Chris Cunningham
LIS 600
especially when there is a notable breach thereof (celebrity accounts being hacked,
phishing schemes, identity theft incidents, etc.). In the age of digitization the issue of
privacy and the ever increasing erosion of it seem all so pressing as most people leave
personal digital footprints on the internet everyday. These footprints can often be seen
by others and can come to haunt those who are not so discreet in the words and
images they use to craft their digital personas. Employers, for example, can and have
fired employees for what they deemed to be imprudent photos or posts projected on a
social media site such as Facebook or Twitter. In other words, the concept of privacy
and the management of social privacy expectations is extremely important for our
society.
Libraries have long fought to protect patron privacy rights, especially since the
lack thereof could very well discourage potential patrons from using their library's
services and freely pursuing intellectual interests (the very thing libraries strive to
promote). The passing of the PATRIOT Act in 2001 has entailed potentially worrisome
implications for the institution of libraries across the country. In general the issue of
protecting privacy is important because in order for a society to function smoothly and
happily people need to feel sure that they can be free to pursue intellectual interests
and/or fairly protest or offer opposing opinions or beliefs in the public and private
spheres without fear of political sanction or censorship. As such, this paper's intent is to
lay out the issue of privacy in light of the the passing of the PATRIOT Act and show what
some libraries do to protect patron privacy, detail what constitutes a sound and effective
library privacy policy with intent of such information serving as a potential model by
which a library may construct a solid policy if one is not already in place, and show what
According to Michele M. Reid (2009) section 215 of the Patriot Act allows for the
FBI to apply warrants from the FISC (Foreign Intelligence Surveillance Court) to obtain
library patron records to the end of combating terrorism and helping intelligence
investigations. Even more worrisome about this provision is that the FBI does not have
to demonstrate probable cause, only declare it has reasonable grounds to suspect that
library records may be relevant to an investigation (Reid). Reid goes on further to say
that the provision also puts gag orders on librarians who are called upon to relinquish
The PATRIOT Act has one other provision that directly pertains to libraries in
section 505. 505 states, according to Hill and Delaney of the Illinois Library Association
(2013), the FBI may issue National Security Letters to obtain records of electronic
communication in the library or from consortiums. Also according to Hill and Delaney,
such requests are not subjected to the judicial oversights that Section 215 issues are.
quite vague in regards to what may constitute sufficient cause for obtaining library
consortium in Connecticut. The FISC ruled that the gag orders issued violated the First
Amendment. Similar rulings were also found in Internet Archive v. Mukasey and Doe v.
Holder. The point of showing these cases is to show that the encroachment of the
PATRIOT Act in regards to libraries is indeed being contested to some extent and that
issue raises serious questions about the ethical soundness of the provisions.
A good and pertinent example of how a library policy can be designed to protect
patrons may be seen in the privacy of UNCG. UNCG's privacy policy quotes the ALA's
policy on privacy that a library should never disclose any record that identifies a person
used the library, except when necessary for the reasonable operation of the library,
upon the written consent of the user; or pursuant to subpoena, court order, or where
otherwise required by law. In seeing this privacy policy there is a reflection of the
PATRIOT Act's influence in that libraries would be forced to relinquish patrons required
under the influence of court order. While there is no mention of the gag order
specifically, one could presume such would be entailed by the issue of a court order.
Another good example of a privacy policy can be seen with San Francisco's Public
Library. The library's policy states that it does not collect information about patrons when
they visit the web and will only collect data when the patron voluntarily consents to
divulge such information to the library (such as for library user surveys, etc.). The library
will, however, retain information on items checked out if the patron has an outstanding
charge or has overdue items on the account. The policy page also states that patron
information is stored on a secure server. The end of the page mentions the PATRIOT
Act specifically, including the two 'library' provisions. The page says that the Library
Commission and the San Francisco Board of Supervisors have formally opposed the
act and that they have tried to subvert the act by adopting Proposition E which
stipulates that any requests for library, health, or other personal records goes through to
the Board of Supervisors rather than other city departments to analyze them to
The primary purpose of paraphrasing and describing some library privacy policies
in writing was not only to demonstrate how the PATRIOT Act affects everday library
functioning nor was it simply to highlight some components of a library's privacy policy.
The main purpose was to expose some key traits that make up a good library privacy
policy so that a library could use the information to go about establishing a privacy
policy if one is not in place or if a librarian feels it is missing some crucial aspects. Trina
Magi (2006), an associate professor of the University of Vermont, wrote an article that
details a great deal of what all should go on in formulating a robust privacy policy for a
library. To the end of providing a groundwork for such a task, it will be assumed that the
library that stands to be serviced by the following information would be one that is just
been established and has been staffed by a group of library science and information
studies graduates who are charged with the task of instituting library policies.
confidentiality/privacy audit. What this means is that when constructing a privacy policy,
one should familiarize oneself with all the sources that could potentially carry patron
identifiers such as: circulation records, overdue materials records, ILL requests,
database searches, web searches, chat and email, computer usage sign ups, etc. This
key point is interesting as it touches on a point that is easy to lose in sight of pursuing
the goal of purveying information: it is not enough to know what information you can
give to patrons and how you can most effectively give it to them; you also must be sure
that you know what information they are giving you. Further along that line Magi also
recommends not keeping more information than is needed and not keeping it longer
than necessary. It likely is not necessary to keep, for example, extensive medical files
on patrons. If the information does not meaningfully serve the goal of providing user
kept, the greater the opportunity that the information could fall into the wrong hands.
Some libraries will detail how long they keep records such as computer log ins and
patron records. For example, the Seattle Public Library's policy (2015) states that when
a customer logs off a Library computer, information about that user session is
automatically deleted. Also when a customer returns materials, information about what
was checked out is automatically deleted at day-end, unless the customer has fines or
has been referred to a materials recovery agency. As can be seen in such a policy,
Seattle Public Library has their institution set up to delete certain patron records by day-
end or after a patron stops using a service thereby potentially mitigating the chance that
Seattle's library keeps patrons of overdue books and fines, this is to be expected as the
system.
There are many other steps Magi suggests for developing a privacy policy. Some
other key points she details are to divorce patron names from interlibrary loan requests
and not deliver patron records in such a way that they can feasibly be accessed by
unintended parties (e.g.: not delivering information about reserved items or interlibrary
loans on an answering machine, keeping staff computers out of public view, etc.).
A good portion of the checklist Magi put forth stresses advocacy in the form of
educating staff of policies and patrons of their rights. As the adage goes, knowledge is
power and no one knows this more than librarians and information specialists. When
patrons are armed with the knowledge of their rights and are given options for managing
their privacy, they will feel much more secure and confident in their library's
management. Another important part of advocacy Magi mentions that must not be
overlooked is to ensure that other agencies and institutions dealt with have privacy
policies that fall in line with the library's. It would be an egregious oversight to spend a
good deal of time crafting a sound policy only to institute a consortium network with
other libraries that have not updated their privacy policies in years or have not
(federal requests or hacking attempts). This also applies to third party agencies such as
ISPs (internet service providers) and database suppliers. If the librarians in an institution
spend a good deal of time instituting a good privacy policy it would be a a shame for all
the good, hard work to be undone by partnering with an agency that did not put in the
In the course of developing a privacy policy, you will have to address the
elephant in the room that is the PATRIOT Act. As Dorotea Szkolar of Syracuse
University's School of Information Studies (2013) states, While the Patriot Act is
controversial, it has existed for over 10 years and been reauthorized by two presidents.
It appears the Patriot Act is here to stay and therefore libraries should expect at some
point to be approached by the FBI under the Patriot Act. It would be best to have a
policy and procedure in place when that happens. This quote captures a big part of
why a privacy policy is necessary for a library. It also serves to stress that one should
prepare for FBI requests and the like. This goes hand in hand with the aforementioned
things one should do in formulating a policy as well as the previous section giving a
cursory overview of Sections 215 and 505 of the PATRIOT Act. While many librarians
and libraries have and will continue to resist the PATRIOT Act, it will remain woven into
the fabric of the United States' social and legal makeup for years to come. It would be
irresponsible to craft a privacy policy without accounting for this. This also goes in hand
with advocacy as it would wise for librarians and libraries to educate patrons as to the
implications of the PATRIOT Act for their privacy and what the library is doing to protect
There is one other thing that can be done and should be offered to patrons.
Joseph Janes (2013) mentions the idea of allowing patrons to opt in to a system in
which they can voluntarily disclose their patron records to the end of enhancing library
user services. The libraries could use the data the way Amazon uses your search
history to recommend items to you on subsequent visits, only the library would inform
the users of this feature and give them the option to freely opt out without threat of
penalty if they wish. This could be a win-win for both parties. Libraries could better tailor
their services to benefit the patrons they serve will keeping the patron informed and in
control of their privacy rights. While Joseph Janes does not provide thoroughly worked
out examples of how this would play out and what exactly a library should do in this
situation to keep the data out of unwanted hands, this idea is certainly one that is
interesting and worthy of being discussed if one is in the process of working a policy.
Finally, Engaging Privacy and Information Technology in a Digital Age (2007, p.239)
mentions how self checkout systems can be used to further contribute to promoting
patron privacy. Stating that patrons may be more willing to borrow sensitive or
controversial material if they know that the transactions will be handled entirely by the
checkout machine.
As the issue of privacy is not merely theoretical but a grounded, practical issue in
everyday life, so is the information provided above. The information was designed to
help construct a solid privacy policy for a library. By doing audits on patron information
within the library system librarians will better understand what they are looking at and
how to manage so as to protect the patron. The hypothetical library and its hypothetical
staff would be well equipped to deal with privacy issues by following the information
given. The library in question would likely win the respect and admiration of the
community and its members by showing the community that it cares by taking steps to
ensure that patrons are informed about their rights. Lack of information about privacy
rights or tenebrous information management practices have been reasons why sites
such as Facebook and search engines such as Google have been criticized in the
recent past. These sites offer good examples of what a library should not do when
attempting to establish itself and provide satisfactory service. With the idea Joseph
Janes put forth, the need for clearly detailing patron privacy rights would be crucial. If a
library made sure to keep its patrons aware of their rights while giving them options for
how to potentially allow their information to be used for their benefit, the library would
likely see success from implementing such a feature. Check out terminals are also a
great idea. UNCG's Jackson Library, Greensboro Public Library, and High Point Public
Library all have self check out terminals. They are not only excellent for allowing patrons
nature without the fear or discomfort of having to divulge the contents of the pursuit to
another person, they are also expedient as they can be used if other patrons are
engaging the librarians at the check out desk. I have used them several and think they
are a wonderful addition to any library. Any library that can afford to spare the expense
of buying, installing, and servicing self checkout terminals should do so. If such an
project could be made to the authorities in question to allow for this feature.
All that being said, it bears reminding that the issue of privacy is not merely a
concern for libraries. As Engaging Privacy (p.231) states, Unlike some who see privacy
as a right or good in and of itself, the library community sees privacy as a necessary
condition for the accomplishment of its primary goal, which is to provide the atmosphere
and the resources for patrons to educate themselves in whatever way they desire. This
statement accurately sums up why protecting patron privacy is absolutely necessary for
a library to maintain its integrity (figurative and financial). Libraries simply cannot
function if their users do not feel safe in pursuing information due to lack of protection.
The ALA, of course, has served as a foundation for many libraries in the
formation of a privacy policy. As stated in the ALA's official privacy statement, Everyone
users. Users have the responsibility to respect each others' privacy. In other words, this
is not a one person effort. Protecting privacy should be seen as a collaborative effort in
which library staff and administration work together to build a policy using the
information given above and informing patrons once the policy has been given the
green light.
As the public grows increasingly concerned with the encroachment upon privacy
by corporations who seek to profit from the information gleaned from web searches
(targeted ads, spam, weblining, etc.) it is becoming ever more important to have an
institution dedicated to protecting user rights. Hopefully, libraries will continue to keep
abreast of the latest developments in the political sphere and the implications for privacy
management in the library and thereby continue to protect patron information as many
libraries have been doing for years. As we move into the future, responsible, ethical
librarians will work to ensure that they are doing all they can to empower and inform
their patrons; for the more you know the more you can do.
References
Waldo, J., Lin, H. S., & Millett, L. (Eds.). (2007). Engaging Privacy and Information
Technology in the Digital Age. Washington D.C.: The National Academies Press.
E-book.