[Content warning – reproductive rights, abortion]Continue reading “The Trials to Come – An Initial Analysis of SB 8’s Impact on Libraries and Patrons”
When we asked readers last week about library discussions around campus or organization mandates requiring COVID-19 vaccinations, we expected that libraries would have time to plan to adjust to the mandate. Responses from last week indicated as such. The consensus was various employee groups meeting and discussing who must be vaccinated and how workplaces can confirm vaccination status.
Then Thursday came around, and the CDC escalated things a tiny bit with their new mask guidelines. And by “a tiny bit,” we mean “blowing away any incremental steps in loosening mask guidelines and went straight to a free-for-all mask honor system.”
This sudden decision took many businesses and organizations – libraries included – by surprise. Most planned for a multi-month phased reduction in mask requirements, but here we are. After a year of struggling to get even the most reluctant patrons to mask up in the library, library workers now face several conundrums including dealing with patrons who refuse to follow library mask requirements based on the CDC announcement and libraries required by their parent organization to check for vaccination status for patrons going maskless in the library.
Libraries that can still require masks for everyone regardless of vaccination status can bypass the privacy issues around checking patron vaccination status. The libraries relying on local or state mask mandates to enforce their own can’t rely on them, though, given how quickly some state and local governments are dropping their mask mandates. While the CDC said that only fully vaccinated people can be maskless in most public spaces, the lifting of state and local mask mandates when many places haven’t reached the 50% vaccination mark (such as Washington State at the time of the announcement) turns this privacy issue into a privacy and health issue for both patrons and library workers. What we have is the privacy risks discussed last week now compounded by health risks presented with the new guidelines.
Managing risk is rarely a clear-cut process. Reducing one risk could inadvertently create or increase the chances for another risk. Keeping a detailed access log of who logs into a particular electronic resource through a proxy server can aid in investigations and quicker resolutions to issues around systematic unauthorized content harvesting, but this mitigation comes at the cost of privacy through increased collection and retention of detailed patron data, increasing the risk of improper reuse of this data through the library or third parties (such as creating user profiles for targeted marketing or reselling this data to fourth parties) or through a data breach or leak. Risk management is a process of checks and balances where one needs to consider the consequences of choosing risk management strategies and avoiding a “min-max” outcome with unaddressed risk.
Libraries who want or are now required by their organization to enforce CDC guidelines in their libraries now face the issue of suddenly needing to manage the risks around checking the vaccination status of maskless patrons. The US has not widely adopted a vaccine passport system (which has privacy issues), and fake vaccination cards abound. We listed the issues around contact tracing in libraries in a previous post, and all of those privacy concerns apply to libraries required to check vaccination status. The equitable service issues also apply, but it is compounded with health risks. Library workers who are still waiting to be vaccinated or cannot get vaccinated for medical reasons are stuck in limbo alongside patrons in the same situations.
These risks around privacy, service, and health would have been easier to manage through a gradual phasing out of mask mandates. Unfortunately, we are in the timeline where that isn’t happening. Requiring masks mitigates the privacy and health risks until the local population reaches a vaccination threshold where the health risks are at acceptable levels for both patrons and library workers. Libraries mitigated equitable service risks created by mask requirements by offering free masks to patrons or making alternative service arrangements for patrons who medically cannot wear a facial covering. This sudden turnabout from the CDC makes this strategy more fraught with risk. It creates a new type of service issue in the form of maskless patrons claiming vaccination status, which then creates new privacy and health issues alongside additional service issues for those who do not want to or cannot prove their vaccination status.
Some libraries that can no longer mandate masks for all might go with an honor system and allow patrons to go maskless without proving their vaccination status. That avoids the privacy and ethical risks involved in checking vaccination status but, depending on local population vaccination levels, the policy could increase the health risks to both unvaccinated patrons and library workers. It’s also an equitable service risk for patrons wanting to use the physical library but at the same time are not fully vaccinated due to medical reasons or are still waiting to start/complete their vaccination schedule.
This is all to say that there’s no good way to address the chaos created by the CDC last Thursday. We’re 14 months into the pandemic, and the pandemic fatigue settling in at the start of the year has grown at a rapid pace. Libraries – like other service and retail industries – are stuck in the middle of this, struggling with a public who are tired, confused, and ready to be done with all of this back and forth with guidelines and restrictions. Any decisions around COVID-19 policies at the library, including masks and vaccination checks, need to balance the privacy, equity, and health risks while acknowledging how that decision will impact library workers’ morale and safety.
tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.
Longer tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity for library workers to do their daily work.
Nuanced tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity 99% of the time, and in that 1% where the data is required, you’re probably doing more harm than good in your collection methods.
This post is brought to you by yet another conversation about including gender identity data in patron records. Libraries collected this data on their patrons for decades; it’s not uncommon to have a “gender” field in the patron record of many integrated library systems and patron-facing vendor services and applications. But why collect this data in the first place?
Two explanations that come up are that gender identity data can be used for marketing to patrons and for reading recommendations. However, these explanations do not account for the problem of relying on harmful gender stereotypes. Take the belief that boys are reluctant readers, for example. Joel A. Nichols wrote about his experience as a children’s librarian and how libraries do more harm than help in adopting this belief:
These efforts presume that some boys are not achieving well in school because teachers and librarians (who are mostly women) are offering them books that are not interesting to them (because they are boys). I find this premise illogical and impracticable, in particular because I am queer: the things that were supposed to interest boys did not necessarily interest me, and the things that were supposed to interest girls sometimes did. Additionally, after years of working in children’s departments, I found over and over again that lots of different things interested lots of different kids. In my experience, it was the parents that sometimes asked for “boy books” or “girl books.” The premise that boys need special “boy” topics shortchanges librarians and the children themselves, and can alienate kids who are queer or genderqueer.
This collection of patron data can be used to harm patrons in other ways, such as library staff misgendering and harassing patrons based on the patron’s gender identity. A recent example comes from the 2019 incident where library staff repeatedly misgendered a minor patron when she was with her parent to sign up for her library card. While the library decided to stop collecting gender identity data on library card applications as a result of the incident, the harm done cannot be remedied as easily as changing the application form.
The ALA Rainbow Round Table recommends that libraries do not collect gender identity data from patrons unless absolutely needed. Since the recommendation in 2015, several libraries evaluated their collection of gender identity data only to find that they were not using that data. Collecting data for “just in case” opens library patrons to additional harm if the library suffers a data breach. If there is no demonstrated business need for a data point, do not collect that data point.
In the rare case that your library absolutely must collect data about the gender identity of your patrons (such as a requirement to report on aggregated patron demographic data for a grant-funded project), care must be taken in collecting this data to mitigate additional harms through alienation and exclusion. The Rainbow Round Table recommends the Williams Institute’s report “Best Practices for Asking Questions to Identify Transgender and Other Gender Minority Respondents on Population-Based Surveys” as a guide to collecting such data. The Williams Institute has also created a short guide to create survey questions around gender identity. Here are more resources that can guide respectful demographic data collection:
- Designing forms for gender diversity and inclusion
- Respectful Collection of Demographic Data
- How to Ask About Sexuality/Gender
Again, the resources above are only for the rare case that your library absolutely must collect this data from your patrons. Libraries considering collecting gender identity data must review the rationale behind the collection. A patron should not be required to tell the library their gender identity to use the library’s collections and services. Even the act of collecting this data can harm and disenfranchise patrons.
tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.
Welcome to this week’s Tip of the Hat!
Contact tracing has been used in the past with other diseases which helped curve infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials in taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared when their local government or health officials require contact tracing as part of the reopening process.
While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.
Collect only what you absolutely need
What is the absolute minimum you need to contact a patron: name, email address, and/or telephone number are all options. Sometimes patrons do not have a reliable way of contacting them outside the library – health and government officials should have recommendations in handling those cases.
But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:
- Some of the people visiting the library will not have their library card or are not registered cardholders.
- Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.
Paper or digital log?
Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:
- Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
- Who has access to the digital file? All staff in the library?
- How many other copies of the file are floating around the library’s network, drives, or even printed out?
In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:
- The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
- During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge) you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
- Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical or electronic copies) of the log.
Equitable service and privacy
Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?
Retention and disposal
Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.
Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing is an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of losing entire personal privacy if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.
Welcome to this week’s Tip of the Hat!
Remember when the online library catalog was just a telnet client? For some of you, you might even remember the process of moving from the card catalog to an online catalog. The library catalog has seen many different forms in recent decades.
The most recent wave of transitions is the migration from an old web catalog – in most cases an OPAC that came standard with an ILS – to a newer discovery layer. This discovery layer is typically hosted by the vendor and offers the ability to search for a wider array of collections and materials. Another main draw of the discovery layers in the market is the enhanced user experience. Many discovery layers allow users to add content to the site, including ratings, comments, and sharing their reading lists to others on the site.
While being able to provide newer services to patrons is important, this also brings up a dilemma for libraries. Many discovery layers are hosted by vendors, and many have separate Terms of Service and Privacy Policies attached to their products outside of the library’s policies. The majority of library catalogs that the discovery layers are meant to replace are locally hosted by the library, and fall under the library’s privacy policies. Libraries who made the transition to the discovery layer more often than not left their older catalog up and running, marketed as the “classic” catalog. However, the work necessary to keep up two catalogs can be substantial, and some libraries have retired their classic catalogs, leaving only the discovery layer for patrons to use.
We can use the Library Bill of Rights [LBR] interpretations from ALA to help guide us through this dilemma. The digital access interpretations of the LBR provides some guidance:
Users have the right to be free of unreasonable limitations or conditions set by libraries, librarians, system administrators, vendors, network service providers, or others. Contracts, agreements, and licenses entered into by libraries on behalf of their users should not violate this right… As libraries increasingly provide access to digital resources through third-party vendors, libraries have a responsibility to hold vendors accountable for protecting patrons’ privacy. [Access to Digital Resources and Services: An Interpretation of the Library Bill of Rights]
The classic catalog/discovery layer dilemma is a good example of how offering newer third-party platforms to provide core library services can create privacy dilemmas for your patrons and potentially lock them out from using core services. If your library finds itself making such a transition – be it the library catalog or another core service platform – the ALA Privacy Checklists and the interpretations of the LBR can help guide libraries through the planning process. Regardless of the actions taken by the library, ensuring that all patrons have access to core library services should be a priority, and that includes taking privacy concerns to account when replacing core service platforms.
Welcome to this week’s Tip of the Hat! Last week Tom Boone stated his intent to boycott two vendors – Thomson Reuters and RLEX Group – at the American Association of Law Librarians annual conference based on the current business relationships that both companies have with U.S. Immigration and Customs Enforcement [ICE]. While the objections are based on the relationships themselves, the boycott posts brings us back to a question posed by Jason Griffey about LexisNexis’s interest in assisting ICE in building an “extreme vetting” system for immigrants to the US – what role would data collected from libraries that subscribe to those vendors’ products play in building such a system? For this week’s letter, we’ll broaden the – what do vendors do with library patron data and what say do libraries have in the matter?
Patron data is as valuable to vendors as it is to libraries. To vendors, patron data can be used to refine existing services while building newer services based off of patron needs and behaviors. The various recommendation systems in several library products are powered partially by patron borrowing activity, for example. Nonetheless, while vendors use patron data for their products and services, many vendors share patron data with other service providers and third-party businesses for a variety of reasons. For example, some vendors run their applications on commercial cloud servers, which could mean storing or transferring patron data to and from these servers. Depending on the agreement between the vendor and the commercial cloud service, the service might also have access to the data for performance tracking and analysis purposes.
Having the discussion about patron data use and sharing by the vendor will not only allow you to find out what exactly happens to your patrons’ data when they use vendor products, but it also opens up the opportunity for your library to introduce language in the contract that will protect your patrons’ data. You can do this through line edits, or through a contract addendum that has been vetted by your local legal team. Before going to the negotiation table with your proposed changes and requests, you will need to determine what points will you be willing to compromise on, and which points are dealbreakers. Ideally negotiations provide a workable outcome for all, but in reality, sometimes the best outcome for your patrons and staff is to leave the negotiations. Not giving a vendor your library’s business is a valid option – an option that could signal to the vendor that some of their practices need to change if enough libraries choose to follow suit.
Welcome to this week’s Tip of the Hat!
Last Saturday LDH attended the All Tech Is Human Summit with 150+ other technologists, designers, ethics professionals, academics, and others in discussing issues surrounding technology and social issues. There were many good conversations, some of which we’re passing along to you all as you consider how your organization could approach these issues.
The summit takes inspiration from the Ethics OS Toolkit which identifies eight risk zones in designing technology:
- Truth, Disinformation, Propaganda
- Addiction & the Dopamine Economy
- Economic & Asset Inequalities
- Machine Ethics & Algorithmic Biases
- Surveillance State
- Data Control & Monetization
- Implicit Trust & User Understanding
- Hateful & Criminal Actors
Each risk zone has the potential to create social harm, and the Toolkit helps planners, designers, and others in the development process to mitigate those risks. One of the ways you can mitigate risk in many of the areas in the design process (like the Data Control and Surveillance zones) is incorporating privacy into the design and development processes. Privacy by Design is an example of integrating privacy throughout the entire process, instead of waiting to do it at the end. Much like technical debt, incorporating privacy and other risk mitigation strategies throughout the design and development process will lessen the need for intensive resource investment on short notice when something goes wrong.
- Good design honors reality
- Good design creates ownership
- Good design builds power
Viewed through a privacy lens (or, in the case of LDH, with our data privacy hat on), these qualities can also help approach designers and planners in addressing the realities surrounding data privacy:
- Honoring reality – how can the product or service meet the demonstrated/declared needs of the organization while honoring the many different expectations of privacy among library patrons? Which patron privacy expectations should be elevated, and what is the process to determine that prioritization? What societal factors should be taken into account when doing privacy risk assessments?
- Creating ownership – how can the product or service give patrons a sense that they have ownership over their data and privacy? How can organizations cultivate that sense of ownership through various means, including policies surrounding the product? For vendors, what would it take to cultivate a similar relationship between library customers and the products they buy or license?
- Building power – building off of the ownership questions, what should the product or service do in order to provide agency to patrons surrounding data collection and sharing when using the product or service? What data rights must be present to allow patrons control over their interactions with the product or process? Libraries – how can patrons have a voice in the design process, including those more impacted by the risk of privacy harm? Vendors – how can customers have a voice in the design process? All – how will you ensure that the process will not just be a “mark the checkbox” but instead an intentional act to include and honor those voices in the design process?
There’s a lot to think about in those questions above, but the questions illustrate the importance of addressing those questions while still in the design process. It’s hard to build privacy into a product or services once the product is already out there collecting and sharing high-risk data. Addressing the hard ethical and privacy questions during the design process not only avoids the pitfalls of technical debt and high-risk practices, but also provides the valuable opportunity to build valuable relationships between libraries, patrons, and vendors.
Welcome to this week’s Tip of the Hat! This week marks the start of Choose Privacy Week, hosted by the ALA Office of Intellectual Freedom. We briefly covered CPW in our National Library Week newsletter, but we couldn’t pass up the chance to join in the festivities of a week dedicated to library privacy.
This year’s Choose Privacy Week is focusing on how privacy in libraries is vital for those who are otherwise targeted for surveillance and data-based discrimination elsewhere in the US. Library workers stress privacy as a core tenet of Intellectual Freedom; however, this focus can be very narrow with regard to protecting a subset of patron information from specific unauthorized uses and access, e.g. a government entity accessing a patron’s circulation records. This narrow interpretation of the role privacy plays in the library does not take into account the evolution of the role of data in libraries and in society. Data has taken its place as a critical tool in ensuring funding and continued operations. We see this evolution with the increasing prevalence of customer relations management systems, learning analytics, and identity-based services (such as RA21) in the library environment.
With the rise of data-as-valuable-asset, comes the dark side, or taking a cue from Bruce Schneier, the toxicity of data. Data has been used to target marginalized populations via surveillance and other means. How can data harm vulnerable populations? Taking a look around the Seattle area, here are two recent cases in which data collection inflicted real-world harm on people:
- ‘Privacy Is Becoming a Luxury’: What Data Leaks Are Like for the Poor
- Motel 6 to pay Washington $12M for giving information on 80,000 guests to ICE
Another resource highlighting past and potential harms is http://neveragain.tech/. This pledge site started when the current US president proposed a registry of Muslims in the US. The page highlights some of the ways that technology was used against marginalized populations throughout recent times, as well as the harms that come with data collection.
Reframing the conversation about why privacy is important in libraries requires rethinking the field’s approaches surrounding privacy practices and policies. Privacy with regard to pursuing intellectual interests needs to take into account the social factors that come into play when someone from a vulnerable population uses the library. Many libraries market themselves as a “third place” or a place where the community can gather together for a variety of reasons, be it studying, meetings, programs, or even a safer space to spend free time outside of the home, work, or school. While data is useful in relation to building and maintaining operations that best benefit all patrons in the library’s third place role, care needs to be taken to ensure that the same data is not used to harm patrons as demonstrated in the cases above.
If you are looking for how to approach your privacy practices with an equity lens, you will hear from a variety of backgrounds and viewpoints during this year’s CPW. Maybe you’ll find something that you haven’t considered in relation to your privacy practices, or find an opportunity to be proactive in building trust with patrons. In either case, we’re looking forward to finding out more about how libraries can align privacy with equity during Choose Privacy Week!