Coming Full Circle
Toward a More Practical Patriotism
by Andrew K. Pace
PATRIOT Act. Ashcroft. Terror.
ACLU. ALA. There, now I have my Justice Department Total Information Awareness
keywords out of the way. That should expedite the Feds' latest entry in my
FBI file (I now proudly say that I had one before I became a librarian).
I have to admit that I have a little trouble getting fired up about "Uniting
and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism," otherwise known as the USA PATRIOT Act. But I guess
what does get me riled is watching a lot of political reactivism in libraries
when there are plenty of practical implications for security and patron privacy
to keep us busy.
I think the PATRIOT Act and various other attacks on privacy have created
a marketing advantage for libraries. I hope that most Americans know that librarians
are not a bunch of hysterical porn-pushers, as members of the current presidential
administration and their proxies would have the public believe. So far, the
ALA and its editorial and press support have shown that we outclass our detractors.
But I worry about appropriate response: Librarians are quick to a political
fight, but often neglect practicalities. What would you do if law enforcement
officials arrived at your door today with a PATRIOT subpoena? Does your circulation
staff (often the front line in these skirmishes) even know what a subpoena
looks like or how it differs from a warrant? Moreover, what should we all be
doing to prepare ourselves, and what should we not let ourselves be distracted
from in the meantime?
I sorta chuckle at the fact that John Ashcroft came off looking like a boob
with the whole "hysterical librarians" play in the press. On the other hand,
if we look at that incident as objective disparagement instead of frustrated
name-calling (I still think it was really the latter), then it's criticism
that we might put into action. For example, a while back, there were some PATRIOT-mocking
signs floating around the Internetthings like "No one has requested your
personal information today. Check back for the absence of this sign later"that
got a lot of attention.
I thought they were funny until I heard that libraries were actually posting
them. Frankly, this seems more like a misguided political statement than a
proactive library campaign to protect patron privacy and anonymity. We deride
Chicken Little because she ran around disrupting others' comfortable existence
by claiming that the sky was about to fall. I think we could have ignored her
if instead she had quietly gone about building herself a shelter from the imagined
doom. Similarly, if librarians concentrated on ensuring short-term retention
of usage records, and developing procedures for dealing with law enforcement
information requests, instead of employing political scare-tactics, patrons
would truly be better off.
Law Enforcement Realities
Some of the vague anecdotes that follow are based on real stories. They are
meant as cautionary tales, and involve various criminal investigations in libraries,
not PATRIOT Act (and accompanying gag order) scenarios.
"WHILE YOU DON'T PARTICULARLY WANT TO PROTECT THE PRIVACY OF A CRIMINAL,
YOU KNOW THAT ANY COMPUTER IN YOUR LIBRARY MIGHT CONTAIN INFORMATION ABOUT
INNOCENT PATRONS AS WELL."
Imagine that someone has used a computer in your library to perpetrate some
unlawful activity. What might you expect when an FBI agent comes to your office?
Even the most likable agent is an intimidating figure. His requests might seem
innocent enoughhe just wants to see where "workstation 24" is located.
You show him. Now he wants to know if there is any data on that computer that
might identify its previous usersspecifically, any who had logged on
1 week ago between 3 p.m. and 5 p.m. "That depends," sounds like a good answer.
Now he wants to know about the computers next to the one that was used criminally.
Is there anything on them that might identify possible witnesses to the crime?
While you're thinking that one over, you might put together a list of staff
members who were on duty nearbythey might have noticed the perpetrator
You're in luck, because you sanitize your computers every week. While you
don't particularly want to protect the privacy of a criminal, you know that
any computer in your library might contain information about innocent patrons
as well. You know that the surrounding computers should be free from
legal intrusion; if you're in an academic library, you realize that giving
up such information might violate the Family Educational Rights and Privacy
Act, or FERPA. (Or do you realize that?) You show the officer your data-retention
policy. If you think your assurances of data deletion will send the lawman
packing, think again. He might even admit to how quaint he finds it that you
think that a good computer forensics professional would fail to find what he's
looking for. Does your technical infrastructure ensure patron privacy and confidentiality?
None of this is meant to suggest that libraries should strive to protect
terrorists and criminals from routine investigation. Libraries are not criminal
sanctuaries, but educational ones. However, they have a responsibility to protect
not only the freedom to read, but also the freedom to research. There is (or
should be) a reasonable expectation of privacy among library clientele that
if the computers they use for research are shared by criminals, their innocent
activity will not be caught in a widely cast information net.
Security Versus Privacy
The problem with security is that it requires the erosion of privacy. And
it's not just government erosion that we have to worry about; we do it every
day. Sometimes it's through willful decisions to foster a more secure library
environment. Other times, it's through benign neglect of record-retention procedures
and inattention to detail.
Whether librarians are asking patrons to log on to a computer workstation,
or asking them to sign in at the door, we should require written policies that
relate to the confidentiality of the patron activity that takes place in the
library. This is not just my opinion; it's the librarian's code of ethics:
We protect each library user's right to privacy and confidentiality with
respect to information sought or received and resources consulted, borrowed,
acquired or transmitted.
Principle III, American
Code of Ethics, 1995
But anyone who has cleaned up after an Internet Worm attack, tried to stop
a malicious hacker, or tried to protect children from Internet predators knows
that privacy is the first casualty of security. This does not mean, however,
that libraries have to completely abandon their standards of privacy and confidentiality
to attain more security.
"WHAT WOULD YOU DO IF LAW ENFORCEMENT OFFICIALS ARRIVED AT YOUR DOOR TODAY
WITH A PATRIOT SUBPOENA?"
The responsibility includes knowing what IT departments do to track online
computer usage. The questions are more practical than paranoid: What do vendors
who provide subscription databases do with your patron data, and is the policy
in your contract? Does your turnkey library system provider have root access
to your servers and accompanying data, and have they ever used it to fulfill
a law enforcement request for information? Do your personalization services
disclose retention of patron data? Are your online systems in compliance with
state laws regarding patron privacy (which might include more than just circulation
There's one last casualty of services that offer personalization and require
more securityanonymity. Librarians need to be looking beyond privacy
and confidentiality to the right of complete anonymity. While not explicitly
covered in the code of ethics, the use of analog materials in the library has
always implied some level of anonymity. How far can or should our profession
go to offer its patrons anonymous access to online materials?
Be Prepared, Be Vigilant, Be Reasonable
There are plenty of good resources out there about preparing libraries for
the PATRIOT Act, and hardly any library conference can get away with a program
that does not address the issue in theory or in practice. In a handy four-page
briefing for Library Issues, Kathleen Hoeth succinctly describes the
real dangers of the USA PATRIOT Act to libraries, and gives rational advice
about preparing for the law's enforcement. The article also includes a boilerplate
model for policies and procedures (Kathleen Hoeth, "The USA PATRIOT Act: How
Will Your Library Respond?" Library Issues, 24(3), Jan. 2004). This
informative article should be required for all library administrators.
"LIBRARIANS NEED TO BE LOOKING BEYOND PRIVACY AND CONFIDENTIALITY TO THE
RIGHT OF COMPLETE ANONYMITY."
I don't really think enforcement of the act is the equivalent of Chicken
Little's falling skyI think enforcement really will come. But I do think
the first library that joins the hysterical fray without preparatory action
might end up bringing shame upon itself. Moreover, we should not let PATRIOT
Act obsession distract us from other serious, related issues, such as the Digital
Millennium Copyright Act, the Children's Internet Protection Act, and various
battles for more reasonable copyright protections. I would be willing to guarantee
that DMCA, CIPA, and copyright enforcement will have earlier and longer-lasting
impacts on libraries than PATRIOT will.
Happy Anniversary to Me
This column marks a milestone for me. It's my 20th column for Computers
in Libraries, and I've celebrated by getting a little preachy. Please
forgive me. Although if you've been following my columns, you'll know that
I'm not usually one to de-politicize an issue. I was born inside the Beltwayit's
in my blood. But I wonder whether the politicization of the freedom to read
and the library sovereignty of patron privacy are distracting us from some
basically simple rules of engagement. This is not an argument against the
ALA Washington Office. God bless their David-and-Goliath struggle against
the Justice Department, Congressional copyright zealots, the recording industry,
and filtering fanatics (95 percent of whom, I would bet, would be hard-pressed
to produce a library card). While I would hardly advocate dropping everything
to answer the yet-to-be-determined social injustices allowed under the USA
PATRIOT Act, I do think that librarians should act reasonably to remain informed,
educate their staff and patrons, and stand prepared for their first law enforcement
Andrew K. Pace is head of the systems department at
North Carolina State University Libraries. His e-mail
address is firstname.lastname@example.org. You can also reach him
through his Web site at http://www.lib.ncsu.edu/staff/pace.