NASIG 2021 Background: Evelyn Flint, “Vintage Film 2” https://www.flickr.com/photos/evelynflint/16887278850/ CC-BY, proportions changed Hi, everybody, I’m Dorothea and ti me is short today, so let’s get on with Physical-Equivalent Privacy.
I do want to men ti on that I’m sorry we couldn’t all be together in my hometown of Madison, and to extend my invita ti on to all of you in NASIG to visit here another ti me, we’d love to have you!
Thank you, NASIG! And to thank NASIG, because the idea behind this talk comes from a talk NASIG invited me to give half a decade ago, and if you were there you may recognize the slide design!
Serials Librarian! And I also want to publicly thank the editors of Serials Librarian, because I sent them the paper a whole en ti re month late and they STILL accepted it. Thank you!
Physical-Equivalent Privacy All right. Back to our topic, physical-equivalent privacy. In libraries, overall ethics codes aside, we have kind of two formal ways of assessing and declaring our commitments to privacy.
and are doing And these amount to “what we claim we care about and are doing” about privacy. Whether we actually care more than performa ti vely, much less whether we’re actually doing privacy-protec ti ve things, well… if you fi nd that at all, it won’t be in the actual policy or statement, that’s not what policies and statements are for.
As an example privacy policy, here’s one I like that you can go check out from the San Francisco Public Library. As these things go it’s short and clear, and it’s honest, it isn’t trying to hide anything in doublespeak.
And as an example of a privacy statement, at ALA Midwinter, there was a resolu ti on on the misuse of behavioral data surveillance, which, I don’t love the ti tle because it implies that behavioral data can be used in some way that ISN’T misuse, but y’all know me, I’m hardcore about this stu ff . Anyway, it’s a good resolu ti on, check it out, and kudos to Erin Berman for shepherding it through.
Privacy Audits So because policies and statements aren’t designed to be where the rubber actually hits the road, we also have privacy audits, voluntary or in-.
What we’re actually doing* ** * ignores what third parties (like vendors, or campus/municipal IT) are doing ** ignores whether we’re actually doing what policies claim we are And these audits measure what we’re actually doing… with a couple of caveats. Caveat one, as ALA structures privacy audits, the audit is SOLELY of systems and services completely under the library’s control. There’s no audi ti ng of non-library third par ti es who also handle library or patron data, like campus or municipal IT, or an e-resource vendor.
Caveat two, audits don’t o ft en measure prac ti ces against claims in privacy policies or ethics codes or anywhere else. It’s just, okay, here’s what we do.
Duke Libraries did a privacy audit in twenty-nineteen and published their report in twenty-twenty. And it’s solid work, and I recommend it, but when I fi nished reading it, it le ft me curiously unsa ti s fi ed. There was all this detail about Duke’s prac ti ces, but at the end of the day, I couldn’t actually answer the ques ti on “are Duke Libraries protec ti ng patron privacy acceptably, especially with respect to e-resources?”
And that’s partly on me, actually, because I didn’t really know what protec ti ng patron privacy acceptably online MEANT.
Are we protecting privacy? Because nowhere in ALA’s audit guidelines is there anything that answers the ques ti on, what’s an acceptable amount of privacy? Or an acceptable amount of privacy viola ti on, if you want to turn it around.
Image: media.digest, “Ruler |” https://www.flickr.com/photos/photo-digest/8757143845/ CC-BY There’s no yards ti ck. Nothing to measure against, especially online where things get slippery and there are giant new modes of privacy viola ti on — Gabriel’s going to talk about this, I won’t steal his thunder — but giant new modes of privacy viola ti on that most of us, myself included some ti mes, have trouble even fi guring out how to think about.
Image: Mike Fernwood, “Jessy makes a movie” https://www.flickr.com/photos/ultimateslug/67568147/ CC-BY So then I got to thinking about that NASIG talk I gave, and there was this slide in it — yes, this is the actual slide! — where I posited some librarian saying “We’re going to follow you around the library and record what you’re reading with cameras and video, and we’ll keep that data inde fi nitely, but don’t worry, we totally won’t ask you your name, and we’re only following you around in order to Improve Our Services!”
And I was like, in what world would that not be totally creepy?
Physical-Equivalent Privacy And then I was like, whoa. That’s it. That’s the yards ti ck. And that’s what I want you all to take home, the idea that you can measure the privacy a ff ordances of an e-resource by fi guring out as best you can what-all data is being hoovered up, where it’s going, how iden ti fi able it is, and then imagining trying to hoover up and spread around the same kind of data for a patron using a bound volume in the stacks!
And if the bound-volume scenario just gets u tt erly intrusive and gross and we would never — well, I think the e-resource scenario is just as intrusive, just as gross, and it really shouldn’t be happening.
And that’s it. That’s physical-equivalent privacy in a nutshell.
Article I “We provide the highest level of service to all library users through… equitable service policies; equitable access…” And I think there are good reasons to do this comparison, beyond just the enlightenment of having a yards ti ck fi nally. One is captured in Ar ti cle I of the ALA Code of Ethics, which runs in part, “we provide the highest level of service to all library users through equitable service policies and equitable access.”
I just can’t construe privacy-viola ti ng service as the highest level of service. And I can’t see how a systema ti c decrease in privacy when patrons use electronic rather than physical resources is in any way equitable service or equitable access!
I think we can and should aim higher and do be tt er.
Article VI “We do not advance private interests at the expense of library users, colleagues, or our employing institutions.” And then there’s ar ti cle six, which goes “we do not advance private interests at the expense of library users.” I don’t think anybody is under ANY ILLUSIONS here that most systema ti c surveillance of e-resource users advances anything but private interests.
What data gets collected? Shared? Would we do that?
Should we be okay with it? What would we have to do
to collect or share the same data
about the user of a physical resource? So if that’s the yards ti ck, how do you use it?
In prac ti ce, it’s a three-step process. The fi rst step is fi guring out what data gets collected and shared, and I don’t have to tell you that’s an art not a science, but we do the best we can, I discuss methods in the paper. Once we have an idea what’s going on, we imagine the same patron using the same informa ti on, just in physical form, and we think about what it’d take to collect and share that same data about that same patron.
Then we ask ourselves, would we do that? And should we be okay with it? And that’s it. That’s how it works.
with respect to information sought or received and resources consulted, borrowed,
acquired or transmitted” NO EXCEPTIONS. library user reader My overall vision hasn’t changed since that last NASIG talk. ALA Code of Ethics, Ar ti cle III. {Read aloud if ti me.}
dsalo
miyayou
dahatake
signer
codeforeveryone
gmoriki
bernhardsvt
arumakan
ashitanoterakoya
olanetsoft
yasslab
matleenalaakso
junyaokabe
andyhume
pauljervisheath
lara
rasmusluckow
destraynor
bkeepers
addyosmani
revolveconf
kastner
trishagee
akosma
hursman