Many library services are provided by third parties. Let's talk about how we can better protect patron privacy while working with vendors

 

Transcript

Davis: Hi Erin! When I first got to know you, you were working on advocating for library patrons privacy and accessing services provided by LinkedIn Learning. I think your efforts there were heroic, and I think our audience would love to know more.

Erin: Yeah, thank you, Davis. That was a crazy experience and in the summer of 2019, I discovered that libraries who are using Lynda were being transitioned over to LinkedIn Learning and, as part of this transition, users would be forced to create a public social media profile to use a service that libraries were paying for. And one of our values, and the law in many places, is that a patrons use the library should remain confidential. Forcing a user to create a public social media profile did not align with our core values, and also forcing a library patron to create a public social media profile when the library is also already paying for the product is not — you know, we shouldn’t be paying for something and then allowing that social media company to gain money more money or more revenue off of this public social media profile that they could advertise to as well.

One of our values, and the law in many places, is that a patrons use the library should remain confidential.

Well, I contacted a LinkedIn rep about this and, being in the Bay Area, I was able to meet with them directly in the headquarters in San Francisco. It was there that I was told that libraries were not a financial benefit to LinkedIn and so they wouldn’t be putting in a lot of time and resources to make the platform such that people could just use their library card to gain access. They told me that they felt they were acting in the “spirit” of our code of ethics. I explained that we wanted our vendors to follow our code not “act in the spirit of it.” I can’t say that I’ve ever felt more uncomfortable or talked down to before. I’ve worked with a lot of major tech companies during my time when I was with San Jose Public Library, and I honestly have never experienced anything quite like that. I left the meeting and I started organizing.

I reached out to everyone I knew, including all my contacts at ALA, to really condemn the practice that LinkedIn was implementing. I got libraries across the country to sign up to boycott the service. We even had our State Librarian in California issue a statement against the change. We were making a lot of noise, but LinkedIn continued to say this just isn’t possible. However, that apparently was not true, because by March of 2020, LinkedIn reversed its decision. It would no longer require the social media profile to access LinkedIn Learning.

I personally deleted my LinkedIn profile, just because I really don’t — I just lost all kind of respect for the process in that, but I think it goes to show that, collectively, we really can make changes happen, even with an organization as big as Microsoft, who owns LinkedIn.

Davis: We know that LinkedIn Learning is but one organization in a vast sea of third-party vendors who sell access to information to libraries. I know this is a huge question, but what’s the landscape like for privacy rights in third party vendors overall?

Erin: Yeah, you know, it’s really a mixed bag out there. Most library vendors who handle user data will be GDPR compliant. At the same time, there’s a lot of poor privacy practices, and a ton of surveillance happening, especially in school and academic libraries. And one thing that we haven’t seemed to be able to get across to most libraries is that surveilling our users without their consent is wrong, even if we’re the “good guys.”

What we’re now seeing is a lot of tools that were designed for the world of capitalism. They were designed to sell people things, and they’re being used by libraries. They’re being, you know, configured to be a library product. This includes customer relationship management tools that segment people into user groups by some kind of algorithm that determines what type of marketing the library should send to them. And I think even more insidious is when the library combines their own ILS data with Consumer Credit Data from companies like Experian. This is libraries directly paying into and supporting surveillance capitalism, and it is not the business that we should be in.

Don’t accept bad terms. If you see something that you think is violating user privacy, say something.

What we’re also seeing is libraries asking for products that violate privacy and the vendors providing it, although sometimes the vendors have to tell the libraries “that’s against the law” or “that’s a violation of privacy.” So there’s education to be done on both sides here. But there is a misalignment oftentimes with our practices and the stated values and ethics in order to try to align ourselves.

We’re actually in the process of starting a Library and Vendor Privacy Community of Practice, and our hope is to create trust and open dialogue between library workers and vendors, so that we can actually make movements to change these practices. And we’ve seen this happen on a small scale, at least with vendors who have come to work with the ALA’s Privacy Subcommittee directly.

Davis: Licensing with outside vendors is typically done by at best a small group of folks within the library. What can library staff do to advocate for better protections for user data, given everything that you’ve just said? How do we work alongside vendors to improve data privacy protections?

Erin: So we’ve actually just created a set of Privacy Field Guides that can help library workers in upholding their commitment to user privacy and there are a few guides in particular that I think will help library workers with vendors. The first is the Privacy Policies Guide, and this will walk you through commonly used phrases, it’ll highlight red flags and vendor privacy policies, and I should mention all of those red flags that you see in that guide are from library vendors. This tool is to help you understand how a vendor handles user data. You can then use our How to Talk About Privacy Guide to advocate for changes.

So if you’re not the one responsible for negotiating contracts, that’s okay. Go find out who is have a conversation with them. Our vendors and privacy guide will then give concrete tools to help in the selection and purchasing process. I think above all else is: don’t accept bad terms. If you see something that you think is violating user privacy, say something. And this is especially true for our larger libraries. So libraries with more resources have the ability to get vendors to change their products which benefits all libraries. United we are powerful.

People are often okay sharing their data, if it’s being gathered by a trusted source and get a choice in what data is used and how. So we need to be gathering real, informed consent.

Davis: Knowing that outside vendors often collect more data about users than libraries might otherwise wish, what can library workers do to inform patrons? What sorts of tips might they share with their users to let them know that library rules around data collection don’t necessarily apply to databases and other frequently used services?

Erin: Well, I think the first thing is to make sure that your library has an easily discoverable privacy policy. That Privacy Policy Field Guide I was talking about will walk you through writing one if your library doesn’t have a policy, or if it has one that hasn’t been updated in a while it needs to be revisited. So this policy should explicitly state that privacy policies of vendors are different from the libraries. If possible, you can link to where they can find the most current vendor privacy policy, or provide other tools that teach our patrons how to read privacy policies, how to understand what their rights are within these other vendors.

I do think, more than anything, you can actually inform people when you’re assisting them in the library. So are you talking to someone about checking out e-books from OverDrive? That’s a great time to talk about OverDrive’s privacy policy. Let them know that they store all of their browsing history even after they returned a book, so it’s not like when they use a library and check out a physical item. And if they’re using a Kindle, Amazon is also going to get the information on what book they checked out and then they use that to advertise to them.

Davis: Is there anything that I’ve missed in this conversation about libraries and third-party providers and privacy? What else would you like our viewers to know?

Erin: You know, I hear from a lot of our vendors that it’s the libraries that are asking for these privacy violating products, and they’re trying to meet that demand. And sometimes they have libraries telling them that they’re asking for something that’s illegal or unethical. So we as library workers also have to stand up for privacy.

People are often okay sharing their data, if it’s being gathered by a trusted source and get a choice in what data is used and how. So we need to be gathering real, informed consent and right now, especially with the analytics products out there, we’re not doing that and we’re failing our users.

Davis: Thank you so much, Erin, for all your Insight on this important topic.

Erin: Thank you.

Here's what you should know about the history of libraries and privacy

 

Transcript

Davis: Hello, everybody. Welcome along to the fifth and final series from New York City Digital Safety. I’m Davis Erin Anderson, your host for this series. This time around, we’ll be talking specifically about libraries and patron privacy. I’ve asked my friend Erin Berman, who you may remember from series one back to talk about all things library privacy. Hello, Erin!

Erin: Hi Davis!

Davis: Erin, since we last spoke, I’ve had quite the adventure. Together with experts in data privacy and information security, we filmed more than a dozen episodes on topics like why ads follow us around the internet, what to do about all the spam text messages and emails we receive, and all the steps we might consider taking in order to better protect our data. In this series I’d love to talk with you about why libraries have such a strong role to play in this discussion. So can you share with us your elevator speech on why privacy matters in the context of library services?

The possibility of surveillance, whether direct or through access to records of speech research and exploration actually undermines a democratic society.

Erin: Sure thing. Now, privacy is essential to the exercise of free speech, free thought, and free association. And we know that when people are surveilled, their behavior changes. The possibility of surveillance, whether direct or through access to records of speech research and exploration actually undermines a democratic society, and we are living through a moment in history when the preservation of democratic ideals is actually under attack from various fronts. So preserving a place where people have free private access to ideas and knowledge, where they will not be judged by others, is critical to upholding our democracy.

Davis: I think that in order to understand our stance on things, it’s helpful to have a bit of background, so I’m wondering if you can share a brief history of privacy in libraries. Why is it one of our core values? And when did it get this way?

Erin: Yeah, some of the first mentions about privacy and confidentiality in libraries comes from public librarian Arthur Bostwick, who gave speeches in 1909 and 1911 addressing concerns for the use of patron information by outside organizations. He said “except in obedience to a order of the court, it is not only unjust but entirely inexpedient from the library’s standpoint to betray to anyone a user’s whereabouts against that user’s wishes, or even where there is a mere possibility of his objection.”

So we’ve been talking about this for a long time as a profession, but privacy still wasn’t a universally accepted value at that point in history. Actually, in 1906, New York librarians helped Russian agents arrest a suspected anarchist immigrant who had checked out books they had flagged, and the only real pushback heard was from people decrying libraries holding these texts to begin with, not the fact that librarians had disclosed the checkout history to Russian agents.

So the first time privacy is mentioned in the library code of ethics is in the revised 1939 document, which stated it is a librarian’s obligation to treat as confidential any private information obtained through contact with library patrons.

And it it wasn’t until the 1930s when privacy and confidentiality began to enter the legal and professional worlds throughout the country. So the first time privacy is mentioned in the Library Code of Ethics is in the revised 1939 document, which stated it is a librarian’s obligation to treat as confidential any private information obtained through contact with library patrons. So while that’s the first mention of privacy and our code of ethics in 1939. It actually remained absent from the Library Bill of Rights until 2019, when article 7 was added.

Davis: How might you frame the reader’s right to privacy in among all the other values libraries hold so dear? For instance, as our audience certainly knows, one of our big values as an industry is the freedom to read. How does our right to privacy align with this value?

Erin: Yeah, we’re actually seeing this direct line from the current nationwide censorship movement, this, you know, trying to prevent people from having that freedom to read, to violations in privacy. And so it starts with censorship, right? We’re revoking the access to certain materials, and then from there, we’re seeing a move to surveillance, monitoring the habits of readers. And this is often done under some kind of perceived threat to the safety or well-being of the reader. And this has been most evident in school libraries, where parents are receiving the full checkout history of their students, right? There’s monitoring of everything going on.

There are other times where our value of privacy can actually butt heads with other values, and the most frequently seen one is with access. So this might happen when a vendor is the only source of accessing some type of information, yet they have poor privacy practices. So you could see library workers arguing that providing access is more important than the violation of privacy. I’d push back on that: they’re both values of ours, right, so in these instances, it’s our responsibility to make sure that our vendors are living up to all of our professions ethics and values.

Davis: Thank you, Erin. Any final thoughts on the right to privacy as a core value in libraries, or on how to communicate these values in a world that’s increasingly trading speed and convenience for sovereignty over personal data?

I think it’s a misnomer that people don’t want privacy. They do want it. They just can’t get it in the world of capitalism.

Erin: Yeah, I mean I think of privacy fundamentally as an equity issue. Libraries are not Amazon, we’re not Google, we’re not any private business. We’re fundamentally different. And one of the key ways that we differ is in this expectation of privacy that we give to our users. There’s, like I mentioned earlier, this abundance of research that says people change their behavior when they’re being surveilled, even when it’s the library doing the surveillance. And we operate in this world where there are virtually no options for accessing information without being tracked.

You know, I think of libraries as kind of the last bastion of privacy in this world, and that we’re also quickly losing that fundamental piece of who we are and what separates us all from other institutions and businesses that exist. I think it’s a misnomer that people don’t want privacy. They do want it. They just can’t get it in the world of capitalism. And so we can choose to be that space where it’s different, where people can decide what data is collected on them, and understand how and why it’s used.

Davis: So in our next video, let’s talk a little bit about how libraries and third-party vendors can work together, in the very best case scenario, to align with library values. I’ll see you then.