[Web4lib] Library Website Privacy Policies
Robert Balliot
rballiot at gmail.com
Sun Apr 3 09:33:21 EDT 2011
Jason:
Washoe County and Washoe County Library use Google Analytics.
So, everything being done on your website up to a point is being
aggregated / analysed by a third party and is contained in their
massive database - which can be used to draw inferences about the
identity of the user (including IP address and location). Google is a
private company not bound by the same privacy rules as a government
entity. Even though your policy may state that the Library is
tracking usage - usage is also being tracked by Google. Google could
receive a National Security Letter and the library and Washoe County
would not know that usage is being tracked.
Washoe County Library does not use https for the Sirsi/Dynix Login:
http://library.washoecounty.us/uhtbin/cgisirsi/0/RN/0/1/1168/X/
So, the Pin / Library card information is being sent unencrypted over
the web and Google Analytics is aggregating the IP address along with
the before and after web history, key words, landing page, type of
browser used, screen resolution and other data about the patrons.
Keystroke logging software / hardware in any Internet cafe, school
computer or on any compromised system would reveal Pins and logins.
I have not seen your two page description, but if the intent of the
description is to be inclusive - then it would be misleading not to
include all relevant information about privacy. If the intent is to be
inclusive, then the document would need to be changed many times to
reflect the latest laws, technological changes, and other factors
affecting library privacy. That would require much more than two
pages.
R. Balliot
http://oceanstatelibrarian.com
On Sat, Apr 2, 2011 at 5:21 PM, Adams, Jason <JAdams at washoecounty.us> wrote:
>
> It seems that a general policy should be simply stated, but the actual explicit process used to provide privacy should be a public record that is changeable and updated and available on demand.
>
>
> “The [Library] may track the usage of the Library website and other services accessed through Library services. The [Library] uses this information as anonymous aggregate data to determine the number of visitors to different sections of our site and services…”
> “…The vendors of some of [the Library’s electronic databases] provide statistical information to the Library.”
>
> “Server logs and statistical summaries are reviewed by [the Library] to determine how individual electronic services are used in order to improve website content, better manage network traffic, and troubleshoot server problems.”
>
> “The [Library] also offers a wireless network… Please be aware that data accessed and sent over the [Library’s] wireless network is not encrypted.”
>
> “The [Library] website contains links to external websites and databases… The Library cannot be responsible for user privacy when visiting outside websites or the privacy practices of other sites which may differ from the practices described in this policy.”
>
> What are your thoughts? Has anyone had experience putting together a privacy policy for their library’s website? If so, did you work with a team or alone, and what steps did you take to get final approval before posting it to the site?
>
> Thanks, Robert, for your reply, and thanks in advance to any other replies I might receive.
>
> Sincerely,
>
>
> From: Robert Balliot [mailto:rballiot at gmail.com]
> Sent: Friday, April 01, 2011 7:50 PM
> To: Adams, Jason
> Cc: web4lib at webjunction.org
> Subject: Re: [Web4lib] Library Website Privacy Policies
>
>
>
>
>
> This is an interesting problem. The way that I understand the law is that States can offer more constitutional protections than the Federal government, but not less. So, you have the Nevada law which reads:
>
>
>
> Nevada Chapter 239 Public Records:
>
>
>
> NRS 239.013 Confidentiality of records of library which identify user with property used. Any records of a public library or other library which contain the identity of a user and the books, documents, films, recordings or other property of the library which were used are confidential and not public books or records within the meaning of NRS 239.010. Such records may be disclosed only in response to an order issued by a court upon a finding that the disclosure of such records is necessary to protect the public safety or to prosecute a crime. (Added to NRS by 1981, 182)
>
>
>
> That seems like a pretty strong case for privacy in Nevada. In my mind, those confidential records would include anything being done on a library computer. But, the Children's Internet Protection Act (based on the power of withholding funds) and the various iterations of the Patriot Act and FISA end up modifying Constitutional protections by changing the historic parameters of probable cause and somewhat redefining due process through National Security Letters. I imagine that there may be some case law at this point that has tested the provisions of the Patriot Act that a qualified attorney could definitively apply to both Nevada law and Federal law.
>
>
>
> The ALA code of ethics only has the power of a well-reasoned authoritative suggestion. But, I think your policy would need to balance what you *can do* with liability. If you provide a policy that is perceived as an obligation to your public / patrons then the less you say without trying to rewrite the law may provide the least amount of institutional liability. On the other hand, a well-informed public is a good thing for society and a fundamental goal of libraries. It seems that a general policy should be simply stated, but the actual explicit process used to provide privacy should be a public record that is changeable and updated and available on demand.
>
>
>
> I don't really think that libraries in general can guarantee protection of the privacy of computerized records. There are too many access points and rarely any measures in place to encrypt active records and forensically wipe old records. Even though you may want to protect privacy and aspire to do so, it may be a greater disservice to the public to convince them that you can.
>
>
>
> R. Balliot
>
> http://oceanstatelibrarian.com
>
>
>
> On Fri, Apr 1, 2011 at 7:59 PM, Adams, Jason <JAdams at washoecounty.us> wrote:
>
> Our Web Team put together a nice 2-page privacy policy -- very similar
> to what you see on most library websites. When our Policy Review Team
> revised it, our privacy policy was reduced to two sentences sandwiched
> between a statement from the ALA Code of Ethics ("We protect each
> library user's right to privacy...") and a statement about the PATRIOT
> Act ("The Library System complies with the law as it relates to the
> U.S.A. P.A.T.R.I.O.T. Act...").
>
> It's my understanding that it is "proper" standard practice for website
> privacy policies to detail a website's information-gathering practices,
> including a description of why we collect data, what we collect, and
> what we do with it. I've seen this mentioned by the Electronic Frontier
> Foundation, Federal Trade Commission, and the American Library
> Association (in their document "Guidelines For Developing a Library
> Privacy Policy").
>
> What are your suggestions for helping our less web-savvy library system
> decision-makers to understand the importance of a more descriptive
> privacy policy for our library website? Any links to related articles,
> other library privacy policies, and statements by the EFF, FTC, ALA,
> library lawyers, etc. would also be helpful.
>
> Thanks in advance for your replies!
>
> Jason Adams, Library Assistant II
>
>
>
>
>
>
> Jason Adams, Library Assistant II
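A site owner can check a page for the condition described in the message above: a PIN login submitted without https on a page that also loads a hosted analytics script. The following is an added example, not part of the original thread. It reads saved HTML offline; the URL, host names and markup are constructed, and the finding labels are this example's own. An https form served from an http page is also reported, since the page itself can be altered in transit.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginPageAudit(HTMLParser):
    """Collects each form (action URL, has password field) and external script hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.script_hosts = page_url, [], set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True
        elif tag == "script" and a.get("src"):
            host = urlparse(urljoin(self.page_url, a["src"])).hostname
            if host and host != urlparse(self.page_url).hostname:
                self.script_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    """Return (finding, detail) pairs for one fetched page."""
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    logins = [action for action, has_password in parser.forms if has_password]
    findings = []
    for action in logins:
        if urlparse(action).scheme != "https":
            findings.append(("credentials-posted-in-cleartext", action))
        elif urlparse(page_url).scheme != "https":
            findings.append(("https-form-on-http-page", action))
    if logins:  # scripts are only reported when the page handles credentials
        findings += [("third-party-script-on-login-page", h) for h in sorted(parser.script_hosts)]
    return findings

# Constructed sample: host names, paths and markup are invented for this example.
SAMPLE_URL = "http://catalog.example.org/login"
SAMPLE_HTML = """<script src="//analytics.example.net/tracker.js"></script>
<form method="post" action="/session">
  <input type="text" name="card"> <input type="password" name="pin">
</form>
<form action="https://catalog.example.org/search"><input name="q"></form>"""
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` reports the cleartext credential post and the external script host; the search form is ignored because it carries no password field.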