NYC Digital Safety

Many library services are provided by third parties. Let's talk about how we can better protect patron privacy while working with vendors

 

Transcript

Davis: Hi Erin! When I first got to know you, you were working on advocating for library patrons privacy and accessing services provided by LinkedIn Learning. I think your efforts there were heroic, and I think our audience would love to know more.

Erin: Yeah, thank you, Davis. That was a crazy experience and in the summer of 2019, I discovered that libraries who are using Lynda were being transitioned over to LinkedIn Learning and, as part of this transition, users would be forced to create a public social media profile to use a service that libraries were paying for. And one of our values, and the law in many places, is that a patrons use the library should remain confidential. Forcing a user to create a public social media profile did not align with our core values, and also forcing a library patron to create a public social media profile when the library is also already paying for the product is not — you know, we shouldn’t be paying for something and then allowing that social media company to gain money more money or more revenue off of this public social media profile that they could advertise to as well.

One of our values, and the law in many places, is that a patrons use the library should remain confidential.

Well, I contacted a LinkedIn rep about this and, being in the Bay Area, I was able to meet with them directly in the headquarters in San Francisco. It was there that I was told that libraries were not a financial benefit to LinkedIn and so they wouldn’t be putting in a lot of time and resources to make the platform such that people could just use their library card to gain access. They told me that they felt they were acting in the “spirit” of our code of ethics. I explained that we wanted our vendors to follow our code not “act in the spirit of it.” I can’t say that I’ve ever felt more uncomfortable or talked down to before. I’ve worked with a lot of major tech companies during my time when I was with San Jose Public Library, and I honestly have never experienced anything quite like that. I left the meeting and I started organizing.

I reached out to everyone I knew, including all my contacts at ALA, to really condemn the practice that LinkedIn was implementing. I got libraries across the country to sign up to boycott the service. We even had our State Librarian in California issue a statement against the change. We were making a lot of noise, but LinkedIn continued to say this just isn’t possible. However, that apparently was not true, because by March of 2020, LinkedIn reversed its decision. It would no longer require the social media profile to access LinkedIn Learning.

I personally deleted my LinkedIn profile, just because I really don’t — I just lost all kind of respect for the process in that, but I think it goes to show that, collectively, we really can make changes happen, even with an organization as big as Microsoft, who owns LinkedIn.

Davis: We know that LinkedIn Learning is but one organization in a vast sea of third-party vendors who sell access to information to libraries. I know this is a huge question, but what’s the landscape like for privacy rights in third party vendors overall?

Erin: Yeah, you know, it’s really a mixed bag out there. Most library vendors who handle user data will be GDPR compliant. At the same time, there’s a lot of poor privacy practices, and a ton of surveillance happening, especially in school and academic libraries. And one thing that we haven’t seemed to be able to get across to most libraries is that surveilling our users without their consent is wrong, even if we’re the “good guys.”

What we’re now seeing is a lot of tools that were designed for the world of capitalism. They were designed to sell people things, and they’re being used by libraries. They’re being, you know, configured to be a library product. This includes customer relationship management tools that segment people into user groups by some kind of algorithm that determines what type of marketing the library should send to them. And I think even more insidious is when the library combines their own ILS data with Consumer Credit Data from companies like Experian. This is libraries directly paying into and supporting surveillance capitalism, and it is not the business that we should be in.

Don’t accept bad terms. If you see something that you think is violating user privacy, say something.

What we’re also seeing is libraries asking for products that violate privacy and the vendors providing it, although sometimes the vendors have to tell the libraries “that’s against the law” or “that’s a violation of privacy.” So there’s education to be done on both sides here. But there is a misalignment oftentimes with our practices and the stated values and ethics in order to try to align ourselves.

We’re actually in the process of starting a Library and Vendor Privacy Community of Practice, and our hope is to create trust and open dialogue between library workers and vendors, so that we can actually make movements to change these practices. And we’ve seen this happen on a small scale, at least with vendors who have come to work with the ALA’s Privacy Subcommittee directly.

Davis: Licensing with outside vendors is typically done by at best a small group of folks within the library. What can library staff do to advocate for better protections for user data, given everything that you’ve just said? How do we work alongside vendors to improve data privacy protections?

Erin: So we’ve actually just created a set of Privacy Field Guides that can help library workers in upholding their commitment to user privacy and there are a few guides in particular that I think will help library workers with vendors. The first is the Privacy Policies Guide, and this will walk you through commonly used phrases, it’ll highlight red flags and vendor privacy policies, and I should mention all of those red flags that you see in that guide are from library vendors. This tool is to help you understand how a vendor handles user data. You can then use our How to Talk About Privacy Guide to advocate for changes.

So if you’re not the one responsible for negotiating contracts, that’s okay. Go find out who is have a conversation with them. Our vendors and privacy guide will then give concrete tools to help in the selection and purchasing process. I think above all else is: don’t accept bad terms. If you see something that you think is violating user privacy, say something. And this is especially true for our larger libraries. So libraries with more resources have the ability to get vendors to change their products which benefits all libraries. United we are powerful.

People are often okay sharing their data, if it’s being gathered by a trusted source and get a choice in what data is used and how. So we need to be gathering real, informed consent.

Davis: Knowing that outside vendors often collect more data about users than libraries might otherwise wish, what can library workers do to inform patrons? What sorts of tips might they share with their users to let them know that library rules around data collection don’t necessarily apply to databases and other frequently used services?

Erin: Well, I think the first thing is to make sure that your library has an easily discoverable privacy policy. That Privacy Policy Field Guide I was talking about will walk you through writing one if your library doesn’t have a policy, or if it has one that hasn’t been updated in a while it needs to be revisited. So this policy should explicitly state that privacy policies of vendors are different from the libraries. If possible, you can link to where they can find the most current vendor privacy policy, or provide other tools that teach our patrons how to read privacy policies, how to understand what their rights are within these other vendors.

I do think, more than anything, you can actually inform people when you’re assisting them in the library. So are you talking to someone about checking out e-books from OverDrive? That’s a great time to talk about OverDrive’s privacy policy. Let them know that they store all of their browsing history even after they returned a book, so it’s not like when they use a library and check out a physical item. And if they’re using a Kindle, Amazon is also going to get the information on what book they checked out and then they use that to advertise to them.

Davis: Is there anything that I’ve missed in this conversation about libraries and third-party providers and privacy? What else would you like our viewers to know?

Erin: You know, I hear from a lot of our vendors that it’s the libraries that are asking for these privacy violating products, and they’re trying to meet that demand. And sometimes they have libraries telling them that they’re asking for something that’s illegal or unethical. So we as library workers also have to stand up for privacy.

People are often okay sharing their data, if it’s being gathered by a trusted source and get a choice in what data is used and how. So we need to be gathering real, informed consent and right now, especially with the analytics products out there, we’re not doing that and we’re failing our users.

Davis: Thank you so much, Erin, for all your Insight on this important topic.

Erin: Thank you.