State of The Hat: What’s Brewing and Reader Survey

A black plushie llama flanked by two blocky yellow and green rubber duckies. The llama has a sticker of a brown hat on top of their head. Text on the hat: "follow the hat, libdataprivacy.com"
Back in our early days…

Welcome to June! Today marks the start of the blog’s “summer schedule,” where we post on a bi-weekly basis. This month also marks the beginning of the summer for many in the Northern Hemisphere. We say “many” because in Seattle the summer season is replaced by construction season. For our East Coast readers, summer is becoming Brood X season.

Now that we are halfway through 2021 let’s take a peek behind the scenes of the blog, including a chance to help shape the future of the Hat!

What’s brewing at The Hat?

There are few certainties in today’s world: death and taxes are two. The third is the rapid pace of change in the privacy world. It’s hard to keep up with all the updates, even for privacy professionals such as ourselves at LDH! The Tip of The Hat is doing its best to keep up with the latest news and updates in the library privacy world. From major vendor acquisitions and library policies around COVID-19 to tracking privacy implications of the newest library technology trends and significant tech company developments, we’ll keep you covered! We are also keeping track of the ongoing deluge of state and federal data privacy bills. While we are not lawyers at LDH, we will continue to alert our readers of new data privacy laws that will affect how libraries work with vendors in protecting patron privacy.

We also have several ongoing series and reader requests in the middle of all these news and updates! The third installment of our “Librarians as Information Fiduciaries?” is in the works, as well as additional writeups for tools to add to your privacy tech toolkit or cybersecurity awareness programming. We might even make a habit of doing our #DataSpringCleaning throughout the year, particularly for library workers who are making the transition back to the office or who are now planning to continue a hybrid of onsite and virtual work and programming. And we will never not post about the patron data lifecycle, including posts questioning why we are collecting data that, if we are honest, is not needed for our patrons to use the library.

We’ve had several requests for more content around the privacy, ethical, and equity implications of handling data in libraries, particularly around data analytics and how libraries use customer relationship management systems (CRMs) for market segmentation projects. More posts are in the works as major library vendors release new data analytics and CRMs into the library market. Yes, we did notice the “Target Acquired” article in the May 2021 issue of American Libraries (page 52-53). Yes, we plan to write about where that article misses the privacy mark with its product profiles. Analytics is not far removed from surveillance. We will continue to highlight how libraries can avoid becoming another major player in the surveillance economy, including the various privacy risks involved in tracking patron use of libraries, be it by libraries or by vendors.

How you can shape the future of The Hat

We at LDH are doing our best to keep the library world up to date with the latest news and updates in the privacy world, as well as delivering more in-depth pieces around library privacy. The Tip of The Hat has been going strong since February 2019 – this post is #102! Best of all, every blog post is free for all to read and will continue to be free to the library world and beyond.

This free model has been sustainable, but up to a point. Each week (or every other week during our summer posting schedule), we research, write, edit, and post timely and thought-provoking content about all matters of library privacy. We want to explore a few ways in which those who can financially support this work can help us continue the blog for the long term.

If you visited the blog last week, you might have noticed a new link in the blog menu inviting people to buy us tea. Readers of the blog can now donate a few dollars through our new Buy Me a Coffee page! Currently, we have the page set up for readers interested in a one-time donation to keep The Tip of The Hat running via cups of tea. No site account is required to donate – you only need a credit card or PayPal account for a one-time donation.

[The fine print – Readers can visit the privacy policy to learn more about what information is and is not collected and processed on the donation site. Readers who want to donate without attaching a name to the donation can do so following the instructions on the Supporter FAQ page.]

We also want to hear from our readers! We created a quick reader survey asking about other possibilities for the future of The Hat, including future content ideas and possible membership levels to help fund the continued work on the blog. Again, we will continue to make the content on the blog free for all to access, even if we introduce a membership level for those who want to make a monthly donation to support the blog.

The survey will be open to our readers until June 15th, 2021. Please take a few moments to let us know your thoughts about the future of The Hat! Thank you all again for your support and readership throughout the years. We look forward to hearing from you all about the future of the blog and beyond.

We’ll be back on June 14th – enjoy the start of the new month!

A Quick Chat About Patron Data Privacy During Company Acquisitions and Mergers

Another week, another acquisition. The latest news in the library vendor world came last Monday, with Clarivate purchasing ProQuest at the small sum of $5.63 billion. Academic libraries that subscribe to Web of Science and EndNote with Clarivate and Alma and Primo with ProQuest face the reality that now all of these products are owned by one company. We can’t forget that ProQuest has its fair share of mergers and acquisitions, though, as illustrated in Marshall Breeding’s ProQuest mergers and acquisitions chart.

This latest acquisition continues the trend of consolidation in the library vendor marketplace. With this consolidation of products and services comes the ability for companies to create more complete profiles of library patrons through increased data collection and tracking capabilities. In fact, during the company call regarding the acquisition on May 17th, company representatives commented that with the ProQuest acquisition, the company “can serve the entire research value chain, early stage and K12 setting, thru postgrad.” Put another way by another company representative, “We can touch every student in K through doctoral degrees everywhere. There is no product overlap.” Combine that quote with phrases from the press release such as “long-term predictive and prescriptive analytics opportunities from the enhanced combination of ProQuest’s data cloud with the billions of harmonized data points in the Clarivate Research Intelligence Cloud” (emphasis mine). You start to understand why this acquisition is a patron privacy concern.

This isn’t the first time a merger or acquisition brought up library privacy concerns. However, the size of this acquisition is cause for all libraries to stop and review their vendor management practices. The vendor relationship lifecycle can assist libraries in reviewing some of their vendor management practices. It’s difficult to determine if a vendor will still be around as an independent company in a few years when you’re shopping for a product or service. Nonetheless, it’s still worthwhile to do some research around the company. For example, you can find the latest vendor news in various library industry publications and sites such as Computers in Libraries and Library Technology Guides. Doing some research ahead of time (including asking around your professional network) can flag potentially problematic or unsustainable businesses to remove from consideration in the selection process.

The onboarding stage provides opportunities for libraries to mitigate privacy risks throughout the rest of the vendor lifecycle. Contracts usually do the heavy lifting when determining the fate of customer data after an acquisition, merger, or bankruptcy. We won’t get into the detailed legal aspects of mergers and acquisitions – we are not lawyers at LDH. Still, you can read a two-part blog series about pre- and post-closing liabilities around privacy and acquisitions/mergers if you want the nitty-gritty legal details. Nonetheless, vendor contracts should state what will happen to patron data in the case of a merger, acquisition, or bankruptcy. Though the concept of data ownership is fraught with equating data to a commodity, retaining ownership of patron data by the library addresses some of the risks, such as patron data being included in the list of company assets during a sale or bankruptcy. Another contract negotiation point is reserving the right to withdraw the library’s data from the company after a sale or bankruptcy. This withdrawal needs to address how the data should be securely transferred and deleted from the vendor’s systems, treating this process as the separation process at the end of a business relationship. Yet another control strategy is requiring explicit and affirmative informed consent from patrons if the vendor wants to include the patrons’ data in the acquisition or merger. The more control the library has over the fate of the data after a company is bought or goes under, the better chances the library has to mitigate privacy risks.

Thanks to the trend toward monopolies in the library marketplace, libraries subscribing to ProQuest or Clarivate products and services have limited options outside of using the contract in controlling data flows and disclosures during a merger or acquisition. When discussed with your legal staff, the contract strategies mentioned earlier can mitigate data privacy risks when the vendor eventually becomes part of a giant conglomerate. Conglomerates (or monopolies) can go beyond the basic user profiles and analytics with more invasive behavioral tracking and analytic practices traditionally absent in libraries. Until there is a critical mass of libraries combining their political capital to push vendors to engage in privacy-preserving data management, individual libraries will need to continue navigating contract languages and “what if” scenarios on a vendor-by-vendor basis.

A Forced Exercise in Risk Management

A mustached adult white man leaning back in his office chair holding a beer. Text overlay "well that escalated quickly"
Image Source: https://knowyourmeme.com/photos/353279-that-escalated-quickly

When we asked readers last week about library discussions around campus or organization mandates requiring COVID-19 vaccinations, we expected that libraries would have time to plan to adjust to the mandate. Responses from last week indicated as such. The consensus was various employee groups meeting and discussing who must be vaccinated and how workplaces can confirm vaccination status.

Then Thursday came around, and the CDC escalated things a tiny bit with their new mask guidelines. And by “a tiny bit,” we mean “blowing away any incremental steps in loosening mask guidelines and went straight to a free-for-all mask honor system.”

Britney Spears grimacing while listening to a contestant on a popular singing competition show.
Yikes.

This sudden decision took many businesses and organizations – libraries included – by surprise. Most planned for a multi-month phased reduction in mask requirements, but here we are. After a year of struggling to get even the most reluctant patrons to mask up in the library, library workers now face several conundrums including dealing with patrons who refuse to follow library mask requirements based on the CDC announcement and libraries required by their parent organization to check for vaccination status for patrons going maskless in the library.

Libraries that can still require masks for everyone regardless of vaccination status can bypass the privacy issues around checking patron vaccination status. The libraries relying on local or state mask mandates to enforce their own can’t rely on them, though, given how quickly some state and local governments are dropping their mask mandates. While the CDC said that only fully vaccinated people can be maskless in most public spaces, the lifting of state and local mask mandates when many places haven’t reached the 50% vaccination mark (such as Washington State at the time of the announcement) turns this privacy issue into a privacy and health issue for both patrons and library workers. What we have is the privacy risks discussed last week now compounded by health risks presented with the new guidelines.

Managing risk is rarely a clear-cut process. Reducing one risk could inadvertently create or increase the chances for another risk. Keeping a detailed access log of who logs into a particular electronic resource through a proxy server can aid in investigations and quicker resolutions to issues around systematic unauthorized content harvesting, but this mitigation comes at the cost of privacy through increased collection and retention of detailed patron data, increasing the risk of improper reuse of this data through the library or third parties (such as creating user profiles for targeted marketing or reselling this data to fourth parties) or through a data breach or leak. Risk management is a process of checks and balances where one needs to consider the consequences of choosing risk management strategies and avoiding a “min-max” outcome with unaddressed risk.

Libraries that want or are now required by their organization to enforce CDC guidelines in their libraries now face the issue of suddenly needing to manage the risks around checking the vaccination status of maskless patrons. The US has not widely adopted a vaccine passport system (which has privacy issues), and fake vaccination cards abound. We listed the issues around contact tracing in libraries in a previous post, and all of those privacy concerns apply to libraries required to check vaccination status. The equitable service issues also apply, but they are compounded by health risks. Library workers who are still waiting to be vaccinated or cannot get vaccinated for medical reasons are stuck in limbo alongside patrons in the same situations.

These risks around privacy, service, and health would have been easier to manage through a gradual phasing out of mask mandates. Unfortunately, we are in the timeline where that isn’t happening. Requiring masks mitigates the privacy and health risks until the local population reaches a vaccination threshold where the health risks are at acceptable levels for both patrons and library workers. Libraries mitigated equitable service risks created by mask requirements by offering free masks to patrons or making alternative service arrangements for patrons who medically cannot wear a facial covering. This sudden turnabout from the CDC makes this strategy more fraught with risk. It creates a new type of service issue in the form of maskless patrons claiming vaccination status, which then creates new privacy and health issues alongside additional service issues for those who do not want to or cannot prove their vaccination status.

Some libraries that can no longer mandate masks for all might go with an honor system and allow patrons to go maskless without proving their vaccination status. That avoids the privacy and ethical risks involved in checking vaccination status but, depending on local population vaccination levels, the policy could increase the health risks to both unvaccinated patrons and library workers. It’s also an equitable service risk for patrons who want to use the physical library but are not fully vaccinated due to medical reasons or are still waiting to start/complete their vaccination schedule.

This is all to say that there’s no good way to address the chaos created by the CDC last Thursday. We’re 14 months into the pandemic, and the pandemic fatigue settling in at the start of the year has grown at a rapid pace. Libraries – like other service and retail industries – are stuck in the middle of this, struggling with a public who are tired, confused, and ready to be done with all of this back and forth with guidelines and restrictions. Any decisions around COVID-19 policies at the library, including masks and vaccination checks, need to balance the privacy, equity, and health risks while acknowledging how that decision will impact library workers’ morale and safety.

Ask The Readers – Academic Libraries and Campus Vaccine Requirements

A black plushie llama wearing a "I got my COVID-19 vaccine!" sticker.
#PrivacyLlama got their shot!

We’re taking it a bit easy this week for a good reason – the designated blog writer just received her second COVID shot. The Executive Assistant isn’t quite ready for the blog writer position just yet, so her writing debut on the blog will have to wait a bit longer.

We have a question for our readers that we would appreciate any help with answering! Many organizations are starting to reopen for in-person services and operations as the US vaccine rollout continues. Several colleges and universities plan to reopen for in-person classes for the fall semester, but on one condition – students, faculty, and staff must be vaccinated for COVID-19. This trend of requiring vaccines to access physical spaces goes beyond academic institutions. Offices, schools, travel companies (and choice destinations), dining, and live event venues are either planning to or currently requiring proof of vaccination as part of their in-person reopening plans. The legality of some of these requirements varies by state, but it’s safe to assume that there will be an area in your life that will have some form of vaccine requirement.

Academic libraries on campuses requiring vaccination are in a unique position. While some campus libraries are restricted to those enrolled or employed at the university, many other campus libraries are open to the public. Details about vaccine requirements for campus visitors are scant, though details might emerge as we get closer to the fall semester. It’s most likely that visitors will be exempt from the requirements, but we want to find out if that is the case from our academic library readers of the blog. We’ve written about the privacy implications of libraries tracking patrons through contact tracing and medical screenings, and it could be that the vaccine requirements might add another data collection point that has privacy implications for a particular patron group.

If you work at an academic library whose campus is requiring vaccinations, we’d like to hear from you. Is your campus library being asked to track campus visitors’ vaccination status under the new vaccine requirements? Public and school libraries, too – is your organization planning similar requirements? Email us at newsletter@ldhconsultingservices.com with your answers, concerns, or questions! We will keep your replies confidential. Depending on the feedback, we will write a follow-up post about what libraries that find themselves required to track patron vaccination status can do to minimize privacy risks.

In the meantime, best of luck with your vaccination journeys, and we’ll catch you next week!

Open Data of Another Kind

Entryway door with the words "OPEN" and "NOW" written in tape on the two steps leading up to the door, respectively.
Photo by Kadir Celep on Unsplash

We sometimes like to say that something happens because of “magic” – in reality, that “magic” is the result of the (invisible) labor of real and unmagical people. To some patrons, this “magic” takes the form of the many programs, resources, and services the library provides daily. It takes the work of people in both the public and back-office spaces of the library. What happens, then, if you take the “magic” created by people and replace it with the “magic” of technology?

Last month the Santa Monica Public Library announced their plans to reopen a branch closed to the public due to staff cuts last year. The branch opening wasn’t made possible by regaining staff positions but instead made possible through a state grant to expand physical services through a suite of self-service technology. This grant uses existing technologies that many libraries use, including self-checkout machines, security cameras, and a controlled entry card swipe/tap or keypad. Combining these technologies to create a self-service library without staff isn’t new, either – for example, several European libraries expanded physical library hours through self-service technologies. The technology behind Santa Monica Library’s branch reopening, Open+, has been piloted in other US libraries such as Gwinnett County Public Library to expand library hours and service sans on-site staff.

This open library model comes with tradeoffs that leave many library workers worried. Library workers and patrons alike raised valid concerns around open libraries replacing staff to save costs. Another tradeoff that some might miss is the increased collection, processing, and retention of data generated from patron use of the physical library. While the individual technologies are not new, the combination of existing technologies to create an open library expands the amount of surveillance and data collection to a level that exponentially exposes patrons to various privacy harms.

We might as well start with the elephant in the room. The use of security cameras in libraries has been contested throughout the years, with libraries trying to balance using cameras for physical library security and patron privacy. ALA created guidelines about security camera use for libraries but the use of cameras in library spaces brings the risk of violating patron privacy throughout each stage of the patron data lifecycle:

  • Collection – where are the cameras located? Are they recording footage of patrons using library resources, such as browsing shelves, computer usage, or other identifiable usages of materials in the library?
  • Storage, retention, and deletion – where is the recorded footage being stored? Is it locally stored in the library? If not, where is that storage? Is it with a vendor, organizational IT, or even local law enforcement? How long are recordings kept? How many copies, including backups, exist, and how long are they kept?
  • Access and disclosure – who has access to the footage? Library workers, the vendor, the parent organization? Can law enforcement access the footage without a court-issued order? What are the policies around disclosing footage?

Depending on the library’s location, some state and local regulations around library privacy can potentially include security camera footage as part of their definition of protected patron data. However, this protection cannot be guaranteed even if the regulations include such footage if the vendor recording and retaining footage is not legally obligated to protect this footage or if the footage is stored and retained by law enforcement.

The use of controlled entry technology brings another privacy risk to patrons in an open library setting. Academic, school, and other special libraries might be familiar with using card swipe or tap machines that control access to physical library spaces. These technologies are uncommon in public libraries, however.[1] These controlled access systems can create logs of patron data: who came into the library at what time. This patron log can potentially put patron privacy at risk through a data breach or misuse through secondary use (the reuse of data collected for another purpose) in the form of learning analytics and marketing campaigns.

Security cameras and controlled entry unto themselves create some privacy risks; nonetheless, these risks can be mitigated if particular care is put into the planning and implementation of each technology. Pairing these technologies with other monitoring technologies creates a profile of a patron’s library use through the combination of data sets. Who is doing the data collecting, storing, and retaining determines the level of risk to patron privacy. That is where libraries considering open library models need to spend considerable time assessing the privacy risks associated with who controls the surveillance technologies used to collect and store patron data. Currently, open library models consist of third-party technologies and services to coordinate all of these technologies. These third parties are not subject to state and local regulations around library data privacy (outside of California and Missouri). Trying to replace one “magic” (people) with another (technology services provided by a third party) doesn’t get rid of cost. Instead, it transfers and transforms it to the point where some library workers might not realize that the open library “magic” comes at the cost of patron privacy.

[1] The use of controlled entry technology in public libraries is also an equity issue concerning which groups of patrons can access the library outside of staffed hours. Who is excluded from the physical library in an open library model, and what are the implications of excluding them?

Beyond Web Cookies: Google’s FLoC

A lone Canadian Goose sits among a flock of ducks sitting in the snow.
You’re about as “anonymous” as the goose in this flock with FLoC.
Image source – https://www.flickr.com/photos/see-through-the-eye-of-g/5480240484/ (CC BY 2.0)

It’s been a while since we last wrote about the many ways companies track users with cookies and beyond. This week we’re coming back to our “Beyond Web Cookies” series with the latest development in site tracking and why your library should consider opting out to protect patron privacy.

(Puns in this post are fully intended.)

Ditching the Cookie for the FLoC

Web cookies come in several flavors, from session and persistent cookies to first- and third-party cookies. A cookie can track your behavior online, across sites, and collect personal information for marketing, advertising, and other purposes. End users can block cookies through various browser settings and plugins, but that blocking can only go so far when websites find alternative ways to track users beyond web cookies, such as privacy-invasive WordPress plugins. Nonetheless, the majority of companies rely on cookies to collect information for marketing and advertising to end-users. When end users block cookies, the company that relies on advertising revenue has limited options in creating targeted marketing.

Enter Google. Early in 2021, Google announced a new ad-tech called the Federated Learning of Cohorts, or FLoC, that claims to be less privacy-invasive than web cookies. This “privacy-first” technology aims to create large groups of people with similar interests based on browsing activity. Advertisers can then target these large groups grouped by topics without the possibility of identifying unique individuals through tracking data. Sounds too good to be true, right?

FLoC’ing Problems

While FLoC promises a privacy-preserving way to continue making money through advertising, the ad-tech does not escape the potential of violating user privacy. The first problem is, well, Google. Google already has many ways to track users outside of Google Analytics through their products and sites that use Google APIs and services. As Shoshana Wodinsky points out, FLoC expands Google’s access to user data in the online advertising world, giving Google almost full unrestricted access to user data used for targeted advertising. Wodinsky points out that FLoC’s grouping of people by topics can lead the system to create groups of people around sensitive, personal topics. That grouping creates potential future harm and discrimination if these groups were part of a data leak or breach. Grouping people by topic will most likely increase predatory targeting, scams, and discrimination practices.

FLoC’s promise of privacy is weakened further by continuing the cross-site tracking behavior we find in web cookies, but with a twist. According to FLoC, the information gathered about a user’s browsing history can be matched up to other trackers that already have personally identifiable information. If a user logs into a site and doesn’t log back out for the duration of their browsing session, this service can potentially take the FLoC information and tie it back to the user account.

Getting the FLoC Out to Protect Patron Privacy

Google recently rolled out a “test” of FLoC to a random group of Chrome users. If you are not sure if you are in this test group, visit EFF’s Am I FLoCed? to check if your Chrome browser has FLoC enabled. Google claims that there will be an opt-out option for Chrome users by April, but it’s late April and there is no sign of the opt-out option. Libraries can help patrons protect their privacy by disabling third-party cookies in the Chrome browser settings on public computers in addition to installing privacy-preserving browser plugins and privacy-preserving browsers such as Brave and Tor.

How can libraries protect patrons from having their activity tracked on library websites and services? Libraries that have some control over their library website can include an opt-out in the HTTP header of the library website. However, this might not be an option for libraries that do not have that level of control over their website or the server that hosts their library website. There are some workarounds to this, such as the FLoC opt-out plugins for WordPress (disclosure – LDH has installed the Disable FLoC plugin to opt-out of the FLoC test).

But what about vendor sites? You can use https://tanck.nl/floc-check/ to find out if a website has opted out of FLoC. Vendor sites that have not opted out of FLoC might not be aware that their website is included in this test. Use this opportunity to talk to your vendor about FLoC and ask how they will protect the privacy of your patrons on their site. This is also an opportunity to check your vendor’s privacy policy and contracts to find if your vendor is collecting patron data for advertising and marketing purposes. Now is the time to renegotiate those terms or start shopping for other vendors that better protect patron privacy if the vendor won’t budge on their use of patron data for advertising.
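The check described above can also be run locally against response headers you have already collected. The following is an added example, not code from the original post or from any of the tools it links to. It assumes the opt-out takes the form of the response header "Permissions-Policy: interest-cohort=()", which the post itself does not name; the host names and header sets are constructed samples.

```python
"""Classify HTTP responses by whether they opt the site out of FLoC.

Assumption (not stated in the post): the opt-out is the response header
    Permissions-Policy: interest-cohort=()
meaning the "interest-cohort" feature has an empty allowlist.
"""

FEATURE = "interest-cohort"


def split_top_level(value, sep=","):
    """Split on sep, ignoring separators inside "quotes" or (inner lists)."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth = max(depth - 1, 0)
        if ch == sep and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_permissions_policy(value):
    """Return {feature: allowlist tokens}; an empty list means 'disabled'."""
    policy = {}
    for member in split_top_level(value):
        name, eq, allowlist = member.partition("=")
        name, allowlist = name.strip().lower(), allowlist.strip()
        if not eq or not name or not allowlist:
            continue  # malformed member: skip it rather than guess
        if allowlist.startswith("(") and allowlist.endswith(")"):
            tokens = allowlist[1:-1].split()   # "()" -> [] -> disabled
        else:
            tokens = [allowlist]               # bare item such as "*" or "self"
        policy[name] = tokens                  # a later duplicate wins
    return policy


def floc_status(headers):
    """Classify one response from its (name, value) header pairs."""
    values = [v for k, v in headers if k.strip().lower() == "permissions-policy"]
    if not values:
        return "no-policy"          # site is included in FLoC by default
    # Repeated header lines are equivalent to one comma-joined value.
    policy = parse_permissions_policy(", ".join(values))
    if FEATURE not in policy:
        return "not-mentioned"      # a policy exists but does not cover FLoC
    return "opted-out" if policy[FEATURE] == [] else "allowed"


# Constructed sample responses (hypothetical hosts, not real measurements).
SAMPLE_RESPONSES = {
    "catalog.example.org": [
        ("Content-Type", "text/html"),
        ("Permissions-Policy", "interest-cohort=()"),
    ],
    "vendor.example.com": [("Content-Type", "text/html")],
    "events.example.org": [
        ("permissions-policy",
         'geolocation=(self "https://maps.example.com"), camera=()'),
    ],
    "discovery.example.net": [
        ("Permissions-Policy", "camera=()"),
        ("Permissions-Policy", "interest-cohort=(), geolocation=(self)"),
    ],
    "ebooks.example.com": [("Permissions-Policy", "interest-cohort=(self)")],
}


def audit(responses):
    """Map each host to its FLoC status."""
    return {host: floc_status(hdrs) for host, hdrs in responses.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_RESPONSES).items():
        print(f"{host:24} {status}")
```

Any status other than "opted-out" means the site is still included by default, which is the case to raise with the vendor or web host.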

In short, FLoC doesn’t really replace cookies. Instead, it adds more personal information – some of it sensitive – into the targeted advertising environment controlled by one company. Because FLoC includes all websites into the FLoC test by default, libraries must take action to protect patron privacy now to ensure that patron data does not end up in the ever-growing collection of and access to user data by Google.

Deception by Design

Author’s note – This post uses “deceptive design” and “deceptive design patterns” instead of “dark patterns.” Read more about this choice in the “dark UX” entry of Intuit’s content design manual.

Take a moment to study the following toggle button for the following privacy setting for “Don’t Not Sell My Personal Information”:

The California Consumer Privacy Act (CCPA) Opt-Out Icon. A long rounded horizontal oval containing a blue checkmark on white on one side, and a white X on blue on the other side.
The official California Consumer Privacy Act (CCPA) opt-out icon. You might have guessed that I have Opinions on this design. You guessed correctly.

Now answer this – are we telling the business not to sell our data or telling them that it’s okay? Which symbol is selected? Is it the blue checkmark with the white background? Or is it the white X with the blue background?

Confusing, isn’t it?

That is just one example of deceptive design patterns. Deceptive design creates confusion, obfuscating options or creating barriers to trick and frustrate users into making decisions that are not in their best interests. These patterns serve many purposes, ranging from making users pay more for services and products to extracting personal information from users. It’s hard for users to protect their privacy when they are not aware that the company or designer uses deceptive patterns to prioritize their benefit over the user’s privacy.

There are many types of deceptive design patterns that users encounter daily. While commercial businesses tend to get the most attention in deceptive design discussions, library products and services also engage in deceptive design patterns. These design choices put patron privacy at risk in several ways, including creating confusion with patrons around their data privacy choices and rights and the additional collection of patron data by both libraries and library vendors.

Let’s take a short tour of deceptive design patterns in practice in libraries:

Did you really turn it off? – Some electronic resource products have a setting that lets patrons “turn off” borrowing history. What patrons might not know, though, is that their borrowing history hasn’t been turned off. It’s just that they can no longer visibly track their history on the app or site. Here’s an example from the OverDrive app:

A privacy setting option in the Overdrive App: "History - Display your borrowing history, with the option to add and remove individual titles. Learn more. [hyperlinked]"
Image screenshot from the OverDrive app.

At first read, patrons might think that not checking this box will tell OverDrive not to track their borrowing history. If patrons don’t click on the “Learn More” link, they most likely won’t know that this option only hides their borrowing history and that their digital reading/listening is still being tracked by the company.

Public by default – Being a library service or product means that the default settings for any new user account would be private, right? Not exactly. Patrons creating user accounts on library websites and services might not be aware that their account is sharing information with the public. For example, despite many libraries’ requests, user accounts in BiblioCore default to publicly sharing patron activity, such as what items are on a patron’s shelves. Some libraries have tried to work around this default through log-in page messages, FAQs, and blog posts informing patrons to change their privacy settings.

Fill in the blank – Find a fill-in box, fill in the box? Library patrons filling out forms for library cards or user accounts might not realize that they do not have to provide all their data to use the library. Library card registrations are a very good example of where libraries collect more patron data than absolutely needed. (Libraries who still collect gender identity data, I’m looking at you.) What data does the application ask from patrons? How many of those data fields are absolutely necessary for creating a library account? Does the application process mark those fields as required, or are there no clear indicators as to which fields are required and which fields are optional?

“Pay” to play – Similar to “fill in the blank”, patrons might not realize that there are ways they can use the library without having to give up more of their data, such as using the classic version of the library catalog over the discovery layer that requires a separate user account. Nonetheless, many vendors, along with some libraries, actively encourage patrons to “pay” with their data if patrons want to make full use of their services or products. How many of your library’s electronic resources or services direct patrons to create user accounts even though an account isn’t required to use the service? Does the website contain clear and accessible messaging to patrons that they can use the resource or service without creating an account or submitting to web tracking?

These are only a selected sample of the deceptive design patterns you can find at your library. Do you have any examples of these deceptive patterns you’ve come across as either a patron or a library worker? Share them with us at newsletter@ldhconsultingservices.com and we’ll do a follow-up post! These examples can help libraries in identifying and resolving deceptive patterns that put patron privacy at risk.

Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense as to how a vendor works with patron data; however, the contract and policy are not telling the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data’s going and how it’s going to be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product that is not targeted toward the library market but still uses patron data in ways that can harm patrons. How can a library figure out if a vendor’s business model doesn’t violate patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli make a call to other libraries to proactively review their relationships with vendors and take measures to encourage vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have encountered in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is).  Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.”  Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession then must have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them, and we owe it to them not to engage in ethics washing of our own.

Cherry Blossom Break

We’re taking some time to appreciate the cherry blossoms this week.

The Space Needle framed by blossoms on the cherry trees on the side of a road.
Image source: https://www.flickr.com/photos/punkjr/416092591/ (CC BY ND 2.0)
Blossoming cherry trees lining the sidewalks on the UW Seattle campus.
Image source: https://www.flickr.com/photos/brianholsclaw/25617194540/ (CC BY ND 2.0)
Cherry blossoms partially covering the street signs for Maiden Lane and Madrona Drive in Seattle
Image source: https://www.flickr.com/photos/joebehr/8607884604/ (CC BY ND 2.0)

Take some time to appreciate the flower blossoms wherever you are – we’ll be back next week with the latest library privacy news and updates.

In the meantime…

Do you have a library privacy question for us? Email us at newsletter@ldhconsultingservices.com with your question or idea and we’ll feature it in a future newsletter. We also welcome guest writers for the newsletter. If you have an idea for a guest post, let us know for a chance to be featured on the blog. We look forward to your questions and ideas!

Cookie Break

LDH is proud to announce that it will now serve cookies to our blog readers! Enjoy your digital cookie without guilt! Just be sure that you don’t leave any crumbs trailing behind you as you munch away while browsing the Web…

… yeah, we thought that was a cheesy* early April Fool’s joke, too.

With April Fool’s Day in a few days, let’s take a moment to appreciate the lighter side of data privacy. Cookies are a perennial privacy humor topic by the very nature of their name, and the infamous cookie banner has become the focus of many privacy humor skits. This skit answers the question of what happens when you hit a cookie wall when you want a cookie recipe:

Do you remember all those “We’ve Updated Our Privacy Policy” emails in May 2018 as GDPR came into enforcement? There’s a meme for that:

There are times where humor can educate users about data privacy, but only when it is done well and within an appropriate context. An example of this comes from The Onion. Another example is the segment from an Adam Ruins Everything episode explaining the cost of using “free” internet services:

[Yes, we are fully aware of the irony of linking to a YouTube video of this segment.]

We can’t forget that humor has a time and place for it to be effective, though. More often than not, humor backfires like Mark Zuckerberg’s joke about Facebook privacy at their developer conference in 2019. Going back to the beginning of this post, cookies are the subject of many privacy jokes because of the nature of the web tracker’s name. It’s an easy joke that doesn’t take much effort to think about, but the lack of thinking through a joke can leave users more frustrated with the person telling it than not. The context of when you use humor matters – cookie popups are already confusing and frustrating to end-users, and a joke in the popup is more likely to backfire than lighten the end user’s mood. And because the web tracker’s name is already confusing to end-users, joking that your staff like chocolate chip cookies in the popup banner doesn’t tell users anything about what the actual web tracker cookie does.

In short, humor has its place in communicating important privacy topics when done thoughtfully and within an appropriate context. Your privacy notice and cookie banners are not places for humor, but instead places where you need to be clear about your privacy practices and what the user can do to protect their privacy. This doesn’t mean that all data privacy jokes are off-limits. You can still serve cookies (accommodating for dietary considerations!) in the library staff area to start a discussion or awareness program about web tracking – but be mindful of your audience and the context of data privacy humor when attempting to add some levity to end-user communications.

* Cheesy cookies are a thing and are as delicious as their sweet counterparts.