Patron Privacy in a Surveillance State. Revised.
Adam Chandler
Metadata Working GroupMay 1, 2014
2
July 5, 1993
3
“They are intent on making every conversation and every form of behaviour in the world known to them” - July 2, 2013
Post-Snowden reality
4
5
6
7
8
Gellman, Barton, and Ashkan Soltani. “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say.” The Washington Post, November 1, 2013,
9
10
11
12
13
“First half of 2013, American authorities made 12,444 requests of 40,322 accounts. Yahoo handed over content in 37 percent of cases, whereas in 55 percent of the cases, the company handed over only ‘non-content data’ (NCD).”*
*Basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from e-mail headers).
14
321,000 legal orders for user data in 2013. Of those, over 6,000 were court orders to provide metadata in real time.”
15
16
“State and federal agencies made 301,816 separate demands for data from AT&T in 2013.
“Governments asked for location-related data 37,839 times”
17
“Sprint Accused of Overcharging US for Spying Assistance.” Network World, March 4, 2014. http://www.networkworld.com/news/2014/030414-sprint-accused-of-overcharging-us-279362.html.
“What eludes Mr. Snowden – along with most of his detractors and supporters – is that we might be living through a transformation in how capitalism works, with personal data emerging as an alternative payment regime. The benefits to consumers are already obvious; the potential costs to citizens are not. As markets in personal information proliferate, so do the externalities – with democracy the main victim.”
18
Evgeny Morozov
19
20
21
“When the government collects metadata on people, the government puts them under surveillance. When the government collects metadata on the entire country, they put everyone under surveillance. When Google does it, they do the same thing. Metadata equals surveillance; it's that simple.”
22
Bruce Schneier
“Surveillance is the business model of the
Internet.”
23
Bruce Schneier
“With little or no revenue from its users, Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users’ personal identification information … in this model, the users are the real product.“
- after dismissing a class action lawsuit brought by Google users who claimed the search giant broke the law when it combined the privacy policies of Gmail, YouTube and a variety of other services. 24
US Magistrate Judge Paul Grewal
25
"We have a stalker
economy."
Um. Since we work in libraries… what does all this mean for patron privacy?
26
Statement on Access to Personally Identifiable Information in Historical Records
Librarians should recognize an obligation to monitor their governments’ legislation in regard to confidentiality of data records. In particular, librarians should support the need for privacy laws to protect library users from such abuses as government agencies monitoring their reading and research habits. - IFLA Governing Board
27
ALA Code of Ethics
III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted. - American Library Association
28
29
30
31
32
33
David Weinberger, co-director of the Harvard Library Innovation Lab.
"The privacy that libraries traditionally have been preserving is not always valued by their patrons, especially in an age of social networking."
Library 2.0
35
36
“Librarian 2.0 is the guru of the information age.”
Stephen Abram
37
38
39
40
Zimmer, Michael. “Patron Privacy in the ‘2.0’ Era: Avoiding the Faustian Bargain of Library 2.0.” Journal of Information Ethics 22, no. 1 (April 1, 2013): 44–59. doi:10.3172/JIE.22.1.44.
7.5%
41
Zimmer, Michael. “Patron Privacy in the ‘2.0’ Era: Avoiding the Faustian Bargain of Library 2.0.” Journal of Information Ethics 22, no. 1 (April 1, 2013): 44–59. doi:10.3172/JIE.22.1.44.
1.6%
Contextual integrity
42
Nissenbaum, Helen Fay. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford, Calif.: Stanford Law Books, 2010.
Case study: How are these competing paradigms playing out
in Cornell University Library?
43
Library systems that collect patron usage data inside Cornell campus
45
46
47
48
49
50
51
Library systems that collect patron usage data outside Cornell campus
53
54
55
56
57
58
59
60
4. Postings to Question Point Services
You acknowledge and agree that OCLC may store all electronic transactions carried out between you and the library on this service and any information provided by you on this web form, as described in the Privacy Statement, for an indefinite period, with this exception: your name and all but the domain of your e-mail address will be deleted after 90 days. As such, OCLC may disclose the data in its possession only as described in the Privacy Statement and if required to do so by law.
You hereby grant to OCLC the perpetual, nonexclusive, world-wide right to edit, compile, and make searchable by libraries and the public all completed question-and-answer pairs
61
“This study used content analysis to determine the degree to which the privacy policies of 27 major vendors meet standards articulated by the library profession and information technology industry. While most vendors have privacy policies, the policy provisions fall short on many library profession standards and show little support for the library Code of Ethics” (Magi, 2010).
Magi, Trina J. “A Content Analysis of Library Vendor Privacy Policies: Do They Meet Our Standards?” College & Research Libraries 71, no. 3 (May 1, 2010): 254–272.
62
63
Percentage polled who trust the following organizations “not at all”
64
“For Privacy, Americans Trust Facebook Less Than The NSA.” BuzzFeed. Accessed October 9, 2013. http://www.buzzfeed.com/charliewarzel/survey-for-privacy-americans-trust-facebook-less-than-the-ns.
Is privacy online valued?
65
66
"There is a big myth out there that young people don't care about privacy, and that is about as inaccurate as you can get… Just because young people want to participate in a public doesn't mean that they want to be public.“
- Danah Boyd, Microsoft Research
67
They try to assert a form of social norms, an online “Keep out of Room” sign. This is difficult [in services like Facebook] they quickly learn.
68
Social steganography ("hiding in plain site")
69
70
71
86%72
Rainie, Lee, Sara Kiesler, Ruogu Kang, and Mary Madden. Anonymity, Privacy, and Security Online. Pew Research Center’s Internet & American Life Project, September 5, 2013. http://pewinternet.org/Reports/2013/Anonymity-online.aspx.
73
Rainie, Lee, Sara Kiesler, Ruogu Kang, and Mary Madden. Anonymity, Privacy, and Security Online. Pew Research Center’s Internet & American Life Project, September 5, 2013. http://pewinternet.org/Reports/2013/Anonymity-online.aspx.
55%
74
Kiss, Jemima. “Privacy Tools Used by 28% of the Online World, Research Finds.” The Guardian, January 21, 2014, sec. Technology. http://www.theguardian.com/technology/2014/jan/21/privacy-tools-censorship-online-anonymity-tools.
56% say Internet is eroding their personal privacy
75
Kiss, Jemima. “Privacy Tools Used by 28% of the Online World, Research Finds.” The Guardian, January 21, 2014, sec. Technology. http://www.theguardian.com/technology/2014/jan/21/privacy-tools-censorship-online-anonymity-tools.
28% (415 million) use tools to disguise their identity or location
76
77
Recommendations
• Conduct a privacy audit, then repeat it at regular intervals
• Educate library technologists and marketing staff about patron privacy
• Weigh the pros and cons of adding social network features
• Use alternative to Google Analytics: http://piwik.org/privacy/
• Pressure vendors to implement SSL encryption
• Implement SSL for our ezproxy service
• Advocate for a log file/usage data anonymization best practice for library eresource vendors (i.e., LIPAA)
• Learn then teach data encryption as library service?
• Reorient ourselves to privacy by design
79Is patron privacy a value or a service?