Contact Tracing At The Library

Welcome to this week’s Tip of the Hat!

Contact tracing has been used in the past with other diseases which helped curve infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials in taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared when their local government or health officials require contact tracing as part of the reopening process.

While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.

Collect only what you absolutely need

What is the absolute minimum you need to contact a patron: name, email address, and/or telephone number are all options. Sometimes patrons do not have a reliable way of contacting them outside the library – health and government officials should have recommendations in handling those cases.

But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:

  • Some of the people visiting the library will not have their library card or are not registered cardholders.
  • Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.

Paper or digital log?

Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:

  • Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
  • Who has access to the digital file? All staff in the library?
  • How many other copies of the file are floating around the library’s network, drives, or even printed out?

In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:

  • The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
  • During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge) you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
  • Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical or electronic copies) of the log.

Equitable service and privacy

Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?

Retention and disposal

Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.

Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing is an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of losing entire personal privacy if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.

Leaving Platforms and Patrons Behind

Welcome to this week’s Tip of the Hat!

Remember when the online library catalog was just a telnet client? For some of you, you might even remember the process of moving from the card catalog to an online catalog. The library catalog has seen many different forms in recent decades.

The most recent wave of transitions is the migration from an old web catalog – in most cases an OPAC that came standard with an ILS – to a newer discovery layer. This discovery layer is typically hosted by the vendor and offers the ability to search for a wider array of collections and materials. Another main draw of the discovery layers in the market is the enhanced user experience. Many discovery layers allow users to add content to the site, including ratings, comments, and sharing their reading lists to others on the site.

While being able to provide newer services to patrons is important, this also brings up a dilemma for libraries. Many discovery layers are hosted by vendors, and many have separate Terms of Service and Privacy Policies attached to their products outside of the library’s policies. The majority of library catalogs that the discovery layers are meant to replace are locally hosted by the library, and fall under the library’s privacy policies. Libraries who made the transition to the discovery layer more often than not left their older catalog up and running, marketed as the “classic” catalog. However, the work necessary to keep up two catalogs can be substantial, and some libraries have retired their classic catalogs, leaving only the discovery layer for patrons to use.

The dilemma – How will the library provide a core library service to patrons objecting to the vendor’s TOS or privacy policy when the library only offers one way to access that core service?

We can use the Library Bill of Rights [LBR] interpretations from ALA to help guide us through this dilemma. The digital access interpretations of the LBR provides some guidance:

Users have the right to be free of unreasonable limitations or conditions set by libraries, librarians, system administrators, vendors, network service providers, or others. Contracts, agreements, and licenses entered into by libraries on behalf of their users should not violate this right… As libraries increasingly provide access to digital resources through third-party vendors, libraries have a responsibility to hold vendors accountable for protecting patrons’ privacy. [Access to Digital Resources and Services: An Interpretation of the Library Bill of Rights]

Moving core services to third-party vendors can create a barrier between patrons and the library, particularly when that barrier is the vendor’s TOS or privacy policy. The library then needs to decide what next steps to take. One step is to negotiate with the vendor regarding changes to the TOS and privacy policy-based to address patron concerns. Another step is a step that several libraries have opted for – keeping the classic catalog available to patrons alongside the discovery layer. Each step has its advantages and disadvantages in terms of resources and cost.

The classic catalog/discovery layer dilemma is a good example of how offering newer third-party platforms to provide core library services can create privacy dilemmas for your patrons and potentially lock them out from using core services. If your library finds itself making such a transition – be it the library catalog or another core service platform – the ALA Privacy Checklists and the interpretations of the LBR can help guide libraries through the planning process. Regardless of the actions taken by the library, ensuring that all patrons have access to core library services should be a priority, and that includes taking privacy concerns to account when replacing core service platforms.

Caring Who Is Sharing Your Patron Data

Welcome to this week’s Tip of the Hat! Last week Tom Boone stated his intent to boycott two vendors – Thomson Reuters and RLEX Group – at the American Association of Law Librarians annual conference based on the current business relationships that both companies have with U.S. Immigration and Customs Enforcement [ICE]. While the objections are based on the relationships themselves, the boycott posts brings us back to a question posed by Jason Griffey about LexisNexis’s interest in assisting ICE in building an “extreme vetting” system for immigrants to the US – what role would data collected from libraries that subscribe to those vendors’ products play in building such a system? For this week’s letter, we’ll broaden the – what do vendors do with library patron data and what say do libraries have in the matter?

Patron data is as valuable to vendors as it is to libraries. To vendors, patron data can be used to refine existing services while building newer services based off of patron needs and behaviors. The various recommendation systems in several library products are powered partially by patron borrowing activity, for example. Nonetheless, while vendors use patron data for their products and services, many vendors share patron data with other service providers and third-party businesses for a variety of reasons. For example, some vendors run their applications on commercial cloud servers, which could mean storing or transferring patron data to and from these servers. Depending on the agreement between the vendor and the commercial cloud service, the service might also have access to the data for performance tracking and analysis purposes.

How do you find out what vendors are doing with your patron data? One of the first places to look is their privacy policy. Like libraries, vendors too should inform patrons how they are handling patron data. The library should have a separate privacy policy that indicates how library data is shared with vendors, but vendors also need a privacy policy that clearly communicates to patrons using the vendor service on how the data is handled by the vendor, including any sharing of data with service providers or other third parties. LexisNexis’ privacy policy provides some of this information in their How We Use Your Information and Sharing of Your Information sections (which, BTW, you should read if you do use LexisNexis!).

If you can’t find the information you need in the privacy policy, the vendor contract might have some information regarding the collection, use, and sharing of patron data by the vendor. The vendor contract can also serve another purpose, particularly when you are at the contract negotiation or contract renewal stages. The contract can be a good place to lay out expectations to the vendor as to what level of data collection and sharing is permissible. Some data sharing is unavoidable or necessary, such as using aggregated patron data for analyzing infrastructure performance, so if you come to the negotiation table with a hardline “no reuse or sharing with third parties” position, you will most likely be making some compromises. This is also a good place to bring up the question about “selling” vs “sharing” data with service providers – while some vendors state in their privacy policy that they do not sell patron data, they might not mention anything about sharing it with others. Setting expectations and requirements at the point of negotiations or renewal can mitigate any surprises surrounding data use and sharing down the road for all parties involved.

Having the discussion about patron data use and sharing by the vendor will not only allow you to find out what exactly happens to your patrons’ data when they use vendor products, but it also opens up the opportunity for your library to introduce language in the contract that will protect your patrons’ data. You can do this through line edits, or through a contract addendum that has been vetted by your local legal team. Before going to the negotiation table with your proposed changes and requests, you will need to determine what points will you be willing to compromise on, and which points are dealbreakers. Ideally negotiations provide a workable outcome for all, but in reality, sometimes the best outcome for your patrons and staff is to leave the negotiations. Not giving a vendor your library’s business is a valid option – an option that could signal to the vendor that some of their practices need to change if enough libraries choose to follow suit.

Humans, Tech, and Ethical Design: A Summit Reflection

Welcome to this week’s Tip of the Hat!

Last Saturday LDH attended the All Tech Is Human Summit with 150+ other technologists, designers, ethics professionals, academics, and others in discussing issues surrounding technology and social issues. There were many good conversations, some of which we’re passing along to you all as you consider how your organization could approach these issues.

The summit takes inspiration from the Ethics OS Toolkit which identifies eight risk zones in designing technology:

  1. Truth, Disinformation, Propaganda
  2. Addiction & the Dopamine Economy
  3. Economic & Asset Inequalities
  4. Machine Ethics & Algorithmic Biases
  5. Surveillance State
  6. Data Control & Monetization
  7. Implicit Trust & User Understanding
  8. Hateful & Criminal Actors

Each risk zone has the potential to create social harm, and the Toolkit helps planners, designers, and others in the development process to mitigate those risks. One of the ways you can mitigate risk in many of the areas in the design process (like the Data Control and Surveillance zones) is incorporating privacy into the design and development processes. Privacy by Design is an example of integrating privacy throughout the entire process, instead of waiting to do it at the end. Much like technical debt, incorporating privacy and other risk mitigation strategies throughout the design and development process will lessen the need for intensive resource investment on short notice when something goes wrong.

Another way to approach ethical design comes from George Aye, co-founder of the Greater Good Studio. In his lightning talk, George identified three qualities of good design:

  • Good design honors reality
  • Good design creates ownership
  • Good design builds power

Viewed through a privacy lens (or, in the case of LDH, with our data privacy hat on), these qualities can also help approach designers and planners in addressing the realities surrounding data privacy:

  • Honoring reality – how can the product or service meet the demonstrated/declared needs of the organization while honoring the many different expectations of privacy among library patrons? Which patron privacy expectations should be elevated, and what is the process to determine that prioritization? What societal factors should be taken into account when doing privacy risk assessments?
  • Creating ownership – how can the product or service give patrons a sense that they have ownership over their data and privacy? How can organizations cultivate that sense of ownership through various means, including policies surrounding the product? For vendors, what would it take to cultivate a similar relationship between library customers and the products they buy or license?
  • Building power – building off of the ownership questions, what should the product or service do in order to provide agency to patrons surrounding data collection and sharing when using the product or service? What data rights must be present to allow patrons control over their interactions with the product or process? Libraries – how can patrons have a voice in the design process, including those more impacted by the risk of privacy harm? Vendors – how can customers have a voice in the design process? All – how will you ensure that the process will not just be a “mark the checkbox” but instead an intentional act to include and honor those voices in the design process?

There’s a lot to think about in those questions above, but the questions illustrate the importance of addressing those questions while still in the design process. It’s hard to build privacy into a product or services once the product is already out there collecting and sharing high-risk data. Addressing the hard ethical and privacy questions during the design process not only avoids the pitfalls of technical debt and high-risk practices, but also provides the valuable opportunity to build valuable relationships between libraries, patrons, and vendors.

#ChoosePrivacy 2019: Privacy and Equity

Welcome to this week’s Tip of the Hat! This week marks the start of Choose Privacy Week, hosted by the ALA Office of Intellectual Freedom. We briefly covered CPW in our National Library Week newsletter, but we couldn’t pass up the chance to join in the festivities of a week dedicated to library privacy.An image of two arms coming together in front of a padlock, with the text "Inclusive Privacy, Closing the Gap" below it. To the right of the image is the text "May 1-7 Choose Privacy Week #chooseprivacy".

This year’s Choose Privacy Week is focusing on how privacy in libraries is vital for those who are otherwise targeted for surveillance and data-based discrimination elsewhere in the US. Library workers stress privacy as a core tenet of Intellectual Freedom; however, this focus can be very narrow with regard to protecting a subset of patron information from specific unauthorized uses and access, e.g. a government entity accessing a patron’s circulation records. This narrow interpretation of the role privacy plays in the library does not take into account the evolution of the role of data in libraries and in society. Data has taken its place as a critical tool in ensuring funding and continued operations. We see this evolution with the increasing prevalence of customer relations management systems, learning analytics, and identity-based services (such as RA21) in the library environment.

With the rise of data-as-valuable-asset, comes the dark side, or taking a cue from Bruce Schneier, the toxicity of data. Data has been used to target marginalized populations via surveillance and other means. How can data harm vulnerable populations? Taking a look around the Seattle area, here are two recent cases in which data collection inflicted real-world harm on people:

Another resource highlighting past and potential harms is http://neveragain.tech/. This pledge site started when the current US president proposed a registry of Muslims in the US. The page highlights some of the ways that technology was used against marginalized populations throughout recent times, as well as the harms that come with data collection.

Reframing the conversation about why privacy is important in libraries requires rethinking the field’s approaches surrounding privacy practices and policies. Privacy with regard to pursuing intellectual interests needs to take into account the social factors that come into play when someone from a vulnerable population uses the library. Many libraries market themselves as a “third place” or a place where the community can gather together for a variety of reasons, be it studying, meetings, programs, or even a safer space to spend free time outside of the home, work, or school. While data is useful in relation to building and maintaining operations that best benefit all patrons in the library’s third place role, care needs to be taken to ensure that the same data is not used to harm patrons as demonstrated in the cases above.

If you are looking for how to approach your privacy practices with an equity lens, you will hear from a variety of backgrounds and viewpoints during this year’s CPW. Maybe you’ll find something that you haven’t considered in relation to your privacy practices, or find an opportunity to be proactive in building trust with patrons. In either case, we’re looking forward to finding out more about how libraries can align privacy with equity during Choose Privacy Week!