My readings on privacy for the NISO committee to develop a Consensus Framework to Support Patron Privacy in Digital Library and Information Systems have led me down a rabbit hole. In part, I think, because I often feel like the only dissenting member during the conference calls. There is a lot of focus on “improving services” at the cost of patron privacy. There is condescension when I question the ease at which librarians have handed over patron data to vendors and other third parties in the form of remarks such as “you can dislike it, but it is a law” and “Revisiting federal law might be a bit above our pay grade” (I am glad the Connecticut Four didn’t think so) and accusing those of us who are concerned about privacy of “hand wringing”. There are words like “compete” framing libraries in competition with for-profit agencies whose stance on privacy is that it is dead, and we should get over it. These meetings often feel less like an attempt to reach a consensus on privacy based upon values and ethics that are essential to librarianship and more like an attempt to create a framework that will justify the abandonment of privacy by librarians.
I feel a little guilty writing those words, after all NISO asked me to serve on this committee and someone recommended me for it. As I typed them I wondered what will happen when they are read – will I be asked to leave the committee? But at the same time I believe in transparency and I have been struggling to decide what I will do if the framework that comes out of this is not something I can support. I haven’t decided yet, but I did decide it would be best to share my troubles on this blog as I have done with some many other issues. This post is a culmination of thoughts and questions as I have worked my way through readings.
If you are interested in what I am reading I initially created a reading list to share with others what I was reading for this committee work, however, I grew tired of updating that blog post so I created a new site on Tumblr which makes it much easier to add items.
The conversation about privacy also includes issues surrounding security; however, I am going to attempt to focus on the privacy issues rather than security. When we talk about privacy in libraries we are largely talking about data collection and use.
There is this idea, not just in libraries, but in society that more data is better, that the collection of data makes us “safe” or ensures better “service”. I question if either are true. There seems to be no evidence that the collection of data is making society safer, but I don’t want to get into national security issues in this post. As for service what that really means is getting you to purchase more stuff and spend more money so it is in the best interest of the company, not the individual. As for the improvement of library services I am not convinced that the collection of personally identifiable information can provide better services. Certainly not services that are so much better as to justify sacrificing privacy.
Data is collected in libraries by many different parties and there are many different types of data. There might be the most basic data that is needed to function, for example that a book is checked out and to whom. However, once that book is returned it is no longer necessary to retain the data of who check it out. It might be necessary to retain information about when the book was checked out for usage and weeding but that is not tied to the patron. Libraries might also keep track of how many books a patron has checked out without keeping track of what those titles were. A patron might opt-in to keeping what books they have checked out using that data to keep track of what they read, many libraries offer this option. Then there is the usage of that data to say make a book recommendations based on past reading history. Each step is a different type of data for a different purpose. The type and amount of data collected grows increasingly complicated as you add in third party vendors to the equation.
This data seems innocuous but data collected for one purpose can be used for other purposes and the combination of data sets can create a violation of privacy.
Library data could reveal sensitive and sometimes protected information such as race/ethnicity, political beliefs, and sexual preferences. Does the collection of library data disproportionally affect minority populations? Protected populations?
Libraries negotiate with vendors on behalf of their patrons. Library users trust the library, and the choices librarians make need to be worthy of that trust. Librarians should be able to tell users exactly what information vendors are collecting about them and what they are doing with that data. Many principles and regulations surrounding data and privacy outside of the U.S. include a provision that a user can request access to all of her data and how it is being used. If a library patron walked into your library today and asked for all the data you have collected about her, including the vendors you provide services through, could provide the data? Would you even know all the third parties that have data and what that data is?
The people who keep telling us that privacy is dead and that we should just get used to it tend to be white males. These are the people who benefit the most from the status quo and who are harmed the least when privacy is violated. I realize this is broad generalization but privacy is different for women and minorities of race, religion, and sexual preferences.
Yes, we have entered into an era where many of us share information about ourselves publicly and widely on social network sites that is not an indication that we have given up on privacy. There is a real and distinct difference between choosing to share something about yourself and someone else gathering data about you. Intent matters.
There are many reasons people relinquish person information, perhaps they don’t know how it will be used or they don’t have a choice or they do it willingly, none of this is an indication that expectations about privacy have changed. The argument that this behavior is an indication that people no longer expect privacy and therefore it is acceptable to collect and use data is deeply problematic. The idea of reasonable expectation of privacy reinforces the status quo and ignores the needs of minorities. It benefits large corporations and an elite few. Instead we should endeavor that policies, rules, and guidelines reflect what we want, not what we have come to expect.