I was delighted to find the following email in my inbox the other day. From ALA’s president Barbara Stripling:

ALA is saddened by recent news that the government has obtained vast amounts of personal information and electronic communications of millions of innocent people. The extent of the personal information received by the government is very troubling. Those of you who have been long-time members of ALA know that we have always argued that provisions in the USA PATRIOT Act encroach on the privacy expectations of library users. Worse, the surveillance law erodes our basic First Amendment rights, all while undermining the very fabric of our democracy […]

We need to restore the balance between individual rights and terrorism prevention, and libraries are one of the few trusted American institutions that can lead true public engagement on our nation’s surveillance laws and procedures. Libraries have the tools, resources and leaders that can teach Americans about their First Amendment privacy rights and help our communities discuss ways to improve the balance between First Amendment rights and government surveillance activities. And patrons are ready to learn about their privacy rights from their libraries.

How academic libraries can join the fight for privacy has been buzzing around my head of late. Thankfully, Stripling’s email also links to some helpful resources: the Choose Privacy Week website and a Moderator’s Guide [pdf]. I haven’t given this enough thought to craft a decent post, but three things immediately come to mind as actions academic librarians can take (in addition to hosting discussion forums):

1) Prominently display a link to your library’s privacy statement and data retention policies on the homepage. Wait, you don’t have one? Well, now is a better time than any to get started!

2) Know your university’s policies on user data and find out what third parties (esp. email platform providers) have access to it.

3) Start talking to electronic resources vendors about how they use your patrons’ data. What do they collect? What is their retention policy? What other third-parties have access to that data?

I don’t imagine I’ll have many discussions at the reference desk about protecting user privacy and data, but that doesn’t mean I can’t fight for it. More thoughts on this later. Happy Friday!

The March 2011 issue of Wired Magazine has an article by Andrew Keen, the author of The Cult of the Amateur, in which Keen discusses the implications of sharing enormous amounts of personal information online. What these implications may be, he is not exactly clear about. There is a strange mix of paranoia and nostalgia underlying his words, motivations that don’t usually offer specific examples.

He oversimplifies the nature of sharing (“we will all know what everyone is doing all the time” and be able to inspect everyone “every instant”), he blames the tools and the tool makers rather than the users (“[the] increasingly ubiquitous social network” that “invades” our private spaces), and he assumes that everyone online is motivated primarily by their need “to broadcast [their] uniqueness to the world” (Ok, I’ll give him that one).

On the other hand, Keen brings up a number of legitimate concerns. As businesses and advertisers learn how to monetize social networks, all the information that we normally consider private (or, at least, wouldn’t normally give to a person holding a clipboard in a mall) is ripe for harvesting.

And I would add, personally, that there is something to the idea that the increasingly public nature of our daily lives changes us, sometimes in undesirable ways. (For a more than dramatic example, check out the documentary on  dot com boomer, Josh Harris, We Live In Public). We come to expect more of ourselves, perhaps too much as we continually project ourselves into cyberspace and await the feedback of the masses.

But I digress. Give Keen’s article a read and let me know what you think. There is much here to disagree with, but what is there in this article that we can agree on?

As an academic librarian, what do you need to know about your library’s privacy and confidentiality policy?

Today’s move by the U.S. House of Representatives to deny extending certain provision of the US Patriot Act (one of which pertains to libraries) and the call for protests leading up to it remind us that privacy is still an important issue for libraries. This caused me to think about my own library’s privacy policies and what we would do if approached by federal officials requesting information.

I’ve spent the last few days looking over the privacy statements of university libraries and reviewing the American Library Association’s stand on privacy. The following is what I consider to be the essential questions that academic librarians should be asking in order to understand where their library stands concerning the privacy and confidentiality of personally identifiable information gathered through everyday library use.

A Definition?

What do I mean by privacy? Is it a right? A condition? Defining privacy is difficult because no matter how you slice it, most claims tend to assume privacy to be essential value. Perhaps it is, but it is tricky to argue that point.

Let us assume for the sake of argument that privacy is indeed an essential value; what does it apply to? I think we can divide privacy into three categories: informational privacy, behavioral privacy, and locational privacy. The first includes information that a person or a society generally assumes to be private. This can include health information, financial data, and personal opinions. The second type of privacy is often equated (one could say, incorrectly) with the right to personal choice and includes the right to abortion, sexual rights, or the right to view pornographic material. The third refers to activities that, because they function within a private space, are themselves considered to be private and include those activities violated by invasions into one’s home or office space.

As academic librarians, we are primarily concerned with the first of these: information privacy (though many of us are advocates for certain behavioral privacy rights as well).

What You Need To Know

What personally identifiable information does your library collect? In order to set up a borrower’s account, the library usually needs certain pieces of personally identifiable information (PII) from a student,* including his/her name, email address, local address, student ID, and degree level. Where does this information come from? Is it provided by the student or the records department? Does the student need to give consent for the library to use this information or is there a university policy that grants consent?

In the course of daily operations, the library may collect all types of information, including what a user checks out or requests via Inter-library loan, what library websites they navigate to and from, or what items they are searching for in the online catalog. This information is extremely useful to librarians and can be used for collection development, improving online services, and budgeting. But how much of this information is retained, for how long, and how much of it is personally identifiable? These are questions that librarians should have answers to or clearly state in their privacy statements. Many libraries collect a minimum amount of user information, much of it not personally identifiable, and regularly scrub that information from their servers.

What other privacy or confidentiality policies also apply? Whether you are developing a policy for a library or trying to better understand you own, you need to understand other policies that may already be in place. At a federal level, all libraries are affected by the U.S.A. Patriot Act. Universities receiving federal aid are additionally affected by the Federal Educational Rights and Privacy Act of 1974, which regulates what student information is considered private and who is permitted to access that information.  Some states, like Illinois and North Carolina, have laws specifically referencing the confidentiality of library records. Librarians should also consider any university statements on student privacy and the privacy policies of the American Library Association.

What data are vendors collecting? Vendors are the wildcard in any privacy policy. While you have some wiggle room when negotiating contracts, ultimately librarians cannot control how vendors and other third-party information providers use the data they acquire. This is especially true in cases where vendors have set up Web 2.0 functions that allow users to set up personal profiles and share info (e.g. CQ Press, Wilson Web, Ebsco, Elsevier, CSA, to name a few).

In a 2010 College & Research Libraries article, Trina Maji of the University of Vermont concluded that

the privacy policies of major vendors of online library resources fail to express a commitment to many of the standards articulated by the librarian profession and information technology industry for the handling and protection of user information. […] They are unspecific in disclosing how they protect that information from unauthorized access or disclosure, and they offer no clear recourse for users who feel the terms of the policy have been violated.

This conclusion is based on content analysis of vendor privacy statement and not a reached by examining actual practice. Nonetheless, I think we are wise to be wary of any company that does not publicize its stance on the confidentiality of user data, especially given the rising value of personal information in a market partially based on behavioral targeting practices. We should advise our students that the library has little or no control over what data they share online once they move to a third-party site.

What if someone requests personally identifiable information? Nine times out of ten, the answer to this question is “Don’t give it to them!” but there are some exceptions. Through a subpoena or court order, records can be accessed by state and federal officials. Currently under the provisions of the U.S. Patriot Act (unless they are allowed to expire), federal officials can demand access to library user data. There is nothing that restricts libraries from scrubbing the PII beforehand, unless there are state laws  in place demanding the retention of “public records,” which can include any email sent to and from librarians (state employees) or via the campus network, server logs, and data submitted via online forms.

In short, it can get sticky. That’s why it’s important for librarians to know who is the appropriate authority (usually the University Librarian) to make the decision whether or not the data should be handed over in legitimate circumstance. But additionally, librarians and student workers alike should have a strong knowledge of local policies, practices and privacy expectations.

Recommendations For Developing a Privacy Statement

To quickly sum things up, here are my recommendations for academic libraries that have yet to develop a privacy statement or are thinking to revise their current one.

1. Publicize your statement on privacy and confidentiality.
2. Detail the information that you collect, how you collect it, what you plan to use it for, and how users can opt out (if that is an option).
3. Provide information on local, state, and federal privacy standards.
4. State your intended response to inquiries from individuals or agencies seeking user information.
5. Warn users about third-party vendors.
6. Give users contact info for expressing their concerns.

Examples of Academic Library Privacy Statements

• University of California — Los Angeles
• Harvard University
• University of North Carolina — Chapel Hill
• Princeton University
• University of Illinois at Urbana-Champaign

References

Magi, T. (2010). A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), 254–72.

*To make things simple, I’ll just use the term student, but I’m actually referring to anyone who uses an academic library: students, staff, faculty, visiting scholars, international students, and non-enrolled, non-staff patrons.

This month, I’ll be focusing my off-the-clock reading habits on issues of privacy in academic libraries. The term “privacy” carries a lot of baggage and calls to mind many different issues. In the context of the internet and social networks, the discourse tends to focus on regulation (who should do it, how much should be done) and advertising (esp. behavioral targeting). In the context of health or medical privacy, there are concerns over access to patient records, both print and electronic. On the whole, privacy discussions in the popular media tend to focus on information collection, storage, and use and the difficulty of determining which information should be public and which should be private.

Some of these issues relate to academic libraries, though many do not. In future posts, I’ll be looking at the privacy statements of academic libraries, issues in the blogosphere, and ALA’s official stance on current issues related to individual and consumer privacy, especially online and through mobile devices. In the meantime, I’ve put together a short list of useful resources for learning more about privacy in today’s cultural environment.

• Electronic Privacy and Information Center: a public interest research center in Washington, D.C created “to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.” Check out the “Hot Issues” topic in the left sidebar for latest news and thorough summaries of current issues.
• Center for Democracy and Technology’s Guide to Online Privacy: a guide developed “to educate Internet users about online privacy and offer practical suggestions and policy recommendations.” It includes privacy basics, current issues, existing regulations, and national surveys. The CDT site also contains information on health privacy, internet openness, and free expression.
• Cornell University Law School’s Legal Information Institute: this page contains info on existing privacy laws, rights extended by the constitution, and court decisions.
• Electronic Frontier Foundation: the “first line of defense” when freedoms in the networked world come under attack. EFF works with citizens and other advocacy groups to influence legislation in favor of individual privacy rights.
• American Library Association’s Privacy Resources for Librarians, Library Users, and Families: related to all types of libraries, this guide outlines ALA’s stance on the confidentiality of patron records, an explanation of the Library Bill of Rights, and help for developing an institutional privacy policy.
• CQ Researcher: If you have access to this resource, check out Patrick Marshall’s 2009 article on privacy. It includes a bibliography, a summary of current issues, pros and cons of various federal actions, directions for further research. (Marshall, P. (2009, November 6). Online privacy. CQ Researcher, 19, 933–956.)
• Wikipedia on Privacy: always a good starting place.

What resources on privacy do you recommend? What issues on privacy are most important to academic librarians? Share your thoughts in the comments!