Yesterday Bobbi Newman posted Thinking Out Loud About Patron Privacy and Libraries on her blog. Both of us are on the NISO committee to develop a Consensus Framework to Support Patron Privacy in Digital Library and Information Systems, and her article sounded a note of discouragement that I hope to dispel while also outlining what I’m hoping to see come out of the process. I think we share a common belief: the privacy of our patrons’ activity data is paramount to the essence of being a library. I want to pull out a couple of sentences from her post:
Libraries negotiate with vendors on behalf of their patrons. Library users trust the library, and the choices librarians make need to be worthy of that trust.
Librarians should be able to tell users exactly what information vendors are collecting about them and what they are doing with that data.
This is why I am engaged in the NISO effort. As librarians, I don’t think we have a good handle on the patron activity data that we are collecting, or on the intersection of our service offerings with what third parties might do with that data. Eric Hellman lays out a somewhat dark scenario in his Towards the Post-Privacy Library? article published in the recent American Libraries Digital Futures supplement.[1] What I’m hoping comes out of this is a framework for awareness and a series of practices that libraries can take to improve patron privacy:
- A statement of principles of what privacy means for library patrons in the highly digital distributed environment that we are in now.
- A recognition that protecting privacy is an incremental process, so we need something like the “SANS Critical Security Controls” (https://www.sans.org/critical-security-controls) to help libraries take an inventory of their risks and to seek resources to address them.
- A “Shared Understanding” between service subscribers and service providers around expectations for privacy.
A statement of principles…
We have lived through a radical shift in how information and services are delivered to patrons, and I’d argue we haven’t thought through the impacts of that shift. There was a time when libraries collected information just in case for the needs of their patrons: books, journals/periodicals, newspapers and the catalogs and indexes that covered them. Not so long ago — at least in my professional lifetime — we were making the transition from paper indexes to CD-ROM indexes. We saw the beginnings of online delivery in services like Dialog and FirstSearch, but for the most part everything was under our roof.
Nowadays, however, we purchase or subscribe to services where information is delivered just in time. Gone are the days of shelf-after-shelf of indexes and the tedium of swapping CD-ROMs in large towers. “The resource is online, and it is constantly updated!” we trumpeted. And in recent years even the library’s venerable online catalog is often hosted by service providers. It makes for more efficient information delivery, but it also brings more actors into the interaction between our patrons and our information providers. It is that reality we need to account for, and to educate each other on the privacy implications of those new actors.
A recognition that protecting privacy is an incremental practice…
One of the important lessons from the information security field is that protecting software systems is never “done” — it is never a checklist or a completed audit or a one-time task. Security professionals developed the “Critical Security Controls” list to get a handle on persistent and new forms of attack. From the introduction:
Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. However, most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. … The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.
The current edition has 20 items, and they are listed in priority order. If an organization does nothing more than the first five, it has already done a lot to protect itself from the most common threats.
Patron privacy needs to be addressed in the same way. There are things we can do that will have the most impact for the effort, and once we have a handle on those we can move on to other, less impactful areas. And just as the SANS organization regularly convenes professionals to review and make recommendations based on new threats and practices, so too must our “critical privacy controls” be updated as new service models are introduced and new points of privacy threat are found.
A shared understanding…
Libraries will not be able to raise the privacy levels of their patrons’ activities without involving the service providers that we now rely on. At the second open teleconference of the NISO patron privacy effort, I briefly presented my thoughts on why a shared understanding between libraries and service providers was important. I found it interesting that during the same teleconference service providers identified a need for a “service level agreement” of sorts that covers how libraries must react to detected breaches in proxy systems.[2] With NISO acting as an ideal intermediary, the parties can come together and create a shared understanding of what each needs from the other in this highly distributed world.
The TL;DR-at-the-bottom summary? Take heart, Bobbi. I think we are seeing the part of the process where a bunch of ideas are thrown out (including mine above!) and we begin the steps to condense all of those ideas into a plan of action. I, for one, am not interested in improving services at the expense of our core librarian ethic to hold in confidence the activities of our patrons. I don’t see it as a matter of matching the competition; in fact, I see this activity as a distinguishing characteristic for libraries. This week the news outlet TechCrunch reported on a study by the Annenberg School for Communication on how “a majority of Americans are resigned to giving up their data” when they “[believe] an undesirable outcome is inevitable and [feel] powerless to stop it.” If libraries can honestly say — because we’ve studied the issue and proactively protected patrons — that we are a reliable source of exceptional information provided in a way that is respectful of the patron’s desire to control how their activity information is used, then I think we have a good story to tell and a compelling service to offer.
- [1] While I have a stage, can I point out: “Is there any irony in ALA's "Digital Futures" document being a hunkin' flash app leading to a 4.5MB PDF? http://t.co/hjrO14buxr” — Peter Murray (@DataG), May 28, 2015
- [2] A proxy server, while enabling a patron to get access to third-party information services while not on the library’s network, also acts as an anonymizing agent of sorts. The service provider only sees the aggregate activity of all patrons coming through the proxy server. That makes it impossible, though, for a service provider to fight off a bulk-download attack without help from the library.
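To make the second footnote concrete, here is an added example (not code from this post, from NISO, or from any particular proxy product) that runs a simple rate check over constructed proxy log lines. The log layout, the patron identifiers, the request paths and the proxy address 192.0.2.10 are all made up for the example; real proxy logs differ. The point it illustrates is the asymmetry the footnote describes: the library's proxy can see which patron is pulling down dozens of PDFs in a minute, while the provider sees only one counter for the proxy's address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout for this example (not a real proxy's format):
# <client_ip> <patron_id> [<timestamp>] "<request line>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<patron>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Construct sample lines: one patron reading normally, one pulling
    thirty PDFs in under a minute (the bulk-download pattern)."""
    start = datetime.strptime("28/May/2015:10:00:00 -0400", TS_FORMAT)
    lines = []
    for i in range(3):  # patron17: three articles spread over twenty minutes
        ts = (start + timedelta(minutes=7 * i)).strftime(TS_FORMAT)
        lines.append(f'10.0.0.5 patron17 [{ts}] "GET /journal/vol1/art{i}.pdf HTTP/1.1" 200')
    for i in range(30):  # patron42: thirty articles, two seconds apart
        ts = (start + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f'10.0.0.9 patron42 [{ts}] "GET /journal/vol2/art{i}.pdf HTTP/1.1" 200')
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def peak_rate_per_patron(lines, window=timedelta(seconds=60)):
    """Library-side view: {patron: most requests seen in any window-long interval}.
    This uses the patron identifier that only the library's proxy knows."""
    stamps_by_patron = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps_by_patron[rec["patron"]].append(rec["ts"])
    peaks = {}
    for patron, stamps in stamps_by_patron.items():
        stamps.sort()
        recent = deque()  # timestamps inside the sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        peaks[patron] = peak
    return peaks


def flag_bulk_downloaders(lines, threshold=20, window=timedelta(seconds=60)):
    """Patrons whose peak rate exceeds the threshold; the library can act on this."""
    peaks = peak_rate_per_patron(lines, window)
    return sorted(p for p, peak in peaks.items() if peak > threshold)


def provider_view(lines, proxy_ip="192.0.2.10"):
    """Provider-side view: every request arrives from the proxy's address
    (constructed here), so all patrons collapse into a single counter."""
    total = sum(1 for line in lines if parse_line(line))
    return {proxy_ip: total}


if __name__ == "__main__":
    sample = build_sample_log()
    print("library sees peak requests/minute per patron:", peak_rate_per_patron(sample))
    print("library would flag:", flag_bulk_downloaders(sample))
    print("provider sees only:", provider_view(sample))
```

The threshold and window are deliberately crude; the design point is that the library holds the per-patron signal needed to respond to the provider's report, and can do so while keeping the patron identity on its own side of the proxy.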