My readings on privacy for the NISO committee to develop a Consensus Framework to Support Patron Privacy in Digital Library and Information Systems have led me down a rabbit hole. In part, I think, because I often feel like the only dissenting member during the conference calls. There is a lot of focus on “improving services” at the cost of patron privacy. There is condescension when I question the ease at which librarians have handed over patron data to vendors and other third parties in the form of remarks such as “you can dislike it, but it is a law” and “Revisiting federal law might be a bit above our pay grade” (I am glad the Connecticut Four didn’t think so) and accusing those of us who are concerned about privacy of “hand wringing”. There are words like “compete” framing libraries in competition with for-profit agencies whose stance on privacy is that it is dead, and we should get over it. These meetings often feel less like an attempt to reach a consensus on privacy based upon values and ethics that are essential to librarianship and more like an attempt to create a framework that will justify the abandonment of privacy by librarians.
I feel a little guilty writing those words, after all NISO asked me to serve on this committee and someone recommended me for it. As I typed them I wondered what will happen when they are read – will I be asked to leave the committee? But at the same time I believe in transparency and I have been struggling to decide what I will do if the framework that comes out of this is not something I can support. I haven’t decided yet, but I did decide it would be best to share my troubles on this blog as I have done with some many other issues. This post is a culmination of thoughts and questions as I have worked my way through readings.
If you are interested in what I am reading I initially created a reading list to share with others what I was reading for this committee work, however, I grew tired of updating that blog post so I created a new site on Tumblr which makes it much easier to add items.
The conversation about privacy also includes issues surrounding security; however, I am going to attempt to focus on the privacy issues rather than security. When we talk about privacy in libraries we are largely talking about data collection and use.
There is this idea, not just in libraries, but in society that more data is better, that the collection of data makes us “safe” or ensures better “service”. I question if either are true. There seems to be no evidence that the collection of data is making society safer, but I don’t want to get into national security issues in this post. As for service what that really means is getting you to purchase more stuff and spend more money so it is in the best interest of the company, not the individual. As for the improvement of library services I am not convinced that the collection of personally identifiable information can provide better services. Certainly not services that are so much better as to justify sacrificing privacy.
Data is collected in libraries by many different parties and there are many different types of data. There might be the most basic data that is needed to function, for example that a book is checked out and to whom. However, once that book is returned it is no longer necessary to retain the data of who check it out. It might be necessary to retain information about when the book was checked out for usage and weeding but that is not tied to the patron. Libraries might also keep track of how many books a patron has checked out without keeping track of what those titles were. A patron might opt-in to keeping what books they have checked out using that data to keep track of what they read, many libraries offer this option. Then there is the usage of that data to say make a book recommendations based on past reading history. Each step is a different type of data for a different purpose. The type and amount of data collected grows increasingly complicated as you add in third party vendors to the equation.
This data seems innocuous but data collected for one purpose can be used for other purposes and the combination of data sets can create a violation of privacy.
Library data could reveal sensitive and sometimes protected information such as race/ethnicity, political beliefs, and sexual preferences. Does the collection of library data disproportionally affect minority populations? Protected populations?
Libraries negotiate with vendors on behalf of their patrons. Library users trust the library, and the choices librarians make need to be worthy of that trust. Librarians should be able to tell users exactly what information vendors are collecting about them and what they are doing with that data. Many principles and regulations surrounding data and privacy outside of the U.S. include a provision that a user can request access to all of her data and how it is being used. If a library patron walked into your library today and asked for all the data you have collected about her, including the vendors you provide services through, could provide the data? Would you even know all the third parties that have data and what that data is?
The people who keep telling us that privacy is dead and that we should just get used to it tend to be white males. These are the people who benefit the most from the status quo and who are harmed the least when privacy is violated. I realize this is broad generalization but privacy is different for women and minorities of race, religion, and sexual preferences.
Yes, we have entered into an era where many of us share information about ourselves publicly and widely on social network sites that is not an indication that we have given up on privacy. There is a real and distinct difference between choosing to share something about yourself and someone else gathering data about you. Intent matters.
There are many reasons people relinquish person information, perhaps they don’t know how it will be used or they don’t have a choice or they do it willingly, none of this is an indication that expectations about privacy have changed. The argument that this behavior is an indication that people no longer expect privacy and therefore it is acceptable to collect and use data is deeply problematic. The idea of reasonable expectation of privacy reinforces the status quo and ignores the needs of minorities. It benefits large corporations and an elite few. Instead we should endeavor that policies, rules, and guidelines reflect what we want, not what we have come to expect.
Photo by EFF Photos CC BY 2.0
9 thoughts on “Thinking Out Loud About Patron Privacy and Libraries #nisoprivacy”
Excellent discussion–and, as I found when going through some of my own writing from more than twenty years ago, the struggle to get NISO to pay more attention to privacy than to convenient data gathering is nothing new. Keep up the good fight.
Thank you Walt!
Since I am on the NISO group, I can’t help but hope that I haven’t been the source of a comment in our discussions that was perceived as condescending or dismissive. But, I also hope that Bobbie will tell me if I was since, though not my intention, I care about impact beyond what I might intend and would want to apologize and do better.
I’m a huge advocate for privacy so I also take Bobbie’s posting here to heart – clearly I’m not communicating this as well as I should be in our group conversations. But, what it means to “protect privacy” isn’t a straightforward/obvious thing to me.
Bobbie writes: “As for the improvement of library services I am not convinced that the collection of personally identifiable information can provide better services. Certainly not services that are so much better as to justify sacrificing privacy.”
This is what I’d love to be discussing and hashing over. I have examples where I believe, and have some evidence our users also believe, that we have made services better through tracking user data. We do so under an IRB approved protocol that includes specifications for data storage, management, protection, disposal, etc. But, we do collect it.
How do we work through the reality that Bobbie and I believe differently? What evidence do I accept? What would others accept? This isn’t a librarians vs the vendors question at the level I’m talking here (though that adds another layer to the NISO work) – this is intra-librarianship and we need to be able to talk about it and work through it.
Bobbie and I are on, I believe, the same side that we need to reign in the current situation of sharing user data with third-parties without any attention to what is going on. But, how far to reign it in? And, whether to expand the data tracking that libraries themselves did in the print world (and still do) to those in the digital?
We can’t back away from this challenge. To my knowledge no one on the NISO group would ask Bobbie to leave the group and I can pledge she would have at least one (me) staunch protester if she was. And, I am confident that there would be others.
And now of course I must issue a public apology for misspelling your name throughout my first reply. I am so sorry, Bobbi. Inexcusable.
You are not alone in one important aspect of the NISO work, Bobbi: I think the privacy of our patron’s activity data is paramount to the essence of being a library. I started to reply here, but then it got lengthy, so I turned it into a post on my blog.