Patron Privacy in a Surveillance State

Adam Chandler

Electronic Resources and Libraries 2014March 18, 2014

2

July 5, 1993

3

“They are intent on making every conversation and every form of behaviour in the world known to them” - July 2, 2013

Post-Snowden reality

4

5

6

7

8

Gellman, Barton, and Ashkan Soltani. “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say.” The Washington Post, November 1, 2013,

9

10

11

12

13

“First half of 2013, American authorities made 12,444 requests of 40,322 accounts. Yahoo handed over content in 37 percent of cases, whereas in 55 percent of the cases, the company handed over only ‘non-content data’ (NCD).”*

*Basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from e-mail headers).

14

321,000 legal orders for user data in 2013. Of those, over 6,000 were court orders to provide metadata in real time.”

15

16

“State and federal agencies made 301,816 separate demands for data from AT&T in 2013.

“Governments asked for location-related data 37,839 times”

17

“Sprint Accused of Overcharging US for Spying Assistance.” Network World, March 4, 2014. http://www.networkworld.com/news/2014/030414-sprint-accused-of-overcharging-us-279362.html.

“What eludes Mr. Snowden – along with most of his detractors and supporters – is that we might be living through a transformation in how capitalism works, with personal data emerging as an alternative payment regime. The benefits to consumers are already obvious; the potential costs to citizens are not. As markets in personal information proliferate, so do the externalities – with democracy the main victim.”

18

Evgeny Morozov

19

“With little or no revenue from its users, Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users’ personal identification information … in this model, the users are the real product.“

- after dismissing a class action lawsuit brought by Google users who claimed the search giant broke the law when it combined the privacy policies of Gmail, YouTube and a variety of other services. 20

US Magistrate Judge Paul Grewal

“Surveillance is the business model of the

Internet.”

21

Bruce Schneier

22

"We have a stalker

economy."

Um. Since we work in libraries… what does all this mean for patron privacy?

23

Statement on Access to Personally Identifiable Information in Historical Records

Librarians should recognize an obligation to monitor their governments’ legislation in regard to confidentiality of data records. In particular, librarians should support the need for privacy laws to protect library users from such abuses as government agencies monitoring their reading and research habits. - IFLA Governing Board

24

ALA Code of Ethics

III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted. - American Library Association

25

26

27

28

29

30

David Weinberger, co-director of the Harvard Library Innovation Lab.

"The privacy that libraries traditionally have been preserving is not always valued by their patrons, especially in an age of social networking."

Library 2.0

32

33

“Librarian 2.0 is the guru of the information age.”

Stephen Abram

34

35

36

37

Zimmer, Michael. “Patron Privacy in the ‘2.0’ Era: Avoiding the Faustian Bargain of Library 2.0.” Journal of Information Ethics 22, no. 1 (April 1, 2013): 44–59. doi:10.3172/JIE.22.1.44.

7.5%

38

Zimmer, Michael. “Patron Privacy in the ‘2.0’ Era: Avoiding the Faustian Bargain of Library 2.0.” Journal of Information Ethics 22, no. 1 (April 1, 2013): 44–59. doi:10.3172/JIE.22.1.44.

1.6%

Contextual integrity

39

Nissenbaum, Helen Fay. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford, Calif.: Stanford Law Books, 2010.

Case study: How are these competing paradigms playing out

in Cornell University Library?

40

Library systems that collect patron usage data inside Cornell campus

42

43

44

45

46

47

48

Library systems that collect patron usage data outside Cornell campus

50

51

52

53

54

55

56

57

4. Postings to Question Point Services

You acknowledge and agree that OCLC may store all electronic transactions carried out between you and the library on this service and any information provided by you on this web form, as described in the Privacy Statement, for an indefinite period, with this exception: your name and all but the domain of your e-mail address will be deleted after 90 days. As such, OCLC may disclose the data in its possession only as described in the Privacy Statement and if required to do so by law.

You hereby grant to OCLC the perpetual, nonexclusive, world-wide right to edit, compile, and make searchable by libraries and the public all completed question-and-answer pairs

58

How many of you negotiate for content or software?

59

Of those who raised your hand, what demands, if any, do you make of vendors to protect user privacy?

60

“This study used content analysis to determine the degree to which the privacy policies of 27 major vendors meet standards articulated by the library profession and information technology industry. While most vendors have privacy policies, the policy provisions fall short on many library profession standards and show little support for the library Code of Ethics” (Magi, 2010).

Magi, Trina J. “A Content Analysis of Library Vendor Privacy Policies: Do They Meet Our Standards?” College & Research Libraries 71, no. 3 (May 1, 2010): 254–272.

61

62

Percentage polled who trust the following organizations “not at all”

63

“For Privacy, Americans Trust Facebook Less Than The NSA.” BuzzFeed. Accessed October 9, 2013. http://www.buzzfeed.com/charliewarzel/survey-for-privacy-americans-trust-facebook-less-than-the-ns.

Privacy online is still valued

64

86%65

Rainie, Lee, Sara Kiesler, Ruogu Kang, and Mary Madden. Anonymity, Privacy, and Security Online. Pew Research Center’s Internet & American Life Project, September 5, 2013. http://pewinternet.org/Reports/2013/Anonymity-online.aspx.

66

Rainie, Lee, Sara Kiesler, Ruogu Kang, and Mary Madden. Anonymity, Privacy, and Security Online. Pew Research Center’s Internet & American Life Project, September 5, 2013. http://pewinternet.org/Reports/2013/Anonymity-online.aspx.

55%

67

Kiss, Jemima. “Privacy Tools Used by 28% of the Online World, Research Finds.” The Guardian, January 21, 2014, sec. Technology. http://www.theguardian.com/technology/2014/jan/21/privacy-tools-censorship-online-anonymity-tools.

56% say Internet is eroding their personal privacy

68

Kiss, Jemima. “Privacy Tools Used by 28% of the Online World, Research Finds.” The Guardian, January 21, 2014, sec. Technology. http://www.theguardian.com/technology/2014/jan/21/privacy-tools-censorship-online-anonymity-tools.

28% (415 million) use tools to disguise their identity or location

69

70

Recommendations

• Conduct a privacy audit.

• Educate library technologists and marketing staff about patron privacy

• Weigh the pros and cons of adding social network features

• Find alternative to Google Analytics (or at least activate the IP address anonymization switch)

• Pressure vendors to implement SSL encryption

• Advocate for a log file/usage data anonymization best practice for library eresource vendors

• Consider teaching data encryption in your library

72

http://youtu.be/8wa_4G0_xi0

Discussion

Adam Chandleralc28@cornell.edu twitter.com/alc28

73