I attended the annual EDUCAUSE/Cornell Institute for Computer Policy and Law last week. The Institute is a great experience for anyone interested in policy issues associated with IT systems, including copyright, privacy, and security. For me, spending time listening to campus IT policy folks for a week (and having to speak on library perspectives on the Patriot Act) has led me to think a lot more about authentication issues on library systems and their implications for patron privacy.
Libraries are involved with authentication issues in at least two areas. First, in colleges and universities, the licenses for some library licensed resources may limit access to faculty, staff, and students – access to the general public who might walk into the library is not allowed. In these situations, the library may require users to demonstrate that they are eligible to use the resource, often by authenticating themselves on the network.
Second, many libraries require users to identify themselves before they use public access workstations and other computers in the library. Some libraries require users to sign up to use Internet accessible workstations; others require people to have an account and password in order to log onto a network.
The recent ARL SPEC kit on library public access workstation authentication makes it clear that more and more libraries are requiring users to identify themselves when using the network. What was clear to me at the ICPL Institute is that most IT people feel that everyone on their networks needs to be authenticated and tracked. Their concern is understandable. If, for example, someone uses an Internet workstation in the library to hack into and destroy the institution’s payroll system, the library is going to be blamed. Both the institution and the police are going to want to know who was using that computer at that moment, and the library is going to look bad if it can’t say. At the institute, one network administrator at a major Midwestern university reported that someone at his institution was using a public access library workstation for “nefarious” purposes. As a consequence, the dean of libraries moved quickly to make sure that all use of library computers could be monitored.
The problem, of course, is that as soon as you start tracking who is on your network and when, it becomes possible to determine what they are looking at on the Internet and what they are reading. Authentication systems, therefore, can conflict with our traditional respect for confidentiality of patron records.
Libraries have traditionally tried to protect patron privacy by relying on three approaches. The first has been to allow anonymous use of the library (such as by allowing people to browse on open shelves). Because of required authentication on networks, anonymity is no longer possible.
The second tool librarians have used to protect patrons’ reading habits is state confidentiality laws (which usually require a court order or subpoena to gain access to reading records). Yet Leigh Estabrook’s most recent survey showed that almost half of the librarians surveyed voluntarily provided information on reading habits to law enforcement, apparently without requiring any court order. If librarians aren't very respectful of the privacy of patrons, it is doubtful that the systems people maintaining automated circulation and web browsing records would be more respectful of the confidentiality of these records.
The third approach for protecting patron privacy is to follow an aggressive data retention policy, such as deleting all circulation records from library systems as soon as a book is returned. If you don’t have the records, then law enforcement, overzealous administrators, and civic do-gooders can’t figure out what patrons have been reading (or browsing on the Internet). Of course, it is pretty hard to figure out what the ideal records retention period is. ALA's Guidelines for Developing a Library Privacy Policy talks about the importance of destroying patron records, but without specifying when. There is an interesting initiative underway in the University of California libraries to investigate patron privacy; it includes discussion of data retention policies. Lee Strickland et al.’s article on libraries and the Patriot Act also points out the importance of data retention policies (without specifying what the ideal solution may be). Yet even without clear professional guidelines on data retention, most librarians realize that they may need to destroy as soon as possible records that can identify the reading habits of individual patrons.
The problem is that the librarian’s inclination to destroy personally identifiable information as soon as possible in order to protect the privacy of patrons is running into the desire of network security officials to track the activities of network users – and to maintain these records. In the struggle between librarians’ desire to destroy records to protect patron privacy and network administrators’ desire to preserve records in order to be able to track “nefarious” uses, the security concerns will win. We will no longer be able to destroy records about what patrons were reading on the web.
What does this mean for patron privacy? It means that state confidentiality laws are the best protection for library patrons. While state laws cannot stand up to Federal laws (such as the USA Patriot Act), they can protect to some extent library records. The key issue facing librarians, therefore, will be to educate network and systems staff about the principles of library confidentiality – and their responsibility to follow state confidentiality laws. Librarians may also need to inform their public that everything the patron looks at on the Internet will be tracked by systems – and could be retrieved by court order.
Will this have a chilling effect on patrons’ reading? Probably – but if we can no longer destroy (or not capture in the first place) records of reading habits, we can no longer ensure the anonymity patrons once enjoyed.
point 2 - it depends on the state law - Arizona says patron information is protected, unlike most others which say patron records.
point 3 - same - most if not all state laws have the administrative exception. You'd have to look to see how this is defined. If the hacking affected the administration of the library it seems like a slam dunk that that exception fits. But you have grayer areas like using library computers to hack into OTHER systems... Then you'd have to make your arguments pro or con based on the language of the state law, I would say.
Posted by: Mary Minow | July 13, 2004 at 05:11 PM
For option 1, what I was hearing from the IT folks is that they don't want any anonymous users on their networks, even if it is technically possible. The goal is to make sure that if someone does something bad on the network, you can finger who that person is. I think we can agree that crashing the payroll system is bad, but what about gray areas (reading about methamphetamine production, bomb making, or a book by Michael Moore)?
In point 2, you note that librarians have to protect patron records by law. But if police ask for other information, is it ok to give it to them?
A few weeks ago I was watching a Law and Order: CI episode where the police visit a library and the helpful librarian points out which books the suspect had been reading. Was this good professional and ethical practice? There were no patron records involved - but the police learned about his reading habits just as surely as if the suspect had checked them out.
3. I think that IT folks should get court orders of some kind to look at library records (including records of who was browsing where) - but I am sure they would just look, under the general escape clause that allows libraries to look at records for management purposes. Most network people also have policies that say they can look at traffic (or even your email) if the proper management of the network requires it. I wonder if state library confidentiality laws would trump these administrative policies?
Posted by: Peter | July 13, 2004 at 02:19 PM
1 - you mention that with authentication requirements, anonymity is no longer possible. I'm not sure that will always be true. I wish I were more of a techie to understand this, but I've had lots of conversations with techies who tell me that the use of tokens can be used to deal with this problem. That is, the user is authenticated, given an electronic token that is no longer attached in any way to their identity and let through the electronic gates to a database. The Shibboleth Project of Internet2, as I understand it, is concerned with this problem http://shibboleth.internet2.edu/ though as I understand it, it's not operational in a way that people are happy with yet.
2 - You mention that half the librarians voluntarily give information to law enforcement. Although the rest of the study was interesting to me, that was the one piece that drove me crazy, since the questionnaire didn't distinguish between patron records (which state laws protect) and other patron information (which state laws generally don't protect.)
3- You raise the fascinating question of inter-institutional information sharing. I imagine it would be quite difficult for the library to ask the university's own IT department to get legal process such as a search warrant. Yet it would have to get such process if the nefarious activities happened elsewhere (and the location was, say a library that protected its patron records). Maybe that is the solution. If the IT dept has a good enough case, the extra hurdle is perhaps something that should be gone through...to protect the rest of the innocents. What do you think?
Posted by: Mary Minow | July 13, 2004 at 01:31 PM
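The token idea raised in point 1 above (authenticate once, then hand the user an eligibility token that carries no identity, in the spirit of Shibboleth attribute release), shown as an added illustration that is not part of the original post or of the Shibboleth project: an identity provider checks a password and issues a signed token saying only "affiliation=member"; the licensed resource verifies the signature and expiry and admits the holder without ever learning a username. The user list, shared key, and function names are constructed for this example.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo: a campus identity provider (IdP) and a licensed resource
# share IDP_KEY. The IdP is the only party that ever sees the username; the
# token it issues contains an affiliation, an expiry and a random nonce, nothing
# that links back to the person.
IDP_KEY = os.urandom(32)  # assumption: shared IdP/resource secret
USERS = {"jdoe": ("hunter2", "member"), "guest": ("visitor", "public")}  # constructed


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(username, password, ttl=300, now=None):
    """Authenticate at the IdP; return an identity-free eligibility token or None."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec[0], password):
        return None
    now = time.time() if now is None else now
    claims = {"affiliation": rec[1], "exp": int(now + ttl), "nonce": _b64(os.urandom(8))}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def resource_check(token, now=None):
    """Resource side: verify signature and expiry, admit only 'member' holders.

    Returns (admitted, log_line). The log line is what the resource could
    retain; by construction it names no patron.
    """
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return False, "rejected: malformed token"
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "rejected: bad signature"
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return False, "rejected: expired"
    if claims["affiliation"] != "member":
        return False, "rejected: not eligible"
    return True, "admitted: affiliation=member"
```

The privacy gain holds only if the IdP does not keep an issuance log pairing usernames with nonces or timestamps; the resource side's records are unlinkable, but the IdP's retention policy decides whether the whole scheme is.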