties. One of the first lessons learned in the initial days of the Act came from the massive efforts of shredding and disposing of patron data in bulk in libraries throughout the country. Libraries realized at that moment that data collected is data at risk of being seized by the government. Data can’t be seized if it doesn’t exist in the first place. As libraries continue to minimize risks around law enforcement requests, we must remember to extend those privacy protections to the third parties that make up critical library operations and services.

Posted on

Summer Homework – Requesting Your Data

Welcome to this week’s Tip of the Hat!

Have you ever wondered what data OverDrive collects while you’re reading the latest ebook? Or what Kanopy collects when you’re watching a documentary? As library workers, we have some sense as to what vendors are collecting, but we are also patrons – what exactly are vendors collecting about *us*?

GDPR and CCPA both give different sets of users (EU residents and CA consumers, respectively) the right to access the data collected by organizations and businesses; however, some organizations extended that right to all users, regardless of geographic residency. Below are some of the more well-known library vendors who are offering some form of data request process for their users (aka library patrons, including you!):

  • Cengage
  • Elsevier
  • Kanopy’s data request appears only to apply to CA consumers: “Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to privacy@kanopy.com with “Request for California Privacy Information” in the subject line. You may make such a request up to once per calendar year. If applicable, we will provide to you via email a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses. Please note that not all personal information sharing is covered by Section 1798.83’s requirements.”
  • LexisNexis
  • OverDrive
  • ProQuest
    • ExLibris, owned by ProQuest, appears to have a different data request process: “You may request to review, correct or delete the personal information that you have previously provided to us through the Ex Libris Sites. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to privacy@exlibrisgroup.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.”

What is surprising is that there are not more library vendors that offer this option, or not extending the option to all users. This might change over time, depending on how the newest data privacy ballot initiative in California goes in November, or if additional regulations are passed in other states or even in the federal government. If more companies provide this right to access for all users, then it’s more likely that this practice will become a standard practice industry-wide. LDH will provide the latest updates around data access options from library vendors when they come along!