Privacy

Privacy and Academic Libraries Right Now

I have a kid in high school whom I’ve often jokingly referred to as my in-house research subject. I’ve been interested to observe and think about the ways that he accesses information for school and non-school reasons, especially as he gets closer to the age of many of the students who use the library where I work. When he started high school I was initially surprised by the number of educational technology products he was required to use. Much of my grumbling around these systems stems from my concern that some of his classmates likely don’t have good access to computers or the internet at home, and that use of these systems puts a strain on some kids to find time to use the school or public libraries to do their homework. But lately I’ve also been concerned about the number of products my kid has to use, which is only growing. Beyond the very real password management considerations, I’m also increasingly uncomfortable with the amount of information these systems collect about him.

That’s one reason I’m looking forward to digging in to the new EFF report Spying on Students: School-Issued Devices and Student Privacy. From the executive summary of the report:

Throughout EFF’s investigation over the past two years, we have found that educational technology services often collect far more information on kids than is necessary and store this information indefinitely. This privacy-implicating information goes beyond personally identifying information (PII) like name and date of birth, and can include browsing history, search terms, location data, contact lists, and behavioral information. Some programs upload this student data to the cloud automatically and by default. All of this often happens without the awareness or consent of students and their families.

Yes, this report covers only K-12 schooling, but it’s of relevance to us in college and university libraries, too, and not only because we’ll be seeing many of those students at our institutions soon. The proliferation of learning analytics across campuses has been fueled by their highly-touted potential for using institutional student data to help them stay on track, ultimately increasing student retention and graduation rates. Libraries (and the vendors we do business with) have data about our patrons, too — how can we ensure that students’ privacy is protected when we (or other college offices) use that data?

A recent preprint of an article by Kyle M. L. Jones and Dorothea Salo — Learning Analytics and the Academic Library: Professional Ethics Commitments at a Crossroads — does a fantastic, thorough job of walking us through these issues. From the abstract:

[T]he authors address how learning analytics implicates professional commitments to promote intellectual freedom; protect patron privacy and confidentiality; and balance intellectual property interests between library users, their institution, and content creators and vendors. The authors recommend that librarians should embed their ethical positions in technological designs, practices, and governance mechanisms.

Beyond reading this report and preprint, what can we do to learn more and help protect our patrons’ privacy (and our own)? Keeping up with these issues is a good first step. For starters, I recommend the terrific work of education technology journalist Audrey Watters published on her Hack Education blog. Her longer pieces and transripts of her presentations go in depth on many privacy-related topics, and her Hack Education Weekly News tracks edtech across a huge range of publications and outlets.

We can also work to audit our own internal library systems and practices, and to push the vendors we work with to protect patron privacy. Further, we can increase digital privacy awareness among ourselves, our coworkers, and our patrons. At the library where I work we hosted a data privacy training for all library faculty and staff a few months ago, run by some of the smart folks from the Data Privacy Project. They covered digital privacy protection for us as technology users as well as ways that we can shore up privacy protections in the library. Their presentation materials are all available on their website, too, for any library to use to offer digital privacy workshops for their community; my college’s library is running one next week during Choose Privacy Week.

Once More to the Breach

ACRLog welcomes a guest post from Mark Herring, Dean of Library Services at Winthrop University.

Summer’s over, I know, but we must go once more to the breach of web privacy. A California librarian recently complained about Amazon’s new Kindle ebooks lending program for libraries. The complaint focuses on Amazon’s privacy policy and advertising. In a ten minute video (the transcript of which is here), the librarian argues that in our hasty “greed” to get books into the hand of readers, librarians violated one of our sacred trusts: privacy protection. Amazon keeps a record of all books lent on Kindles via corporate servers. This information is later used like it is on the website, both to recommend new titles and of course advertise products by selling that information elsewhere. While the story was picked up in the library press and on Slashdot, it wasn’t widely publicized, at least not to the extent of the story of Amazon’s lending program. The reason why is simple: web privacy is now a non-starter.

This isn’t the first such story about Web privacy (or lack thereof), and it is not likely to be the last. But it is a non-issue and will remain so as far as cyberspace extends. It’s not as if we weren’t warned.

As long as go as 1999, in a widely publicized story (perhaps forgotten now?), Scott McNealy, CEO of Sun Microsystems, told a group that the issue of privacy on the Web was a “red herring” (no relation by the way). McNealy went on to say that “You have zero privacy anyway. Get over it.” McNealy wasn’t the only one to argue in this manner, and neither is Amazon the only company with a patent disregard for privacy. Frankly, any company or social network on the Web puts privacy on low priority. Don’t get me wrong. Privacy isn’t an absolute right. I can think of times when not disclosing someone’s shenanigans would border on the criminal. But our patrons should be able to do basic library business without being hounded.

To be sure, the strength of the poisoned privacy varies among various Web apothecaries. With Facebook rapidly approaching one billion users, only a tiny minority remain who can care about privacy. Only last year Zuckerberg reminded all of us that “the age of privacy is over.” At the time, some saw this as an about-face. But anyone who followed Facebook helter-skelter knew otherwise. James Grimmelmann remarked once that of all the social networks, Facebook had the best privacy statement, and it was awful.

But I like the way Zuckerberg phrased it because I think it sums up nicely where we are about the Web and privacy. It’s a brave new world, and those not yet on board are from another, older and quite possibly, flat one. This was never made clearer to me than a few years ago.

I had the distinct pleasure to visit MIT in 2009 and learn of new web-related inventions in the proverbial “pipeline.” Amid our somewhat graying profession were these twentysomethings, naturally, all exceedingly bright. Some of what we saw has already come to pass, while others remain in development. There were toys, apps, and so on. But what really caught my eye was a broach or lapel pin.

This pin, our attractive, late twentysomething, explained to us, made certain you never forgot a name or a face again. I’m terrible with names, so naturally I perked up even more. When you approach a person, she said, the pin casts his or her “vitals” on their chest, visible to you but not to them. Commonly known things, she said, like age, marital status, number of children, where they work, recent vacations or even recent accomplishments. This way, she told us cheerfully, you’re never at a loss what to talk about. You know, how are the kids, is Peter enjoying Harvard, and how was the vacation in the Caymans?

Several of us, all over 50, let out an audible gasp. But isn’t that a violation of privacy, we asked, almost in unison. Oh, no, she reassured us. It’s all on the Web anyway. And then she said something that I don’t think I’ll ever forget. When asked about the ethics of it all, she replied, again cheerily, “Those are issues taken up by another department. We don’t really engage in the ethics part of it.” And that’s when I knew. We are of a different age because even the developers no longer think about these things, assuming they once did. Ethics will ponder that matter and get back to you. But don’t call us; we’ll call you.

None of us want to remain fully anonymous, but many of us–at least those of us over 50–would prefer to remain somewhat private. Not anymore. Everything we are or hope to be, whether true or not, is on the Web; and someone is or will be making use of it. In this brave new world, we all live our lives on the backs of so many digital postcards that travel the globe daily.

This isn’t about going back, or trying to recapture the genie or clean up the toothpaste. Those days are over. Rather this is about how we librarians have become students of change and must now weigh those changes regularly. As the Web changes books, it also changes the libraries that house them. And so McLuhan was right after all: We shape our tools and thereafter our tools shape us.

And so here we are, once more to the breach. Habent sua fata libelli: books have their fates. The only question that remains today is this one: is this the fate we want for them, for our libraries?

Personal Content Capitalism

I’ve been hearing less and less about Google+ lately, the social network launched by the search giant over the summer. I can’t comment on its functionality because I haven’t tried it; while I’m interested, I’ve got a couple of big projects going on and don’t have the bandwidth right now for an additional flavor of social media. However, my partner is on Google+ and recently let me know that he added me to a circle. I have a Google account and use lots of other Google services, but feels weird that people I know can add me to Google+ circles even though I’m not using the service.

It’s worth thinking about the way social media and internet services are monetizing (or trying to monetize) our personal content. Like many librarians and academics I rely on these services frequently, though I’ve lately begun to question whether the advantages and convenience that they provide are worth it. Last month the professional social networking website LinkedIn retreated from an earlier decision to include photographs from their users’ profile pages in ads for the service. This was just the latest in what seems to be an ever-increasing number of news items about social media companies that push their users’ comfort levels with privacy a bit to far.

A few months ago I quit Facebook because I was concerned that their privacy policies are growing evermore fluid at the same time that everyone seems to be using it to post information about events, photos, etc. Every time I commented on a friend’s wall or uploaded a picture of my kid I felt like I wasn’t getting nearly as much out of my end of the relationship as Facebook was from me. I have to admit, though, that I do miss the easy access to information from a wide range of folks I know from many stages of my life.

Like Facebook, Google uses our personal content to sell ads. Of course, selling internet ads is Google’s whole business: we are Google’s product, and the longer Google can keep us online, the more money they can make selling ads. I don’t use Gmail because I have another email provider. But I’m a heavy user of other Google services. I keep my personal schedule in Google Calendar because at our library we use it for our internal scheduling. I use Docs to collaborate with colleagues everywhere: in my library (though we are shifting to an internal wiki for much of that), with colleagues across the university system where I work, and with long-distance collaborators. And checking in with Google Reader is a staple of my daily routine.

But lately I’m reconsidering all of the personal content I’ve willingly given to internet services. I’m not sure how to ramp down my use of these tools that I’ve become so dependent on, especially given the number of people I work and communicate with who use the same tools. What’s the appropriate balance of control over our personal content and convenient, useful services? And how should we help guide students in making these same decisions?

Another Case of the Missing Library

Steven just remarked on the Educause training toolkit for information literacy that somehow missed the fact that libraries have been working on it for some time. D’oh! This presentation on an Annenberg School-sponsored media survey also struck me as a place where “library” as a source of information is noticeably absent. (So are books.) Admittedly, the focus is on how media can recapture people’s attention as a trusted source of information, and it’s really focused on “how do we get consumers to pay attention to our advertising so we can recover that revenue stream.” But still … the survey asked about where people turn to find trusted information. The library is not one of the options. (See especially slides 20 and 24.)

The survey focused entirely on sources of information that can be optimized for advertising dollars – and how to drive the public toward news media for purchasing decisions – so they may have just decided libraries don’t belong on the list. But when they ask about “where you go for information” and libraries aren’t there, it suggests value is only attached to information sources that exist to generate advertising dollars and stock dividends.

The study reports that people are increasingly skeptical about mass media and that “word of mouth” is more important than being told what to read through PR and marketing. In other words, you PR flaks have shot yourselves in the foot and are now trying to learn how to talk like a human.

Maybe our users need to get a little more outspoken. Libraries have net assets worth billions! You can claim your dividend every time you use them! You can use them online with no pay wall! And no harvesting of personal information or annoying banner ads!

I think we have an edge, here, if only we were able to get the word out.

Some Thoughts on Privacy 2.0

The Pew Internet in American Life project has just come out with a report on how people feel about their online identity. Digital Footprints examines who keeps track of personal information available online, how they feel about inaccuracies they might find, and whether they are nervous that so much personal information is publicly available.

The majority of Internet users responding to the survey say they don’t worry about it. Most would like to control their digital image – but don’t take steps to do it. (Interestingly teens are more likely to limit access to their profiles. Many adults feel an unlimited online presence is necessary for their careers – and teens may feel limiting their profile is an equally smart move for their future careers.) Technology has changed our expectations: the interactivity of Web 2.0 and the addition of new data formats and geotagging will only increase the fine grain of our digital footprint. But so have external events. The public grew far more tolerant of having their privacy invaded after 9/11, according to several studies in a fascinating section of the report.

My guess is that we’ve been equally desensitized by advertising that is driven by harvesting and analyzing our searches, and by banks and other corporation routinely mining our lives for personal information. (Fortunately Senator Dodd thinks there should be some limits to corporate spying, at least when it contributes to a violation of the constitution.)

The recent OCLC report on Sharing, Privacy, and Trust in our Networked World found that only about half of respondents want libraries to keep their activities private, in contrast to librarians, who are more likely to find privacy important. In general, this report jibes with Pew’s in that people want to control what they share. They just aren’t very aware of what they’re sharing when they’re not in control. The degree of trust in information services that store their searches and use that information commercially either means there’s a disconnect between wanting to control what they share and letting corporations harvest information from their searches – or they simply don’t recognize the extent to which it’s happening.

The OCLC report urges libraries to do more social networking to develop trust.

We know that privacy is important to users, and to librarians, but we also know that sharing and open access matter. Privacy matters, but sharing matters more. If the axiom â€œconvenience trumps qualityâ€ was the trade-off that gave rise to the search portals as providers of â€œgood enoughâ€ information, it might be said of the social Web that â€œsharing trumps privacy.â€

Unfortunately the example they use as a success in this area is the banking industry (huh?), not sites that seem to take both readers and privacy more seriously, like LibraryThing (which is not mentioned in the OCLC report, though it’s doing largely what the report recommends libraries do). And it seems to contradict the report’s belief that people are desperate to share that there are only seven comments at the site OCLC created to discuss the report.

The blogger Rudibrarian has a brilliant post on this issue.

Something I think about whenever I see a list of Cool 2.0 Free Tools You Can Implement At Your Library is privacy (or more accurately, confidentiality). Why are they free? Whoâ€™s getting what? Does the user retain ownership of their information? Is the library facilitating the sale or use of usersâ€™ information when offering this tool?

I *only* think about this when I see othersâ€™ implementations or lists of tools. I almost never think about it when I myself am doing something where I ought to think about it. Like, perhaps, when adding applications to my facebookâ€¦.

…Users ought to worry about this stuff but the information world has gone completely mad and out of control and is being monetized and ramified in all sorts of ways they canâ€™t even begin to understand when they take their first gateway drug (which might be a DisneyPhone designed to allow their parents to track their every movement and thus desensitize them further!)

So, librarians used to have this bill of rights to guide library services which states

IV. Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas.

Which I read to mean that libraries and librarians work to support the statement that all individuals are free to read whatever they choose and that such reading is nobodyâ€™s business but their own. Essentially, that libraries and librarians are (or should be) committed to protecting patron privacy and confidentiality (two similar but not identical goals).

So, questions to ponder for later parsing:

1. Are libraries still committed to this?
2. Should we care that our patrons (especially academic library patrons, since thatâ€™s my ball of string) donâ€™t care about their own privacy or confidentiality? Should their naivetÃ© trump our responsibilities?
3. Does our desire to do more for our patrons hold hands with their naivetÃ© to further sexy goals, or is it OK to not let them know what weâ€™re doing (or that we donâ€™t know!)?
4. Does anyone know how much info weâ€™re giving away though Facebook? or other username/password identity sites?
5. Is it still within our power to prevent Minority Report from becoming reality?

To which I’d add: Aren’t these all questions we should be asking ourselves, right now, urgently?