Not In the Clear: Libraries and Privacy

We say we value patron privacy. If so, we have a lot of work to do.

February 12, 2015

I’m one of those people who others probably call a privacy nut when I’m not listening. (Because I would never listen in – trust me! I’m a privacy nut!) I get really cranky when people tell me privacy is impossible today or if they claim that Young People Today don’t care about it, so get with the program (in which case I tell them to ask danah boyd about that. She’ll tell you it’s complicated.) I get testy when I advocate for privacy as a library value and other librarians say “yeah, but access is a value, too, and that's what patrons care about. Why are you foisting your values on them?” I shudder at incorporating learning analytics into library assessment. Even though I’m very curious about how students learn, I don’t want to track them electronically, even if it’s good for them. I have this stubborn belief that freedom is good for them, too. And don’t talk to me about installing beacons in my library that will activate your cell phones to tell you about library stuff, not unless you want to document what a conniption fit looks like.

But guess what? Libraries are terrible at privacy! We put Google Analytics on our websites. We add buttons for social media platforms that feed information to third parties like woah. We don’t ask vendors why our catalogs don’t use end-to-end encryption. We get ebooks riddled with digital rights management and are shocked, shocked when it turns out Adobe is reading over our patrons' shoulders (and sending unencrypted information about them and their reading habits over the Internet - oopsie!) Adobe is encrypting, now, but they're still reading over your shoulder.

Of course, we’re not the only ones who fail to practice what we preach. Journalists are bullish on protecting sources. I’m just now reading James Risen’s Pay Any Price and am thankful that he stared down the Department of Justice, which was ready to imprison him for not revealing his sources. (I could do with a bibliography for non-sensitive sources, but oh well.) If I were reading a Kindle edition, Amazon would know exactly which pages I've read. I bought a paper copy at an independent bookstore, as it happens. I’ve been following the various reports based on information provided by Edward Snowden and other unnamed sources about the turnkey totalitarian system the NSA is building. But quite often I’m noticing how many trackers are on the pages of those newspapers, keeping track of my visits. (Ghostery is a plugin worth installing – it not only blocks trackers, it’ll blow your mind about how many there are.) We preach one thing and, for practical purposes, practice another.

Still, in an era when everybody’s doing data dragnets, it’s alarming to see how leaky our library websites are, how revealing our catalogs and databases are, and how cavalier we have been with patron data that we swear we will protect. Gary Price of Infodocket has just been scaring the beejebus out of me sharing some interesting links with me about our failings in this arena.

My regional consortium, Minitex, put out an RFP for statewide database  contracts and asked some questions about how passwords are stored. Ho boy. Big vendors, really big vendors are storing them in plain text. Uh, no. Nope. Not okay. And Minitex? Thanks for asking. Big hugs. We all need to ask these questions of vendors routinely and be prepared to walk away.

The other thing that made me sit up and take notice is this horror film informative Coalition of Networked Information conference presentation about libraries and privacy featuring people who’s work I’ve followed for a long time – Peter Brantley, Eric Hellman, Marshall Breeding, and the aforementioned Gary Price, who does a nifty trick of showing the data flowing across the meeting hall’s wifi in real time using Wireshark. Eee!

(What, no women on the panel? You’re forgiven, this once – and Andromeda Yelton gets a well-deserved shout-out.)

One thing that I learned from watching the video is that unencrypted information being transmitted over the Internet is called “in the clear.” There’s irony for you.  

Now, go watch it. It's terrifying great. 




Back to Top