FTC report out - mentions case that tracked user library records

The long awaited FTC privacy report is out. It mentions a complaint against the retailer Sears, in which the Commission claimed that Sears paid $10 to consumers who visited its websites and agreed to download “research” software that the company said would confidentially track their “online browsing.”  See In re Sears Holdings Mgmt. Corp., No. C-4264 (Aug. 31, 2009), http://www.ftc.gov/os/caselist/0823099/090604searsdo.pdf (consent order). The complaint charged that the software in fact collected vast amounts of information, such as the contents of consumers’ shopping carts, online bank statements, drug prescription records, video rental records, and library borrowing histories. Only in the middle of a lengthy user license agreement, available to consumers at the end of a multi-step registration process, did Sears disclose the full extent of the information the software tracked. The Commission issued a consent order against Sears requiring the company to stop collecting data from the consumers who downloaded the software and to destroy all data it had previously collected.

Comments (1)

Neil Gaiman, Cory Doctorow, teenagers and others on What Privacy Means to Them

I just watched Neil Gaiman in the kick-off video (20 minutes) for the first-ever Choose Privacy Week.  I recommend it highly. Find out what he has to say,about his family’s privacy, and his idea for a sequel to his “I Google You” (late at night when I don’t know what to do) song.  Cory Doctorow tells the truth about why he cares about privacy. I also really liked all the students who say what privacy means to them. Not what I expected.   The week’s activities and resources  are sponsored by ALA’s Office for Intellectual Freedom, Choose Privacy Week, made possible in part by a grant from the Open Society Institute. Lots more resources on engaging the public in privacy awareness discussions at www.privacyrevolution.org, including possible events in your area. And yes, the inevitable ironic social media outreach at www.facebook.com/chooseprivacyweek and www.twitter.com/privacyala with #chooseprivacy tag.

One of my all time favorite resources is the epic privacy tools page, where you can go to find sources for snoop proof email, anonymous surfing, cookie busters etc.  More at Epic.org (scroll down for EPIC privacy tools), and policy news at epic.org, privacy.org and privacycoalition.org.

Comments (1)

Tags: privacy chooseprivacyweek chooseprivacy americanlibraryassociation ala

unstaffed libraries - privacy concerns

I just read about the King County unstaffed library. It's a great concept for the users - a spot where you can make and receive requests for books systemwide, drop off your books, browse paperbacks, and even use a telephone to get some assistance.

The concern I have is with privacy. If users must swipe their library card to get in, I assume this information is tracked. Surveillance cameras keep a close eye on what folks are doing. While I can appreciate the security basis for these measures, it seems that new types of records are being created that track not just our behavior, but what we choose to read as well.

Comments (2)

Action alert: reader privacy

From Larry Siems, Director, Freedom to Write and International Programs

Dear Core Freedoms Friends and Supporters,

Now is the time to raise your voice in support of reader privacy.

This week, the House Judiciary Committee approved a bill to amend the Patriot Act’s bookstore and library provisions. This proposed bill would essentially accomplish the principal goals we’ve been working towards with our partners in the Campaign for Reader Privacy. The USA Patriot Amendments Act of 2009 (H.R. 3845) will now head to the floor for a vote, which could come any day.

Your representatives need to hear from supporters like you.

Currently, Section 215 of the Patriot Act allows the FBI to secretly obtain any “tangible thing,” which includes any business records that are “relevant” to an ongoing investigation, including the records of people who are not suspected of any criminal acts.

The new legislation will prohibit the use of Section 215 to search the records of a library patron or bookstore customer unless there are “specific and articulable facts” to show that the person is “a suspected agent of a foreign power” or someone who is in contact with or known to the suspected agent. H.R. 3845 thus allows readers to borrow and purchase books without fear that the government is monitoring their reading selections.

Please take a moment to call, email or fax your representative and ask him or her to support H.R. 3845 in its present form with its welcome and necessary protections for the privacy of bookstore and library records.

To find your representative’s contact info, please visit http://www.house.gov/

You can read the Campaign for Reader Privacy’s press release on the legislation here: http://www.pen.org/viewmedia.php/prmMID/4293/prmID/1331

Thank you for taking action!



Comments (0)

California Library Association passes new Patriot Act Resolution

The California Library Association (CLA) has just announced a resolution calling on Congress to dramatically revise the up-for-renewal USA PATRIOT Act, passed hurriedly in the weeks following the 9/11 attacks.

CLA's resolution calls for Congress to allow Section 215 to sunset, to amend Section 505 to "include a clear exemption for library records," and in general to intensify Congressional oversight of the use of the Act.

Comments (1)

Tags: libraries, patriot act

Libraries and reader privacy - critical juncture / take action

Libraries have always respected reader privacy as essential to one's freedom to read. If someone is looking over your shoulder, you might not pick up that book on gay stories, witchcraft, communism or whatever the taboo topic du jour happens to be.  Libraries require either patron consent or actual legal process before disclosing patron records.

Fast forward to reading books online via Google Book Search. Fabulous new life for old books, but where in the complex proposed settlement agreement between Google and the publishers are reader privacy guarantees? I'll save you the pain of looking. Nowhere.

Every time you go online, you leave digital tracks, and with the settlement, you will generally need to authenticate yourself before viewing the out-of-print but in-copyright books at issue.

The final contours are not yet set.  The settlement is not yet in effect. It's time now to take action to make sure we build some privacy safeguards in. The ACLU of Northern California, the Electronic Frontier Foundation and Berkeley's Samuelson Clinic have joined in a letter to Google, requesting:

1- Protection against disclosure
2- Limited tracking
3- User control
4- User transparency

Our library users will be reading google books inside the library as well as at home/work.  If a reader borrows a book from the library, we protect her privacy. If she reads the same book on our computer terminals, she needs the same protection. 

Comments (4)

Tags: google book search, google privacy, google settlement, privacy, reader records

Congratulations to vermont libraries on strengthened patron privacy

Congratulations and kudos to the Vermont library folks. The state governor signed a bill on May 13, 2008 that substantially strengthens library user privacy. It changes the law from permissive protection (a library MAY keep records confidential), to a mandatory protection (a library MAY NOT disclose records unless certain conditions are met. 

It seems to assume that FERPA requires disclosure of student library records to parents, though this is not known for sure.  It does allow parents of children under 16 to look at their kids' records, though IMHO it's not clear that this is always in the child's best interest.

But the best part is that it allows a private right of action. That is, a patron whose records have been wrongly disclosed may bring a civil action against the library. 

Comments (9)

Tags: confidentiality, library records, patron confidentiality, patron records, privacy

State privacy laws and libraries

Paul Neuhaus has been busy updating his great wiki of state laws on the confidentiality of library records.  Thanks, Paul.

Comments (0)

Don't ask for social security numbers in library applications

Some libraries still ask for social security numbers on their library applications. Others have stopped that practice, but haven't purged their patron record databases of these numbers.   

Yes, collection agencies want the numbers, and perhaps having this information can increase your success rate in tracking down scofflaw patrons.   

But consider the downside.  If someone hacks your database, or if you have a bad employee, this highly sensitive information is at risk.  Once it's gone, it's gone. Patrons have little recourse once identity thieves get their hands on these numbers.

Comments, readers?

Comments (0)

Library Elf and the UK

From Philip Jones:

I know I am coming very late into this debate, but Elf is just beginning to get publicity here in the UK, and so the issues are becoming relevant. It has also widened its coverage to library management systems (LMSs) which are mainstream over here.

An interesting slant which is emerging is around Elf's choice not to develop full working agreements with the LMS suppliers themselves. I know of one LMS company which regards with concern and suspicion any attempt by a third-party system to draw down data from its LMS installations unless there is a formal agreement in place which formalises the whole process and includes all appropriate legal protections for both parties and their customers.

I think the LMS suppliers' view is that they implicitly authorise a library service, and its registered customers, to gain access to data on its system in specific ways defined by the system. However, they argue that they do not authorise a third-party system, such as Elf, to act as an intermediary between the end user and the LMS system and to manipulate the data provided. And further that one or more end users cannot legitimately empower Elf to act on their behalf as an intermediary service simply by the process of providing their card number and PIN code to Elf for that purpose. It all seems to hinge on whom the LMS supplier believe they have authorised to gain access to their data files.


Mary: This just came in as a comment to http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html but I figured no one would see it there.  I think that any smart tech person could figure out how to "roll your own" RSS feeds from a library's LMS system, needing only the user's library card number and PIN (if needed to get into the records).  Why do you say end users couldn't empower Elf to act on their behalf... wouldn't that be considered consent? Is consent sufficient in the UK?

What concerns me is that the users don't need to give consent if the LMS password system is weak, as it is in so many libraries in the U.S.  Your ex-girlfriend needs only your library card number and sometimes a (weak) PIN (often the last four digits of your phone number). Do UK LMS companies offer stronger PINs than four digits?

Many have told me that that this weak security has always been the case, Elf or no Elf.  The difference that Elf or any RSS feeds (laden with personal content) makes is the convenience of daily delivery of the records from hither and yon.   

By the way, I just happened to go back to the search box in Bloglines the other day, and typed in "library elf for" and then chose [Search for Feeds] and got about 200 personal feeds  from probably unwitting library users.  Gives me their first names and one more click shows their libraries, books out/requested etc.  At least Elf got rid of their email addresses.  Still, quite disconcerting to see so much personal information floating around, free for me to capture.  I could (but won't) add a screenshot of the names with the libraries and titles.

BloglinesElfScreenshot.doc

Comments (3)

Next »