Issues concerning libraries and the law - with latitude to discuss any other interesting issues Note: Not legal advice - just a dangerous mix of thoughts and information. Brought to you by Mary Minow, J.D., A.M.L.S. [California, U.S.] and Peter Hirtle, M.A., M.L.S. Follow us on twitter @librarylaw
Karen Coyle, who has worked on privacy audits and forms in the past, has just issued a one-pager. This is great for those of us who would like to evaluate one or two new library services and privacy, rather than tackle a full library priacy audit. Look for SINGLE PAGE FORM at her Infopeople site.
But legal methods only go so far. They do not anonymize, they merely require confidentiality which can be broken.
Tech folks - how are you ensuring that users' searches aren't trackable?
Authentication usually happens through the ILS (Integrated Library Service), right? Can readers enlighten me as to their own ILS practices? Once the authentication takes place, the patron is permitted to connect to the database vendor. Does your library log those authentications in a way that makes it possible to track a particular patron to a particular search?
I notice that many public libraries offer users only a four digit PIN to secure patron records. Some only offer users a pre-set PIN corresponding to their phone number digits. My question is: do the major ILS vendors offer stronger user PINs? Eight digits? Can libraries offer users an option of setting up easy weak PINs (for those who prefer convenience) while offering other users stronger PINs?
The Wisconsin Library Association has a good explanation of the recent state attorney general opinion finding library surveillance tapes protected as library records under state law. Unfortunately, in my estimation, the proposed amendment seems to be written more broadly than it need be.
5)Library records may
be released for administrative library purposes, including establishment or
maintenance of a system to manage the library records or to assist in the
transfer of library records from one records management system to another,
compilation of statistical data on library use, collection of fines and
penalties, and the protection of library staff, library users, and library
property. Records released to third parties for administrative library purposes
may not be used or disclosed for any other purpose.
Protection of staff, users, property? Who decides? Isn't that exactly the reason law enforcement generally ASKS for patron records? The library shouldn't decide when patron records should be turned over, and neither should law enforcement. A neutral, detached magistrate should decide, evaluating the context -- weighing both security and privacy. The magistrate will then issue court orders in some cases and deny them in others.
It seems that the problem could be better cured by defining library records more narrowly.
Friday June 22, 2007 1:30 – 4:30 pm, Grand Hyatt Washington, Independence Ballroom A OCLC Symposium: Is the Library Open? Join your colleagues and OCLC for an interesting afternoon discussion. Hear from three experts on the issues of information property law, copyright, digital communication, intellectual property and user privacy rights in relation to library policies. They are:
Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC) and professor of privacy law at Georgetown University Law Center
Siva Vaidhyanathan, a cultural historian, media scholar and Associate Professor of culture and communication at New York University
Mary Minow, Library Law Consultant with LibraryLaw.com, coauthor of The Library's Legal Answer Book and a public librarian for 10 years.
From Charlie Parker, Executive Director Tampa Bay Library Consortium:
The Florida public library folks are increasingly dealing with E-Government services - first, all agencies, federal, state, local, are pushing as much of their customer interaction to the web as possible.
We're literally seeing state agencies close their customer service locations and advising their clients who need help to go to their public library.
To the extent that they have any concern about the whether they reach their clients or not, they seem to think that this is alright because, hey, everyone knows libraries have computers, successful story, they save carloads of bucks, get bosses praise, happy ending. They ignore the fact that often clients have limited skills, or English speaking ability, or that, maybe, the agencies' website usability is so bad that it doesn't really matter.
Increasingly library public service staff are being called on to provide what are essentially social work services. And then there is the Medicare part B, where they provide health care consultation. And the old reliable IRS forms where they get to serve as tax form preparers. And the job applications where the government employer only accepts applications over the web. And you're (Mary) wondering why is this person(Charlie) ranting at me..?
Have you encountered anyone who has looked at the policy issues in this area? Should libraries just say no to some of the things they are being asked to do? Should libraries be asking members of the public to sign disclaimer forms prior to providing certain services? Are there liability concerns for staff individually and the library as an organization? What does privacy mean when someone pleads with you to make sense out of a stack of w-2 forms?
Are you aware of any positive, guideline statements that inform the public in an inviting manner about the services of this nature that they can expect the library to provide and those that it cannot? We're pretty close to approaching the University of South Florida about developing a "Social Work Skills for Librarians Workshop."
Due 5 pm today Eastern time. Send comments to [email protected] with subject line: Docket No. DHS-2006-0030. Or fax the Department of Homeland Security (DHS): FAX 1-866-466-5370.
The American Library Association is part of a broader privacy coalition to stop REAL ID. The coalition has sample comments (see below). The ACLU's RealID action center has talking points. As for library impact, see the ALA resolution (below the fold), and just think about this: Most libraries use drivers licenses as identification for library cards, and many add that number to the patron database. With the REAL ID's greatly expanded use of drivers license numbers, attaching much more personal information (e.g. divorce records), the demand by law enforcement for library patron records can only go UP.
Department of Homeland Security
Attn: NAC 1-12037
Washington, D.C. 20538
RE: Notice of Proposed Rulemaking DHS-2006-0030
Dear Secretary Chertoff:
Because the Department of Homeland Security is creating an illegal
national identification system, I write to urge the agency to withdraw
the regulations and seek repeal of the REAL ID Act. The attempt to
create rules for the establishment of a national identification system
is unlawful for the following reasons:
The law that created the Department of
Homeland Security prohibited a national identification system. By
trying to implement REAL ID, the Department of Homeland Security is
breaking the law and violating the public trust.
The plan will create a massive national identification system
without adequate privacy and security safeguards. It will also make it
more difficult for people to get driver's licenses. And it will make it
too easy for identity thieves, stalkers, and corrupt government
officials to get access to such personal information as a home address,
age, and Social Security number.
The regulations endanger the privacy of domestic violence
survivors' personal information, exposing them to stalkers in all 50
If the regulations are not withdrawn, then the Department of
Homeland Security must FULLY APPLY all provisions of the Privacy Act of
1974 to this REAL ID system, including the right to limit the use of
personal information collected by the federal government, access the
data collected about them; correct any mistakes in the data; and turn
to the court system to apply for redress.
We the people were unable to speak during the rushed passage of REAL
ID. We are speaking now and we are demanding that the Department of
Homeland Security reject this illegal national identification system.
Loriene Roy, ALA President-Elect said:
“ALA has expressed deep concern about standardized machine-readable driver's
licenses and national identification cards because of the potential privacy
implications for library users, as well as the increased potential for identity
theft for all individuals.”
Under the REAL ID Act, states
and federal government could access everything about you - in a database that could have images of your birth certificate, marriage license, divorce papers...
Interview with Linda Wilson, City Librarian, Monterey Park Bruggemeyer Library (CA)
Minow: Tell us about the latest MySpace incident in your library.
Wilson: A Monterey Park Police Officer came to me and said that they had a report of a 14-year-old runaway. She had a fight with her mother and took off. They were sure that she was still around, and her friends said that she would come to the library to check MySpace. The officer wanted us to put a block on her library card so that she could not sign-up to use the computers and would come to the Reference Desk to find out why she could not sign-up.
Minow: What did they want the library to do then?
Wilson: They wanted us to call the Police when she did this. The Police were not asking to look at her library card record. Could we have done this without a court order? Should we have required a court order?
Minow: California law only protects library registration and circulation records. Federal law protects electronic communications, but as you say, the police were not asking to look at her records. What happened?
Wilson: We do have some quick lookup Internet computers that do not require a library card so she could have been using them to access her MySpace account. I believe, though, that either the girl came home or the Police found her elsewhere as we did not have to get involved further. I still am curious, though, about how we should have handled it if it came to putting a block on her library card.
Minow: I can blog this and ask for reader comments if you like.
Edward N. Albro writes about his experience setting up a google search history for himself. Surprise! He finds his old searches back to Dec. 2005, even though he didn't opt in until now.
WORSE yet, I notice in the google FAQ that you can get your (or presumably anyone's) search history via RSS feeds. You need the person's username and password, but who knows how strong those are.
On the one hand, google search history can be far more invasive into your mind than library records.
On the other hand, google users opt in, sort of. As I understand it, search histories are only available for people who already have some type of google account, like gmail... and who use the google toolbar. But do gmail users know that their histories are out there, available to anyone who knows their username/passwords? Sounds like you no longer need to get your hands on someone's actual computer to look at browser search histories. At least if you're a google account holder, and know about this, you can "pause," edit your search history, or opt out altogether.
Library users, however, don't have a choice but to leave a trail of library records of current items, holds and fines. These records are all potentially available via RSS with only a library card number and weak PIN number to protect them. Libraries need to offer strong PIN numbers to those users who care about their privacy.