This weekend marked the 20th anniversary of 9/11 in the US. Life changed in the US after the attacks. One of the many aspects of our lives that changed was the sudden erosion of privacy for everyone living in the States. One of the earliest visible examples of this rapid erosion of privacy was the Patriot Act. Let’s take a moment and revisit this turning point in library privacy history and what has happened since.
A Quick Refresher
The Patriot Act was signed in October 2001 after the attacks of September 11th. The law introduced or vastly expanded government surveillance programs and rights. US libraries are most likely familiar with Section 215. While in the past the government was limited in what information they could obtain through secret FISA orders, Section 215’s “tangible things” expanded the use of these secret orders to “books, records, papers, documents, and other items.” Given the examples included in the Section’s text, it wasn’t too much of a stretch to assume that “tangible things” included library records.
The good news – for now – is that Section 215 is not here to mark the 20th anniversary of the passage of the Patriot Act. The Section was sunsetted in 2020 after years of renewal and a second life through the USA Freedom Act. The Section did not die quietly, though – while support for renewal spanned across both parties in the Senate and the House, different versions of the renewal bill stalled the renewal process. The possibility of a renewal of Section 215 or a similar version of the Section is still present. However, it is unclear as to when talks of renewal will restart.
The Act’s Impact on Libraries
Libraries acted quickly after the passage of the Act. Right after the passage of the Patriot Act, those of us in the library profession might remember taking stacks of borrowing histories and other physical records containing patron data and sending them through the shredder. Other libraries adjusted privacy settings in their ILSes and other systems to not collect borrowing history by default. ALA promptly sent out guidance for libraries around updating privacy and law enforcement request policies and procedures. And it would be safe to assume that several people got into librarianship because of the profession’s efforts in protecting privacy and pushing back against the Patriot Act.
Even with the flurry of activity in the profession early on, questions about the use of Section 215 to obtain patron data persist today. Even though the Justice Department testified in 2011 that Section 215 was not used to obtain circulation records, the secrecy imposed on searches in Section 215 makes it difficult to determine precisely the extent of the Section’s library record collection activities.
While we cannot say for sure if Section 215 was used to obtain patron data, we know that other parts of the Act were used in an attempt to get patron data. Most notably was the use of National Security Letters (NSL) and gag orders by the government to obtain patron data. The Connecticut Four successfully challenged the gag order on an NSL served to the Connecticut library consortium Library Connection. While the Connecticut Four took their fight to court, other libraries proactively tried to work around the gag order by posting warrant canaries in the building to notify patrons if they had been served an NSL.
Lessons Learned or Business as Usual?
The Patriot Act reminded libraries of the threat governments pose to patron privacy. Libraries responded with considerable energy and focus to these threats, and these responses defined library privacy work in the 21st century library. Still, the lessons learned from the early days of the Act didn’t entirely transfer to other threats that pose as much of a threat to patron privacy as governments and law enforcement. While libraries could quickly dispose of risky patron data on paper after the Act’s passage, a substantial amount of today’s patron data lives on third-party databases and systems. The removal of control over patron data in third-party systems limits the ability to adjust to new privacy threats quickly. Technology has evolved to provide some possible protections, including encryption and other ways to restrict access to data. Legal regulations around privacy give both libraries and patrons some level of control over data privacy in third-party systems. Despite these progressions in technology and law, data privacy in the age of surveillance capitalism in the library brings new challenges that many libraries struggle to manage.
Some could argue that libraries sub-optimized data privacy protections in response to the Act’s threats, hyper-focusing on government and law enforcement at the expense of addressing other patron privacy risks. At the same time, the standards and practices developed to mitigate governmental threats to patron privacy can be (and to certain extents have been) adapted to minimize these other risks, particularly with third parties. One of the first lessons learned in the initial days of the Act came from the massive efforts of shredding and disposing of patron data in bulk in libraries throughout the country. Libraries realized at that moment that data collected is data at risk of being seized by the government. Data can’t be seized if it doesn’t exist in the first place. As libraries continue to minimize risks around law enforcement requests, we must remember to extend those privacy protections to the third parties that make up critical library operations and services.