Reader privacy update: Association of Research Libraries sends in comments to FTC

There is still time to send in library or individual comments and make a difference. ARL just sent in comments and I'm reproducing their blog post here:
In Comments to FTC, ARL Suggests Privacy Oversight for Google Books

Yesterday, ARL filed comments with the Federal Trade Commission (FTC) to suggest that it require strong protection for reader privacy in the Google Books service. You can comment, too, but comments are due by May 2. Go here for an easy way to comment.

Is Someone Reading Over Your Shoulder?

As part of a wide-ranging draft consent order, the FTC plans to require that Google devise a comprehensive privacy program that will govern all of its products and services. Google will be subject to regular privacy audits for the next 20 years to ensure its compliance with the order. Privacy watchdog EPIC, which was a major force behind the inquiry, believes this is the most ambitious privacy settlement the FTC has ever entered into, and they have even created a form for others to submit comments to the FTC on a host of Google privacy issues.

The FTC order is the result of an investigation of the Google Buzz social networking service, which raised serious privacy concerns when Google automatically enrolled its Gmail email users without their consent and revealed their contacts to the public. The FTC found that Google engaged in deceptive privacy practices in the deployment of the Buzz service.

In its comments to the FTC, ARL points out the privacy concerns libraries and other organizations had raised about the proposed Google Books settlement. While the proposed settlement has been rejected by the court, many of the privacy concerns raised in that context are still relevant to the existing Google Books service. The FTC’s order provides an opportunity to ensure that Google addresses those concerns. Read the full (but concise!) comments here.

 

And reproducing the comments here (with some loss in formating):

 

TO:    Federal Trade Commission
RE:    Proposed Consent Agreement In the Matter Google, Inc. (Google Buzz), File No. 1023136
We appreciate this opportunity to comment on the proposed consent agreement, specifically, regarding privacy issues raised by the Google Books product, which involves both searching and selling books. We believe it is very important for readers’ rights that Google take adequate steps to protect the privacy of Google Books users. The Commission’s proposed consent order offers a unique opportunity to protect reader privacy and free inquiry.


The Association of Research Libraries (ARL) is a nonprofit organization of 126 research libraries in North America. Its mission is to influence the changing environment of scholarly communication and the public policies that affect research libraries and the diverse communities they serve.

Like many stakeholders, ARL expressed concern about reader privacy and intellectual freedom in connection with the proposed settlement of litigation concerning the Google Books project.1 Although Judge Chin rejected the proposed settlement on other grounds, he acknowledged the privacy concerns in his opinion.2 The novel business arrangements contemplated by the settlement are less likely to come about, but Google Books as it currently exists already poses significant challenges for reader privacy.3 Google is still selling e-books and offering a book search service, and these services give Google the opportunity to collect huge amounts of data about what users read and research, the books they own, and even the books (and pages of books) they browse. Because Google’s business model involves using data collected from its free services to sell targeted advertising online, Google has ample motive to collect highly granular information about its users’ reading habits. This behavior should be constrained by reasonable privacy protections.


The United States has a long tradition of protection for reader privacy. Indeed, 48 states and the District of Columbia have laws to ensure that information about what we read in libraries is protected from unreasonable intrusion, and the remaining two states have analogous executive branch policies. This tradition has strong roots in the First Amendment right of expression as well as the Fourth Amendment right of privacy. Academic freedom requires the freedom to search, browse, and read on any subject without fear of undue intrusion by government or private industry. That tradition of robust protection for reader privacy should continue for online reading.4

Accordingly, the comprehensive privacy program required by Part III of the proposed consent order should reflect this deep tradition by putting in place appropriate protections for the information Google might gather about its Google Books users. In our submissions to Judge Chin, ARL and our allies supported the many helpful privacy recommendations put forward by the Center for Democracy and Technology,5 including:

•    Posting a dedicated Google Books privacy policy

•    Limiting collection of usage data

•    Limiting use of users’ book annotation data

•    Providing users with access to their account data

•    Allowing users to delete purchase histories and annotations

•    Seeking a probable cause standard for disclosure of user data to the government, and a compelling-interest standard for civil litigant access touser data

•    Notifying users when complying with any government or third party
request for user information, unless required by law not to do so

•    Releasing aggregate information about requests for user data

•    Retaining identifying data no longer than necessary, and

•    Securing user data.

The Electronic Frontier Foundation (representing a group of privacy authors and publishers)6 and the Electronic Privacy Information Center7 also raised privacy concerns about the proposed settlement that the Commission should consider as it evaluates the comprehensive privacy program in relation to Google Books.
This consent order presents a unique opportunity to shape best practices in reader privacy for a major online service provider. The marketplaces for e-books and for book search are both in formative stages, and the standards adopted by Google can be highly influential for other market participants. We urge the Commission to confirm that reader privacy deserves the same respect in the online world that it has long demanded in the physical world by insisting on strong protections for reader privacy in the comprehensive privacy program.

 

1 See, e.g., Supplemental Library Association Comments On the Proposed Settlement at 7, Authors Guild v. Google, No. 05-8136 (S.D.N.Y. Sept. 2, 2009), available at http://www.arl.org/bm~doc/library-associations-supp-filing-sept-2-09.pdf; Letter from Privacy Authors and Publishers, et al., to Daralyn J. Durie, Esq., and Joseph C. Gratz, Esq. (Oct. 6, 2009), available at http://www.arl.org/bm~doc/gbs_groupprivacy.pdf.

2 Authors Guild v. Google, No. 05-8136 (S.D.N.Y. Mar. 22, 2011) (order rejecting proposed settlement) at 13, 39. 3 See, e.g., Andrew McDiarmid, Reader Privacy Issues Remain Following Google Books Settlement Rejection, CENTER FOR DEMOCRACY AND TECHNOLOGY BLOG, April 13, 2011, http://cdt.org/blogs/andrew-mcdiarmid/reader-privacy-issues-remain-following-google-
books-settlement-rejection.

4 See Cindy Cohn and Kathryn Hashimoto, The Case for Book Privacy Parity: Google Books and the Shift from Offline to Online Reading, HARV. L. & POL’Y REV. (May 16, 2010), http://hlpronline.com/2010/05/the-case-for-book-privacy-parity-google-books- and-the-shift-from-offline-to-online-reading/.


5 Center for Democracy and Technology, Privacy Recommendations for the Google Book Settlement, July 27, 2009, http://cdt.org/copyright/20090727_GoogleRecs.pdf.

6 Privacy Authors and Publishers’ Objection to Proposed Settlement at 21-24, Authors Guild v. Google, No. 05-8136 (S.D.N.Y. Sept. 8, 2009), available at http://thepublicindex.org/docs/letters/privacy_authors.pdf.

7 Brief for Electronic Privacy Information Center as Amicus Curiae, Authors Guild v. Google, No. 05-8136 (S.D.N.Y. Sept. 4, 2009), available at http://thepublicindex.org/docs/letters/epic.pdf.

Comments (0)

FTC report out - mentions case that tracked user library records

The long awaited FTC privacy report is out. It mentions a complaint against the retailer Sears, in which the Commission claimed that Sears paid $10 to consumers who visited its websites and agreed to download “research” software that the company said would confidentially track their “online browsing.”  See In re Sears Holdings Mgmt. Corp., No. C-4264 (Aug. 31, 2009), http://www.ftc.gov/os/caselist/0823099/090604searsdo.pdf (consent order). The complaint charged that the software in fact collected vast amounts of information, such as the contents of consumers’ shopping carts, online bank statements, drug prescription records, video rental records, and library borrowing histories. Only in the middle of a lengthy user license agreement, available to consumers at the end of a multi-step registration process, did Sears disclose the full extent of the information the software tracked. The Commission issued a consent order against Sears requiring the company to stop collecting data from the consumers who downloaded the software and to destroy all data it had previously collected.

Comments (1)

C&CI Update: Student Papers and FERPA

(by Peter Hirtle)

In Section 12.9 of Copyright & Cultural Institutions, I discuss briefly whether FERPA, the Family Educational Rights and Privacy Act of 1974, governs the digitization of student papers and theses.  I concluded “In order to digitize and distribute papers from its students, therefore, the cultural heritage institution will need to secure the student’s permission.”

A much more thorough discussion of the issue was recently published in D-Lib Magazine.  In “FERPA and Student Work: Considerations for Electronic Theses and Dissertations,” Marisa Ramirez and Gail McMillan share several campus approaches to FERPA and electronic student work.  I was particularly pleased to learn about a 1993 opinion from the FERPA office that suggested that if the normal practice at a school was to make student papers available through the library, no change in practice was required (so long as students were made aware of this policy).  Some of the examples given in the article of how to notify students that their papers will be available online are also very useful. 

This article will be required reading for anyone who wishes to digitize student work.

Comments (0) | TrackBack (0)

Neil Gaiman, Cory Doctorow, teenagers and others on What Privacy Means to Them

I just watched Neil Gaiman in the kick-off video (20 minutes) for the first-ever Choose Privacy Week.  I recommend it highly. Find out what he has to say,about his family’s privacy, and his idea for a sequel to his “I Google You” (late at night when I don’t know what to do) song.  Cory Doctorow tells the truth about why he cares about privacy. I also really liked all the students who say what privacy means to them. Not what I expected.   The week’s activities and resources  are sponsored by ALA’s Office for Intellectual Freedom, Choose Privacy Week, made possible in part by a grant from the Open Society Institute. Lots more resources on engaging the public in privacy awareness discussions at www.privacyrevolution.org, including possible events in your area. And yes, the inevitable ironic social media outreach at www.facebook.com/chooseprivacyweek and www.twitter.com/privacyala with #chooseprivacy tag.

One of my all time favorite resources is the epic privacy tools page, where you can go to find sources for snoop proof email, anonymous surfing, cookie busters etc.  More at Epic.org (scroll down for EPIC privacy tools), and policy news at epic.org, privacy.org and privacycoalition.org.

Comments (1)

Tags: privacy chooseprivacyweek chooseprivacy americanlibraryassociation ala

unstaffed libraries - privacy concerns

I just read about the King County unstaffed library. It's a great concept for the users - a spot where you can make and receive requests for books systemwide, drop off your books, browse paperbacks, and even use a telephone to get some assistance.

The concern I have is with privacy. If users must swipe their library card to get in, I assume this information is tracked. Surveillance cameras keep a close eye on what folks are doing. While I can appreciate the security basis for these measures, it seems that new types of records are being created that track not just our behavior, but what we choose to read as well.

Comments (2)

Action alert: reader privacy

From Larry Siems, Director, Freedom to Write and International Programs

Dear Core Freedoms Friends and Supporters,

Now is the time to raise your voice in support of reader privacy.

This week, the House Judiciary Committee approved a bill to amend the Patriot Act’s bookstore and library provisions. This proposed bill would essentially accomplish the principal goals we’ve been working towards with our partners in the Campaign for Reader Privacy. The USA Patriot Amendments Act of 2009 (H.R. 3845) will now head to the floor for a vote, which could come any day.

Your representatives need to hear from supporters like you.

Currently, Section 215 of the Patriot Act allows the FBI to secretly obtain any “tangible thing,” which includes any business records that are “relevant” to an ongoing investigation, including the records of people who are not suspected of any criminal acts.

The new legislation will prohibit the use of Section 215 to search the records of a library patron or bookstore customer unless there are “specific and articulable facts” to show that the person is “a suspected agent of a foreign power” or someone who is in contact with or known to the suspected agent. H.R. 3845 thus allows readers to borrow and purchase books without fear that the government is monitoring their reading selections.

Please take a moment to call, email or fax your representative and ask him or her to support H.R. 3845 in its present form with its welcome and necessary protections for the privacy of bookstore and library records.

To find your representative’s contact info, please visit http://www.house.gov/

You can read the Campaign for Reader Privacy’s press release on the legislation here: http://www.pen.org/viewmedia.php/prmMID/4293/prmID/1331

Thank you for taking action!



Comments (0)

California Library Association passes new Patriot Act Resolution

The California Library Association (CLA) has just announced a resolution calling on Congress to dramatically revise the up-for-renewal USA PATRIOT Act, passed hurriedly in the weeks following the 9/11 attacks.

CLA's resolution calls for Congress to allow Section 215 to sunset, to amend Section 505 to "include a clear exemption for library records," and in general to intensify Congressional oversight of the use of the Act.

Comments (1)

Tags: libraries, patriot act

Can library management legally access employee's Facebook and Myspace pages?

A New Jersey jury recently found that a restaurant did not violate employee privacy or cause emotional distress by accessing an invitation-only Myspace page. The page served as a venting spot for employees.  The restaurant was, however, found to be in violation of federal and New Jersey laws prohibiting accessing the information without permission. The employer asked another employee for her password, and she testified that she thought she “would have gotten in some sort of trouble” if she refused to cooperate. Shortly thereafter, the company terminated plaintiffs based on their comments on the site and involvement in creating it. Pietrylo v. Hillstone Restaurant Group. 

Mr. Victor Schacter of Fenwick & West LLP writes in the Fenwick Employent Brief (Sept. 2009):

"This case highlights the challenges employers face with respect to employees’ blogs and social networking sites that contain work-related speech. While this decision does not restrict an employer’s right to monitor communications and information within its own computer networks, it demonstrates the risks of attempting to access an employee’s restricted online content without the employee’s authorization. Employers should consider implementing written policies that address employee work-related speech on social networking and other online sites to require that employees observe appropriate guidelines when referring to the company, its employees, services, and customers."

Comments (1)

Google, libraries, and readers' privacy

(posted by Peter Hirtle)

So Google, perhaps in response to Mary Minow's post, has issued a new privacy policy for Google Books.  To no one's great surprise, EFF finds it a good start but insufficient.

I would point out that Google's statement is entirely compatible with current library standards for confidentiality in licensed resources.  Specifically, it begins by stating that "We do not share your personal information with third parties, except in the narrow circumstances described in the Privacy Policy, such as emergencies or in response to valid legal process."  The CLIR/DLF Model License has this to say about confidentiality:

Licensor and Licensee agree to maintain the confidentiality of any data relating to the usage of the Licensed Materials by Licensee and its Authorized Users. Such data may be used solely for purposes directly related to the Licensed Materials and may only be provided to third parties in aggregate form. Raw usage data, including but not limited to information relating to the identity of specific users and/or uses, shall not be provided to any third party.

Similarly, SERU, Shared E-Resource Understanding, has this to say on confidentiality of user data:

The subscribing institution and the publisher respect the privacy of the users of the content and will not disclose or distribute personal information about the user to any third party without the user’s consent unless required to do so by law. The publisher should develop and post its privacy policy on its website.

And the International Coalition of Library Consortia's statement on "Privacy Guidelines for Electronic Resources Vendors" gives two primary requirements: that publishers do not share information with 3rd parties and that they have a published privacy policy. 

The bottom line: Google is more than compliant with current library standards for 3rd-party privacy protection.  EFF argues that "Given the important free expression interests at stake and the long history of protecting reader privacy by libraries and bookstores, readers need a durable guarantee of protection enforceable by a court."  No library has been demanding such a guarantee before now.  One has to wonder if the current criticism of Google wouldn't be better directed at libraries and their privacy requirements when working with outside vendors. 

Comments (6)

Tags: confidentiality, libraries, licenses, privacy

Rate Obama's privacy record

The Electronic Privacy Information Center (EPIC) is promoting the Privacy Coalition campaign to get the public to weigh in on the Obama Administration's work on privacy. Cast your vote on its privacy report card.

It's short, fun, and because you're actively engaged in voting, you're more likely to read the quick summaries of Obama's progress (or lack thereof) on key privacy issues.

Cast your vote and get instant feedback.

Comments (0)

Tags: electronic privacy information center, epic, obama, privacy, privacy coalition, report card

Next »