Privacy at ALA Midwinter – 2021 Recap

Logo for the 2021 ALA Midwinter Meeting and Exhibits.

Patron privacy had several moments in the spotlight at last week’s ALA Midwinter Conference. If you missed the conference or the news updates, no worries! Here are the highlights to help you catch up.

A big moment for privacy resolutions

ALA Council passed two major privacy resolutions during ALA Midwinter, moving the organization and the profession to make a more deliberate stance against surveilling library patrons through facial recognition software and behavioral data tracking. You can read the full text of the original resolutions at the end of the Intellectual Freedom Committee Midwinter Report, but here are the actions called for in each resolution:

Resolution in Opposition to Facial Recognition Software in Libraries

  1. opposes the use of facial recognition software in libraries of all types on the grounds that its implementation breaches users’ and library workers’ privacy and user confidentiality, thereby having a chilling effect on the use of library resources;
  2. recommends that libraries, partners, and affiliate organizations engage in activities to educate staff, users, trustees, administrators, community organizations, and legislators about facial recognition technologies, their potential for bias and error, and the accompanying threat to individual privacy;
  3. strongly urges libraries, partners, and affiliate organizations that use facial recognition software to immediately cease doing so based on its demonstrated potential for bias and harm and the lack of research demonstrating any safe and effective use;
  4. encourages legislators to adopt legislation that will place a moratorium on facial recognition software in libraries; and
  5. directs the ALA Executive Director to transmit this resolution to Congress. [This clause was removed by amendment before the final vote in Council]

Resolution on the Misuse of Behavioral Data Surveillance in Libraries

  1. stands firmly against behavioral data surveillance of library use and users;
  2. urges libraries and vendors to never exchange user data for financial discounts, payments, or incentives;
  3. calls on libraries and vendors to apply the strictest privacy settings by default, without any manual input from the end-user;
  4. urges libraries, vendors, and institutions to not implement behavioral data surveillance or use that data to deny services;
  5. calls on libraries to employ contract language that does not allow for vendors to implement behavioral data surveillance or use that data to deny access to services;
  6. calls on libraries to oversee vendor compliance with contractual obligations;
  7. calls on library workers to advocate for and educate themselves about library users’ privacy and confidentiality rights; and
  8. strongly urges libraries to act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.

[Disclosure – LDH participated in the Behavioral Data Surveillance Resolution working group]

Each resolution is a strong indictment against surveillance technology and practices, but the resolutions will have limited impact if no further action is taken by the organization or its members. While ALA and its vast array of committees start updating and creating policies, standards, and guidelines to assist libraries in enacting these resolutions, individual libraries can use these resolutions to guide decision-making processes around these technologies on the local level. Library workers can use these resolutions to start conversations about how their libraries should protect patrons against these specific surveillance technologies and practices.

Dystopian future, or dystopian present?

The Top Tech Trends session explored the dystopian aspects of technologies including deepfakes, surveillance practices normalized during the COVID-19 pandemic, and the connection between prison libraries and biometric technologies. The recorded session is available to Midwinter registrants, but if you do not have access to the on-demand video of the session, the American Libraries article on the session summarizes each aspect and the impact it can have on patron privacy and the ability for libraries to serve patrons. Take a moment to read the summary or watch the session and ask yourself – Is your library on its way toward a dystopian tech future, or has it already arrived? What can you do to protect patrons against this privacy dystopia at the library?

Security Without Privacy

Powerpoint slide listing the types of data collected by typical web app logs, including timestamps, user behavior, biometric data, and geographic location.
Slide from the SNSI October Webinar

Academic libraries have been in the information security spotlight due to the resurgence of Silent Librarian. The collection of academic user accounts gives attackers access to whatever the user has access to in the campus network, including personal data. Attackers gaining access to library patron data was not the reason why academic library information security was in the news again this past month, however.

Protecting The Bottom Line

In late October, the Scholarly Networks Security Initiative (SNSI) presented a webinar [slides, transcript] that made several controversial statements and proposals. The one that caught the attention of the academic researcher and library worlds is the proposal of a publisher proxy tool to monitor user access and use of publisher resources. In the transcript and slides, the proposal included tracking behavioral data in addition to other personally identifiable data. For example, the publisher would actively track the subjects of the articles that the user is searching and reading:

159

00:29:10.020 –> 00:29:17.280

Corey Roach: You can also move over to behavioral stuff. So it could be, you know, why is a pharmacy major suddenly looking up a lot of material on astrophysics or

160

00:29:18.300 –> 00:29:27.000

Corey Roach: Why is a medical professional and a hospital suddenly interested in internal combustion things that just don’t line up and we can identify fishy behavior.

While there are other points of contention in the presentation (we recommend reading the transcript and the slides, as well as the articles linked above), the publisher proxy tool brings up a perennial concern around information security practices that libraries need to be aware of when working with IT and publishers.

You Say Security, But What About Privacy?

Security and privacy are not one-to-one equivalents. We covered the differences in security and privacy in a previous post. Privacy focuses on the collection and processing of personal data while security focuses on protecting organizational assets that may include personal data. Privacy is impossible without security. Privacy relies on security to control access and use of personal data. However, there is the misconception that security guarantees privacy. Security is “do one thing and do it well” – protect whatever it’s told to protect. Security does not deal with the “why” in data collection and processing. It does the job, no questions asked.

When security measures like the proxy tool above are touted to protect publisher assets, the question of “why this data collection and tracking” gets lost in the conversation. Libraries, in part, also collect behavioral data through their proxies to control access to library resources. Even though this data collection by libraries is problematic in itself, the fact remains that the data in this proxy is collected by the library and is subject to library policy and legal regulations around library patron data. The same information collected by a vendor tool may not be subject to the same policies and regulations – outside of California and Missouri, there are no state laws specifically regulating vendor collection, processing, and disclosure of library patron data. Therefore, any data collected by the vendors are only subject to whatever was negotiated in the contract and the vendor privacy policies, both of which most likely allow for extensive collection, processing, and disclosure of patron data. Security that uses patron data doesn’t necessarily guarantee patron privacy and could even put patron privacy in jeopardy.

Bringing Privacy into Library InfoSec

Academic libraries are part of a campus system and are one of many ways an attacker can gain access to campus assets, including personal data, as demonstrated by Silent Librarian. However, academic libraries are also targets for increased surveillance in the name of information security, as illustrated by the SNSI presentation. The narrative of “academic library as the weak link in a campus network” can force libraries into a situation where patron privacy and professional ethics are both compromised.  This is particularly true if this narrative is driven by information security professionals not well acquainted with privacy and data ethics or by vendors who might financially benefit from the data collected by this increased surveillance of library patrons.

Library organizations and groups are weighing in on how information security should consider library privacy and data ethics. This Tuesday, ALA will be hosting a Town Hall meeting about surveillance in academic libraries. DLF’s Privacy and Ethics in Technology Working Group and the Library Freedom Project, co-collaborators with ALA’s Town Hall event, will most likely add to the conversation in the coming weeks with resources and statements. We’ll keep you updated as the conversation continues!

In the meantime…

A small postscript to the blog post – one reoccurring theme that we come across when talking to libraries about privacy is the importance of relationships with others in and outside the library. These relationships are key in creating buy-in for privacy practices as well as creating strong privacy advocates in the organization. What type of relationship do you have with your organizational information security folks? Check out this short presentation about building organizational relationships to promote a strong privacy and security culture if you are still wondering where to start.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

Black Lives Matter

Hello everyone,

Black Lives Matter.

If your library or archive is thinking about collecting photographs, videos, or other materials from the protests around George Floyd’s death caused by Minneapolis police, what are you doing to protect the privacy of the protesters? Black Lives Matter protestors and organizers, as well as many protesters and organizers in other activist circles, face ongoing harassment due to their involvement. Some have died. Recently Vice reported on a website created by white supremacists to dox interracial couples, illustrating how easy it is to identify and publish personal information with the intent to harm people. This isn’t the first website to do so, and it won’t be the last.

Going back to our question – if your response to the protests this weekend is to archive photos, videos, and other materials that personally identifiable information about living persons, what are you doing to protect the privacy and security of those people? There was a call made this weekend on social media to archive everything into the Internet Archive, but this call ignores the reality that these materials will be used to harass protesters and organizers. Here is what you should be considering:

  • Scrubbing metadata and blurring faces of protesters – a recently created tool is available to do this work for you: https://twitter.com/everestpipkin/status/1266936398055170048
  • Reading and incorporating the resources at https://library.witness.org/product-tag/protests/ into your processes and workflows
  • Working with organizations and groups such as Documenting The Now
    A tweet that summarizes some of the risks that you bring onto protestors if you collect protest materials: https://twitter.com/documentnow/status/1266765585024552960

You should also consider if archiving is the most appropriate action to take right now. Dr. Rachel Mattson lists how archives and libraries can do to contribute right now – https://twitter.com/captain_maybe/status/1267182535584419842

Archives, like libraries, are not neutral institutions. The materials archivists collect can put people at risk if the archives do not adopt a duty of care in their work in acquiring and curating their collections. This includes protecting the privacy of any living person included in these materials. Again, if your archive’s response is to archive materials that identify living people at these protests, how are you going to ensure that these materials are not used to harm these people?

Black Lives Matter.

Caring Who Is Sharing Your Patron Data

Welcome to this week’s Tip of the Hat! Last week Tom Boone stated his intent to boycott two vendors – Thomson Reuters and RLEX Group – at the American Association of Law Librarians annual conference based on the current business relationships that both companies have with U.S. Immigration and Customs Enforcement [ICE]. While the objections are based on the relationships themselves, the boycott posts brings us back to a question posed by Jason Griffey about LexisNexis’s interest in assisting ICE in building an “extreme vetting” system for immigrants to the US – what role would data collected from libraries that subscribe to those vendors’ products play in building such a system? For this week’s letter, we’ll broaden the – what do vendors do with library patron data and what say do libraries have in the matter?

Patron data is as valuable to vendors as it is to libraries. To vendors, patron data can be used to refine existing services while building newer services based off of patron needs and behaviors. The various recommendation systems in several library products are powered partially by patron borrowing activity, for example. Nonetheless, while vendors use patron data for their products and services, many vendors share patron data with other service providers and third-party businesses for a variety of reasons. For example, some vendors run their applications on commercial cloud servers, which could mean storing or transferring patron data to and from these servers. Depending on the agreement between the vendor and the commercial cloud service, the service might also have access to the data for performance tracking and analysis purposes.

How do you find out what vendors are doing with your patron data? One of the first places to look is their privacy policy. Like libraries, vendors too should inform patrons how they are handling patron data. The library should have a separate privacy policy that indicates how library data is shared with vendors, but vendors also need a privacy policy that clearly communicates to patrons using the vendor service on how the data is handled by the vendor, including any sharing of data with service providers or other third parties. LexisNexis’ privacy policy provides some of this information in their How We Use Your Information and Sharing of Your Information sections (which, BTW, you should read if you do use LexisNexis!).

If you can’t find the information you need in the privacy policy, the vendor contract might have some information regarding the collection, use, and sharing of patron data by the vendor. The vendor contract can also serve another purpose, particularly when you are at the contract negotiation or contract renewal stages. The contract can be a good place to lay out expectations to the vendor as to what level of data collection and sharing is permissible. Some data sharing is unavoidable or necessary, such as using aggregated patron data for analyzing infrastructure performance, so if you come to the negotiation table with a hardline “no reuse or sharing with third parties” position, you will most likely be making some compromises. This is also a good place to bring up the question about “selling” vs “sharing” data with service providers – while some vendors state in their privacy policy that they do not sell patron data, they might not mention anything about sharing it with others. Setting expectations and requirements at the point of negotiations or renewal can mitigate any surprises surrounding data use and sharing down the road for all parties involved.

Having the discussion about patron data use and sharing by the vendor will not only allow you to find out what exactly happens to your patrons’ data when they use vendor products, but it also opens up the opportunity for your library to introduce language in the contract that will protect your patrons’ data. You can do this through line edits, or through a contract addendum that has been vetted by your local legal team. Before going to the negotiation table with your proposed changes and requests, you will need to determine what points will you be willing to compromise on, and which points are dealbreakers. Ideally negotiations provide a workable outcome for all, but in reality, sometimes the best outcome for your patrons and staff is to leave the negotiations. Not giving a vendor your library’s business is a valid option – an option that could signal to the vendor that some of their practices need to change if enough libraries choose to follow suit.