Deception by Design

Author’s note – This post uses “deceptive design” and “deceptive design patterns” instead of “dark patterns.” Read more about this choice in the “dark UX” entry of Intuit’s content design manual.

Take a moment to study the following toggle button for the following privacy setting for “Don’t Not Sell My Personal Information”:

The California Consumer Privacy Act (CCPA) Opt-Out Icon. A long rounded horizontal oval containing a blue checkmark on white on one side, and a white X on blue on the other side.
The official California Consumer Privacy Act (CCPA) opt-out icon. You might have guessed that I have Opinions on this design. You guessed correctly.

Now answer this – are we telling the business not to sell our data or telling them that it’s okay? Which symbol is selected? Is it the blue checkmark with the white background? Or is it the white X with the blue background?

Confusing, isn’t it?

That is just one example of deceptive design patterns. Deceptive design creates confusion, obfuscating options or creating barriers to trick and frustrate users into making decisions that are not in their best interests. These patterns serve many purposes, ranging from making users pay more for services and products to extract personal information from users. It’s hard for users to protect their privacy when they are not aware that the company or designer uses deceptive patterns to prioritize their benefit over the user’s privacy.

There are many types of deceptive design patterns that users encounter daily. While commercial businesses tend to get the most attention in deceptive design discussions, library products and services also engage in deceptive design patterns. These design choices put patron privacy at risk in several ways, including creating confusion with patrons around their data privacy choices and rights and the additional collection of patron data by both libraries and library vendors.

Let’s take a short tour of deceptive design patterns in practice in libraries:

Did you really turn it off? – Some electronic resource products have a setting that lets patrons “turn off” borrowing history. What patrons might not know, though, is that their borrowing history hasn’t turned off.  It’s just that they can no longer visibly track their history on the app or site. Here’s an example from the OverDrive app:

A privacy setting option in the Overdrive App: "History - Display your borrowing history, with the option to add and remove individual titles. Learn more. [hyperlinked]"
Image screenshot from the OverDrive app.

At first read, patrons might think that not checking this box will tell OverDrive not to track their borrowing history. If patrons don’t click on the “Learn More” link, they most likely won’t know that this option only hides their borrowing history and that their digital reading/listening is still being tracked by the company.

Public by default – Being a library service or product means that the default settings for any new user account would be private, right? Not exactly. Patrons creating user accounts on library websites and services might not be aware that their account is sharing information with the public. For example, despite many libraries’ requests, user accounts in BiblioCore default to publicly sharing patron activity, such as what items are on a patron’s shelves. Some libraries have tried to work around this default through log-in page messages, FAQs, and blog posts informing patrons to change their privacy settings.

Fill in the blank – Find a fill-in box, fill in the box? Library patrons filling out forms for library cards or user accounts might not realize that they do not have to provide all their data to use the library. Library card registrations are a very good example of where libraries collect more patron data than absolutely needed. (Libraries who still collect gender identity data, I’m looking at you.) What data does the application ask from patrons? How many of those data fields are absolutely necessary for creating a library account? Does the application process mark those fields as required, or are there no clear indicators as to which fields are required and which fields are optional?

“Pay” to play – Similar to “fill in the blank”, patrons might not realize that there are ways they can use the library without having to give up more of their data, such as using the classic version of the library catalog over the discovery layer that requires a separate user account. Nonetheless, many vendors, along with some libraries, actively encourage patrons to “pay” with their data if patrons want to make full use of their services or products. How many of your library’s electronic resources or services direct patrons to create user accounts even though an account isn’t required to use the service? Does the website contain clear and accessible messaging to patrons that they can use the resource or service without creating an account or submitting to web tracking?

These are only a selected sample of the deceptive design patterns you can find at your library. Do you have any examples of these deceptive patterns you’ve come across as either a patron or a library worker? Share them with us at newsletter@ldhconsultingservices.com and we’ll do a follow-up post! These examples can help libraries in identifying and resolving deceptive patterns that put patron privacy at risk.

Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense as to how a vendor works with patron data; however, the contract and policy are not telling the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data’s going and how it’s going to be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product not targeted toward the library market but still uses patron data in ways in which can harm patrons. How can a library figure out if a vendor’s business model doesn’t violate patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli make a call to other libraries to proactively review their relationships with vendors and taking measures in encouraging vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have encountered in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is).  Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.”  Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession then must have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them and not engage in ethics washing of our own.

Cherry Blossom Break

We’re taking some time to appreciate the cherry blossoms this week.

The Space Needle framed by blossoms on the cherry trees on the side of a road.
Image source: https://www.flickr.com/photos/punkjr/416092591/ (CC BY ND 2.0)
Blossoming cherry trees lining the sidewalks on the UW Seattle campus.
Image source: https://www.flickr.com/photos/brianholsclaw/25617194540/ (CC BY ND 2.0
Cherry blossoms partially covering the street signs for Maiden Lane and Madrona Drive in Seattle
Image source: https://www.flickr.com/photos/joebehr/8607884604/ (CC BY ND 2.0)

Take some time to appreciate the flower blossoms wherever you are – we’ll be back next week with the latest library privacy news and updates.

In the meantime…

Do you have a library privacy question for us? Email us at newsletter@ldhconsultingservices.com with your question or idea and we’ll feature it in a future newsletter. We also welcome guest writers for the newsletter. If you have an idea for a guest post, let us know for a chance to be featured on the blog. We look forward to your questions and ideas!

Cookie Break

LDH is proud to announce that it will now serve cookies to our blog readers! Enjoy your digital cookie without guilt! Just be sure that you don’t leave any crumbs trailing behind you as you munch away while browsing the Web…

… yeah, we thought that was a cheesy* early April Fool’s joke, too.

With April Fool’s Day in a few days, let’s take a moment to appreciate the lighter side of data privacy. Cookies are a perennial privacy humor topic by the very nature of its name, and the infamous cookie banner has become the focus of many privacy humor skits. This skit answers the question of what happens when you hit a cookie wall when you want a cookie recipe:

Do you remember all those “We’ve Updated Our Privacy Policy” emails in May 2018 as GDPR came into enforcement? There’s a meme for that:

There are times where humor can educate users about data privacy, but only when it is done well and within an appropriate context. An example of this comes from The Onion. Another example is the segment from an Adam Ruins Everything episode explaining the cost of using “free” internet services:

[Yes, we are fully aware of the irony of linking to a YouTube video of this segment.]

We can’t forget that humor has a time and place for it to be effective, though. More often than not, humor backfires like Mark Zuckerberg’s joke about Facebook privacy at their developer conference in 2019. Going back to the beginning of this post, cookies are the subject of many privacy jokes because of the nature of the web tracker’s name. It’s an easy joke that doesn’t take much effort to think about, but the lack of thinking through a joke can leave users more frustrated with the person telling it than not. The context of when you use humor matters – cookie popups are already confusing and frustrating to end-users, and a joke in the popup is more likely to backfire than lighten the end user’s mood. And because the web tracker’s name is already confusing to end-users, joking that your staff like chocolate chip cookies in the popup banner doesn’t tell users anything about what the actual web tracker cookie does.

In short, humor has its place in communicating important privacy topics when done thoughtfully and within an appropriate context. Your privacy notice and cookie banners are not places for humor, but instead places where you need to be clear about your privacy practices and what the user can do to protect their privacy. This doesn’t mean that all data privacy jokes are off-limits. You can still serve cookies (accommodating for dietary considerations!) in the library staff area to start a discussion or awareness program about web tracking – but be mindful of your audience and the context of data privacy humor when attempting to add some levity to end-user communications.

* Cheesy cookies are a thing and are as delicious as their sweet counterparts.

#DataSpringCleaning 2021 – Email and Patron Data

A white and brown short-haired dog places their right front paw on top of a open laptop keyboard. The laptop screen shows a blurred Gmail inbox window.
Image source: https://www.flickr.com/photos/karenbaijens/16241866468/ (CC BY 2.0)

Welcome to the first week of Spring in the Northern Hemisphere! This month marks one year of working from home for some library workers and the hybrid remote/onsite work limbo for others. In both cases, this anniversary also marks a year’s worth of patron data collected and stored all over the place due to the abrupt switch to remote work and virtual services. It’s safe to say that many disaster or business continuity plans didn’t plan for a pandemic, and the resulting scramble to virtual or reduced physical services/work created new or exacerbated existing data privacy gaps. Last year’s #DataSpringCleaning focused on setting up the home office to address a common privacy problem – the over-retention of patron data. Check out the post and the companion workshop materials about protecting patron privacy while working from home if you haven’t already done so.

This year’s #DataSpringCleaning project is ambitious as it is daunting. This year is the Sisyphean project of data cleanup projects – no matter how many times we try and fail, we keep coming back to this one project in hopes of finally completing it. Let us go back once more into the breach, friends. It’s time to scrub our work email.

Email as Major Privacy Risk to Patron Privacy

While many library workers are aware that their emails can contain patron data, they might not be aware of how much patron data is stored in their accounts. Personally identifiable information, or PII, includes data about a patron as well as data of a patron’s activity. The former can be easy to identify and easy to email without much thought about the privacy risk of doing so:

  • Name
  • Physical and email addresses
  • Birthdate or age
  • Patron record number
  • Username and password

A patron’s activities, on the other hand, can be harder to identify once you factor in the types of emails a library worker can receive or send in any given day:

  • Help desk ticket threads
  • Reference form or chat tickets or transcripts
  • Direct email from patrons
  • System or application reports or alerts
  • Vendor service desk tickets or reports

This list is just a small selection of the types of emails that can contain data around a patron’s activities such as:

  • Reference questions
  • Search and circulation histories
  • IP addresses
  • Electronic resource authentication and access history
  • Library computer and wifi logs and activity

And that’s just the start of how much patron data is in staff emails!

The ease of storing and sharing data through email makes it difficult to control data sharing and retention once the data hits the email system. The risk to patron privacy compounds once the email containing patron data leaves the library’s email system and into a third-party email account, be it a vendor or even a personal email account. Another risk for many libraries is that staff emails are subject to public disclosure requests. Several state and local regulations protect patron record data from disclosure, but in some cases, this protection might not extend to patron data in staff email. If your library’s emails can be publicly requested, don’t assume that you’ll get a chance to redact patron data before the emails are released to the public.

Starting the Long Journey of Protecting Patron Privacy in Staff Email

Scrubbing patron data from library email is a Sisyphean task. You can tell patrons not to email PII only to have patrons send over their logins for the financial website they can’t log into on a public computer. You can tell staff not to store patron data in work email, only to have staff use email as their primary knowledgebase for reference chat questions and answers. However, you have more control over how staff uses library email than you do patrons – this is where we start our scrubbing journey.

We’ll break this journey into two parts: the short and long term. The following are some actions workers and organizations can take in mitigating patron privacy risk in library emails:

Short term (individual) actions

  • First, get familiar with your email system’s filter and search capabilities! These will make the deletion process less painful.
  • Find and delete system-generated emails that contain patron data. These can be found through searching by a shared email address or subject line.
  • Search for emails with attachments and delete attachments if they contain patron data
  • Before deleting the email, migrate patron data that absolutely must be retained for a demonstrated operational need from email to a secured storage area designated by work (if one is available)
  • Create email rules to automatically delete incoming system-generated emails containing patron data
  • Learn how to use the ticketing system or other help desk or information desk systems as the primary mode of communication with other library staff about tickets and other

Long term (organizational) actions

  • Create policies and procedures around restricting the use of staff email to transmit or store certain types of patron data based on data classification level and/or privacy risk
  • Create secured data/file transfer options for sharing patron data, particularly between staff and authorized third parties
  • Set up applications and systems to not include patron data in system-generated reports and emails
  • Set up retention policies in email systems to automatically delete email  based on organizational retention schedules or retention schedules set by legal regulation
  • Create procedures or processes to use the ticketing system or other help desk or information desk systems as the primary mode of communication between staff as well as between staff and patrons
  • Create secured storage outside of staff email for patron data that absolutely must be retained for a demonstrated operational need, and create retention schedules for the data retained in storage

The short-term actions can take a while with manual reviewing of attachments and individual emails. But, with the magic of search and filter options, you can quickly eliminate a good portion of privacy risks by deleting the archive of system-generated emails. The long-term actions require a team effort in the organization, from administration drafting policies to IT creating automatic retention policies and secured storage and transmission options.

None of us want to spend more time dealing with email than we have to, and trying to keep up with the current email inbox count is near impossible as it is. Nonetheless, we need to keep in mind that work email can put patron privacy at risk, and we must address that risk as part of our library duties. It’s a #DataSpringCleaning project that never ends, but as long as we have email, there will always be the need to clean our inboxes to protect patron privacy.

Librarians as Information Fiduciaries? Part Two

People sitting at tables and working at the Rose Main Reading Room of the NYPL. A blur/color filter has been applied to the photo.
Image source: https://www.flickr.com/photos/smoovey/3788235219/ (CC BY ND 2.0)

Welcome back to our series on information fiduciaries and libraries! We introduced the concept of information fiduciaries in Part One. In this series entry, we will focus on libraries as possible information fiduciaries.

A Question of Interest

Jack M. Belkin, who popularized the information fiduciary concept in 2014, expanded the traditionary fiduciary concept to a trusted party managing personal data on behalf of another. In the context of the library, what would be considered the best interest of the person? In the 10th edition of the Intellectual Freedom Manual, we have one possible interpretation of “best interest” in the way of privacy and confidentiality:

“In brief, libraries and library workers must act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.”

On the surface, this appears straightforward enough. However, how a library defines “misuse or exploit” leads to a question about how libraries interpret “best interest” in the fiduciary relationship. Some organizations might interpret “best interest” in ways that others would consider exploitative. Such is the case with academic institutions and learning analytics as described in “A matter of trust: Higher education institutions as information fiduciaries in an age of educational data mining and learning analytics.” Jones, Rubel, and LeClere describe how current learning analytics initiatives violate not only student privacy but also student trust in the institution. At the same time, the institution is acting in the perceived best interest of both students and the institution.

Like academic institutions, libraries are under immense pressure to engage in data practices at the expense of patron privacy. A key component of fiduciary relationships is acting in the best interest of the represented person. While it might be in the best interest for libraries to extensively collect patron data for operations, marketing, and analysis, this level of collection and data processing would violate the best interest of their patrons’ privacy. Libraries committing to an information fiduciary relationship with their patrons must scrutinize their data privacy practices and recalibrate these practices to center on patron privacy interests.

A Question of Ownership

It becomes clear while evaluating practices and interests that the relationship between libraries, patrons, and third parties complicates matters not only in competing best interests but also in matters of data ownership. Personal data is collected in several ways. Sometimes the data collection is direct – an example is when a patron gives the library personal data to obtain a library card. Other times libraries collect personal data generated from a patron’s library resources and services use, even though the patron might not be aware of this data generation and collection. Patrons also directly give personal data to vendors when signing up for accounts and generate data when they use vendor services and resources, possibly unaware of such generation and collection happening on the vendor’s end. On top of all of this, libraries directly give vendors patron personal data. So, who owns what data?

Another component of a fiduciary relationship is the concept of management of valuable assets, particularly in sensitive matters. As demonstrated in the previous paragraph, data ownership can easily be contested if there is no clear sense as to who owns what data. Libraries can (and should!) use vendor contracts to state that the library and its patrons own the data collected by the vendor, defining some clearer ownership roles. Once again, however, technology and data practices can throw this clarity back to uncertainty, particularly with data aggregation and analytics practices by vendors and fourth parties, sometimes in the interests of the customers (libraries and patrons) and sometimes in the interest of the vendor which conflict with patron/library interests. As Jones, Thomson, and Arnold argue in “Questions of Data Ownership on Campus,” adopting an information fiduciary role can help navigate the issue of determining who owns what through focusing on shared ownership and asset management in the best interest of the patron. Even when libraries and third parties claim ownership over patron data collected through patron use of resources and services, any collection or processing of this data must center around the patrons’ best interests with regards to patron privacy.

We would be amiss, though, if we didn’t address a potential issue of treating data as an asset, even in a fiduciary role. In Kerry and Morris Jr.’s “Why data ownership is the wrong approach to protecting privacy,” commodifying data provides little protection for user privacy. Treating data as property reinforces current practices of placing market interests over individual interests. Placing the onus of data privacy management on the individual when there’s evidence that notice and consent currently fail to protect data privacy. Instead of focusing primarily on data ownership and transactional relationships, Kerry and Morris Jr. argue for federal regulation that falls in line with information fiduciary’s emphasis on acting in the interest of the individual. Nonetheless, the concept of data as property or an asset for individuals to manage and organizations to commodify has socioeconomic implications, including perpetuating harms created by the privacy violations embedded in societal systems and institutions, including the library.

Personal Data as a Collection…

We’ve only started to explore the concept of libraries as information fiduciaries. The last two posts focused on personal data collected and generated through a patron’s library use. What happens, then, when personal data is *part* of a collection? This often happens in special collections, archives, and institutional repositories that collect research data, to name a few places. What type of information fiduciary relationship exists between the people in the collection and the library or archive that hosts that collection, if any? Stay tuned for the next installment of the series!

Welcome To The Club, Virginia: The Consumer Data Protection Act

A white roadside billboard with the text "Virginia Welcomes You". An illustration of a cardinal sitting on a tree branch with two white flowers at the branches' ends separates the words Virginia and the rest of the billboard message.
Image source: https://www.flickr.com/photos/cgpgrey/4891418085/ (CC-BY 2.0), http://www.cgpgrey.com/

Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences that will cause some possible confusion for library vendors who fall under the scope of the new law.

What Virginia Libraries Need to Know About CDPA Right Now

Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.

First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.

CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor in that the vendor collects and processes data on their behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.

Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?

Data rights – The new law grants the rights to access, correct, and delete their personal data with a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.

Opt-out vs opt-in rights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.

Here’s where more confusion might set in – CDPA requires consumers to opt-inbefore their sensitive data is processed. Sensitive data in CDPA include race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in of collecting personal data from 13- to 16-year-olds, so both laws are coming at collecting and processing minors’ data in very different ways.

Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.

A Heads Up to Libraries Outside of Virginia and California

While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.

Related CDPA Resources and Commentary

Libraries as Information Fiduciaries? Part One

A adult black woman leans against a glass wall of a server room holding an open laptop.
Image source: https://www.flickr.com/photos/wocintechchat/25926827581/ (CC BY 2.0)

The Resolution on the Misuse of Behavioral Data Surveillance in Libraries, recently passed at ALA Midwinter, calls for libraries and vendors to reject behavioral data surveillance of patrons. While we are familiar with the concept of data surveillance, the last item in the resolution contains something that some in the library world are not as familiar with – information fiduciaries. This concept also appears in the recently published 10th edition of the Intellectual Freedom Manual. There’s a likely chance that “libraries as information fiduciaries” will continue to gain ground in the professional discourse around library privacy, so let’s take some time to explore this concept.

Information Fiduciaries Basics

The fiduciary concept is centuries old. Typically, a fiduciary is a person(s) who is entrusted with a valuable asset from another person(s). You might have come across the fiduciary term when dealing with finances – for example, a financial advisor might be considered a fiduciary for a client. A fiduciary relationship is built on trust. The fiduciary is trusted to act in the interest of the party that trusts them enough to manage valuable assets or represent them in sensitive matters.

The concept of information fiduciaries, popularized by Jack M. Balkin in his 2014 blog post about the concept, took the fiduciary concept of managing assets and expanded the assets definition to include information about a person. This expansion would then charge the fiduciary to manage the person’s information with the person’s interests. In Balkin’s post, the expansion to information assets would call on fiduciaries to practice a higher level of information privacy, including not using or disclosing personal information against the user’s interests.

If this seems similar to the legal concept of “duty of care,” it should be! Duty of care is a legal concept that can be a part of fiduciary duties. The fiduciary is required to act in an informed and responsible way that will not harm others in the relationship. In the case of information fiduciaries, the fiduciary duty of care would be on the company that collects the user’s data; therefore, the company would need to put the user’s interests ahead of their interest.

Too Little, Too Late?

Nonetheless, the information fiduciary concept isn’t without its critics. David E. Pozen and Lina M. Khan argue that the concept cannot reconcile the business models of social media companies who rely on using personal data with the interests of the person to sustain the company’s business model. Pozen and Khan point out the tension between the already existing financial fiduciary relationship with shareholders (that rely on the business model) and the proposed information fiduciary relationship with users. Even Balkin admits that behavioral advertising, which exploits personal information for business gain, might continue after a company takes on an information fiduciary role. In a sense, applying an information fiduciary model to existing digital company business models is trying to close the barn door after the horses escaped – you’re asking a company who has built their revenue model on exploiting user information to give up their revenue stream. Having a company become an information fiduciary after the fact isn’t going to resolve them to move away from personal information abuse.

There are other critiques of the information fiduciary concept to consider. While the Electronic Freedom Frontier generally supports information fiduciary regulations, they recognize that the concept has several limitations including governance of third-party data relationships with other third-parties, limitations around restricting the collection of user data, and the uncertainty of how the recently created concept of information fiduciary would work in practice concerning legal enforcement of any fiduciary regulations. EFF argues that information fiduciary must not replace other data privacy regulations and practices. Information fiduciaries are not comprehensive in protecting user privacy and must be approached as such.

What About Libraries?

The information fiduciary is still relatively new, but there have already been calls from the library world to adopt the fiduciary role in patron data management. We will explore some of these calls, as well as how information fiduciary might look like at the library, in part two in the coming weeks!

LastPass and Clubhouse and Virginia, Oh My!

A grey tabby cat curled up and sleeping between newspaper sheets.
It’s hard to get started on a Monday morning… image source: https://www.flickr.com/photos/cyawan/2325855567/ (CC BY 2.0)

A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.

LastPass Free Tier Woes

The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager.  For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.

If you have a LastPass free tier account and don’t want these restrictions, your options are limited:

  • If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager and instead unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
  • You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXP is another free option for the more technically-inclined who can self-host their password manager.

You can read more about the basics of password managers in our Obligatory Password Manager post from April 2020.

Clubhouse Is Not Your Library’s New Social Media App

So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.

Let us stop you right there.

In addition to being exclusive to iOS, being inaccessible, and being a free-for-all for harassment, Clubhouse’s privacy practices are almost non-existent. Literally – the privacy policy did disappear for a while! Nonetheless, the privacy policy is up, and it’s one of the more invasive privacy policies that should make you pause before using the product for any library program, service, or process. We’ve rounded up several articles that describe these invasive data privacy practices in detail:

Some folks will say that other social media companies engage in some of the same practices. However, the overall poor quality and construction of the privacy policy combined with privacy practices that violate several privacy laws in the US and the EU,  the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.

Virginia Getting a New Data Privacy Law?

Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?

  • The bill provides similar data rights as California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access and deletion of personal data, as well as the right to opt-out of businesses selling their data.
  • The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.

Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catchup. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.

LDH in The News

LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!

Canaries and Reports – Transparency at The Library

A puffy canary sitting on a small tree branch.
Image Source: https://www.flickr.com/photos/starr-environmental/24899952889/ (CC BY 2.0)

Snow has come to Seattle and with it comes the covered evergreen trees, cars slipping and sliding on the many hills, and skiing down major roadways. The shift to remote work, schooling, and services has morphed traditional snow days into “work at home if the snow hasn’t knocked out power” days. We talked about protecting patron privacy while working from home or traveling in previous posts, but we haven’t covered much around possible changes to communicating to patrons about library privacy. Now that the dust (snow) has settled, there’s one aspect of shifting to virtual library operations that needs some attention – transparency around law enforcement requests for library data.

The Canary in The Library

This year marks the 20th anniversary of the passing of the USA PATRIOT Act. While this bill passed almost unanimously through Congress, public outcry over the bill’s erosion of privacy rights was strong throughout the bill’s lifespan and the bill’s successor, the USA Freedom Act. Libraries did not escape the PATRIOT Act’s reach, with Section 215 of the Act allowing for warrantless searches for “tangible things” which the section listed “books, records, papers, documents, and other items” as some of these tangible things. ALA and many US libraries voiced their concerns about the Act’s threat to patron privacy, and many libraries changed policies and procedures to reduce the amount of patron data retained that could be seized under the Act.

There was another part of the Act that changed how libraries communicated to patrons about their privacy. The PATRIOT Act allowed gag orders to be attached to National Security Letters, preventing library workers from disclosing that they received an NSL. An example of such a gag order was the lawsuit brought forward by the Connecticut Four, successfully challenging the validity of the gag order of receiving an NSL for records identifying patrons who used library computers.

The prospect of a gag order led libraries to explore ways to notify patrons about receiving an NSL without violating the gag order that came with it. One way to get around the gag order was a warrant canary. You might have seen some warrant canary signs designed by Jessamyn West posted in various libraries, including this one:

The FBI has not been here

(watch very closely for the removal of this sign)

The canaries popped up at libraries throughout the years, and the public took notice, making warrant canaries one of many ways that libraries communicated about patron privacy.

Shifting to Digital Canaries and Transparency Reports

While libraries have incorporated digital resources and services in library operations for decades, the rapid shift to virtual operations and services due to the pandemic raises some questions about library-patron communications. Physical types of communications such as signs, handouts, and pamphlets have limited reach with reduced physical services and hours. For libraries that use warrant canary signs, this restriction of in-building services limits the signs’ effectiveness. An option to work around this limitation is a digital version of the warrant canary on the library website, either as a separate page or as part of the library’s privacy notice page.

However, warrant canaries are specific to one type of government request for patron data. Tech companies such as Google, Apple, and Microsoft have started publishing transparency reports, providing a more comprehensive listing of the number and type of governmental request for user data. These reports can provide the number of requests that were fulfilled by the company as well as how many were not. Like any other public report, the data published in the report should be aggregated to reduce the risk of reidentification, the level of which depends on the size of the data set and the number of unique data points included in the set. Transparency reports can also be a place where libraries can reiterate their commitment to patron privacy, including how law enforcement request policies and procedures protect patron data.

Digital canaries and transparency reports provide greater reach in virtually communicating with patrons while in-person services are reduced due to the pandemic. Nonetheless, these communication tools will still be effective once restrictions on in-person services are lifted. Not only do they provide patrons information around governmental requests for library data, but they also serve as a way for libraries to hold themselves accountable in ensuring that patron data is not unnecessarily disclosed outside of regulation and policies.