I know I am coming very late into this debate, but Elf is just beginning to get publicity here in the UK, and so the issues are becoming relevant. It has also widened its coverage to library management systems (LMSs) which are mainstream over here.
An interesting slant which is emerging is around Elf's choice not to develop full working agreements with the LMS suppliers themselves. I know of one LMS company which regards with concern and suspicion any attempt by a third-party system to draw down data from its LMS installations unless there is a formal agreement in place which formalises the whole process and includes all appropriate legal protections for both parties and their customers.
I think the LMS suppliers' view is that they implicitly authorise a library service, and its registered customers, to gain access to data on its system in specific ways defined by the system. However, they argue that they do not authorise a third-party system, such as Elf, to act as an intermediary between the end user and the LMS system and to manipulate the data provided. And further that one or more end users cannot legitimately empower Elf to act on their behalf as an intermediary service simply by the process of providing their card number and PIN code to Elf for that purpose. It all seems to hinge on whom the LMS supplier believe they have authorised to gain access to their data files.
Mary: This just came in as a comment to http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html but I figured no one would see it there. I think that any smart tech person could figure out how to "roll your own" RSS feeds from a library's LMS system, needing only the user's library card number and PIN (if needed to get into the records). Why do you say end users couldn't empower Elf to act on their behalf... wouldn't that be considered consent? Is consent sufficient in the UK?
What concerns me is that the users don't need to give consent if the LMS password system is weak, as it is in so many libraries in the U.S. Your ex-girlfriend needs only your library card number and sometimes a (weak) PIN (often the last four digits of your phone number). Do UK LMS companies offer stronger PINs than four digits?
Many have told me that this weak security has always been the case, Elf or no Elf. The difference that Elf or any RSS feeds (laden with personal content) makes is the convenience of daily delivery of the records from hither and yon.
By the way, I just happened to go back to the search box in Bloglines the other day, and typed in "library elf for" and then chose [Search for Feeds] and got about 200 personal feeds from probably unwitting library users. Gives me their first names and one more click shows their libraries, books out/requested etc. At least Elf got rid of their email addresses. Still, quite disconcerting to see so much personal information floating around, free for me to capture. I could (but won't) add a screenshot of the names with the libraries and titles.
On the 'interference with contract' point, my guess is that the LMS system suppliers may not have a clear point of law on which to act - particularly in this fast-paced web world of Web 2.0, 'mashups', open systems, etc., which they themselves happily espouse at user group meetings and promotional events. They just don't like the fact that a third party has 'mashed' them up without asking them about it first - and to be fair to them I do think they could make some reasonable data protection arguments in their defence.
The subtle area is around a library service's continued working relationship with its LMS provider if the service continues to promote Elf as a good customer service enhancement when the LMS provider is unhappy with the arrangement. It will be interesting to know how that scenario plays out.
Philip
Posted by: Philip Jones | August 09, 2007 at 10:55 PM
Good to hear about your PINs... and something to think about with regards to contract interference.
Philip writes: "there is no provision for a third party (such as an aggregator like Elf) to sit between the library customer and the LMS system"
While it's clearly important to see privacy safeguards protected by contract, I don't see how any contract could bind a third party who didn't sign the contract. Or is this perhaps some tort such as "interference with contract"? Or broader UK privacy protection than in the U.S.?
Posted by: Mary | August 09, 2007 at 12:20 PM
Thanks for moving my comment to a more contemporary place, Mary. On the points you raise:
a) The impression I get from an LMS supplier that I have been talking to is that, just because customers may feel inclined to share their card number and PIN with a third party, this does not necessarily mean that those customers have the authority to invite that third party into the licensed working arrangement between the LMS and the library service in question. So, while on one level you could argue that the customer can give consent to their personal and transactional information being gathered and manipulated by Elf, there may be another level of approval required to allow Elf to make the connection to the LMS system in order to carry out that process. There may even be a specific limitation somewhere in the software licensing agreement which the library service has entered into with the system supplier which says, effectively, that library staff can go into specified files and do specified things, and library customers can go into a different range of files (e.g. WebOpac) and do other specified things, but there is no provision for a third party (such as an aggregator like Elf) to sit between the library customer and the LMS system. And it seems to be this intermediary/aggregator role that the supplier(s) seem to want to place on a properly contracted footing with agreed safeguards around privacy and data protection. Without any such contract, the LMS supplier seems to feel that their systems/installations are being invaded by a third party which customers have no authority to invite into the process.
b) Regarding PIN numbers on UK systems, my impression of systems other than our own is that they can be set at a higher level of security than some of the experiences described in earlier postings. In our own system we can define a minimum length of PIN anywhere between 4 and 10 characters. There is, of course, the usual weakness around a default PIN until the customer changes it to something known only to themselves; however, at least our system sets the default to the customer's date of birth, which is no safeguard against unauthorised use by close acquaintances and families, but is probably a slightly stronger default than phone numbers or address features.
Thanks,
Philip
Posted by: Philip Jones | August 09, 2007 at 12:18 AM