The end of the year tends to bring some of the most interesting writing. And so my tbr list of articles is already longer than Santa’s list. Here’s what I’ve enjoyed reading so far this week.

On regulating AI

“We need trustworthy AI. AI whose behavior, limitations, and training are understood. AI whose biases are understood, and corrected for. AI whose goals are understood. That won’t secretly betray your trust to someone else. The market will not provide this on its own.” 

“AI and trust” by Bruce Schneier

On web analytics

“Lots of likes is an okay-ish signal. Lots of comments is a clearer signal. A small handful of comments or private replies from people saying they’ve never felt so seen or understood by a piece of writing—that’s the kind of thing I’m trying to discern and quantify here.” 

“Measuring what matters” by Rob Hardy

On privacy and college students

“Few institutions collect as much data about the people inside of them as colleges and universities do. Residential campuses, in particular, mean students not only interact with their schools for academics, but for housing, home internet, dining, health care, fitness, and socialization. Still, whether living on campus or off, taking classes in person or remotely, students simply cannot opt out of most data collection and still pursue a degree.” 

“He wanted privacy. His college gave him none” by Tara García Mathewson

On libraries and platforms

“After all, we’re the libraries. We have plenty of experience with corporate entities that don’t reflect our values. We deal with the journal publishers who practice a business model that hoards the world’s knowledge and maximizes profit from the research that our university’s scholars conduct. When it comes to the academic publishing system, institutions of higher learning have made a deal with the devil, and we, the libraries, are the campus units who pay the bill.” 

“Why we’re dropping Basecamp” by Duke University Libraries

On social media trends

“In 2024, strategic organizations will push back against unjustified expectations to be on every platform. They’ll unlock their top-performing channels based on ROI, and focus their attention on those—and only those. If they’re really confident (and brave), they might even abandon one or two altogether.”

Hootsuite’s Social Media Trends 2024

On attention

“The platforms that control search were conceived in sin. Their business model auctions off our most precious and limited cognitive resource: attention. […] Critical ignoring is the ability to choose what to ignore and where to invest one’s limited attentional capacities. Critical ignoring is more than just not paying attention – it’s about practising mindful and healthy habits in the face of information overabundance.”

“When critical thinking isn’t enough: to beat information overload, we need to learn ‘critical ignoring’” by Hertwig, Kozyreva, Wineburg, and Lewandowsky

Three posts on student surveillance at colleges and universities came through my feeds recently.

From Drew Harwell at The Washington Post, “Colleges are turning students’ phones into surveillance machines, tracking the locations of hundreds of thousands” focuses primarily on the SpotterEDU app, which calls itself an “automated attendance monitoring and early alerting platform” and is utilized by athletics departments to track student athletes.

Harwell’s article is full of quotes from IHE staff that are troubling at best and illustrate an ignorance about the [lack of] actual benefits that these tracking systems provide and a blind belief in the unconfirmed benefits of “big data.” As one librarian quoted in the article notes, IHEs are completely missing the point:

“[The use of these systems] embodies a very cynical view of education — that it’s something we need to enforce on students, almost against their will,” said Erin Rose Glass, a digital scholarship librarian at the University of California San Diego. “We’re reinforcing this sense of powerlessness … when we could be asking harder questions, like: Why are we creating institutions where students don’t want to show up?”

Source: “Colleges are turning students’ phones into surveillance machines, tracking the locations of hundreds of thousands”, Washington Post

Furthermore, these systems tend to reinforce white, upper-middle class expectations of “normal” student activity, putting students from already vulnerable populations into even more vulnerable positions. Jenny Davis, responding to Harwell’s article, writes:

“These tracking technologies veer towards [mechanisms of control], portending a very near future in which extrinsic accountability displaces intrinsic motivation and data extraction looms inevitable. […] Speaking of data extraction, these tracking technologies run on data. Data is a valuable resource. Historically, valuable resources are exploited to the benefit of those in power and the detriment of those in positions of disadvantage.”

Source: “A Clear Case for Resisting Student Tracking”, Cyborgology

Finally, Erin Glass (the librarian quoted above) has provided a useful “Ten weird tricks for resisting surveillance capitalism in and through the classroom.” I especially love #2, 4 and 5:

2.  “Inform your students on your syllabus — say, by adding a sentence or two in that section about academic integrity — that many of the technologies they use to support their educational activities likely practice forms of data collection that are ethically dubious even if legally accepted.”

4.  “Ask students to make a list of at least ten digital tools they’ve used formally or informally in the most recent two months of their educational activities. […] Ask each student to (a) find and (b) copy/paste at least one ToS into a clean text-searchable file. Then spend a meeting engaging in some good ol’ close reading of these Terms as a class and discussing.”

5. “Get to know your campus IT.”

Source: “Ten weird tricks for resisting surveillance capitalism in and through the classroom . . . next term!”, HASTAC

Librarians, whether they teach classes or not, might consider starting #4 on their own to learn more about the systems they use and encourage students to use. With our core professional values to support us, there’s a good chance we will be the last holdouts on this trend toward increased surveillance of student life. Let’s get in-formation.

A Guide for Resisting Edtech: the Case against Turnitin, by Hybrid Pedagogy

There is so much to unpack here, but this was my favorite part: “Plagiarism detection services ‘undermine students’ authority’ over their own work; place students in a role of needing to be ‘policed’; ‘create a hostile environment’; supplant good teaching with the use of inferior technology; violate student privacy.”

Currently, I’m reading two articles by journalist and blogger Quinn Norton. The first discusses the convergence of encryption, journalism ethics, and digital literacy in light of recent hacks and data dumps. Of particular interest to librarians and teachers, Quinn urges that:

“Kids should be learning about networks from a young age, and the basics of how computers work. This means teachers need to learn about these things, need to make it their business, if their business is still preparing children to be functional 21st century people. From there, kids will know how to demand a better network as consumer and political actors when they grow up.”

The second article is also a good read for those interested in digital literacy. In “The Hypocrisy of the Internet Journalist,” Quinn describes her experience building tools that track consumer behavior online. As she notes, credit card companies have been doing this for decades and most people probably wouldn’t bat an eye at it. What is more insidious is the way in which, Quinn claims, these tools can change your behavior.

“What I’d do next is: create a world for you to inhabit that doesn’t reflect your taste, but over time, creates it. I could slowly massage the ad messages you see, and in many cases, even the content, and predictably and reliably remake your worldview. I could nudge you, by the thousands or the millions, into being just a little bit different, again and again and again.”

My reaction to consumer “analytics” oscillates between a stoic agnosticism and utter Stallmanism. I like seeing ads for bow ties when I visit the New York Times. At the same time, I often contemplate building my own secure system at home and completely dropping off the social media landscape.

Somewhat related is Jennifer Granick’s recent talk at Black Hat 2015:

Berners-Lee:

“We need our lawyers and our politicians to understand programming, to understand what can be done with a computer. We also need to revisit a lot of legal structure, copyright law – the laws that put people in jail which have been largely set up to protect the movie producers … None of this has been set up to preserve the day to day discourse between individuals and the day to day democracy that we need to run the country.”

Source: An online Magna Carta: Berners-Lee calls for bill of rights for web

I was delighted to find the following email in my inbox the other day. From ALA’s president Barbara Stripling:

ALA is saddened by recent news that the government has obtained vast amounts of personal information and electronic communications of millions of innocent people. The extent of the personal information received by the government is very troubling. Those of you who have been long-time members of ALA know that we have always argued that provisions in the USA PATRIOT Act encroach on the privacy expectations of library users. Worse, the surveillance law erodes our basic First Amendment rights, all while undermining the very fabric of our democracy […]

We need to restore the balance between individual rights and terrorism prevention, and libraries are one of the few trusted American institutions that can lead true public engagement on our nation’s surveillance laws and procedures. Libraries have the tools, resources and leaders that can teach Americans about their First Amendment privacy rights and help our communities discuss ways to improve the balance between First Amendment rights and government surveillance activities. And patrons are ready to learn about their privacy rights from their libraries.

How academic libraries can join the fight for privacy has been buzzing around my head of late. Thankfully, Stripling’s email also links to some helpful resources: the Choose Privacy Week website and a Moderator’s Guide [pdf]. I haven’t given this enough thought to craft a decent post, but three things immediately come to mind as actions academic librarians can take (in addition to hosting discussion forums):

1) Prominently display a link to your library’s privacy statement and data retention policies on the homepage. Wait, you don’t have one? Well, now is as good a time as any to get started!

2) Know your university’s policies on user data and find out what third parties (esp. email platform providers) have access to it.

3) Start talking to electronic resources vendors about how they use your patrons’ data. What do they collect? What is their retention policy? What other third parties have access to that data?

I don’t imagine I’ll have many discussions at the reference desk about protecting user privacy and data, but that doesn’t mean I can’t fight for it. More thoughts on this later. Happy Friday!

The March 2011 issue of Wired Magazine has an article by Andrew Keen, the author of The Cult of the Amateur, in which Keen discusses the implications of sharing enormous amounts of personal information online. What these implications may be, he is not exactly clear about. There is a strange mix of paranoia and nostalgia underlying his words, motivations that don’t usually offer specific examples.

He oversimplifies the nature of sharing (“we will all know what everyone is doing all the time” and be able to inspect everyone “every instant”), he blames the tools and the tool makers rather than the users (“[the] increasingly ubiquitous social network” that “invades” our private spaces), and he assumes that everyone online is motivated primarily by their need “to broadcast [their] uniqueness to the world” (Ok, I’ll give him that one).

On the other hand, Keen brings up a number of legitimate concerns. As businesses and advertisers learn how to monetize social networks, all the information that we normally consider private (or, at least, wouldn’t normally give to a person holding a clipboard in a mall) is ripe for harvesting.

And I would add, personally, that there is something to the idea that the increasingly public nature of our daily lives changes us, sometimes in undesirable ways. (For a more than dramatic example, check out We Live In Public, the documentary on dot-com boomer Josh Harris.) We come to expect more of ourselves, perhaps too much, as we continually project ourselves into cyberspace and await the feedback of the masses.

But I digress. Give Keen’s article a read and let me know what you think. There is much here to disagree with, but what is there in this article that we can agree on?

As an academic librarian, what do you need to know about your library’s privacy and confidentiality policy?

Today’s move by the U.S. House of Representatives to deny extending certain provisions of the US Patriot Act (one of which pertains to libraries) and the call for protests leading up to it remind us that privacy is still an important issue for libraries. This caused me to think about my own library’s privacy policies and what we would do if approached by federal officials requesting information.

I’ve spent the last few days looking over the privacy statements of university libraries and reviewing the American Library Association’s stand on privacy. The following are what I consider to be the essential questions that academic librarians should be asking in order to understand where their library stands concerning the privacy and confidentiality of personally identifiable information gathered through everyday library use.

A Definition?

What do I mean by privacy? Is it a right? A condition? Defining privacy is difficult because no matter how you slice it, most claims tend to assume privacy to be an essential value. Perhaps it is, but it is tricky to argue that point.

Let us assume for the sake of argument that privacy is indeed an essential value; what does it apply to? I think we can divide privacy into three categories: informational privacy, behavioral privacy, and locational privacy. The first includes information that a person or a society generally assumes to be private. This can include health information, financial data, and personal opinions. The second type of privacy is often equated (one could say, incorrectly) with the right to personal choice and includes the right to abortion, sexual rights, or the right to view pornographic material. The third refers to activities that, because they function within a private space, are themselves considered to be private and include those activities violated by invasions into one’s home or office space.

As academic librarians, we are primarily concerned with the first of these: informational privacy (though many of us are advocates for certain behavioral privacy rights as well).

What You Need To Know

What personally identifiable information does your library collect? In order to set up a borrower’s account, the library usually needs certain pieces of personally identifiable information (PII) from a student,* including his/her name, email address, local address, student ID, and degree level. Where does this information come from? Is it provided by the student or the records department? Does the student need to give consent for the library to use this information or is there a university policy that grants consent?

In the course of daily operations, the library may collect all types of information, including what a user checks out or requests via Inter-library loan, what library websites they navigate to and from, or what items they are searching for in the online catalog. This information is extremely useful to librarians and can be used for collection development, improving online services, and budgeting. But how much of this information is retained, for how long, and how much of it is personally identifiable? These are questions that librarians should have answers to or clearly state in their privacy statements. Many libraries collect a minimum amount of user information, much of it not personally identifiable, and regularly scrub that information from their servers.

What other privacy or confidentiality policies also apply? Whether you are developing a policy for a library or trying to better understand your own, you need to understand other policies that may already be in place. At a federal level, all libraries are affected by the U.S.A. Patriot Act. Universities receiving federal aid are additionally affected by the Federal Educational Rights and Privacy Act of 1974, which regulates what student information is considered private and who is permitted to access that information. Some states, like Illinois and North Carolina, have laws specifically referencing the confidentiality of library records. Librarians should also consider any university statements on student privacy and the privacy policies of the American Library Association.

What data are vendors collecting? Vendors are the wildcard in any privacy policy. While you have some wiggle room when negotiating contracts, ultimately librarians cannot control how vendors and other third-party information providers use the data they acquire. This is especially true in cases where vendors have set up Web 2.0 functions that allow users to set up personal profiles and share info (e.g. CQ Press, Wilson Web, Ebsco, Elsevier, CSA, to name a few).

In a 2010 College & Research Libraries article, Trina Magi of the University of Vermont concluded that

the privacy policies of major vendors of online library resources fail to express a commitment to many of the standards articulated by the librarian profession and information technology industry for the handling and protection of user information. […] They are unspecific in disclosing how they protect that information from unauthorized access or disclosure, and they offer no clear recourse for users who feel the terms of the policy have been violated.

This conclusion is based on content analysis of vendor privacy statements and was not reached by examining actual practice. Nonetheless, I think we are wise to be wary of any company that does not publicize its stance on the confidentiality of user data, especially given the rising value of personal information in a market partially based on behavioral targeting practices. We should advise our students that the library has little or no control over what data they share online once they move to a third-party site.

What if someone requests personally identifiable information? Nine times out of ten, the answer to this question is “Don’t give it to them!” but there are some exceptions. Through a subpoena or court order, records can be accessed by state and federal officials. Currently under the provisions of the U.S. Patriot Act (unless they are allowed to expire), federal officials can demand access to library user data. There is nothing that restricts libraries from scrubbing the PII beforehand, unless there are state laws in place demanding the retention of “public records,” which can include any email sent to and from librarians (state employees) or via the campus network, server logs, and data submitted via online forms.

In short, it can get sticky. That’s why it’s important for librarians to know who is the appropriate authority (usually the University Librarian) to make the decision whether or not the data should be handed over in legitimate circumstances. But additionally, librarians and student workers alike should have a strong knowledge of local policies, practices and privacy expectations.

Recommendations For Developing a Privacy Statement

To quickly sum things up, here are my recommendations for academic libraries that have yet to develop a privacy statement or are thinking of revising their current one.

  1. Publicize your statement on privacy and confidentiality.
  2. Detail the information that you collect, how you collect it, what you plan to use it for, and how users can opt out (if that is an option).
  3. Provide information on local, state, and federal privacy standards.
  4. State your intended response to inquiries from individuals or agencies seeking user information.
  5. Warn users about third-party vendors.
  6. Give users contact info for expressing their concerns.

Examples of Academic Library Privacy Statements

References

Magi, T. (2010). A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), 254–72.

*To make things simple, I’ll just use the term student, but I’m actually referring to anyone who uses an academic library: students, staff, faculty, visiting scholars, international students, and non-enrolled, non-staff patrons.

This month, I’ll be focusing my off-the-clock reading habits on issues of privacy in academic libraries. The term “privacy” carries a lot of baggage and calls to mind many different issues. In the context of the internet and social networks, the discourse tends to focus on regulation (who should do it, how much should be done) and advertising (esp. behavioral targeting). In the context of health or medical privacy, there are concerns over access to patient records, both print and electronic. On the whole, privacy discussions in the popular media tend to focus on information collection, storage, and use and the difficulty of determining which information should be public and which should be private.

Some of these issues relate to academic libraries, though many do not. In future posts, I’ll be looking at the privacy statements of academic libraries, issues in the blogosphere, and ALA’s official stance on current issues related to individual and consumer privacy, especially online and through mobile devices. In the meantime, I’ve put together a short list of useful resources for learning more about privacy in today’s cultural environment.

  • Electronic Privacy and Information Center: a public interest research center in Washington, D.C., created “to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.” Check out the “Hot Issues” topic in the left sidebar for latest news and thorough summaries of current issues.
  • Center for Democracy and Technology’s Guide to Online Privacy: a guide developed “to educate Internet users about online privacy and offer practical suggestions and policy recommendations.” It includes privacy basics, current issues, existing regulations, and national surveys. The CDT site also contains information on health privacy, internet openness, and free expression.
  • Cornell University Law School’s Legal Information Institute: this page contains info on existing privacy laws, rights extended by the constitution, and court decisions.
  • Electronic Frontier Foundation: the “first line of defense” when freedoms in the networked world come under attack. EFF works with citizens and other advocacy groups to influence legislation in favor of individual privacy rights.
  • American Library Association’s Privacy Resources for Librarians, Library Users, and Families: related to all types of libraries, this guide outlines ALA’s stance on the confidentiality of patron records, an explanation of the Library Bill of Rights, and help for developing an institutional privacy policy.
  • CQ Researcher: If you have access to this resource, check out Patrick Marshall’s 2009 article on privacy. It includes a bibliography, a summary of current issues, pros and cons of various federal actions, and directions for further research. (Marshall, P. (2009, November 6). Online privacy. CQ Researcher, 19, 933–956.)
  • Wikipedia on Privacy: always a good starting place.

What resources on privacy do you recommend? What issues on privacy are most important to academic librarians? Share your thoughts in the comments!