Categories

Subscribe to my Podcast
Subscribe to this blog's feed

Recent Comments

Recent Posts

Blog powered by TypePad
Member since 04/2004
AddThis Social Bookmark Button

Categories

PATRIOT Act

July 30, 2006

Good LJ article on ELF

Elizabeth Burns has a very interesting article  in the 15 July issue of Library Journal on ELF and other attempts to make library ciruclation records more accessible to patronsShe is concerned about what happens when "the long-held tradition of patron record privacy is violated by patrons themselves."  Mary Minow's analyses of ELF are cited in the article, as is Paul Neuhaus's page on "Digital Reference and Privacy."

Burns doesn't have any answers, but it is a good summary of some of the policy questions involved as we try to balance privacy and convenience.

Posted by on July 30, 2006 in PATRIOT Act, Patron Records, Privacy | | Comments (0)

| | | |

May 11, 2006

Query: How to respond to reauthorized Patriot Act?

I was recently asked how the changes in the reauthorized Patriot Act affect libraries - specifically, how should administrators respond?  Are there more points at which they need to excercise judgment or discretion?  The American Library Association's analysis is here.  Other thoughts?

Posted by on May 11, 2006 in PATRIOT Act | | Comments (0)

| | | |

March 09, 2006

Patriot Act Reauthorization Fails to Include Sufficent Protection for Libraries and Bookstores

Susan Nevelow Mart writes: The library and bookstore community didn't get the protections it wanted in the Patriot Act reauthorization.  It didn't get language to require that  the person whose records were being requested was strongly suspected of terrorism.  However, the fight goes on. Senator Arlen Specter (R-PA) introduced a bill in Congress on Monday to amend the Patriot Act to protect civil liberties. The bill has eleven co-sponsors, and the text of the bill, S. 2369, is available online.

The bill would require a sunset for the Patriot Act's expanded authority for issuing National Security Letters. The bill would also amend Section 501(b)(2)(A) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861(b)(2)(A)), to include a relevancy standard for a FISA order.  The application for an order would have to include a statement of facts showing that the records or things sought in the order are:

"relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities; and either pertain to a foreign power or an agent of a foreign power; are relevant to the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or pertain to an individual in contact with, or known to, a suspected agent of a foreign power.

Currently, the standard is only that the documents and things requested have some “relevance” to a terrorist investigation, which is very broad. The new language would require that the records relate to a person with some demonstrable connection to a terrorist or terrorist group.

The co-sponsors are Larry Craig (ID), Richard Durbin (IL), Russell Feingold (WI), Dianne Feinstein (CA), Chuck Hagel (NE), John Kerry (MA), Patrick Leahy (VT), Lisa Murowski (AK), Barack Obama (IL), Ken Salazar (CO), and John Sununu (NH).

I'm sending my senator a letter of support.

    Posted by on March 09, 2006 in PATRIOT Act | | Comments (0)

    | | | |

    February 06, 2006

    Protecting Library Patrons is Not the Same as Protecting Terrorists

    Susan Nevelow Mart:   Today's Boston Globe ran a story called When Librarians Protect Terrorists. The author, Richard L. Cravatts, believes that no one, and particularly no librarian, has the right (or the training) to deny a law enforcement request for patron computer terminal records, even when law enforcement has only made a verbal request. For a discussion of the kinds of legal process that are available to require a library to turn over records, see Mary Minow's article Library Records Post-Patriot Act. But according to Cravatts. when the law shows up, you have no option but to turn over anything a law enforcement officer asks for. In support, he quotes Heather Mac Donald:

    Like it or not, once you've disclosed information to someone else, the Constitution no longer protects it.  This diffuse-it-and-lose-it rule applies to library borrowing and Web surfing as well, however much librarians may claim otherwise.

    Merely "disclosing," however, is not enough to lose one's 4th Amendment rights. Flawed as it is in the modern day, the Supreme Court's Smith v. Maryland is still the law: that was the case that held that the police can't listen to the content of a phone call, where John is disclosing something to Mary, without a warrant, because, among other things, of the speaker's expectation of privacy. Similarly, the police can't "listen" to the computer traffic of everyone on a public computer, just because they want to. Unless there are exigent circumstances, the police need a warrant. Even the FBI in this case thought so, as they waited for one. Mr. Cravatts is incensed because the library director insisted on enforcing the rights of her patrons.

    The police and FBI sought the computer because they had received a "credible" bomb threat at Brandeis University, and had traced the threat to a public computer at the local public library. There is no information in the article about what the library director was told, or how the officers acted, what direct observation evidence the librarians could have given, or, for that matter, why it took ten hours (a very long time)  to get a warrant. 

    There is a distinction between investigating a crime in progress and a crime that has already been committed, and if there were exigent circumstances the police could have acted without a warrant. In this case. they were clearly not willing to bet that the circumstances allowed them to perform a warrantless search and seizure.

    I suspect there is more to this story than has currently been reported.

    Thanks, Jack, for the correct spelllings.

    Posted by on February 06, 2006 in PATRIOT Act | | Comments (5)

    | | | |

    January 05, 2006

    Summary of what I learned about library patron records, RSS feeds, Library Elf in plain English - plus a new way to look at lobsters

    Although I've gotten some good comments to my postings about patron privacy and RSS feeds, I've gotten lots of reactions that make me feel like I "have lobsters crawling out of my ears." (description borrowed from Paul Holliday, Cranston Public Library.)

    That is, just seeing "RSS Feed Security" makes some folks feel a little gooey, even when they otherwise have great clarity on the importance of patron privacy. Yet what good does it do to take a stand against the PATRIOT Act if library records are not terribly private in the first place?

    Here's a summary of a series of posts on what I've learned as I've tried out Library Elf - a third party service that offers email and RSS delivery of your own patron record, as well as the records of other cards you input.  This can be done without your library's involvement, since the Elf finds library patron databases on its own.

    Problem One: By signing up for RSS feeds, some library users can unwittingly show others what they have checked out.

    I accidentally stumbled on live patron records, including email addresses, first names, and titles of books checked out, on hold etc.  I found them by typing "library elf" into a bloglines search box.  What I saw were records of patrons from various libraries who signed up for Library Elf's RSS delivery to Bloglines.com, a popular web-based RSS reader.

    Library Elf took quick action (A+ on responsiveness) after my discovery and immediately stopped sending out those particular RSS feeds. It also issued a warning to users about this issue. Today it says "error error error" if you do the search. In fact, if you've never seen an RSS feed, congratulations for reading so far into this post.  To see one, do the Bloglines search right now and click on one of the matches. You'll see a frozen snapshot of pretty much what I saw. You may have to scroll down to see the actual patron records.

    The Seattle and Ann Arbor public libraries offer direct RSS feeds from their libraries (don't need Elf) to deliver patron records. Maybe your library does too.  These libraries have apparently been grappling with the privacy issue for some time, and do not show the patron's email address in the RSS feed. Seattle shows the patron's first name (not bad for "Joe" but not so great for "Esmerelda").   Ann Arbor shows no names, no identifying information

    Both Seattle and Ann Arbor issue warnings to users that their feeds may be public, though Seattle's warning makes it sound like you can set your feeds to "private." (In reality, even setting a feed to "private" when using Bloglines does not make it private).

    How to fix it: Probably look to Ann Arbor District Library as a model - no names, no identifying information, warnings to patrons.

    Problem Two: Even when patrons don't sign up for RSS feeds or even know what they are, snoops can sometimes get RSS feeds to see what other people have checked out -- if the library has weak patron database security.

    Libraries that let you see your record just by typing in the card number (and sometimes a PIN like the last four digits of your phone number) have pretty-poor-privacy-security.  At one level, I guess I always knew that, but using Library Elf made me realize that it's a bigger problem than I realized. 

    That is, signing up with Elf (or a related service if there is one), allows you to enter multiple library cards all at once, and get the records sent to you regularly, by RSS or by email.  Either way, you don't have to go back time after time to hunt for records.  Takes 99% of the work out it - just take five minutes to set it up one time, and get other-people's-library-records delivered to your computer til the end of time.  Quick, easy, convenient snooping.

    How to fix it:  (1) Libraries could stop letting patrons into library patron databases or (2) Libraries could greatly strengthen the passwords needed to get in.  Don't use card numbers and phone numbers. Let patrons set up their own user names and strong passwords. 

    ----------

    As always, feel free to comment with clarifications or corrections.  I'm not a techie, but a library law consultant, concerned with privacy of patron records.

    -----

    Jan 6 note - I'm still tinkering with some wording in this post to try to make it clearer - if I think I'm changing any substance I'll try to indicate that.  - MM

    Posted by on January 05, 2006 in PATRIOT Act, Patron Records, Privacy | | Comments (4)

    | | | |

    December 09, 2005

    How will the PATRIOT Act reauthorization affect ordinary people?

    I just got a call from a national reporter with that question today - so I ask readers to contact me via blog or email before Monday when I give her my reply.  How will the reauthorization affect ordinary folks, if the latest conference version is passed by the full Congress?  (See readerprivacy comments and excerpt from latest conference report below). How has the Act already affected ordinary folks? If I can use your name, be sure to indicate that.

    Mary

    ---------

    From ReaderPrivacy:

    Dear Reader Privacy supporters,

    As you probably already know, House and Senate negotiators reached an agreement on the USA PATRIOT Act's extension yesterday, Thursday, December 8. The agreement would extend for four years Section 215, which permits secret warrants for books, records, and other items from businesses, hospitals, and organizations such as libraries. No changes were made to the standards for obtaining these orders, nor for those for obtaining National Security Letters (NSLs). Section 505 of the PATRIOT Act, authorizing NSLs, still has no sunset.

    While we do appreciate that the conference report now sunsets Section 215 in four years instead of seven, this change is not sufficient to protect the privacy of library users from fishing expeditions by the FBI.

    Six senators (three Republicans, three Democrats) are committed to filibustering the House conference report when it comes to the Senate; they are requesting a three-month extension of the current provision to allow time for Congress to make further improvements to the bill. Senators Durbin, Feingold, Craig, Sununu, and Salazar said today: "We still can—and must—make sure that our laws give law enforcement agents the tools they need while providing safeguards to protect the constitutional rights of all Americans."

    The Campaign agrees and now asks for your assistance. Please let your Senators and Representatives know that you strongly support efforts to delay a vote on the PATRIOT Act bill until Congress restores full protections for bookstore and library records.

    Please call or fax your Senators today and urge them to vote as follows:

        (1) NO on a motion for cloture (ending debate for an immediate vote);
        (2) NO on the conference report; and
        (3) YES on a motion for a continuing resolution.

    Please contact your Representative and urge them to vote:

        (1) NO on the conference report; and
        (2) YES on a motion for a continuing resolution

    For a good summary, please visit the Bill of Rights Defense Committee's web site.

    Thank you for your support!

    -------------------------------------------------
    The Campaign for Reader Privacy is a joint initiative of the American Library Assocation, the American Booksellers Association, the Association of American Publishers, and PEN American Center.

    www.readerprivacy.org

    --------------------

    The Federation of American Scientists posted the latest conference report from the Congressional record   http://www.fas.org/irp/congress/2005_rpt/hrpt109-333.html

    Excerpt below:

    Continue reading "How will the PATRIOT Act reauthorization affect ordinary people? " »

    Posted by on December 09, 2005 in PATRIOT Act | | Comments (4)

    | | | |

    November 29, 2005

    My library elf - the joy and the horror

    I had to see it for myself as soon as Deborah Caldwell-Stone told me about the library elf.

    It's a service that offers me email alerts and even an RSS feed when my reserved library books are ready for me to come on down and reminders when the books I have are due back. It tells me if I have fines, and I think if I'm nice enough, it'll bring my books back for me.

    Oh my.  I can put in other people's library cards and get their information too - all I need is their card numbers, and if their library requires it, their PINs.  Library Elf helpfully tells me that in many libraries, it's just the last four digits of their phone number, and that some libraries don't use PINs at all.  How wonderful for parents who want to see what their teenagers are reading. Or vice versa. [clarification update: my tone here is peevish and churlish.  My Ann Arbor confidante called today to make sure you know that]

    Legitimate users "opt-in," but I bet I could pretty easily get into other folks' records even if they don't live with me.  I could just paw through some libraries' user accessible hold shelves, or perhaps peer at someone's self-checkout screen or pick up their receipts.

    My local libraries are on their list.  I signed up.  In less time than it took to blog this, I now have both the email and RSS service.  In a nanosecond I saw my whole library record - much more convenient than slogging through my own library's website which scatters my records on various screens

    I saw three titles waiting for me, and every title I have out. I'd show you a screenshot, but frankly, I don't want the world to see what I'm reading. Here's their demo screenshot.

    I don't work at a library any more ... and believe me, this is handy for those of us regular folks who don't go there every day.

    Privacy? Did someone say privacy?

    It's a Canadian company that says it doesn't think it's subject to PATRIOT Act orders...that part I like.  But although its FAQ says it won't give out my personal information without a court order, its privacy policy says something different.  It tells me they might give my information to respond to government investigations too .... a much broader reach. 

    Did my library actually agree to this, or was it a Dynix-wide decision?  Any librarians reading this who want to chime in?  Am I putting my privacy at risk by using it, or does it matter, since the weaknesses that could compromise my privacy are in the system whether I make use of it or not?  If I choose email delivery, isn't that the same compromise I made when I signed up for unencrypted email notices from my library?  Is RSS any more or less secure?

    While I'm on this topic, is there someone who can tell me an easy way to encrypt email for sender and receiver? I tried ziplip years ago without success.

    Posted by on November 29, 2005 in PATRIOT Act, Patron Records, Privacy, Search warrants, subpoenas, surveillance | | Comments (18)

    | | | |

    November 18, 2005

    Charts to Understand Patriot Act Reauthorization

    Thanks to Patrice McDermott of the American Library Association, via Anne Reuland, we now have up-to-date side-by-side comparison charts to explain the Patriot Act reauthorization bill's impact on library records, at least as of today.

    PATRIOT Act "library records" Sect. 215 Reauthorization - handy chart

    PATRIOT Act "national security letters" Sect. 505 Reauthorization - handy chart

    Posted by on November 18, 2005 in PATRIOT Act | | Comments (0)

    | | | |

    November 16, 2005

    Full Protection for Libraries & Booksellers Doesn't Make It Into the Compromise Final Version of the Patriot Act Reauthorization Legislation

    Hot off the press from the Campaign for Reader Privacy, is news from the joint conference committee whose mandate was to reconcile the House (H.R. 3199) and Senate (S. 1266) versions of the Patriot Act re-authorization legislation. The joint committee version did not include some of the key protections the library and bookseller communities had requested and which were included in the Senate version of the bill, including requirements that:

    • the FBI must show that the individual whose records are being sought is suspected of involvement in terrorism or other criminal activity;
    • that booksellers and librarians who receive PATRIOT Act orders be allowed to challenge their validity in court;
    • that the current permanent and generalized gag order that accompanies PATRIOT Act warrants be replaced by temporary orders in specific circumstances.

    The Senate version of the legislation included a requirement of individual specific suspicion; this was dropped in the joint version of the bill. The new version only allows challenges to a Section 215 order in the FISA court, whose proceedings (and rules) are secret. The joint version of the bill has Section 215 sunset in seven years.

    According to the Campaign for Reader Privacy, the House of Representatives rules require that a conference report be published for three days before a final vote on the legislation.  However, House leaders say they will waive this requirement. The vote could happen Thursday or Friday.

    It's time once again to contact your Senators and Representatives and request them to vote against this bill.

    Posted by on November 16, 2005 in PATRIOT Act | | Comments (2)

    | | | |

    Miranda warning to library users

    Connecticut attorney and rare bookshop owner Norman A. Pattis asks if we need something akin to Miranda warnings "to folks brave enough to check a book out from a library, or to use a database"

    "You have the right to enter this library and to use its contents, but understand that by doing so, you are waiving your right to privacy, and your right to consult with an attorney should the government decide your taste in reading is relevant to the national security."

    -Crime and Federalism blog entry November 7, 2005

    Read the whole entry.  It's vivid writing for an attorney:

    No judge authorizes the request for information. No prosecutor even reviews the request. No grand jury asks for it. We are told simply to bend and to spread because a G-man in heat wants to poke and prowl. What became of the Fourth Amendment?

    Posted by on November 16, 2005 in PATRIOT Act, Patron Records, Privacy | | Comments (3)

    | | | |

    « Previous | Next »