Time for a Privacy Audit
By Walt Crawford
American Libraries Columnist
Senior analyst, Research Libraries Group
Column for August 2003
My June/July column included this throwaway paragraph: “How’s your 2003 privacy audit going? Can you assure readers that their circulation histories are private? You haven’t done a privacy audit? You should.”
Silly me. I assumed that systems vendors and librarians had learned the lessons of the 1970s—that today’s library automation systems automatically sever the link between patron and item as soon as the item is returned, or at worst, as soon as the item is borrowed again. That doesn’t assure confidentiality (it’s still possible to build circulation histories from backup tapes), but sensible institutions use rotating backups, which limits reconstruction possibilities.
Not so simple
Then I spoke to a meeting of librarians in an affiliated group of public colleges and universities. I went to some of the group discussions that made up the rest of the meeting. The systems librarians held an eyeopening session.
These institutions all use the same online system vendor. I won’t name any of the librarians, because they may have mended their ways, but they claim the system default is to retain circulation history. You can turn the default off, but you have to know that you need to turn it off.
I was further flabbergasted to hear representatives from several institutions say they had not changed the default: They were preserving records of who borrowed what. One of them said, “Well, we keep the history, but we preserve confidentiality.”
I had a three-word response to that: USA Patriot Act. Maybe this group’s state has a law that protects confidentiality of those records, but the federal law appears to override state laws.
Most of those attending encouraged me to write this column: It might give them more clout to get the system defaults changed.
If so, here’s the simple statement: It is, in my view, irresponsible to retain circulation histories that identify who borrowed what for any significant length of time after items are returned, except under special circumstances and with the clear and positive agreement of the patron. It violates the fundamental principles of librarianship and it probably means you’re lying to your patrons, implicitly or explicitly. It may also mean you’re violating state law.
I don’t believe there’s any excuse for maintaining those records (except for special patron categories, on their request). I don’t believe there’s any excuse for a general-purpose library system that ships with retention of circulation history as a default, or even as an option without loads of warnings.
We know agencies will look for those records. Right now, there’s the USA Patriot Act, which may or may not be temporary. Before, there were only FBI investigations and hackers: Do you truly believe your system is 100% secure against invasion?
The cases for retention
I’ve heard a few counterarguments. I don’t buy them. Here’s why I think you shouldn’t either:
“Will you risk protecting a terrorist?” I have two answers. First, clever terrorists will either read incriminating resources in the library, buy them using cash, or steal them—they won’t check them out. Second is the overall quandary: How much liberty do you give up in the name of security?
“I have nothing to hide. Do you?” There may be one or two people who have never in their lives done, thought, read, or said anything that they’d rather not have proclaimed in the local newspaper or used in the hands of the justice system. In most cases, this is sheer hypocrisy. My choice of reading matter is my own business, as with your patrons.
“We need the information to do demographic studies.” No you don’t. If you need demographic studies, store the demographic identifiers and break the individual links.
“With circulation histories, we can offer patron-friendly services.” So you can (although very few libraries do), but is the price worth it? If you believe patrons want you to maintain their circulation histories, for whatever reason, you should allow them to make that choice, but only with an appropriate caveat. Something like this:
“If you tell us to retain records of what you’ve borrowed in order to suggest books you might like or provide other services, those records are subject to inspection by federal and other agencies. You will not be notified of such inspections. We cannot assure that other inspections will not take place. Assume that your borrowing history is public knowledge.”
|
