
Patron Records

September 14, 2007

State privacy laws and libraries

Paul Neuhaus has been busy updating his great wiki of state laws on the confidentiality of library records.  Thanks, Paul.

August 20, 2007

Don't ask for social security numbers in library applications

Some libraries still ask for social security numbers on their library applications. Others have stopped that practice, but haven't purged their patron record databases of these numbers.   

Yes, collection agencies want the numbers, and perhaps having this information can increase your success rate in tracking down scofflaw patrons.   

But consider the downside.  If someone hacks your database, or if you have a bad employee, this highly sensitive information is at risk.  Once it's gone, it's gone. Patrons have little recourse once identity thieves get their hands on these numbers.

Comments, readers?

August 08, 2007

Library Elf and the UK

From Philip Jones:

I know I am coming very late into this debate, but Elf is just beginning to get publicity here in the UK, and so the issues are becoming relevant. It has also widened its coverage to library management systems (LMSs) which are mainstream over here.

An interesting slant which is emerging is around Elf's choice not to develop full working agreements with the LMS suppliers themselves. I know of one LMS company which regards with concern and suspicion any attempt by a third-party system to draw down data from its LMS installations unless there is a formal agreement in place which formalises the whole process and includes all appropriate legal protections for both parties and their customers.

I think the LMS suppliers' view is that they implicitly authorise a library service, and its registered customers, to gain access to data on its system in specific ways defined by the system. However, they argue that they do not authorise a third-party system, such as Elf, to act as an intermediary between the end user and the LMS system and to manipulate the data provided. And further that one or more end users cannot legitimately empower Elf to act on their behalf as an intermediary service simply by the process of providing their card number and PIN code to Elf for that purpose. It all seems to hinge on whom the LMS supplier believe they have authorised to gain access to their data files.


Mary: This just came in as a comment to http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html but I figured no one would see it there.  I think that any smart tech person could figure out how to "roll your own" RSS feeds from a library's LMS system, needing only the user's library card number and PIN (if needed to get into the records).  Why do you say end users couldn't empower Elf to act on their behalf... wouldn't that be considered consent? Is consent sufficient in the UK?

What concerns me is that the users don't need to give consent if the LMS password system is weak, as it is in so many libraries in the U.S.  Your ex-girlfriend needs only your library card number and sometimes a (weak) PIN (often the last four digits of your phone number). Do UK LMS companies offer stronger PINs than four digits?

Many have told me that this weak security has always been the case, Elf or no Elf. The difference that Elf or any RSS feeds (laden with personal content) makes is the convenience of daily delivery of the records from hither and yon.

By the way, I just happened to go back to the search box in Bloglines the other day, and typed in "library elf for" and then chose [Search for Feeds] and got about 200 personal feeds  from probably unwitting library users.  Gives me their first names and one more click shows their libraries, books out/requested etc.  At least Elf got rid of their email addresses.  Still, quite disconcerting to see so much personal information floating around, free for me to capture.  I could (but won't) add a screenshot of the names with the libraries and titles.

BloglinesElfScreenshot.doc

May 24, 2007

Library patron records confidentiality? A proposed exception you could drive a truck through

The Wisconsin Library Association has a good explanation of the recent state attorney general opinion finding library surveillance tapes protected as library records under state law.   Unfortunately, in my estimation, the proposed amendment seems to be written more broadly than it need be.

5) Library records may be released for administrative library purposes, including establishment or maintenance of a system to manage the library records or to assist in the transfer of library records from one records management system to another, compilation of statistical data on library use, collection of fines and penalties, and the protection of library staff, library users, and library property.  Records released to third parties for administrative library purposes may not be used or disclosed for any other purpose.

Protection of staff, users, property? Who decides? Isn't that exactly the reason law enforcement generally ASKS for patron records?  The library shouldn't decide when patron records should be turned over, and neither should law enforcement.  A neutral, detached magistrate should decide, evaluating the context --  weighing both security and privacy. The magistrate will then issue court orders in some cases and deny them in others.

It seems that the problem could be better cured by defining library records more narrowly.

Recommended at ALA conference: Libraries, privacy and intellectual property - Friday June 22, 2007

https://www3.oclc.org/app/ala_registration/

Friday June 22, 2007 1:30 – 4:30 pm, Grand Hyatt Washington, Independence Ballroom A
OCLC Symposium: Is the Library Open?
Join your colleagues and OCLC for an interesting afternoon discussion. Hear from three experts on the issues of information property law, copyright, digital communication, intellectual property and user privacy rights in relation to library policies. They are:

  • Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC) and professor of privacy law at Georgetown University Law Center
  • Siva Vaidhyanathan, a cultural historian, media scholar and Associate Professor of culture and communication at New York University
  • Mary Minow, Library Law Consultant with LibraryLaw.com, coauthor of The Library's Legal Answer Book and a public librarian for 10 years.

April 10, 2007

Privacy and virtual reference, ask-a-librarian chats etc.

Here's a link to a paper I wrote with Paul Neuhaus on privacy and virtual reference for the American Library Association.  http://www.ala.org/ala/washoff/contactwo/oitp/MinowNeuhaus2005Sept15.pdf

April 02, 2007

Hooray - I figured out how to use tags instead of categories in this blog

As I suspected, it's much easier and more flexible.  So if any of you are looking for new posts based on categories, you may not find them. Use the technorati tags at the bottom of a post instead. If it works like I think it will, I'll probably stop using categories altogether.

Update: It looks as if users who click on a technorati tag below will get everyone in the world's posts with those tags. That's useful, but it would be nice to have an option to limit it to this blog, the way flickr does.  Well, there's always the search button in the blog...

April 01, 2007

Are spammers using public records requests to get your patrons' email addresses (off their library card registrations)?

I'm starting to hear about this trend. Is it happening to your library? On the one hand, it sounds so far-fetched that anyone would go to the trouble to get patron email addresses by making public records requests to libraries. Further, it seems so obvious that this personal information would/should be exempted, but you'd have to look at the wording of your state law to see if it is. On the other hand, maybe it's cheaper and better information than spammers could buy off other types of marketing lists. After all, library patrons are, whatever else you can say about them, usually real people.

Library folks in Oregon recently told me that SB 950 is moving (and quite likely to pass) in their state legislature. It would exempt patrons' email addresses from public disclosure under the state public records law.

March 28, 2007

Law of Libraries and Archives

Just discovered a website on the Law of Libraries and Archives, by Bryan M. Carson. It's an adjunct to his book published in December 2006 by Scarecrow Press, which I just ordered :>

March 27, 2007

What do you do if law enforcement need a patron record to help identify a woman rescued from drowning?

A librarian recently asked me about this situation:  Law enforcement rescue a woman from drowning, find a library card on her, and need to identify her quickly.  Maybe she's at risk of dying and they want to call her next of kin.   [The library tried the number and there was no answer.]

Do you turn over her name and phone number without a warrant or even a subpoena? 

This is a tough one.  What are readers' experiences?

I just came across a good discussion on responding to "exigent circumstances" in a sample CALEA compliance report posted at EDUCAUSE.  The American Library Association has Jan 2007 guidance on CALEA here. This applies to federal wiretaps - so it's not exactly the same situation. Nevertheless, it gives food for thought.

Law enforcement doesn't need a warrant when there are exigent circumstances involving a life threatening injury. This doesn't generally require library patron records - it's more like chasing a fleeing felon. What if they need the library's cooperation, however?

The procedures that follow are geared toward federal wiretapping. From http://www.educause.edu/ir/library/pdf/EPO0704.pdf page 10, at 1.3:

In certain limited situations, Law Enforcement personnel can declare that “Exigent Circumstances” exist that require that they be given access to customer information without a Subpoena or Court Order. Examples of Exigent Circumstances include kidnappings, hostage situations and other life threatening emergencies where the delay in obtaining the normal Subpoena or Court Order could result in death or serious injury. When this occurs, Law Enforcement Agencies can request that MetroPCS turn off a customer’s phone service or requests a Temporary PIN Register or Wiretap lasting up to 48 hours, without a Subpoena or Court Order. If MetroPCS field personnel receive an Exigent Circumstances request, they should immediately notify the Audit & Security Services Department to seek guidance before taking any action.

At a minimum, requests for interceptions citing Exigent Circumstances must include:

a. the information, facilities, or technical assistance required.
b. the period of time during which the provision of information, facilities, or technical assistance is authorized.
c. a statement that no warrant or court order is required by law.
d. a statement that all statutory requirements have been met.
e. a statement that the specific requested assistance is required.
f. the signature of EITHER (i) the Attorney General of the United States, OR (ii) a law enforcement officer specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, or by the principal prosecuting attorney of any state or subdivision thereof.