Subscribe to this blog's feed

Contributing Authors

Recent Comments

Recent Posts

Blog powered by TypePad
Member since 04/2004
AddThis Social Bookmark Button

Categories

Privacy

April 11, 2008

State Attorney in Florida complies with library request to get a court order for circulation records

Mary,

Just thought I'd let you know about another subpoena we received for patron circulation records. If you recall, the last time I received a subpoena and challenged it, I was surprised to learn that this one of the first times in Florida a motion to quash a subpoena for library records had been filed.

In this case, we asked the State Attorney (in a different judicial circuit) to rescind the subpoena and provide a court order. The State Attorney had no problem with the request and within 3 weeks we had a court order directing us to turn over information.

This was different than our previous situation where we had to file a motion to quash and then have a judge direct me to release records.

It seems, despite the reluctance from our own city and county attorneys to challenge subpoenas, State Attorneys are willing to follow a process to ensure the protected information they request is obtained without the possibility of appeal.

Best wishes,

Sol

Sol M. Hirsch, Director
Alachua County Library District

------------------
From: Mary Minow
Sent: Friday, April 11, 2008 12:56 PM
To: Sol Hirsch
Subject: RE: Another Subpoena for Records

This is a great story.  Was it really circ records or was it internet use records? Just curious, but do you know what the case was (esp was it trying to establish a time/place for a suspect, or was it centered on the content of the items circulated)?

I'd love to post this on my blog. May I? As is?

Best,
Mary

----------------------------

Mary,

The request was for circulation records only seeking titles and dates checked out and returned. We couldn't comply with the request for the entire time period (one year) because we purge satisfied circulation transactions quarterly. We had about 5 months worth of circulation records available.

Too bad we may lose the person as a patron. He checked out a lot of materials and returned them all on time!

No problem with placing it on the blog.

Best wishes,

Sol

Sol M. Hirsch, Director
Alachua County Library District

Posted by Mary in Privacy | | Comments (7)

Technorati Tags: , , , ,

November 07, 2007

Do you teach your library users how to use your computers safely?

Vesna Gronosky has put together a pamphlet that libraries can use to teach their users how to use the Internet safely. Thanks, Vesna!

computersafety.doc

Posted by Mary in Privacy | | Comments (0)

November 04, 2007

Wiki of state privacy laws in libraries updated

Paul Neuhaus has updated his wiki of state privacy laws in libraries.  Send comments his way - or put them here and I'll get them to him. Thanks, Paul!

Posted by Mary in Privacy | | Comments (0)

Technorati Tags: , , , , ,

October 05, 2007

Privacy 2.0

Reprinted with permission:

Mary--Though I'd keep you updated on what I'm doing with our privacy policy at MCL related to 2.0. Recently added these two paragraphs:

Under Choice and Consent:
If we make a service available for your convenience that may in some way lessen our ability to protect the privacy of your personally identifiable information or the confidentiality of information about your use of library materials and services, we will: 1.) Provide you with a privacy warning regarding that service; and 2.) Make it possible for you to "opt in" or "opt out" of that service. (Here I was contemplating things like saved reading history in the ILS)

Under Third Party Security

Some users may choose to take advantage of RSS feeds from the library catalog, public blogs, hold and overdue notices via e-mail or text message, and similar services that send personal information related to library use via public communication networks. These users must also be
aware that the library has limited ability to protect the privacy of this information once it is outside our control.

Also, note that the change to the Oregon privacy exemption passed and was signed by the Governor:

Oregon Revised Statute 192.502 (22) exempts from disclosure under open records law:

The records of a library, including: (a) Circulation records, showing use of specific library material by a named person; (b) The name of a library patron together with the address or telephone number of the patron; and (c) The electronic mail address of a patron.
Multnomah County Library's privacy and confidentiality policies are in compliance with applicable federal, state, and local laws.

I did a privacy workshop a couple weeks ago for library managers in Washington County--I thought it went very well. I adapted the presentation from the PORTALS Privacy 2.0 workshop.

Hope all is well with you!

Cindy

Posted by Mary in Privacy | | Comments (0)

Technorati Tags: ,

September 14, 2007

State privacy laws and libraries

Paul Neuhaus has been busy updating his great wiki of state laws on the confidentiality of library records.  Thanks, Paul.

Posted by Mary in Patron Records, Privacy, State laws | | Comments (0)

August 08, 2007

Library Elf and the UK

From Philip Jones:

I know I am coming very late into this debate, but Elf is just beginning to get publicity here in the UK, and so the issues are becoming relevant. It has also widened its coverage to library management systems (LMSs) which are mainstream over here.

An interesting slant which is emerging is around Elf's choice not to develop full working agreements with the LMS suppliers themselves. I know of one LMS company which regards with concern and suspicion any attempt by a third-party system to draw down data from its LMS installations unless there is a formal agreement in place which formalises the whole process and includes all appropriate legal protections for both parties and their customers.

I think the LMS suppliers' view is that they implicitly authorise a library service, and its registered customers, to gain access to data on its system in specific ways defined by the system. However, they argue that they do not authorise a third-party system, such as Elf, to act as an intermediary between the end user and the LMS system and to manipulate the data provided. And further that one or more end users cannot legitimately empower Elf to act on their behalf as an intermediary service simply by the process of providing their card number and PIN code to Elf for that purpose. It all seems to hinge on whom the LMS supplier believe they have authorised to gain access to their data files.


Mary: This just came in as a comment to http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html but I figured no one would see it there.  I think that any smart tech person could figure out how to "roll your own" RSS feeds from a library's LMS system, needing only the user's library card number and PIN (if needed to get into the records).  Why do you say end users couldn't empower Elf to act on their behalf... wouldn't that be considered consent? Is consent sufficient in the UK?

What concerns me is that the users don't need to give consent if the LMS password system is weak, as it is in so many libraries in the U.S.  Your ex-girlfriend needs only your library card number and sometimes a (weak) PIN (often the last four digits of your phone number). Do UK LMS companies offer stronger PINs than four digits?

Many have told me that that this weak security has always been the case, Elf or no Elf.  The difference that Elf or any RSS feeds (laden with personal content) makes is the convenience of daily delivery of the records from hither and yon.   

By the way, I just happened to go back to the search box in Bloglines the other day, and typed in "library elf for" and then chose [Search for Feeds] and got about 200 personal feeds  from probably unwitting library users.  Gives me their first names and one more click shows their libraries, books out/requested etc.  At least Elf got rid of their email addresses.  Still, quite disconcerting to see so much personal information floating around, free for me to capture.  I could (but won't) add a screenshot of the names with the libraries and titles.

BloglinesElfScreenshot.doc

Posted by Mary in Europe, Patron Records, Privacy | | Comments (3)

June 23, 2007

Privacy audit - one pager by Karen Coyle

Karen Coyle, who has worked on privacy audits and forms in the past, has just issued a one-pager. This is great for those of us who would like to evaluate one or two new library services and privacy, rather than tackle a full library priacy audit.  Look for SINGLE PAGE FORM at her Infopeople site.

Posted by Mary in Privacy | | Comments (0)

June 14, 2007

Does your library make sure that vendors aren't able to track library users' seaches?

Legally, there are ways by contract.  See ICOLC Privacy Guidelines, California Digital Library, Columbia University Information Sheet for Database Vendors - Authentication/Authorization/Privacy

But legal methods only go so far. They do not anonymize, they merely require confidentiality which can be broken. 

Tech folks - how are you ensuring that users' searches aren't trackable?

Authentication usually happens through the ILS (Integrated Library Service), right? Can readers enlighten me as to their own ILS practices? Once the authentication takes place, the patron is permitted to connect to the database vendor.  Does your library log those authentications in a way that makes it possible to track a particular patron to a particular search?

Posted by Mary in Privacy | | Comments (1)

May 29, 2007

Weak PINs: Question for tech folks about ILS vendors

I notice that many public libraries offer users only a four digit PIN to secure patron records. Some only offer users a pre-set PIN corresponding to their phone number digits.  My question is:  do the major ILS vendors offer stronger user PINs?  Eight digits?  Can libraries offer users an option of setting up easy weak PINs (for those who prefer convenience) while offering other users stronger PINs?

Posted by Mary in Privacy | | Comments (5)

May 24, 2007

Library patron records confidentiality? A proposed exception you could drive a truck through

The Wisconsin Library Association has a good explanation of the recent state attorney general opinion finding library surveillance tapes protected as library records under state law.   Unfortunately, in my estimation, the proposed amendment seems to be written more broadly than it need be.

5) Library records may be released for administrative library purposes, including establishment or maintenance of a system to manage the library records or to assist in the transfer of library records from one records management system to another, compilation of statistical data on library use, collection of fines and penalties, and the protection of library staff, library users, and library property.  Records released to third parties for administrative library purposes may not be used or disclosed for any other purpose.

Protection of staff, users, property? Who decides? Isn't that exactly the reason law enforcement generally ASKS for patron records?  The library shouldn't decide when patron records should be turned over, and neither should law enforcement.  A neutral, detached magistrate should decide, evaluating the context --  weighing both security and privacy. The magistrate will then issue court orders in some cases and deny them in others.

It seems that the problem could be better cured by defining library records more narrowly.

Posted by Mary in Patron Records, Privacy | | Comments (0)

Technorati Tags: , , , , ,

Next »