This week, at the Center for Information Policy Research, I launched a new project on Privacy and Cloud Computing in Public Libraries:
Public libraries are increasingly turning to cloud computing solutions to satisfy their technological needs in order to best serve patrons, while simultaneously taking advantage of new opportunities for cost savings, flexibility, and enhanced data management. These cloud services are typically provided by third parties who have built robust solutions to help libraries deliver resources, services, and expertise efficiently, and encourage patrons to socialize and leverage the power of the community of users. Examples of cloud computing platforms for libraries include OCLC WorldShare, Ex Libris Alma, and BiblioCommons.
The use of cloud computing in libraries, however, has the potential to disrupt longstanding ethical norms within librarianship dedicated to protecting patron privacy. While librarians have historically engaged in professional practices that limit retention of patron data and protected confidentiality, cloud computing platforms are largely based on the tracking, collection, and aggregation of user data.
Starting in 2015, CIPR is engaging in a pilot research study to help us understand how libraries are implementing third-party cloud computing services, how these implementations might impact patron privacy, and how libraries are responding to these concerns. The results of the research will include a summary report of findings, and the development of a set of best practices to guide future implementations of cloud computing in public library settings, with the goal of finding a suitable balance between the need to provide cost-effective technology-based services while also protecting patron privacy.
This research builds on some of my more conceptual work on privacy and Library 2.0, with the goal of looking more at how these technologies are implemented on the ground, and providing pragmatic assessment and guidance for practitioners.
The first phase of this project is to investigate and compare how public libraries are implementing the BiblioCommons cloud-computing platform, which delivers an enhanced and interactive online catalog for their patrons.
Some libraries, like New York Public Library, have instituted privacy policies specific to the use of BiblioCommons. I’m curious to what extent partner libraries have taken similar steps to address privacy concerns related to the use of BiblioCommons, either contractually with how the cloud service receives patron data, or in how they communicate with patrons.
To that end, I’ve sent a records requests to over 30 libraries currently using BiblioCommons. Here’s a sample:
The University of Wisconsin-Milwaukee Center for Information Policy Research (http://cipr.uwm.edu) is researching the use of “cloud,” web-based, or third-party computer services by public libraries across the country. The Austin Public Library has been identified as a customer of the BiblioCommons cloud-computing platform, delivering an enhanced and interactive online catalog for your patrons.
The project’s goal is to analyze how public libraries utilize cloud computing services, as well as how they address and communicate issues that might impact patron privacy. The results of the research will include a summary report of findings, and the development of a set of best practices to guide future implementations of cloud computing in public library settings, with the goal of finding a suitable balance between the need to provide cost-effective technology-based services while also protecting patron privacy. Your participation in this project will help to ensure that our results provide a complete understanding, as well as useful guidance, for helping us navigate this increasingly important issue.
On behalf of the UW-Milwaukee Center for Information Policy Research, and in accordance with the Texas Public Information Act, §6252-17a et seq, I request copies of the following information:
- All contracts, agreements, or related legal/vendor documents the Library might have with BiblioCommons, its partners, or representatives.
- All internal policies, documented procedures, or other materials related to the initial installation and continued implementation of BiblioCommons products and services.
- All notices provided to patrons related to the Library’s collection and use of patron data, including the Library’s privacy policy (if one exists), user/patron agreements, or related materials.
It has been an interesting experience this week with the aftermath of these numerous requests.
Many libraries have simply replied with an acknowledgment and a proposed timeline for getting me the requested materials (each letter notes the relevant statutory requirement for the timeframe to respond, and asks them to let me know of any anticipated delay or costs). Some have forwarded the request to the relevant government agency that deals with requests for government records. A few directors have contacted me asking for more information and insight into the project, which I’m happy to provide, of course.
One library administrator seemed to take some umbrage with my project and approach. That director emailed a larger list of library directors asking if anyone else had received my records request, noting that “There is no promise of anonymizing the data or offer to opt out of the study, which is a typically included in studies these days” and expressing surprise that my IRB would approve such a methodology. (I learned of this concern due to that director’s email being forwarded to a privacy list hosted by the ALA that I’m a subscriber to.) I’ve since replied that this methodology doesn’t involve human subjects, and follows common approaches to obtaining government information (such as the Fordham Center for Law and Information Policy’s excellent research on privacy and cloud computing in public schools). I’ll reach out to this director personally, and hopefully the concerns will be put to rest.
Interestingly, I had planned to contact BiblioCommons itself today to discuss the project, request information from them directly, and see if there might be representatives I could meet with at the ALA Midwinter meeting in Chicago later this month. Before I could reach out to them, I received an email from BiblioCommons’s Privacy Officer, who must have been contacted by various libraries who received my records request. He noted that BiblioCommons “supports transparency” and uses a standard contract boilerplate with all member libraries, and while some have requested variations, there have been none with regard to issues that might impact patron privacy. Further, he notes that BiblioCommons has deployed standardized terms of service and privacy policies for its members to provide for patrons, which is likely what the NYPL’s policy is reflecting.
It will be interesting to assess the data myself and see how all this pans out.
MichaelZimmer.org 
1 comment