Yesterday I received my copy of the latest issue of a journal I subscribe to. On the front cover is an abstract image with the caption "under surveillance." As one might imagine, this is a nod to the ongoing government surveillance scandal (I think at this point, the term "scandal" is appropriate). So far, I've kept my discussions on this issue to verbal conversations with my fellow citizen, but the image on the cover of a scholarly journal about librarianship led me to wonder: "what role do libraries play to maintain patron privacy and what role should they play?"
To be sure, this is a topic that has been discussed at great length, and not just in the recent past. And for those that know and understand librarianship, this comes at no surprise; after all, as this ALA explanation of privacy shows, patrons have an right to privacy implied in the Library Bill of Rights (a document that defines policies all libraries should follow). However, in light of the recent revelations of the NSA's surveillance activities, one's actual level of privacy engaging in any activity is now suspect. This thought process is what spurred me to ask my question.
An interesting result of the NSA "revelations" has been seen in the consumer market. Products are now being evaluated and/or promoted based on their ability to protect consumers from NSA surveillance. The latest iPhone, for example, has a fingerprint reading security feature that stores the fingerprint information on the phone, not on Apple servers. This means that Apple will never have that data, so it would never be able to turn that data over to the government. John McAfee, a name known in the computer industry as the developer of a popular computer anti-virus software, has also announced a new product in the works that will supposedly protect people against NSA surveillance. Since libraries are big advocates for their patrons' privacy, what effort are they putting into keeping their patrons' information as private as possible?
For answers, I turned to the policies of three libraries I am familiar with. Two of the three are public libraries (Alameda County Library and MCFL), and one is an academic library (SJSU). I use all three fairly regularly. I was surprised to find no mention of patron confidentiality or privacy policies on the policy section of the Alameda County Library website (which is worrisome since this is the one I use the most). The MCFL policy was quite explicit in what information the library collected, how it was used, and in some cases how long it was kept. The SJSU library also has a confidentiality policy that outlines what information is collected, including what specific confidential information is collection, but no mention is made of how long the information is kept (which can imply it's kept indefinitely). What's interesting is that the MCFL and SJSU policies are years old; one was first instituted in 2003, the other in 2006. Existing library privacy/confidentiality policies are well-established.
So where does this information leave us? Well, we can assume that many libraries (but not all) are aware of and take pains to inform their patrons what information the library collects and how it can be used. Both available policies do explain that they will release information required by subpoena or court order, which put them in the same boat as many other law-abiding companies and organizations. In other words, there may not be a lot of "extra" protection that libraries give their patrons.
Except when they do. The MCFL policy notes the length of time that the library will keep certain kinds of information. On the list of information collected are materials that the patron has checked out, the information on who last checked out an item, transaction details for fines owed and late items, and transaction details on fines paid or waived. Each of these pieces of information is only kept for a limited amount of time, not indefinitely. If a patron returns an item on time and that item is checked out twice more (or up to six months pass before the item is checked out again), there is no record to link that patron to the item he or she borrowed; for a popular title, that information will disappear quite quickly. Because the library doesn't keep the information, the library would be unable to pass it on to, say, any government agency asking for it.
If we're going to talk about best practices, I would suggest that MCFL's policy become the ideal for libraries. I understand that libraries have to keep statistics on things like circulation, web usage, and other measures of use, but there are ways for the library to collect and maintain that information anonymously. Logically, MCFL has to be doing so to some extent since transaction details are deleted after a set amount of time, and if MCFL is managing other libraries probably are as well.
Libraries can be and should be the model for transparency and privacy. At the very least, all libraries should be openly providing access to their policies on what information is being collected from patrons. If such a policy does not exist, why not and how soon can that be recified? More libraries need to adopt of level of confidentiality and refrain from keeping patron information indefinitely. This will allow patrons to assume some anonymity and safeguard their privacy.
And now I will (temporarily) step down from my soap box.
Have you thought of submitting this to a few library journals? So relevent for these times.
ReplyDelete