Libraries consider it fundamental to provide their services in ways that protect the privacy of their community members. We go to great lengths to ensure that no third party can find out what a patron checked out, what she read in the library, what questions he asked of a librarian, or what answers were given. This concern for patron privacy must be embodied in the policies and procedures of the library and in any of the technical systems involved in supporting the library's services. Since libraries depend heavily on technology for almost every aspect of their internal work and for the provision of content resources and services to their patrons, it is essential that they look closely at how these products handle any data related to patron interactions.
Not Absolute: Exceptions Apply
Concerns and practices related to patron privacy depend on a variety of contexts. As with other issues, practices related to privacy vary depending on the type of library and its organizational context. A corporate library, for example, has a different approach to privacy. The sharing of data may be governed by employee contracts or by terms of service applicable to customer transactions. What material an employee uses or references might be subject to disclosure to supervisors or corporate administration. Use of resources by external users may be considered customer data and be subject to the use and distribution specified in click-through terms of service. Academic libraries could also have special circumstances in which they may be required to provide patron-specific information to bodies beyond law enforcement agencies, such as academic review boards or other campus or administrative bodies. Public libraries generally carry the heaviest burden in the protection of patron information. All libraries must respond to warrants from law enforcement that may demand data regarding a specific patron's transactions.
Technology Built to Embody Security and Privacy
Organizational and legal exceptions aside, libraries diligently work to protect the confidentiality of personally identifiable information, items borrowed or consulted, research inquiries, and use of other services. As libraries implement or create technology-based systems related to their work, their high-level design, specific functionality, and operational execution must be consistent with these expectations for privacy and security.
Strong security ensures any personal data that needs to be stored on a library's computer environment cannot be accessed beyond any needed operational use. Weak security enables the possibility that malicious hackers could break into the system and gain access to sensitive data. Even though much of the information that libraries manage--especially the kind describing its collections--is meant for open distribution, these systems often also handle financial and personal data, which must be carefully secured. Standard security measures protect systems against unauthorized access. More importantly, sensitive information can be encrypted so that even if intruders gain access to the system, they cannot access the content of the files. General computer and network security has become an increasingly complex specialization, which requires an incredible level of technical expertise and proactive vigilance.
Maintain Privacy But Deliver Personalized Experience
Beyond generic security measures, attention to privacy should be baked into the design of any technology platform used by libraries that involves any aspect of patron data or interaction. These systems must be able to contain private data in a way that does not hamper the library's ability to make use of data to produce a more personalized, sophisticated, and effective set of services to benefit its patrons. If systems exclude all personal data and use-related data, the resulting services will be one-dimensional and sterile. I consider it essential for libraries to deliver dynamic and personalized services to remain viable in today's environment; expectations are set by sophisticated social networks and commercial destinations.
Traditional Patron Record Management
As the provision of content and services is increasingly conveyed via technology, the protection of privacy becomes incredibly complex. At a basic level, details regarding library patrons should be handled in a way that respects confidentiality. Libraries need to maintain records for their patrons in order to provide services to them. These records should be stored in a secure technical environment so that these details are not used beyond the intended internal purposes. Additionally, they should be well protected from unauthorized access, including reasonable precautions against the increasingly prevalent theft of data.
The basic scenario of the protection of circulation records in the ILS has been the traditional locus of concern. As the environment that manages the circulation of print materials, the ILS makes links between patron and item records. A patron record includes details about the patron that are needed to conduct the business of the library, but the details are expected to be kept confidential. Patrons reasonably expect that their residential or business address, email, phone number, driver's license number, and especially credit card number on file will not be exposed.
Library systems also manage records that describe the materials in their collections and aggressively expose this metadata. Providing access to these bibliographic databases through online catalogs, discovery services, and the general web promotes the use of these collections and forms a key component of the library's mission.
The crux of privacy lies in the linkage between the private patron record and the public item record. That linkage forms the basis for the circulation of physical materials. To manage the inventory, library personnel need data showing which items are on loan to what patrons. Notices may need to be sent to remind patrons to return materials or when an item may have been recalled, as well as when a fine is due for late return. Likewise, patrons need to be able to sign into their online account and see what items they borrowed, place renewals, or pay fines or fees.
The business rules of the circulation module of an ILS hinge on the link between patron and item records. That link needs to be maintained for the duration of an active loan. But once the loan transaction has been completed, policies and practices vary. Some libraries prefer to maintain data regarding the last borrower of an item until it has been checked out again. This data can be helpful in case the item is damaged, missing, or possibly not really returned. If an item does not circulate frequently, the data regarding that last borrower can remain for a long period, providing more of a chance for accidental exposure or enforced disclosure.
The technical platforms used by libraries must manage patron records consistent with policies and practices that apply to privacy and security. Beyond patron records, the transactions related to services performed for patrons also convey private information. A checkout transaction links an item of content to a specific patron. Therefore, it must be securely handled to ensure the privacy of a patron's reading history. To satisfy this concern, most ILSs have features to protect past borrowing activity. They clear completed circulation transactions to prevent accidental exposure or to limit the data that might be available in response to a court order.
And yet, this obliteration of circulation transaction data also limits opportunities for personalization. For example, patrons might want to view all of the items they previously checked out. Library discovery services should be able to make recommendations based on items previously searched or borrowed. Even these basic personalized features become impossible to provide in a system that takes a very aggressive approach to removing data related to patron activity. Retaining anonymized data that might contain demographic or other categories that characterize the patron--while removing patron-specific data--can provide statistical data, but does not necessarily support personalized patron interactions. Some systems leave it to the patron to opt in to having this personal data collected and retained.
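The retention choices described above (the patron-item link kept only for the active loan, an optional "last borrower" kept until the item circulates again, an opt-in reading history, and anonymized counts that survive everything) can be made concrete in a small circulation model. This is an added illustration, not code from any ILS; the `Circulation` class, its policy flags and the sample patrons and items are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Patron:
    patron_id: str
    keep_history: bool = False      # opt-in reading history (off by default)


@dataclass
class Item:
    item_id: str
    title: str
    current_borrower: Optional[str] = None   # link exists only while a loan is active
    last_borrower: Optional[str] = None      # retained until the next checkout, if policy allows
    loan_count: int = 0                      # anonymized statistic, never tied to a patron


class Circulation:
    """Toy circulation module showing when patron-item links are created and severed."""

    def __init__(self, retain_last_borrower: bool = True) -> None:
        self.retain_last_borrower = retain_last_borrower
        self.patrons: Dict[str, Patron] = {}
        self.items: Dict[str, Item] = {}
        self.history: Dict[str, List[str]] = {}   # only populated for opted-in patrons

    def add_patron(self, patron: Patron) -> None:
        self.patrons[patron.patron_id] = patron

    def add_item(self, item: Item) -> None:
        self.items[item.item_id] = item

    def checkout(self, patron_id: str, item_id: str) -> None:
        item = self.items[item_id]
        if item.current_borrower is not None:
            raise ValueError(f"{item_id} is already on loan")
        # A new loan replaces any stale last-borrower link from the previous loan.
        item.last_borrower = None
        item.current_borrower = patron_id
        item.loan_count += 1

    def checkin(self, item_id: str) -> None:
        item = self.items[item_id]
        patron_id = item.current_borrower
        if patron_id is None:
            raise ValueError(f"{item_id} is not on loan")
        # Sever the active link; keep the last borrower only if policy says so.
        item.current_borrower = None
        item.last_borrower = patron_id if self.retain_last_borrower else None
        # Reading history is kept only for patrons who explicitly opted in.
        if self.patrons[patron_id].keep_history:
            self.history.setdefault(patron_id, []).append(item.title)

    def linked_items(self, patron_id: str) -> Set[str]:
        """Items the system could currently associate with this patron
        (what a court order or an intruder could obtain from the circulation tables)."""
        return {
            i.item_id for i in self.items.values()
            if patron_id in (i.current_borrower, i.last_borrower)
        }

    def reading_history(self, patron_id: str) -> List[str]:
        return list(self.history.get(patron_id, []))


def demo(retain_last_borrower: bool = True) -> Circulation:
    """Constructed scenario: two patrons, two items, one full loan cycle each."""
    circ = Circulation(retain_last_borrower=retain_last_borrower)
    circ.add_patron(Patron("P-1"))                       # default: no history kept
    circ.add_patron(Patron("P-2", keep_history=True))    # opted in
    circ.add_item(Item("I-100", "Local History of the County"))
    circ.add_item(Item("I-200", "Introduction to Statistics"))
    circ.checkout("P-1", "I-100")
    circ.checkout("P-2", "I-200")
    circ.checkin("I-100")
    circ.checkin("I-200")
    return circ


if __name__ == "__main__":
    c = demo()
    print("links for P-1 after return:", c.linked_items("P-1"))     # {'I-100'} under retain policy
    print("history for P-1:", c.reading_history("P-1"))              # [] (not opted in)
    print("history for P-2:", c.reading_history("P-2"))              # ['Introduction to Statistics']
```

Running `demo(retain_last_borrower=False)` instead shows the stricter policy: after return no item can be tied to either patron, while `loan_count` still supports usage statistics and the opted-in patron still has a reading history.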
Exposure via Internet Transmission
While the internal management of patron data and transactions tends to dominate conversations regarding patron privacy, an area of even greater concern is the vulnerability of sensitive information as it traverses the internet. Any information provided via the web as unencrypted text can easily be intercepted along the way. Freely available utilities that capture traffic on Wi-Fi or Ethernet networks are in wide use. Given that reality, specific interactions considered sensitive are generally encrypted. It is certainly expected that any transaction involving a credit card or other financial transaction would be encrypted. Likewise, login sequences must be encrypted to prevent the capture of user names and passwords.
Most of us know to check whether a site is encrypted when we enter a credit card payment. The page must be delivered using https:// instead of http://. This means that it will be encrypted along the full path between the web browser and the provider's server. Even with sophisticated equipment, no one along the way would be able to decipher any sensitive data. In addition to checking whether the page is encrypted, you can view the digital certificate to verify the identity of the organization delivering the service. Keep in mind that the SSL (Secure Sockets Layer) protocol previously used to encrypt webpage delivery is now considered obsolete: it is vulnerable and has been replaced by TLS (Transport Layer Security). Most browsers will now issue a warning if a site continues to rely on an obsolete security protocol.
Recently, I conducted a small study of how the major online catalogs and discovery interfaces handle security and encryption. The majority of these products operate mostly through the delivery of pages in clear text. Almost all give the option of encrypting only those pages related to patron sign-on, display of account details, and ecommerce transactions. However, general search activity is usually conducted in the clear. After all, the bibliographic information involved in these sessions falls into the category of information expected to be widely disseminated.
Yet these search sessions reveal quite sensitive information. Anyone capturing the session would be able to derive the search performed, the results presented, and the items selected for viewing. It is also not difficult to identify the person involved via the IP address of the network or the MAC address of her device, tying it to a specific place through geolocation data. Names and addresses might also be captured from other unencrypted pages viewed outside of the library catalog session. Even though the library might go to great lengths to protect circulation-related transactions regarding physical books from the remote possibility of legal requests or malicious hacking, data of equal or greater sensitivity is exposed continuously via unencrypted user sessions. These unencrypted sessions are tantamount to allowing strangers to look over the shoulder of a patron using a computer in the library to search the catalog or other content resources.
Encryption Strengthens Privacy
The response to this unintended exposure is obvious. Libraries should insist that these sessions be continuously encrypted. Rather than selectively securing pages related to login and patron detail display, encrypting the entire session would represent a giant leap in advancing patron privacy. Facebook began encrypting its full site in January 2011. This additional privacy can be accomplished with minimal cost. At one time, the computing power associated with the encryption of webpage delivery was considerable and applied to only the most sensitive pages or transactions.
Today, the additional computing power needed to encrypt pages is negligible and is supported in all web servers. The cost comes primarily in the purchase and renewal fees associated with a digital certificate and the time involved to install the certificate and configure the server. Online catalog and database providers may need to perform some development tasks to support the transition to fully encrypted patron sessions. While these tasks are not trivial, they are also not exceedingly difficult. I would anticipate the most challenging scenarios involve the online catalog products that remain in use that are no longer actively developed by their vendors. For sites the library manages directly that involve patron-facing services, I would encourage implementing encryption when possible.
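A library that wants to move from selectively encrypted pages to a fully encrypted session first needs to know which parts of its catalog are still being served in the clear, and what an observer on the path could read from those requests. The audit below, an added example rather than anything from the article or from a particular vendor, parses a constructed access log whose format records the request scheme (`http` or `https`) alongside the usual client, request line and status; the log line format, the `q` search parameter and all sample addresses and queries are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed log format: <client> <scheme> "<METHOD> <target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<scheme>https?) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample log: a catalog that encrypts only the patron pages.
SAMPLE_LOG = """\
198.51.100.7 http "GET /catalog/search?q=bankruptcy+advice HTTP/1.1" 200
198.51.100.7 http "GET /catalog/record/48213 HTTP/1.1" 200
198.51.100.7 https "GET /patron/login HTTP/1.1" 200
198.51.100.7 https "POST /patron/login HTTP/1.1" 302
198.51.100.7 https "GET /patron/account HTTP/1.1" 200
203.0.113.5 http "GET /catalog/search?q=mental+health+services&page=2 HTTP/1.1" 200
203.0.113.5 https "GET /catalog/search?q=cookbooks HTTP/1.1" 200
this line is not a valid log entry
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for malformed input."""
    match = LOG_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # '+' and %xx escapes are decoded here
    return rec


def section(path: str) -> str:
    """First path segment, used to group requests by application area."""
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else "/"


def audit(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count cleartext vs. encrypted requests per application area."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"http": 0, "https": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[section(rec["path"])][rec["scheme"]] += 1
    return {area: dict(c) for area, c in counts.items()}


def cleartext_ratio(counts: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Fraction of each area's requests that were served without encryption."""
    return {
        area: c["http"] / (c["http"] + c["https"])
        for area, c in counts.items() if c["http"] + c["https"] > 0
    }


def cleartext_search_terms(lines: List[str], param: str = "q") -> List[Tuple[str, str]]:
    """Search terms that travelled unencrypted, paired with the client address:
    exactly what someone capturing the network traffic would have seen."""
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["scheme"] == "http" and param in rec["query"]:
            exposed.append((rec["client"], rec["query"][param][0]))
    return exposed


if __name__ == "__main__":
    counts = audit(SAMPLE_LOG)
    for area, ratio in cleartext_ratio(counts).items():
        print(f"{area:>8}: {ratio:.0%} of requests in the clear {counts[area]}")
    for client, term in cleartext_search_terms(SAMPLE_LOG):
        print(f"exposed search from {client}: {term!r}")
```

The patron pages come out fully encrypted while most catalog traffic does not, which is the selective pattern the study above describes; the exposed-terms list makes the consequence visible to the people who have to approve the certificate purchase and configuration work. Once the server redirects every request to https://, the same audit run against a later log should report a cleartext ratio of zero for every area.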
Encrypting the delivery of patron-oriented library services will represent important progress toward improving confidentiality and privacy. I'm relatively optimistic regarding progress on this front. Several discovery service or online catalog providers have recently made this change or plan to in the near future. This move, while definitely necessary, by no means represents a panacea for patron privacy. It closes an obvious hole, but many others remain.
Web technologies include quite an array of techniques for extracting data about individuals and their activities and interests, designed primarily to support commerce and advertising. These technologies present a challenge to libraries to ensure they don't intrude into our services in ways that compromise patron privacy. But they also provide opportunities to enrich the way our organizations deliver patron services, if we can master and control them to create a parallel ecosystem that supports library strategies and values.