[Content warning – reproductive rights, abortion]
One of the hazards of being a privacy professional is cultivated hypervigilance around identifying potential privacy threats in everyday life. While useful in my line of work, this hypervigilance also constantly puts me face to face with worst-case scenarios. Going through the risk calculus with such analysis brings some relief, particularly when you can control most of the variables in the risk equation. Things get scary, though, when there’s a lack of control or when control is taken away with no recourse. Think about, for instance, the lack of control activists have when libraries and archives collect identifiable data from protests without their knowledge or consent. What seems to be an innocuous act of recording history by the library/archive puts the activists in danger of retaliation or targeted attacks once bad actors identify them from those materials. In this instance, the collection’s subjects – the activists – are left with a risk they cannot mitigate due to the lack of control over the collection and sharing of the collection materials in the library/archive. The library/archive’s actions (or inactions) determine the severity and likelihood of the risk. We must also consider the power dynamics between the library and the activists that the perceived control over risks on one side might not reflect the reality of the other. The act of unconsented collection of identifiable data from protests is an inherently high-risk act that libraries might not consider as a high risk. The library is unlikely to pay the highest cost that comes from the realization of the risk (targeted attacks on activists identified in the materials).
Today’s post is going to be a bit different from the usual post topic and structure. We’re going to walk through some of my initial thoughts and analysis regarding patron privacy risks with SB 8, the Texas law outlawing abortions for pregnancies over six weeks. In particular, we will be focusing on the part of the law that grants private citizens the right to bring civil lawsuits against anyone found to be aiding someone seeking an abortion beyond the six-week cutoff.
[Obligatory disclaimer – I am not a lawyer. The following is for informational purposes only. Talk to a lawyer if you need legal advice. If you’re in Texas, I highly recommend you do this because the following analysis is likely to open up a few cans of worms.]
Let’s get some of the legal language out of the way. In SB 8, private citizens are given the right to sue not only abortion providers but anyone who provides some form of aid or assistance to someone obtaining an abortion. The language in Section 171.208 provides a couple of examples as to what “knowingly engages in conduct that aids or abets” but it’s still vague as to what counts as aiding or abetting:
Sec. 171.208. CIVIL LIABILITY FOR VIOLATION OR AIDING OR ABETTING VIOLATION. (a) Any person, other than an officer or employee of a state or local governmental entity in this state, may bring a civil action against any person who:
(1) performs or induces an abortion in violation of this chapter;
(2) knowingly engages in conduct that aids or abets the performance or inducement of an abortion, including paying for or reimbursing the costs of an abortion through insurance or otherwise, if the abortion is performed or induced in violation of this chapter, regardless of whether the person knew or should have known that the abortion would be performed or induced in violation of this chapter; or
(3) intends to engage in the conduct described by Subdivision (1) or (2).
There has been some legal commentary about what could constitute an act that would fall under “aids or abets.” Still, until the courts start hearing and deciding on civil suits brought under SB 8, some organizations and companies assume that the courts will have a very loose interpretation of what counts. Some companies, such as Lyft and Uber, are proactively preparing for civil suits if their drivers are sued for driving someone to receive an abortion. There’s also the question of what major tech companies such as Facebook or Google will do when handling requests for user data brought on from civil lawsuits under SB 8. The lack of a definitive definition of the terms “aids” or “abets” can easily lead to frivolous lawsuits or other tactics that focus on draining a person’s or organization’s resources (money, time, staff) through numerous cases, eventually causing the closure of the organization or financial/professional/personal ruin of an individual. The ultimate goal is not to create a good faith lawsuit but to sue someone out of existence, for lack of a better phrase.
So, what does this have to do with libraries? Consider a few everyday patron activities:
- check out a book
- ask a library worker a reference question
- look up information on a library public computer
- search for articles in a subscription database
All of these acts seem innocuous on the surface. Patrons use the library to search and access many different types of information, including reproductive health information. As libraries, we are not in the business of ascertaining why a patron is searching for a particular piece of information or asking them what they will use this information for. Patrons have a right to privacy at the library, which includes minding our own business regarding what information the patron searches for.
However, all of these acts create data:
- Checking out a book is recorded in the patron record and could also be stored in a patron’s borrowing history in several library and vendor databases.
- Reference questions are commonly stored in email or chat logs.
- Computer reservation systems log when a patron reserves and uses a computer.
- Content vendors log patron search queries and what articles the patron accessed.
It is difficult for a patron to use the library without generating some form of data, be it in the physical library or online. Where there’s library use, there’s most likely patron data.
In Texas Government Code Section 552.124, “A record of a library or library system, supported in whole or in part by public funds, that identifies or serves to identify a person who requested, obtained, or used a library material or service is excepted” from public disclosure and is confidential, with limited exceptions, such as a court-issued order. There is no requirement for third parties on behalf of the library to comply with the law. What constitutes a record is left to interpretation, unlike other laws like California’s that give more explicit guidance or definitions of what patron data is covered in the law. Patron records in the ILS are most likely covered under Section 552.124, but a chat log that’s stored in a vendor database may not depending on the interpretation of the “record of the library.”
Now we get to the part that keeps me up at night. Because we are dealing with vague definitions for “aids” or “abets” in SB 8, there will be people who will test the premise that providing the means for searching or accessing information about abortion falls under “aids or abets.” Providing access to information… helping people find or access information…
Why hello there, libraries.
I would not put it past certain people to bring a civil lawsuit against a Texas library (or an individual worker, volunteer, board member, etc.) on the basis that the library provides access to information that might lead to someone obtaining or inducing an abortion. This lawsuit could center around particular books in the collection or unfiltered internet access on public computers. This will most likely have chilling effects at the library, such as self-censorship in collection management and forcing more libraries to adopt filtering software that removes access to sites containing information about abortion on all public computers.
A more probable possibility from these new civil lawsuits will be the increased risks to patron privacy. The Protocol article mentioned earlier discusses the possibility of major tech companies such as Facebook and Google receiving subpoenas for data as part of these new civil lawsuits. As such, libraries are also likely to face the same types of requests for patron data if a patron is facing one of these lawsuits. According to Section 552.124, library records are confidential and exempt from disclosure except in limited circumstances, one being a court order or subpoena.
[Aside – It’s worth pointing out that the Section states that the court order has to satisfy one out of two conditions: disclosure of the record being necessary to protect public safety, or if the record is evidence of an offense or of a person committing an offense. While this would be relevant for criminal cases, I’m not sure if this would be the case in a civil lawsuit. IANAL, talk to yours.]
Therefore, there is some protection if the Texas library has a policy and procedure in dealing with law enforcement requests for patron data. However, this is not the only way to get patron data. Here are a handful of possible scenarios where someone can collect or access patron data without a court order:
- A patron observes another patron searching for or reading about abortion at the physical library (via public computer screen or watching the patron in a particular section of the library stacks or the materials the patron is looking through)
- A library worker providing a patron with another patron’s check out history
- A library worker accessing a patron’s record that contains currently checked out items or borrowing history
- A library worker working at the reference desk accessing reference question logs containing identifiable patron information
- A library vendor collecting and retaining patron data, including search logs and borrowing histories
- Campus or City IT retaining security camera footage of library patrons using library services or resources
Some of these scenarios are accidental disclosures, while some are disclosures permitted by library policy. Others are prime examples of insider threat. Still, others are disclosures to third parties who may not have robust data privacy and security policies and practices. A person can use this data to bring a civil lawsuit against the patron in question, which could trigger an additional patron data request for the library. I can go on, but these examples should illustrate the range of increased risks to patron privacy.
Again, this is all hypothetical – SB 8 just came into enforcement. There is no case law to determine how the courts will handle the civil lawsuits brought under the law. We’re left with assumptions and theoretical situations at this point. Nevertheless, if I was the privacy point person at a library in Texas, I might be doing the following right about now:
- First and foremost – talk to legal counsel about how SB 8’s “aids or abets” can be interpreted in the context of:
- current library services and collections
- patron confidentiality under Section 552.124
- Review the following for significant patron privacy risks:
- policies and procedures around patron data requests, including requests from law enforcement and other patrons
- which staff, administrators, and volunteers have access to patron data, and at what level of access
- what patron data the library collects and retains – this might mean reviewing the last data inventory or starting the process of a new inventory
- Depending on the outcome of the meeting with legal counsel, talk with library administration about potential communications to both library staff and patrons regarding patron rights to privacy and access to information through library services and collections under SB 8
- Review vendor privacy policies and contracts to determine if the vendor has a policy in place to handle law enforcement requests for patron data
The above actions are only the start. All of this and more would be a team effort involving people from all library levels. We would still have to find ways to address the risks identified in the reviews. This could mean policy/procedure revisions, creating new policies, conducting staff training, creating new scripts/FAQs for frontline staff for patron questions, changing processes to adhere to privacy and security best practices (data minimization, purpose limitation, etc.), and so on. We would also keep an eye on the Office for Intellectual Freedom for any guidance or support for Texas libraries. Then we have vendors and other third parties that collect and retain patron data to worry about if they don’t have a law enforcement request policy in place. All of this doesn’t come close to a comprehensive list of what could or should be done. It’s A Lot, but focusing first on talking to legal will guide where we should focus resources and staff time.
In all, my initial thoughts and analysis have many unknowns thanks to the vague language in SB 8 and the uncertainty around the potential enforcement of the law. The analysis is also not a neat one where I can point to a pre-determined list of actions and resources and say, “do this, and you’ll be fine!”. I hope that walking through some of the potential risks SB 8 presents to libraries and library patrons will help library workers in how they could respond to the new law. However, what libraries should not do is assume that they are exempt from consequences resulting from actions taken by society. Libraries should also not forget that their actions can have major consequences for patrons outside the library’s walls. Libraries collecting personal data without prior knowledge or consent for public collections could, in turn, endanger the people behind that data, as discussed in the protest collections example at the beginning of the post. However, we must remember that choosing not to act is an action in itself. Patrons have the right to access information and to privacy at the library – if SB 8 presents a challenge to either right, then libraries must act to protect those rights. Inaction to these challenges would not only further cement the library’s role in upholding and reinforcing oppressive systems such as white supremacy but would also be a betrayal to our patrons and our professional ethics.