I made a major discovery since my last post, in which I mused that I didn't think it made any difference to my privacy if I was a Library Elf subscriber or not.
It does, and how. Turns out anyone can see
your [12/28- some] Library Elf RSS feeds.* Doesn't matter if they know your card number, PIN, or even your name.
Here's what happened: I had my Bloglines.com reader open for blog reading. I typed "library elf" in the SEARCH ALL BLOGS box. Imagine my surprise when I got 228 results, most of which are individuals' accounts - one more click gives you first names, email addresses, titles borrowed, on hold, etc.
Maybe that's why libraries haven't been offering RSS feeds for user accounts. I suspect it's a hole in RSS itself. Anyone know?
Unless you really don't care if anyone sees your record, you'll want to delete any ELF accounts now [12/28- if you use Bloglines or possibly other web-based RSS readers]. If not, personal information about you may be floating around - great for bringing you email scams targeted to your reading interests - or worse.
Personal note: I'm sad to find this - as it means I have to go back to horse-and-buggy days to check when my books are due. Well, not literally, but it's amazing how quickly we become accustomed to convenience.
*(At least if you use Bloglines as your RSS reader - though for all I know it may be true for all Elf users with RSS feeds)[Update 12/28 - Only true for users who sign up with Bloglines and possibly other web-based RSS readers-mm]
Added later 12/27- It seems to me that even if libraries offered strong passwording, this RSS leak would remain. I'm speaking now about library users who voluntarily type in their library passwords when they sign up for an Elf account. The Elf apparently stores this forever unless the user changes or terminates the account. A strong password would only be a higher quality key left in an open door.