Following up – again – on recent posts on libraries and privacy here and at Chronicles of Dissent, CoD has received a response from the makers of the CASSIE Internet access management system. Excerpts from their e-mail exchange:
1. Can the feature to be able to view a patron’s screen remotely be disabled library-wide via configuration settings?
Yes, it can be disabled system-wide, and it is disabled by default. If enabled, the system can be configured so that only selected staff members have access to the function…
2. Is there any administrative function that permits the admin to determine if employees have been using the remote viewing option, and if so, which employee, how often, and for which patron(s)?
No. No record that a screen was viewed, whose screen was viewed, or screen image data, is logged or stored by CASSIE…
3. If the remote viewing feature is in use, does the patron’s screen indicate that their screen is being remotely viewed if the employee does not send them a message to their screen?
4. If a user’s screen is viewed remotely, is there a screenshot or log or anything that gets stored about the web site that was on the screen at the time of the remote viewing?
No record that a screen was viewed, whose screen was viewed, or screen image data, is logged or stored by CASSIE. As a clarification, CASSIE does not log or store records relating to web sites visited, applications used, or documents printed.
My reactions to each item, in brief:
1. Default settings are often the easiest point of intervention to ensure the value-conscious design of our technologies, and I’m glad to see that this troubling feature is disabled when the software is first installed.
2. It is troubling that no audit trail is kept to ensure that staff only engage in remote monitoring of patron’s Internet browsing according to policy (which I presume would be in place). I cringe to think that a staff member would be able “sneak a peek” without anyone knowing – ever.
3. Lack of notice to patron’s that their screen is being viewed is unfortunate, but does make some sense if the purpose of viewing the screen is valid. I hope libraries post clear and obvious warnings so patrons are aware that their online activities might be monitored.
4. It is good to know that CASSIE does not collect screenshots or otherwise record “web sites visited, applications used, or documents printed.” Unfortunately, there are plenty of other products that could be installed to engage in this kind of surveillance (which I hope no library would consider using).
In response to CoD’s question to me, it does appear that CASSIE was designed with some deference to patron privacy. Not perfect, but could be much worse. I do think, however, that a robust policy and technical audit of local public library Internet access practices is in order.