NISO: Striving for a Consensus Framework for Patron Privacy
by Todd A. Carpenter
No one likes someone reading over his shoulder or being monitored. A sense of independence and agency about one’s thoughts and opinions is a trait developed early in childhood. These traits blossom later in youth and often lead to family tensions as children mature into teenagers. In a similar way, libraries, patrons, publishers, and systems vendors are starting to come to terms with the implications of a maturing digital environment with regard to privacy, independence, and responsibility. We are still in the process of understanding the implications of our maturing digital exchange environment and how to interact safely within it. It’s time we discussed it. As a prologue, this article frames the open discussion NISO (National Information Standards Organization) is planning to start this month in conjunction with the American Library Association (ALA) Annual Conference.
Information systems are changing—and so should our approach to privacy.
Librarians as Privacy Advocates
It perhaps goes without saying that librarians have a tradition of respecting—and strenuously advocating for—patrons’ rights to privacy while pursuing their intellectual interests. This tradition dates back at least as far as World War I, when library patrons were often jailed or persecuted for reading the “wrong” types of books, nonfiction or fiction. In part, this led to the development of ALA’s “Code of Ethics for Librarians” (1939), which asserts, “It is the librarian’s obligation to treat as confidential any private information obtained through contact with library patrons.” Subsequently, a variety of policies and guidelines have been issued to reinforce this principle. Therefore, it is hardly surprising that patrons have come to believe the library is doing its utmost to protect their intellectual freedom, while fostering an environment where the free exchange of ideas is respected.
Increasingly, as libraries continue to evolve as stewards and providers of digital content, this role as privacy protector—and its underlying values—needs a reassessment in light of the digital systems that underlie almost all of a library’s services. It is not just the digital content distribution systems or the digital collections, but also the records and circulation management systems, authentication, and discovery systems, as well as the variety of network services libraries provide that are generally integrated and digital, and generate significant amounts of secondary data about patrons’ activities.
The ownership and control of these systems and their associated data, along with system interactions, are stressing traditional principles around privacy. While it has been recognized since the early 2000s that ownership and control of user data should be contractually governed and handled by the library, in our increasingly interconnected world—in which activity information is required to fulfill services—it is not clear if our frameworks for privacy are keeping pace with technological developments. For example, while data contained within management systems might be “owned” by the library, the secondary usage data—interaction data generated between systems—is likely less explicitly controlled. There is a great opportunity for the library and information distribution community to build on its leadership role for other internet-connected communities.
Privacy Meets Security
At its most basic level, the security of the network services and data systems the library manages is a critical library IT function. Even basic best practices for securing services and data are not always implemented fully or appropriately. This is not just the case with libraries or content providers. Data security is a much broader issue, impacting large corporations with significant IT resources, as evidenced by the almost weekly announcement of some significant data breach during the past couple of years. However, because of the avowed interest in protecting privacy, it is incumbent on the library community to be more proactive and diligent, protecting against breaches by securing their own systems and data.
At a slightly higher level, the security of embedded systems and the integration of those systems is another vulnerability. This was exemplified in fall 2014 when it was revealed that Adobe Digital Editions was gathering information about its users’ reading behaviors and transmitting that information to Adobe’s servers using unencrypted transfer protocols. Although the revelation was surprising at the time, the number of systems transferring data over the web is significant. Certainly, not all of those exchanges are secure—which are, and which are not, has yet to be revealed.
Even NISO’s interchange standards, to cite another example, have embedded security as an option. But implementation of those security protocols is not required for conformance with the specifications. Should data security be made compulsory in more circumstances? Years ago, a case might have been made that the added layer of security was a burden on the network and computational systems, but this is no longer the case, given advances in transmission speed and processing power.
While librarians should continue to advocate for patron privacy, in our present environment, the library is no longer in control of patron data in ways that it has previously been. A framework for understanding and dealing with patron privacy needs to be crafted to address these new security realities.
Privacy Within Systems
Several things have changed in the past decade that reshaped the patron-privacy landscape. Among these is the nearly ubiquitous application of data and digital systems for nearly every aspect of library service, including RFID (radio frequency identification) tags on physical books, automated checkout systems, digital discovery, and online content delivery. Even more problematic is how interconnected and interactive these systems have become, including the ability to track and store a tremendous amount of data on nearly every engagement with content or services. It is now possible to track not only that a user checked out a particular book, but which specific pages were read, how long it was loaned, what was annotated, and how the various concepts reviewed can be pieced together to form a more comprehensive picture of the explorations, opinions, or behavior of a reader.
These privacy issues are compounded by the increasing reality that libraries do not host many of these services or provide the content that patrons are using. Content is usually licensed by the publisher and hosted on the network by the publisher, not locally by the library. Discovery and library management systems are often managed by third parties or provided via a cloud-based interface. Even more traditional library services—such as circulation management—are headed to cloud-based systems. The trend is increasingly for greater connectivity, not less, so there is no reason to think we will be less challenged by the privacy of data in future systems.
Privacy vs. Service
There is also an important tension between patron privacy and the provision of digital systems or services. During a CNI (Coalition for Networked Information) panel last December, this tension was explored by Lisa Hinchliffe (from the University of Illinois–Urbana-Champaign) and Andrew Asher (from Indiana University). They discussed the increasing demand for data-driven analytics and the need to balance traditional library values regarding privacy, confidentiality, and informed consent.
Short of fully open access (OA) digital content systems, a patron needs to be authenticated at some point to access materials, and this fact will continue to present a problem for the protection of user privacy. Similarly, even if some patrons are willing to opt in to systems that are contextually aware, how can these systems be managed in a way that simultaneously protects the privacy of those who do not opt in? The most significant tension is how to compete with services that do not place the same priority on protecting patron activity data. For example, a system that provides contextually aware or patron-data-enhanced discovery services will almost always outperform a system that does not, at least from the perspective of relevancy ranking. Certainly, relevancy ranking is not the only criterion for assessing a discovery service, but it is a significant priority to the users of those systems. If library systems are going to compete in service provision, they need either to provide service levels similar to their competitors’ (which could include the use of patron activity data), or a concerted campaign is needed to inform users of the trade-offs in service levels accepted in favor of greater privacy protection.
Privacy Outside Our Control
As information systems have expanded outside of the library community, mass-market internet-based service providers have stepped up to deliver discovery (Google, Bing, and Yahoo), ebook reading (Amazon and Kobo), content management (WordPress and Joomla!), and even bibliographic reference services (Mendeley). Readers’ experience with these systems and their willingness to agree to terms of service (which often explicitly run counter to privacy protections)—often without even reading them—also complicates privacy expectations.
Even those absolutists regarding patron privacy—who have policies of deleting patron activity data regularly to ensure that the data are not accessible—still do not have complete protections in place. It is likely they do not have complete control over all of the content and services systems patrons engage with. Even if libraries were strict adherents to every possible data protection practice for patron data, the reality is that they simply are not in a position to control all of the patron usage activity on the systems managed by vendors and publishers. Protection of patron data needs to be a community norm, governed by consensus best practices.
Toward a Privacy Framework
It is into this complex environment that NISO launched a project to explore the creation of a set of framework principles focused on privacy of patron data in these library systems. With generous support from The Andrew W. Mellon Foundation, NISO will organize a series of virtual conversations and an in-person invitational 2-day discussion in San Francisco following ALA’s Annual Conference this month. Three of the virtual meetings will focus discussions on the need for, protection of, and applications of patron data within publisher, vendor, and library systems. The fourth session focuses on the legal frameworks for patron privacy, both in the U.S. and abroad.
The virtual meetings will take place in May and June, with the in-person meeting scheduled for June 29 to 30. The in-person meeting will be streamed live to the community, and people interested in participating can RSVP to join the stream via the NISO website (niso.org/topics/tl/patron_privacy). All of the meetings will be recorded and posted to the project website for this initiative. The patron-privacy framework and a white paper outlining the entirety of the project will be circulated by the end of 2015.
The goal is to draft a set of consensus principles that will frame vendor and library conversations about the privacy and security of information systems. These broad principles are meant to advance the conversation around patron privacy and provide a springboard for further work, led by NISO, on the development of best practices that can be ratified and implemented in the community. These principles will not cover every situation. They are not likely to be concretely implementable, but they will serve as baseline expectations for how privacy can be practically applied in our community. We also hope, through this process, to identify areas in which agreement might be possible with further discussion and exploration, as well as highlight differences in opinion or application that might make it difficult to reach consensus.
What will distinguish this effort is that there has not been an open industry conversation about these issues that brings together those involved (the librarian community, the publishers that supply content, and the vendors that facilitate management and access) for a dialogue about how to approach patron data privacy. As this is a community problem, no single player can enforce her perspective on the other constituents. No single community member can fully grasp the complexities and interactions that shape how systems are created, interact, and collect data. By creating a forum in which these parties can engage in substantive dialogue, we hope NISO can advance the protection of patrons’ data around the network. I hope you will participate.