Just Published – Managing Data for Patron Privacy

The book cover of Managing Data for Patron Privacy set against a blue background, flanked by a padlock, file folder, and open laptop.

Hello everyone! It’s been a while since our last post in April, and a lot has happened. A Supreme Court ruling that will change how courts interpret an individual’s right to privacy, a bipartisan federal data privacy bill gaining momentum, ICE dipping into LexisNexis data much more than initially thought – and all of that is just within the past month. A lot is going on in the privacy world right now! While we won’t be back on our regular post schedule for a little longer, we will have time to bring you analysis and updates as they come along.

Speaking of updates, we have a big one to announce – the publication of our first book! Managing Data for Patron Privacy: Comprehensive Strategies for Libraries breaks down what library workers need to do to protect the privacy of their patrons’ data. In this book, Kristin Briney, Biology & Biological Engineering Librarian at the California Institute of Technology, and LDH founder Becky Yoose cover key topics such as:

  • succinct summaries of major U.S. laws and other regulations and standards governing patron data management;
  • information security practices to protect patrons and libraries from common threats;
  • how to navigate barriers in organizational culture when implementing data privacy measures;
  • sources for publicly available, customizable privacy training material for library workers;
  • the data life cycle from planning and collecting to disposal;
  • how to conduct a data inventory;
  • understanding the associated privacy risks of different types of library data;
  • why the current popular model of library assessment can become a huge privacy invasion;
  • addressing key topics while keeping your privacy policy clear and understandable to patrons; and
  • data privacy and security provisions to look for in vendor contracts.

Managing Data for Patron Privacy is a great place to start for library workers and libraries looking to cultivate a sustainable, holistic approach to their data privacy practices. Come for the case studies and practical advice; stay for the cats, glitter, and pasty recipe. 😉 We hope you enjoy the book, and please let us know if you have any questions or comments as you dive into our new book!

Just Published – ALA Privacy Field Guides

Title covers of the seven Library Privacy Field Guides.

Readers of the Tip of The Hat might be familiar with the ALA Privacy Guidelines and Checklists or even use them in their library privacy work. Created in 2015, the Guidelines aim to assist libraries and library vendors in providing patron privacy guidance around library technology and services. The Checklists go a step further by turning this guidance into actionable steps for libraries to incorporate into their work. The Guidelines and Checklists have provided valuable advice and direction for many a library and library vendor alike throughout the years.

As the privacy needs of libraries change, so have the Guidelines and Checklists. Nevertheless, the growing complexity of privacy work means a new set of challenges for libraries to face. Alongside this increasing set of challenges is the need for a group of resources that are easy to understand and provide the tools necessary for library workers to advocate for privacy practices on all levels, from the public to administration to vendors. 

The Privacy Field Guides, an IMLS-sponsored project in collaboration with ALA, aim to meet this need. These just-published guides offer practical guidance around major library privacy topics:

  • Data Lifecycles (If you’re familiar with our work at LDH, you might not be surprised that we helped out with the creation of this guide!)
  • Digital Security Basics
  • How To Talk About Privacy
  • Non-Tech Privacy
  • Privacy Audits
  • Privacy Policies
  • Vendors and Privacy

What sets these guides apart from other library privacy resources is that they serve as a starting point for library workers who are unsure where and how to start doing privacy work at their libraries. Each guide contains hands-on exercises where library workers can immediately impact how their library practices privacy. Does your library lack a privacy policy that patrons can easily read and understand? The Privacy Policies guide walks you through creating a draft privacy policy that is informative and readable for your patrons. The guides also provide talking points for library workers communicating about library privacy. How To Talk About Privacy focuses on building those talking points for a variety of audiences – be it patrons, administration, or everyone in between – but you will also find talking points in the other guides focused on specific topics, such as privacy in the vendor selection and contract negotiation processes or protecting patron privacy in physical library spaces.

These guides are a valuable addition to your library’s privacy toolkit and are a great way to start privacy discussions in your library. Take some time to go through the digital versions of the Field Guides and let us know what you think!

There’s a Post About That!

There’s a saying that makes the rounds at the LDH office – “same problems, different day.” While there is no shortage of unique and exciting privacy challenges out there, eventually there will be a version of a previous privacy issue we dealt with in the past that pops up in our daily work. The same goes for the general privacy discourse in the library world. It’s been a busy couple of weeks in the library discourse where we see versions of the same topics and issues discussed in the past. It can feel like we’re stuck in a time loop, reliving the same conversations.

Bill Murray from the movie Groundhog Day reporting on the holiday celebrations in a small town - "Well, it's Groundhog Day... again."
We know we’re a couple months away from Groundhog Day, but still…
GIF source – https://giphy.com/gifs/pr-13USAwkGCTd6xy

Luckily, this gives LDH the opportunity to highlight relevant posts from the Tip of The Hat! Whether you missed the posts the first time around or are looking to revisit some of our older content, the newsletter-turned-blog has covered a lot of ground in the library privacy world. Let’s take some time to review some of those posts as the library world revisits several privacy conversations this week.

Mergers and Acquisitions and Consolidation oh my!

It’s official – Clarivate’s acquisition of ProQuest is finally complete, furthering the consolidation of the library vendor marketplace. The acquisition isn’t the first one that led many in the library community to worry about the consequences of having only a handful of companies controlling the marketplace and what effects this consolidation would have on data privacy. In addition, there’s the practical concern of what exactly happens to patron data when a business is acquired or goes bankrupt. Here are some previous posts that touch on the relationship between vendors and library data privacy:

The Library Privacy Trope That Never Dies

Libraries full of dusty books. Librarians reading all day on the job. Librarians shushing patrons. No matter where you go, there’s always a version of one of these tropes whenever libraries come up in the conversation. Most of the time, you find these tropes being brought up by people who don’t work at libraries, from news reporters with cringeworthy article openers (“Libraries are no longer for books!”) to everyday conversation (“library quiet”). However, sometimes libraries themselves indulge in using library tropes for their own purposes. This week was no different, with a social media account for a public library system in the US creating a meme about how the library doesn’t track patron use of library materials.

Longtime readers of the blog might recall our library privacy trope post from last year detailing the dangers of the trope to libraries and patrons. While the profession has a strong ethical mandate to protect patron privacy, including patron data, the reality is that libraries are subject to the same data privacy constraints and issues that show up in any other industry. For example, libraries and their vendors keep track of which patrons use specific resources and services. A library failing to let patrons know how the library or vendor collects, processes, and shares patron data or misrepresents library data privacy practices in communications to patrons is at risk of an ethics breach, losing the trust of their patrons.

While it might be fun to poke fun at the data privacy practices of commercial companies, libraries are best served to remember that they are not above engaging in the same privacy-invasive practices as their commercial counterparts. Case in point – the growth of customer relationship management systems in libraries and how the use of a CRM led a library to be investigated by a civil grand jury. Another case in point – many libraries still use Google Analytics to track patron use of the library website. In any case, meme responsibly.

When Privacy and Security Become a Barrier unto Themselves

A recent Twitter thread touched on many patrons’ struggles with multifactor authentication and how library workers encounter this struggle daily. Take some time to read the thread and the replies. It is a good reminder that not all privacy and security controls work for everyone. In some cases, these controls create barriers to using the library. If the library or vendor requires all patrons to use multifactor authentication for library resources or services, these controls can disproportionally affect patrons who, for example, do not have reliable access to a mobile phone or have limited phone service.

Privacy and equity are not mutually exclusive. Sometimes the choices libraries make can put some patrons in a bind, particularly when libraries move core services to newer platforms that collect more data about patron use of the service than before. Our post about ethical design in library privacy practices is a good starting point to consider how to center patrons in how your library approaches patron services and programs.

[Related – sometimes your data privacy and security policies for staff are a liability in themselves! We touched on this liability last October when discussing administrator privileges on work computers. As you think about what data privacy and security measures to put in place at your library, take some time to think about the costs and benefits of each measure. Sometimes it’s better – both for the bottom line and for data privacy and security – to accept certain risks.]

FUD and Reality – Information Security and Open Source Software

A black cat and a grey tabby cat sit on top of a gray computer monitor. The top border of the monitor has a black and white sticker with the text "I <3 source code."
Image source: https://www.flickr.com/photos/miz_curse_10/1404420256/ (CC BY SA 2.0)

Librarians like our acronyms, but we’re not the only profession to indulge in linguistic gymnastics. The technology field is awash in acronyms: HTTP, AWS, UI, LAN, I/O, etc. etc. etc. One acronym you might know from working in libraries, though, is OSS – Open Source Software.

Library technology is no stranger to OSS. The archived FOSS4LIB site lists hundreds of free and open source library applications and systems ranging from integrated library systems and content management systems to metadata editing tools and catalogs. Many libraries use OSS not specific to libraries – a typical example is installing Firefox and Libre Office on public computers. Linux and its multitude of distributions ensure that many library servers and computers run smoothly.

It’s inevitable, though, that when we talk about OSS, we run into another acronym – FUD, or Fear, Uncertainty, and Doubt. FUD is commonly used to create a negative picture of the target in question, usually at the gain of the person making the FUD. In the technology world, OSS often is depicted by proprietary software companies as being inferior to proprietary software – the Microsoft section in the FUD Wikipedia page gives several good examples of such FUD pieces.

It should be no surprise that FUD exists in the library world as well. One example comes from a proprietary software company specializing in library management systems (LMS). We’ll link to an archived version of the page if the page is taken down soon after this post is published; if nothing else, companies do not like being called out on their marketing FUD. The article poses as an article talking about the disadvantages of an LMS. In particular the company claims that OS LMSes are not secure: they can be easily breached or infected by a computer virus, or you can even lose all your data! The only solution to addressing all these disadvantages is to have the proprietary software company handle all of these disadvantages for you!

The article is a classic example of OSS FUD – the use of tactics to sow fear, hesitation, or doubt without providing a reasoned and well-supported argument about the claims made in the article. However, this is probably not the first time you ran into the idea that OSS is insecure. A common talking point about OSS insecurity is that OSS security bugs stay unaddressed in the software for years. For example, the Heartbleed bug that caused so much havoc in 2014 was introduced into the OpenSSL code in 2012, resulting in a two-year gap where bad actors could exploit the vulnerability. You’ve also probably run into various versions of the thinking around OSS security that Bruce Schneier describes below:

“Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They’ll figure out how it works. They’ll find flaws. They’ll — in extreme cases — sneak back-doors into the code when no one is looking.”

OSS is open for all to use, but it’s also available for all to exploit if you go down the path described in the above line of thinking.

The good news is that, despite the FUD, OSS is not more insecure than its proprietary counterparts. However, we also must be wary of the unchecked optimism in statements claiming that OSS is more secure than proprietary software. The reality is that OS and proprietary software are subject to many of the same information security risks mixed with the unique risks that come with each type of software. It’s not uncommon for a small OSS project to become dormant or abandoned, leaving the software vulnerable due to a lack of updates. Conversely, a business developing proprietary software might not prioritize security tests and fixes in its work, leaving its customers vulnerable if someone exploits a security bug. While there are differences between the two examples, both share the risk of threat actors exploiting unaddressed security bugs in the software.

OSS, therefore, should be assessed and audited like its proprietary counterparts for security (and privacy!) practices and risks. The nature of OSS requires some adjustment to the audit process to consider the differences between the two types of software. A security audit for OSS would, for example, take into account the health of the project: maintenance and update schedules, how active the community is, what previous security issues have been reported and fixed in the past, and so on. Looking at the dependencies of the OSS might uncover possible security risks if a dependency is from an OSS project that is no longer maintained. Addressing any security issues that might arise from an audit could take the form of working on and submitting a bug fix to the OSS project or finding a company that specializes in supporting OSS users that can address the issue. As we wrap up Cybersecurity Awareness Month in the runup to Halloween, let’s get our scares from scary movies and books and not from OSS FUD.
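The project-health and dependency checks described above, as an added example (not code from LDH or from any project named in this post): it walks a dependency graph and flags projects that are dormant, unmaintained, carrying unfixed security reports, or never assessed. The inventory, project names, dates, and the 18-month dormancy threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed threshold for this example; tune it to your library's risk tolerance.
DORMANT_AFTER_DAYS = 540  # no release in roughly 18 months


@dataclass
class Project:
    name: str
    last_release: date
    active_maintainers: int
    open_security_issues: int  # reported but not yet fixed
    depends_on: list = field(default_factory=list)


def health_findings(project, today):
    """Return the project-health red flags for a single project."""
    findings = []
    if (today - project.last_release).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")
    if project.active_maintainers == 0:
        findings.append("no-maintainers")
    if project.open_security_issues > 0:
        findings.append("open-security-issues")
    return findings


def audit(root, inventory, today):
    """Walk the dependency graph from `root` and report every flagged project.

    Returns {name: {"findings": [...], "path": [root, ..., name]}} so the
    auditor can see through which dependency chain a risk is pulled in.
    """
    report = {}
    seen = set()
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in seen:  # handles dependency cycles and shared dependencies
            continue
        seen.add(name)
        project = inventory.get(name)
        if project is None:
            # A dependency nobody has assessed is itself a finding.
            report[name] = {"findings": ["not-inventoried"], "path": path}
            continue
        findings = health_findings(project, today)
        if findings:
            report[name] = {"findings": findings, "path": path}
        for dep in project.depends_on:
            stack.append((dep, path + [dep]))
    return report


# Constructed sample inventory: every name, date and count here is made up.
SAMPLE_INVENTORY = {p.name: p for p in [
    Project("example-ils", date(2021, 9, 1), 12, 0,
            ["marc-toolkit", "web-framework"]),
    Project("marc-toolkit", date(2018, 3, 15), 0, 2),
    Project("web-framework", date(2021, 8, 20), 30, 0,
            ["template-engine", "xml-utils"]),
    # Depends back on web-framework to show that cycles do not loop forever.
    Project("template-engine", date(2021, 6, 1), 3, 1, ["web-framework"]),
]}
AUDIT_DATE = date(2021, 10, 25)  # constructed audit date

if __name__ == "__main__":
    results = audit("example-ils", SAMPLE_INVENTORY, AUDIT_DATE)
    for name, entry in sorted(results.items()):
        print(f"{name}: {', '.join(entry['findings'])} "
              f"(via {' -> '.join(entry['path'])})")
```

The same record structure works for proprietary products if "last release" and "open security issues" are filled in from vendor advisories and contract disclosures instead of a public repository.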

A Quick Chat About Patron Data Privacy During Company Acquisitions and Mergers

Another week, another acquisition. The latest news in the library vendor world came last Monday, with Clarivate purchasing ProQuest for the small sum of $5.63 billion. Academic libraries that subscribe to Web of Science and EndNote with Clarivate and Alma and Primo with ProQuest face the reality that now all of these products are owned by one company. We can’t forget that ProQuest has its fair share of mergers and acquisitions, though, as illustrated in Marshall Breeding’s ProQuest mergers and acquisitions chart.

This latest acquisition continues the trend of consolidation in the library vendor marketplace. With this consolidation of products and services comes the ability for companies to create more complete profiles of library patrons through increased data collection and tracking capabilities. In fact, during the company call regarding the acquisition on May 17th, company representatives commented that with the ProQuest acquisition, the company “can serve the entire research value chain, early stage and K12 setting, thru postgrad.” Put another way by another company representative, “We can touch every student in K through doctoral degrees everywhere. There is no product overlap.” Combine that quote with phrases from the press release such as “long-term predictive and prescriptive analytics opportunities from the enhanced combination of ProQuest’s data cloud with the billions of harmonized data points in the Clarivate Research Intelligence Cloud” (emphasis mine). You start to understand why this acquisition is a patron privacy concern.

This isn’t the first time a merger or acquisition brought up library privacy concerns. However, the size of this acquisition is cause for all libraries to stop and review their vendor management practices. The vendor relationship lifecycle can assist libraries in reviewing some of their vendor management practices. It’s difficult to determine if a vendor will still be around as an independent company in a few years when you’re shopping for a product or service. Nonetheless, it’s still worthwhile to do some research around the company. For example, you can find the latest vendor news in various library industry publications and sites such as Computers in Libraries and Library Technology Guides. Doing some research ahead of time (including asking around your professional network) can flag potentially problematic or unsustainable businesses to remove from consideration in the selection process.

The onboarding stage provides opportunities for libraries to mitigate privacy risks throughout the rest of the vendor lifecycle. Contracts usually do the heavy lifting when determining the fate of customer data after an acquisition, merger, or bankruptcy. We won’t get into the detailed legal aspects of mergers and acquisitions – we are not lawyers at LDH. Still, you can read a two-part blog series about pre- and post-closing liabilities around privacy and acquisitions/mergers if you want the nitty-gritty legal details. Nonetheless, vendor contracts should state what will happen to patron data in the case of a merger, acquisition, or bankruptcy. Though the concept of data ownership is fraught with equating data to a commodity, having the library retain ownership of patron data addresses some of the risks, such as patron data being included in the list of company assets during a sale or bankruptcy. Another contract negotiation point is reserving the right to withdraw the library’s data from the company after a sale or bankruptcy. This withdrawal needs to address how the data should be securely transferred and deleted from the vendor’s systems, treating this process as the separation process at the end of a business relationship. Yet another control strategy is requiring explicit and affirmative informed consent from patrons if the vendor wants to include the patrons’ data in the acquisition or merger. The more control the library has over the fate of the data after a company is bought or goes under, the better chances the library has to mitigate privacy risks.

Thanks to the trend toward monopolies in the library marketplace, libraries subscribing to ProQuest or Clarivate products and services have limited options outside of using the contract in controlling data flows and disclosures during a merger or acquisition. When discussed with your legal staff, the contract strategies mentioned earlier can mitigate data privacy risks when the vendor eventually becomes part of a giant conglomerate. Conglomerates (or monopolies) can go beyond the basic user profiles and analytics with more invasive behavioral tracking and analytic practices traditionally absent in libraries. Until there is a critical mass of libraries combining their political capital to push vendors to engage in privacy-preserving data management, individual libraries will need to continue navigating contract languages and “what if” scenarios on a vendor-by-vendor basis.

Open Data of Another Kind

Entryway door with the words "OPEN" and "NOW" written in tape on the two steps leading up to the door, respectively.
Photo by Kadir Celep on Unsplash

We sometimes like to say that something happens because of “magic” – in reality, that “magic” is the result of the (invisible) labor of real and unmagical people. To some patrons, this “magic” takes the form of the many programs, resources, and services the library provides daily. It takes the work of people in both the public and back-office spaces of the library. What happens, then, if you take the “magic” created by people and replace it with the “magic” of technology?

Last month the Santa Monica Public Library announced their plans to reopen a branch closed to the public due to staff cuts last year. The branch opening wasn’t made possible by regaining staff positions but instead made possible through a state grant to expand physical services through a suite of self-service technology. This grant uses existing technologies that many libraries use, including self-checkout machines, security cameras, and a controlled entry card swipe/tap or keypad. Combining these technologies to create a self-service library without staff isn’t new, either – for example, several European libraries expanded physical library hours through self-service technologies. The technology behind Santa Monica Library’s branch reopening, Open+, has been piloted in other US libraries such as Gwinnett County Public Library to expand library hours and service sans on-site staff.

This open library model comes with tradeoffs that leave many library workers worried. Library workers and patrons alike raised valid concerns around open libraries replacing staff to save costs. Another tradeoff that some might miss is the increased collection, processing, and retention of data generated from patron use of the physical library. While the individual technologies are not new, the combination of existing technologies to create an open library expands the amount of surveillance and data collection to a level that exponentially exposes patrons to various privacy harms.

We might as well start with the elephant in the room. The use of security cameras in libraries has been contested throughout the years, with libraries trying to balance using cameras for physical library security and patron privacy. ALA created guidelines about security camera use for libraries but the use of cameras in library spaces brings the risk of violating patron privacy throughout each stage of the patron data lifecycle:

  • Collection – where are the cameras located? Are they recording footage of patrons using library resources, such as browsing shelves, computer usage, or other identifiable usages of materials in the library?
  • Storage, retention, and deletion – where is the recorded footage being stored? Is it locally stored in the library? If not, where is that storage? Is it with a vendor, organizational IT, or even local law enforcement? How long are recordings kept? How many copies, including backups, exist, and how long are they kept?
  • Access and disclosure – who has access to the footage? Library workers, the vendor, the parent organization? Can law enforcement access the footage without a court-issued order? What are the policies around disclosing footage?

Depending on the library’s location, some state and local regulations around library privacy can potentially include security camera footage as part of their definition of protected patron data. However, this protection cannot be guaranteed even if the regulations include such footage if the vendor recording and retaining footage is not legally obligated to protect this footage or if the footage is stored and retained by law enforcement.

The use of controlled entry technology brings another privacy risk to patrons in an open library setting. Academic, school, and other special libraries might be familiar with using card swipe or tap machines that control access to physical library spaces. These technologies are uncommon in public libraries, however.[1] These controlled access systems can create logs of patron data: who came into the library at what time. This patron log can potentially put patron privacy at risk through a data breach or misuse through secondary use (the reuse of data collected for another purpose) in the form of learning analytics and marketing campaigns.

Security cameras and controlled entry create some privacy risks in and of themselves; nonetheless, these risks can be mitigated if particular care is put into the planning and implementation of each technology. Pairing these technologies with other monitoring technologies creates a profile of a patron’s library use through the combination of data sets. Who is doing the data collecting, storing, and retaining determines the level of risk to patron privacy. That is where libraries considering open library models need to spend considerable time assessing the privacy risks associated with who controls the surveillance technologies used to collect and store patron data. Currently, open library models consist of third-party technologies and services to coordinate all of these technologies. These third parties are not subject to state and local regulations around library data privacy (outside of California and Missouri). Trying to replace one “magic” (people) with another (technology services provided by a third party) doesn’t get rid of cost. Instead, it transfers and transforms it to the point where some library workers might not realize that the open library “magic” comes at the cost of patron privacy.

[1] The use of controlled entry technology in public libraries is also an equity issue concerning which groups of patrons can access the library outside of staffed hours. Who is excluded from the physical library in an open library model, and what are the implications of excluding them?

Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense as to how a vendor works with patron data; however, the contract and policy are not telling the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data’s going and how it’s going to be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product that is not targeted toward the library market but still uses patron data in ways that can harm patrons. How can a library figure out if a vendor’s business model doesn’t violate patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli make a call to other libraries to proactively review their relationships with vendors and take measures to encourage vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have encountered in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is).  Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.”  Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession then must have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them, and we owe it to them not to engage in ethics washing of our own.

LastPass and Clubhouse and Virginia, Oh My!

A grey tabby cat curled up and sleeping between newspaper sheets.
It’s hard to get started on a Monday morning… image source: https://www.flickr.com/photos/cyawan/2325855567/ (CC BY 2.0)

A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.

LastPass Free Tier Woes

The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager.  For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.

If you have a LastPass free tier account and don’t want these restrictions, your options are limited:

  • If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager but also unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
  • You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXC is another free option for the more technically-inclined who can self-host their password manager.

You can read more about the basics of password managers in our Obligatory Password Manager post from April 2020.

Clubhouse Is Not Your Library’s New Social Media App

So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.

Let us stop you right there.

In addition to being exclusive to iOS, being inaccessible, and being a free-for-all for harassment, Clubhouse’s privacy practices are almost non-existent. Literally – the privacy policy did disappear for a while! Nonetheless, the privacy policy is up, and it’s one of the more invasive privacy policies that should make you pause before using the product for any library program, service, or process. We’ve rounded up several articles that describe these invasive data privacy practices in detail:

Some folks will say that other social media companies engage in some of the same practices. However, given the overall poor quality and construction of the privacy policy, combined with privacy practices that violate several privacy laws in the US and the EU, the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.

Virginia Getting a New Data Privacy Law?

Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?

  • The bill provides data rights similar to those in California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access to and deletion of personal data, as well as the right to opt out of businesses selling their data.
  • The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.

Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catch-up. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.

LDH in The News

LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!

Security Without Privacy

Powerpoint slide listing the types of data collected by typical web app logs, including timestamps, user behavior, biometric data, and geographic location.
Slide from the SNSI October Webinar

Academic libraries have been in the information security spotlight due to the resurgence of Silent Librarian. The collection of academic user accounts gives attackers access to whatever the user has access to in the campus network, including personal data. Attackers gaining access to library patron data was not the reason why academic library information security was in the news again this past month, however.

Protecting The Bottom Line

In late October, the Scholarly Networks Security Initiative (SNSI) presented a webinar [slides, transcript] that made several controversial statements and proposals. The one that caught the attention of the academic researcher and library worlds is the proposal of a publisher proxy tool to monitor user access and use of publisher resources. In the transcript and slides, the proposal included tracking behavioral data in addition to other personally identifiable data. For example, the publisher would actively track the subjects of the articles that the user is searching and reading:

159

00:29:10.020 –> 00:29:17.280

Corey Roach: You can also move over to behavioral stuff. So it could be, you know, why is a pharmacy major suddenly looking up a lot of material on astrophysics or

160

00:29:18.300 –> 00:29:27.000

Corey Roach: Why is a medical professional and a hospital suddenly interested in internal combustion things that just don’t line up and we can identify fishy behavior.

While there are other points of contention in the presentation (we recommend reading the transcript and the slides, as well as the articles linked above), the publisher proxy tool brings up a perennial concern around information security practices that libraries need to be aware of when working with IT and publishers.

You Say Security, But What About Privacy?

Security and privacy are not one-to-one equivalents. We covered the differences in security and privacy in a previous post. Privacy focuses on the collection and processing of personal data while security focuses on protecting organizational assets that may include personal data. Privacy is impossible without security. Privacy relies on security to control access and use of personal data. However, there is the misconception that security guarantees privacy. Security is “do one thing and do it well” – protect whatever it’s told to protect. Security does not deal with the “why” in data collection and processing. It does the job, no questions asked.

When security measures like the proxy tool above are touted to protect publisher assets, the question of “why this data collection and tracking” gets lost in the conversation. Libraries, in part, also collect behavioral data through their proxies to control access to library resources. Even though this data collection by libraries is problematic in itself, the fact remains that the data in this proxy is collected by the library and is subject to library policy and legal regulations around library patron data. The same information collected by a vendor tool may not be subject to the same policies and regulations – outside of California and Missouri, there are no state laws specifically regulating vendor collection, processing, and disclosure of library patron data. Therefore, any data collected by the vendors are only subject to whatever was negotiated in the contract and the vendor privacy policies, both of which most likely allow for extensive collection, processing, and disclosure of patron data. Security that uses patron data doesn’t necessarily guarantee patron privacy and could even put patron privacy in jeopardy.

Bringing Privacy into Library InfoSec

Academic libraries are part of a campus system and are one of many ways an attacker can gain access to campus assets, including personal data, as demonstrated by Silent Librarian. However, academic libraries are also targets for increased surveillance in the name of information security, as illustrated by the SNSI presentation. The narrative of “academic library as the weak link in a campus network” can force libraries into a situation where patron privacy and professional ethics are both compromised.  This is particularly true if this narrative is driven by information security professionals not well acquainted with privacy and data ethics or by vendors who might financially benefit from the data collected by this increased surveillance of library patrons.

Library organizations and groups are weighing in on how information security should consider library privacy and data ethics. This Tuesday, ALA will be hosting a Town Hall meeting about surveillance in academic libraries. DLF’s Privacy and Ethics in Technology Working Group and the Library Freedom Project, co-collaborators with ALA’s Town Hall event, will most likely add to the conversation in the coming weeks with resources and statements. We’ll keep you updated as the conversation continues!

In the meantime…

A small postscript to the blog post – one reoccurring theme that we come across when talking to libraries about privacy is the importance of relationships with others in and outside the library. These relationships are key in creating buy-in for privacy practices as well as creating strong privacy advocates in the organization. What type of relationship do you have with your organizational information security folks? Check out this short presentation about building organizational relationships to promote a strong privacy and security culture if you are still wondering where to start.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction to data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!