Date post: | 27-Mar-2015 |
Category: |
Documents |
Upload: | elijah-cowan |
View: | 213 times |
Download: | 1 times |
Developing a Comprehensive Privacy
Policy
“Rights of privacy are necessary for intellectual freedom and are fundamental to the ethics and practice of librarianship.”- American Library Association, Privacy Statement 2002
“You have zero privacy anyway – Get over it.”- Scott McNealy, Co-founder, Sun Microsystems, 1999
POINT
COUNTERPOINT
2011 Version
“These are also galvanizing times of promise and opportunity. And yet we can only reap the full benefits if we work together, as a society, to uphold people’s right to privacy.”- Jennifer Stoddart, Privacy Commissioner of Canada, November 2010
“If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place”
- Eric Schmidt, CEO, Google, December 2009
POINT
COUNTERPOINT
The Privacy Landscape
Canadian Libraries are still inconsistent in their Privacy Policies Behind the US in this area Most Canadian Policies are response to
PIPEDA or Provincial Privacy Legislation Some are Response to Events Only 7 of the 20 largest Ontario Public
Library systems have a posted Privacy Policy!
Privacy Legislation
Basic Principles for Personal Information: Collected with consent and for a reasonable
purpose Used and disclosed for the limited purpose for
which it was collected Accurate Accessible for inspection and correction Stored securely
Only a Starting Point!
Importance for Libraries
Libraries have a role to protect Privacy “Protecting user privacy and confidentiality has long been an integral
part of the mission of libraries.”
– American Library Association 2002
Awareness among Staff & Patrons Consistency in handling Data & Issues Guidelines for when Privacy is ‘Tested’
CLA Position Statement
Drafted June 1987 First Sentence: “Rapid advancements in computer and
communications technology…”
Very Limited Scope “That names of library users not be released to any person,
institution, association or agency for any reasons save as may be legally required by Federal or Provincial laws.”
What about Usage Histories? Data Storage?
OLA Position Statement
None Published (nor OLITA or OLBA) Occasional discussions (blogs, mailing lists, etc) Such as May 9, 2006: “The OLA Board at its meeting on May
5 lent OLA's support to a coalition that is challenging digital copyright reform on privacy issues.”
Privacy Dangers
‘Fishing Expeditions’ Data Mining (Identified as threat by
ALA) Pressure to Release Information Hidden caches of Data Unexpected points of access & storage “Retention” versus “Preservation”
Going Fishing…
Police & other authorities may request patron records or usage information
Significant pressure could be applied in certain types of situations Media Pressure Political Pressure – Board, Council, etc Pressure from the Public
In the News…
“Durham Regional Police have laid child pornography charges after an Oshawa man was seen surfing child porn at a public library… On January 7th, 2006, the accused attended the public library in Brooklin and began an extensive search for child pornography using one of the library’s computers… Officers seized two computers from the library and gathered additional information.”
-- Durham Regional Police News Release, April 19 2006
• Police aggressive in attitude towards library• Easier to involve Mayor/Media than obtain a
warrant?
Even Bigger News…
“Security services had bomb plot suspects under surveillance for more than six months… To obtain the ammonium nitrate, [alleged bomb plot suspect Zakaria] Amara searched for suppliers on the internet, using the facilities of a public library…”
-- CBC News Report, June 7 2006
• Mississauga Library Computers seized by RCMP – “pressing matter”
The “Hot Button” Issues
Child Pornography Internet Sexual Predators Terrorism
Can Library Boards & Management Resist Political & Media Pressure on these fronts?
A Different Approach…
The Seattle Public Library Confidentiality Policy
“Minimum records kept”“The Seattle Public Library keeps the minimum number of records necessary for maintaining operations. When a customer logs off a Library Computer, information about that user session is automatically deleted.”
Possible Headlines?
“Library refuses to co-operate with Child Pornography investigation”
“Kidnapping case encounters roadblock in Library”
“Libraries a Terrorist Internet Haven”
“Cyber-Bullies use Library to hide their true identities”
The B-List
Cyber Bullying Stalking Threats Disseminating Hate Fraud The “C-List”: Activism
Privacy Policy “Touchstones”
Last Week: Borrowing Records Yesterday: Public Access Computers,
Internet Logs Today: eBooks, WiFi Access,
RFID,Database Searches, 3rd Party Services, Cloud
Tomorrow: DRM, and ???
“Last Week”: Borrowing Records
Basic Concept: Delete Info after Return “Information about what a person may have borrowed is not retained when the item
is returned except where fines and fees may have occurred”
Watch for Exceptions – Document Visiting Library Services: May want to retain Data Make sure Library Software truly complies (logs; backups; etc) Holds – Does Library Software treat differently?
Other Considerations Patrons may want to see their own historical data; have a choice? Historical data for better service – “Amazon Effect”; Bibliocommons
“Yesterday”:Public Internet Access
Sign-ups: Take Patron Info? Keep it? Keep Session Logs? Internet Acceptable Use Policies (AUP) ISP Responsibility; new US/EU
Regulations
“[Sign up information] is removed as soon as the person who has reserved the computer signs on.” - Seattle Public Library
“[We] delete the history of a user’s Internet session and all searches once an individual session is completed.” - San Francisco Public Library
“Today”: New Challenges
External DataBase Searches eBooks – Borrowing Records, etc 3rd Party Services
“Beyond Control” of Library? Possibly in jurisdiction of USA PATRIOT Act (etc)?
WiFi Access for Patrons Login, Usage Logs, etc?
RFID
Newest Challenges
Cloud Computing Google Docs, Microsoft Office 365, Azure, Amazon Web
Serv Jurisdiction Issues !! Danger, Danger !
Social Networking Interactions Facebook, etc
Hardware & Equipment Photocopiers – some keep images of copies made (really!) Out-of-Lease & Disposed of; Stolen; Serviced; Garbage
Tomorrow: The Fun Never Ends
DRM – Digital Rights Management Letters from major Privacy Advocates and
Stakeholders regarding Privacy Risks with potential Copyright / DRM legal protections
What’s Next?
The Case of the Hidden Data
Many potential Data caches Logs Backups Caches & Mirrors Proxies Upstream storage & ISP’s Partners, Suppliers, 3rd Party Services,
more
More Dangers
Hidden/Undocumented Data Potential Embarrassment & Financial
Liability for failed Policy Protections Loss of Patron Confidence
Unexpected release – ‘garbage bin’ data
Costs (Staff Resources & More) to deliver ‘difficult’ data when requested
The Privacy Ideal
No need to release data you don’t have
Request & Store the absolute minimum
“Think twice before you capture data, and three times before you store it.”
- Electronic Frontier Foundation
Delete Data no longer required
The Privacy Ideal Continued…
Document All Hidden Sources Audit, Monitor, Consult Psychics
Pick two out of three
Ingredients to a Policy Design
Details for common issues Library Cards, Borrowing Records, Computer Use
General Principles for the Future Synchronization with Reality
Make sure you can deliver what you promise!
Special Cases Equipment/Data Seizure Policy; Ethical Research Policy
Policy Frameworks
CSA Model Privacy Code Accountability / Identifying Purposes / Consent / Limiting Collection /
Limiting Use, Disclosure and Retention / Accuracy / Safeguards / Openness / Individual Access / Ability to Challenge
Fair Information Practice Principles (FTC) Notice / Choice / Access / Security / Enforcement
OECD Guidelines on the Protection of Privacy
Collection limitation / Data quality / Purpose specification / Use limitation / Security Safeguards / Openness / Individual Participation / Accountability
Organization Must Decide
Discuss, Debate, and Decide on Scope of Privacy Policy Extent of Data Retention Extent of Assistance to Law Enforcement Extent on Protection for Patron Privacy
Board, Management & Senior Staff should all be involved in process
Policy Must Evolve
New challenges, new technologies New Regulations; US atmosphere Increasing Awareness by Patrons /
Public Board, Management & Staff Must
Understand and buy-in to policy!
Related Policies…
Data Retention Details Should be a Separate Policy, that adheres to Guidelines
set in Privacy Policy
Web Site Privacy Statement Related, but Separate in scope
Staff Privacy Entirely Different Policy with Different Goals
References
American Library Association www.ala.org/ala/issuesadvocacy/intfreedom/librarybill/interpretations/privacy.cfm
Electronic Frontier Foundationwww.eff.org/Privacy/
Electronic Privacy Information Centerwww.epic.org
Center for Democracy & Technologywww.cdt.org
More References
CSA Model Codewww.csa.ca/standards/privacy/Default.asp?language=english
Information & Privacy Commissioner of Ontariowww.ipc.on.ca/docs/library-e.pdf
Office of the Privacy Commissioner of Canadawww.priv.gc.ca
Thank You!
“The role of libraries … must not be compromised by an erosion of the privacy rights of library users.”
-- American Library Association, 1991
George Geczy, Vice-Chair,Hamilton Public Library
Email [email protected]