Antonio Gross

April 12, 2015

Chris Cunningham

LIS 600

Library Advocacy Research Paper: Privacy in the Library

The issue of privacy is one that is constantly brought up in public discussions

especially when there is a notable breach thereof (celebrity accounts being hacked,

phishing schemes, identity theft incidents, etc.). In the age of digitization the issue of

privacy and the ever increasing erosion of it seem all so pressing as most people leave

personal digital footprints on the internet everyday. These footprints can often be seen

by others and can come to haunt those who are not so discreet in the words and

images they use to craft their digital personas. Employers, for example, can and have

fired employees for what they deemed to be imprudent photos or posts projected on a

social media site such as Facebook or Twitter. In other words, the concept of privacy

and the management of social privacy expectations is extremely important for our

society.

Libraries have long fought to protect patron privacy rights, especially since the

lack thereof could very well discourage potential patrons from using their library's

services and freely pursuing intellectual interests (the very thing libraries strive to

promote). The passing of the PATRIOT Act in 2001 has entailed potentially worrisome

implications for the institution of libraries across the country. In general the issue of

protecting privacy is important because in order for a society to function smoothly and

happily people need to feel sure that they can be free to pursue intellectual interests
and/or fairly protest or offer opposing opinions or beliefs in the public and private

spheres without fear of political sanction or censorship. As such, this paper's intent is to

lay out the issue of privacy in light of the the passing of the PATRIOT Act and show what

some libraries do to protect patron privacy, detail what constitutes a sound and effective

library privacy policy with intent of such information serving as a potential model by

which a library may construct a solid policy if one is not already in place, and show what

would be the intended results of implementing said aspects of a good policy.

According to Michele M. Reid (2009) section 215 of the Patriot Act allows for the

FBI to apply warrants from the FISC (Foreign Intelligence Surveillance Court) to obtain

library patron records to the end of combating terrorism and helping intelligence

investigations. Even more worrisome about this provision is that the FBI does not have

to demonstrate probable cause, only declare it has reasonable grounds to suspect that

library records may be relevant to an investigation (Reid). Reid goes on further to say

that the provision also puts gag orders on librarians who are called upon to relinquish

records to the FBI.

The PATRIOT Act has one other provision that directly pertains to libraries in

section 505. 505 states, according to Hill and Delaney of the Illinois Library Association

(2013), the FBI may issue National Security Letters to obtain records of electronic

communication in the library or from consortiums. Also according to Hill and Delaney,

such requests are not subjected to the judicial oversights that Section 215 issues are.

As the language of the PATRIOT Act provision, as demonstrated by Michele Reid, is

quite vague in regards to what may constitute sufficient cause for obtaining library

patrons records many libraries have policies in place to protect patrons.

 The PATRIOT Act has not gone unchallenged. According to Reid, Library

Connection v. Gonzales involved an NSL (National Security Letter) served to a library

consortium in Connecticut. The FISC ruled that the gag orders issued violated the First

Amendment. Similar rulings were also found in Internet Archive v. Mukasey and Doe v.

Holder. The point of showing these cases is to show that the encroachment of the

PATRIOT Act in regards to libraries is indeed being contested to some extent and that

issue raises serious questions about the ethical soundness of the provisions.

A good and pertinent example of how a library policy can be designed to protect

patrons may be seen in the privacy of UNCG. UNCG's privacy policy quotes the ALA's

policy on privacy that a library should never disclose any record that identifies a person

as having or obtained specific materials, information, or services, or otherwise having

used the library, except when necessary for the reasonable operation of the library,

upon the written consent of the user; or pursuant to subpoena, court order, or where

otherwise required by law. In seeing this privacy policy there is a reflection of the

PATRIOT Act's influence in that libraries would be forced to relinquish patrons required

under the influence of court order. While there is no mention of the gag order

specifically, one could presume such would be entailed by the issue of a court order.

Another good example of a privacy policy can be seen with San Francisco's Public

Library. The library's policy states that it does not collect information about patrons when

they visit the web and will only collect data when the patron voluntarily consents to

divulge such information to the library (such as for library user surveys, etc.). The library

will, however, retain information on items checked out if the patron has an outstanding

charge or has overdue items on the account. The policy page also states that patron
information is stored on a secure server. The end of the page mentions the PATRIOT

Act specifically, including the two 'library' provisions. The page says that the Library

Commission and the San Francisco Board of Supervisors have formally opposed the

act and that they have tried to subvert the act by adopting Proposition E which

stipulates that any requests for library, health, or other personal records goes through to

the Board of Supervisors rather than other city departments to analyze them to

ascertain their constitutionality.

The primary purpose of paraphrasing and describing some library privacy policies

in writing was not only to demonstrate how the PATRIOT Act affects everday library

functioning nor was it simply to highlight some components of a library's privacy policy.

The main purpose was to expose some key traits that make up a good library privacy

policy so that a library could use the information to go about establishing a privacy

policy if one is not in place or if a librarian feels it is missing some crucial aspects. Trina

Magi (2006), an associate professor of the University of Vermont, wrote an article that

details a great deal of what all should go on in formulating a robust privacy policy for a

library. To the end of providing a groundwork for such a task, it will be assumed that the

library that stands to be serviced by the following information would be one that is just

been established and has been staffed by a group of library science and information

studies graduates who are charged with the task of instituting library policies.

One of the first things Magi recommends that a librarian should do is to do a

confidentiality/privacy audit. What this means is that when constructing a privacy policy,

one should familiarize oneself with all the sources that could potentially carry patron

identifiers such as: circulation records, overdue materials records, ILL requests,
database searches, web searches, chat and email, computer usage sign ups, etc. This

key point is interesting as it touches on a point that is easy to lose in sight of pursuing

the goal of purveying information: it is not enough to know what information you can

give to patrons and how you can most effectively give it to them; you also must be sure

that you know what information they are giving you. Further along that line Magi also

recommends not keeping more information than is needed and not keeping it longer

than necessary. It likely is not necessary to keep, for example, extensive medical files

on patrons. If the information does not meaningfully serve the goal of providing user

oriented library service, it is probably unnecessary. Of course, the longer information is

kept, the greater the opportunity that the information could fall into the wrong hands.

Some libraries will detail how long they keep records such as computer log ins and

patron records. For example, the Seattle Public Library's policy (2015) states that when

a customer logs off a Library computer, information about that user session is

automatically deleted. Also when a customer returns materials, information about what

was checked out is automatically deleted at day-end, unless the customer has fines or

has been referred to a materials recovery agency. As can be seen in such a policy,

Seattle Public Library has their institution set up to delete certain patron records by day-

end or after a patron stops using a service thereby potentially mitigating the chance that

such confidential information could be obtained by force of federal request. While

Seattle's library keeps patrons of overdue books and fines, this is to be expected as the

information in question would be used to provide a necessary function in the library

system.

There are many other steps Magi suggests for developing a privacy policy. Some
other key points she details are to divorce patron names from interlibrary loan requests

and not deliver patron records in such a way that they can feasibly be accessed by

unintended parties (e.g.: not delivering information about reserved items or interlibrary

loans on an answering machine, keeping staff computers out of public view, etc.).

A good portion of the checklist Magi put forth stresses advocacy in the form of

educating staff of policies and patrons of their rights. As the adage goes, knowledge is

power and no one knows this more than librarians and information specialists. When

patrons are armed with the knowledge of their rights and are given options for managing

their privacy, they will feel much more secure and confident in their library's

management. Another important part of advocacy Magi mentions that must not be

overlooked is to ensure that other agencies and institutions dealt with have privacy

policies that fall in line with the library's. It would be an egregious oversight to spend a

good deal of time crafting a sound policy only to institute a consortium network with

other libraries that have not updated their privacy policies in years or have not

accounted for potential unwanted consequences in the handling of patron information

(federal requests or hacking attempts). This also applies to third party agencies such as

ISPs (internet service providers) and database suppliers. If the librarians in an institution

spend a good deal of time instituting a good privacy policy it would be a a shame for all

the good, hard work to be undone by partnering with an agency that did not put in the

effort to protect patrons as thoroughly.

In the course of developing a privacy policy, you will have to address the

elephant in the room that is the PATRIOT Act. As Dorotea Szkolar of Syracuse

University's School of Information Studies (2013) states, While the Patriot Act is
controversial, it has existed for over 10 years and been reauthorized by two presidents.

It appears the Patriot Act is here to stay and therefore libraries should expect at some

point to be approached by the FBI under the Patriot Act. It would be best to have a

policy and procedure in place when that happens. This quote captures a big part of

why a privacy policy is necessary for a library. It also serves to stress that one should

prepare for FBI requests and the like. This goes hand in hand with the aforementioned

things one should do in formulating a policy as well as the previous section giving a

cursory overview of Sections 215 and 505 of the PATRIOT Act. While many librarians

and libraries have and will continue to resist the PATRIOT Act, it will remain woven into

the fabric of the United States' social and legal makeup for years to come. It would be

irresponsible to craft a privacy policy without accounting for this. This also goes in hand

with advocacy as it would wise for librarians and libraries to educate patrons as to the

implications of the PATRIOT Act for their privacy and what the library is doing to protect

them if ever the government should knocking.

There is one other thing that can be done and should be offered to patrons.

Joseph Janes (2013) mentions the idea of allowing patrons to opt in to a system in

which they can voluntarily disclose their patron records to the end of enhancing library

user services. The libraries could use the data the way Amazon uses your search

history to recommend items to you on subsequent visits, only the library would inform

the users of this feature and give them the option to freely opt out without threat of

penalty if they wish. This could be a win-win for both parties. Libraries could better tailor

their services to benefit the patrons they serve will keeping the patron informed and in

control of their privacy rights. While Joseph Janes does not provide thoroughly worked
out examples of how this would play out and what exactly a library should do in this

situation to keep the data out of unwanted hands, this idea is certainly one that is

interesting and worthy of being discussed if one is in the process of working a policy.

Finally, Engaging Privacy and Information Technology in a Digital Age (2007, p.239)

mentions how self checkout systems can be used to further contribute to promoting

patron privacy. Stating that patrons may be more willing to borrow sensitive or

controversial material if they know that the transactions will be handled entirely by the

checkout machine.

As the issue of privacy is not merely theoretical but a grounded, practical issue in

everyday life, so is the information provided above. The information was designed to

help construct a solid privacy policy for a library. By doing audits on patron information

within the library system librarians will better understand what they are looking at and

how to manage so as to protect the patron. The hypothetical library and its hypothetical

staff would be well equipped to deal with privacy issues by following the information

given. The library in question would likely win the respect and admiration of the

community and its members by showing the community that it cares by taking steps to

ensure that patrons are informed about their rights. Lack of information about privacy

rights or tenebrous information management practices have been reasons why sites

such as Facebook and search engines such as Google have been criticized in the

recent past. These sites offer good examples of what a library should not do when

attempting to establish itself and provide satisfactory service. With the idea Joseph

Janes put forth, the need for clearly detailing patron privacy rights would be crucial. If a

library made sure to keep its patrons aware of their rights while giving them options for
how to potentially allow their information to be used for their benefit, the library would

likely see success from implementing such a feature. Check out terminals are also a

great idea. UNCG's Jackson Library, Greensboro Public Library, and High Point Public

Library all have self check out terminals. They are not only excellent for allowing patrons

to comfortably pursue intellectual interests of a potentially sensitive or controversial

nature without the fear or discomfort of having to divulge the contents of the pursuit to

another person, they are also expedient as they can be used if other patrons are

engaging the librarians at the check out desk. I have used them several and think they

are a wonderful addition to any library. Any library that can afford to spare the expense

of buying, installing, and servicing self checkout terminals should do so. If such an

expenditure is out of reach given a parsimonious budget limit, perhaps an advocacy

project could be made to the authorities in question to allow for this feature.

All that being said, it bears reminding that the issue of privacy is not merely a

concern for libraries. As Engaging Privacy (p.231) states, Unlike some who see privacy

as a right or good in and of itself, the library community sees privacy as a necessary

condition for the accomplishment of its primary goal, which is to provide the atmosphere

and the resources for patrons to educate themselves in whatever way they desire. This

statement accurately sums up why protecting patron privacy is absolutely necessary for

a library to maintain its integrity (figurative and financial). Libraries simply cannot

function if their users do not feel safe in pursuing information due to lack of protection.

The ALA, of course, has served as a foundation for many libraries in the

formation of a privacy policy. As stated in the ALA's official privacy statement, Everyone

(paid or unpaid) who provides governance, administration or service in libraries has a

responsibility to maintain an environment respectful and protective of the privacy of all

users. Users have the responsibility to respect each others' privacy. In other words, this

is not a one person effort. Protecting privacy should be seen as a collaborative effort in

which library staff and administration work together to build a policy using the

information given above and informing patrons once the policy has been given the

green light.

As the public grows increasingly concerned with the encroachment upon privacy

by corporations who seek to profit from the information gleaned from web searches

(targeted ads, spam, weblining, etc.) it is becoming ever more important to have an

institution dedicated to protecting user rights. Hopefully, libraries will continue to keep

abreast of the latest developments in the political sphere and the implications for privacy

management in the library and thereby continue to protect patron information as many

libraries have been doing for years. As we move into the future, responsible, ethical

librarians will work to ensure that they are doing all they can to empower and inform

their patrons; for the more you know the more you can do.

References

American Library Association. (2014). Privacy: An Interpretation of the Library Bill of

 Rights. http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy

---Questions and Answers on Privacy and confidentiality (2006).

http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/qa-privacy
Delaney, J. & Hill, J. (2013). The US PATRIOT Act in 2013: What it Currently Means for
Libraries. Illinois Library Association. http://www.ila.org/the-usa-patriot-act-in-
2012-what-it-currently-means-for-libraries
Janes, J. (2013). Balancing Privacy and Innovation. Library Journal.
http://lj.libraryjournal.com/2013/08/future-of-libraries/balancing-privacy-
innovation-reinventing-libraries/#_
Magi, T. (2006). Protecting Library Confidentiality-- Checklist of Best Practices.
http://www.ila.org/advocacy-files/pdf/Confidentiality_Best_Practices.pdf
Reid, M. The USA PATRIOT Act and Academic Libraries: An Overview. (2009). College
and Research Libray News vol. 70, no.11 pp. 646-650 Retrieved from
http://crln.acrl.org/content/70/11/646.full

San Francisco Public Library. Privacy Policy. 15 January 2015.

http://sfpl.org/index.php?pg=2000001301
Seattle Public Library. Confidentiality and the USA PATRIOT Act.
http://www.spl.org/privacy/confidentiality-and-the-usa-patriot-act
Skolzar, D. (2013). The USA Patriot Act: Should your Library Have an Official Policy?
Information Space School of Information Syracuse University.
http://infospace.ischool.syr.edu/2013/04/10/the-usa-patriot-act-should-your-
library-have-an-official-policy/

The University of North Carolina at Greensboro. Privacy Policy.

https://library.uncg.edu/info/policies/privacy.aspx

Waldo, J., Lin, H. S., & Millett, L. (Eds.). (2007). Engaging Privacy and Information
Technology in the Digital Age. Washington D.C.: The National Academies Press.
E-book.