Say Yes No Maybe So To Privacy

I honestly don’t know whether to laugh, cry, or just let the apathy take over me when it comes to libraries and their relations to vendor that collect usage information. It must be active cognitive dissonance in which we tout the confidential nature of patron records, the freedom to read anonymously, and the actions we will take (up to and including jail and legal proceedings) but let such data slip through our fingers first with database providers, then with social media, and finally now with the landscape of apps. It’s either that librarians aren’t serious about principles of privacy protection or we have to accept that the cultural norm has shifted to the point of passive acceptance where the less work it takes to do something, the better.

The Digital Reader reported late yesterday that Adobe was collecting user information about people’s eBook library through the latest edition of their program, Adobe Digital Editions. Among the many problems here, two are chief in this librarian’s eyes: first, that the data is sent unencrypted and insecure to the point where anyone can just tap in; second, that Adobe is provider of digital authentication to Overdrive, the leading supplier of library eBooks in the United States. The first is somewhat laughable (a digital security company that cannot encrypt) but the second is absolutely enraging. The two come together as one with Adobe’s statement about their data collection that I will (unfairly) sum up as “It’s totally in line with our privacy policy to take that data to make sure that you aren’t stealing.” It’s like checking for identify theft by screaming out the person’s social security number to a person across a crowded room checking it against their records. It’s digital security at its Super Troopers best.

But I save my fiery gaze of fury for the entity that I can do something about: Overdrive. As of the moment I am writing this, they are currently “aware” of the situation and I await their comment with deservedly given suspicion. While I struggle with giving them the benefit of the doubt with Adobe (but seriously, COME ON MAN), I did make it a point to look up the privacy policy of their app which they are pushing people (aka our library members) to sign up. I encourage you to read the whole thing since you are serving it up to your community, but I’ll highlight some passages for you.

What is “Personal Information”

“Personal Information” describes information that can be associated with a specific user and used to identify that person, such as your name, email address, birthday, gender, location information, etc. Personal Information, specifically your name and email address, will be submitted by you when you create, access, and use your OverDrive account. Other information, that is not personally identifiable, may be collected automatically by creating, accessing, or otherwise using your OverDrive account.

What information does OverDrive collect?

We may collect certain information about your interactions with us and information related to you and your use of your OverDrive account, including but not limited to, Personal Information, your online activity, digital content selections, reviews, ratings, your library card account number and/or Adobe® ID as well as Internet Protocol addresses, device types, unique device data, such as device identifiers, and operating systems.

By creating and using an OverDrive account with OverDrive and/or otherwise consenting to the sharing of information with us, you authorize OverDrive to collect and retain your Personal Information and, at your option, you library card account number and/or Adobe ID, and other information. Please be aware that your OverDrive account cannot be used unless you identify yourself to us.

How does OverDrive use information?

[…]

OverDrive may also use and share non-personally identifiable information, such as general demographic or location information, or information about the computer or device from which you access your OverDrive account. Additionally, we may anonymize Personal Information and share it in an aggregated form with third parties, advertisers and/or business partners in order to analyze service usage, improve the OverDrive service and your experience, or for other similar purposes. The use and disclosure of such information is not subject to any restrictions under this Privacy Policy.

Even as I copied and pasted these passages, I felt the swell of apathy rise within me. How much can I care about this when people (including myself) are giving away their personal information everyday in exchange for free web stuff or customization or personalized deals? It’s hard to reconcile that at times, especially since I know I will copy this link into my social media accounts.

But, for me, this is an instance where action is called for. The freedom to read anonymously is simply that important. In a world that seeks to find, track, and record our mundane moments, our principles should not be flexible on this invasion of privacy. There is a reason and a damned good one that library records enjoy a higher level of protection: uninhibited curiosity and the intellectual pursuits are the hallmarks of thought, discovery, and being. We must act if not from these ideals but from our legal duty to protect our member’s privacy.

What happens next? I’m not entirely sure. For myself and my library, it’s a hard look at the expenditures and price (legal, moral, and financial) we pay for them. I will be taking a hard look at 3M and their privacy policy and consider what options are available. I don’t know about any other companies at this point, but I’m willing to consider more options. Honestly, even for the delight it brings my members in getting books online it poses an ugly question: at what cost? Can libraries back away from eBooks now or have the claws sunk in too deep? At what point is “giving them what they want” to we allow to give ourselves away?

I remember attending the Public Library Association annual conference when it was in Philadelphia a couple years back. Overdrive threw a bash at the Constitution Center complete with food, drinks, and entertainment by a wide ranging cover band. As the revelry played out in front of me, one of my thoughts was how libraries had paid for the extravagance. It really was a good party, though the attention to detail there could have been used on the app at the time.

It’s not any different now. If you think about it, nothing is new here, just unfortunate. Privacy intrusions abound these days, but there should be lines. There needs to be lines or else the concept erodes away under the constant drip of internet cookies, app permissions, and other forms of tracking software. We as a profession have to draw that line. Or just go home as glorified content caregivers who will do or say anything to keep the general public coming to an inadequate building with funding commitments based on whether cutting or adding is the favored community political position.

So, get on the phone or send an email to your eContent providers. Find out what they are doing to comply with state laws and the ideals of the library. It’s up to you to do it.

Draw your line.

3 thoughts on “Say Yes No Maybe So To Privacy

  1. Okay, I have been steaming over this awhile, but this bit is just too much: “Personal Information, specifically your name and email address, will be submitted by you when you create, access, and use your OverDrive account.”

    Ha! Ha. No. That is so incomplete it’s blackly comical.

    Are you familiar with SIP (Session Identification Protocol)? A few things about it.
    1) It’s one way to log people on to various vendor services, e.g. when logging in at the OverDrive site. You put in your library card number and PIN, click submit, OverDrive uses SIP to ask your library’s server if you’re allowed to log on; your library server sends a response.
    2) Encryption is not required.
    3) Here’s a sample SIP response from Polaris to OverDrive, reformatted to add line breaks and remove all identifying information, replacing that info with an explanation of what it is. You’ll see there are a few fields I didn’t find documentation on, but the important thing is that this is what it sends by default if you’re using SIP with Polaris to log in to OverDrive. And encryption is not even required!

    64 [patron information response]|
    AO [institution ID]|
    AA [card number]|
    AE [lastName, firstName middleName]|
    BZ [max amount allowed to have on hold]|
    CA [max amount allowed to have overdue]|
    CB [max amount allowed to have checked out at once]|
    BL [valid patron flag (y/n)]|
    CQ [valid password flag (y/n)]|
    BH [currency]|
    BV [amount owed]|
    CC [max amount owed before blocked]|
    BD [physical address]|
    BE [email address]|
    BC [date of birth]|
    PA [?]|
    PE [patron branch]|
    PS [patron code]|
    U4 [?]|
    U5 [?]|
    PZ [zip code]|
    PX [card expiration date]|
    PY [?]|
    BF [phone number]|
    AF [message to print on screen if login not allowed]|
    AG [print line (not sure what to make of this one; it looks like just a subset of AF above)]|
    AY [sequence number (for error detection/synching)]

    I’ve been told there is not a way to make it send only the absolute bare minimum required to verify if someone should be allowed to log on (BL, CQ, maybe BV and CC). I’m not sure if that’s correct–it beggars belief–but given what I’ve seen from Polaris, if The Powers That Be agreed we should raise hell about it I’m sure we’d get the response “This is an enhancement request.”

    I don’t know if Sirsi or any of the other vendors do things differently (by which I mean, almost certainly better) or if this is just how things “have” to be when verifying patron logon info with OverDrive.

    But really. We’re supposed to think that it’s in line with any sensible policy to send that much information about a patron–damn near everything required for identity theft–just to verify if s/he should be allowed to check out eBooks?

  2. Pingback: (Failing to) Protect Patron Privacy | Jenny Arch

  3. Pingback: Swiss Army Librarian » A Couple of Minor Interesting Things :: Brian Herzog

Share your thoughts

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s