Thursday, February 19, 2009

What Libraries Can Learn from Facebook

A colleague and I were discussing the recent Facebook TOS kerfuffle and she said she was fascinated by how much privacy people are willing to give away in exchange for a desired experience. I agreed that I am equally fascinated, and that it is vitally important for librarians to be on the vanguard of monitoring these trends, and educating our customers as to the possible risks of sharing too much information.

But I also think that librarians, at times, can be too knee-jerk about privacy issues, and I wonder if while looking at one end of the Facebook dustup (big corporation trampling on privacy rights) we might be missing some important lessons on the other end (big corporation letting customers control their own information in exchange for a highly engaging experience. And Facebook DOES give customers a tremendous, leading edge, amount of control. See: "10 Privacy Settings Every Facebook User Should Know.)

We all know that people (myself, and probably you included) will share personal information in exchange for a quality experience. We share personal renting and buying habits in exchange for Netflix and Amazon recommendations. We share personal reading habits on GoodReads and LibraryThing to connect with others who share our interests and tastes. We share our credit card numbers with many online vendors in exchange for the convenience of "one-click" ordering.

We know all this, and we personally experience the benefits, but librarians still seem generally loathe to let our customers share their personal information in exchange for anything. We don't just protect customer privacy, we paternalistically protect it from the customers themselves, rendering them childlike. Our privacy philosophy often reduces down to, "We know better", or "You can't be trusted with that--you'll hurt yourself."

Our choice to disallow customer control of their own information means that their needs for connection and social networking go unmet, which in turn creates opportunities for entrepreneurial companies like Library Elf, GoodReads, and LibraryThing (created by frustrated library lovers, I wonder?) to come in and fill those needs. Which is great, but why aren't libraries creating and offering these experiences?

I worry every day about whether libraries will be relevant, three, five, or ten years from now. Unless we start allowing our customers to make decisions about their own personal data, AND start building systems that offer them a social networked experience based on their ability to selectively share their heretofore private info, I fear that libraries will grow increasingly irrelevant to our customers.

Labels: , ,


At February 20, 2009 9:16 AM, Anonymous ~Kathy Dempsey said...

I worry about relevance too. This whole social network / privacy overprotection thing is only one reason why... libraries have a lot of things to address to stay relevant. It's always a toss-up between falling into these new models vs "tradition."
Tradition sounds great, till you start to realize that, eventually, those who remembered and valued those traditions will all be gone.

At February 20, 2009 12:55 PM, Blogger Andy W said...

When personal information is treated as a legal liability, there is going to be an overprotective attitude to it. As a service provided by the county or state, the public library inherits the same privacy paradigm that the government utilizes. With access to the most sensitive personal identification information, the government will attempt to publicly disclose the least, generally that which is only required by statute or regulation, and release additional items only to properly authorized individuals. What you perceive as paternalism on behalf of the patron is really the library protecting itself from any potential security risks involving patron information. It is the tried and true “better safe than sorry” mantra that makes libraries hold patron information so close that they cannot use it within the system.

With that said, I don’t see the future of libraries as building social networks or creating ways to facilitate the sharing of patron information. I am more in favor of utilizing what currently exists. There are current third party entities (such as the ones you specifically mentioned in your post) that are able to take on the privacy liabilities and security concerns better than libraries can currently handle. The creation of bridge products that will allow libraries and these sites to interact with each other is the most viable and practical path at present. I think this is as an inevitable development as the web brings everyone and everything closer. I think with the proper outreach we can position ourselves as a facilitator and supporter to these outside sites and create mutually beneficial relations.

Personally, I think there are bigger issues about privacy within the library community that really control the conversation. There is much graduate school classroom time dedicated to the value of freedom of inquiry and the various contemporary historical specters that have threatened this over the years (e.g. censorship, McCarthyism, the Patriot Act). This sets the tone and maintains the so-called status quo around patron privacy.

At February 20, 2009 4:14 PM, OpenID deepening said...

Peter, two thoughts:

I often wonder about libraries trying to "keep up" with commercial enterprises. Are we really competing with booksellers, cafes, and video stores? I don't think we are. I think we complementarily occupy neighboring spaces.

Which is background that makes it easier for me to say that libraries are different. There are businesses that connect folks with books, with information, with entertainment. But we do it for free. We do it to ensure that the opportunity to access learning, knowledge, media, exists for everyone.

So, if you want to play with your own borrowing data, you have at least two choices:
1. Buy your books online from a bookseller who will keep and track that data and won't protect it when you accidentally land on a no-fly list
2. Use the library and a third party add-on to play with your data. Add your books into GoodReads and LibraryThing. Nobody is stopping you. Hell, the library will even provide all the data you need to add that title into Library Thing. It's your information, use it however you want. And whatever you do with it, it's your choice.

Are we really wrong for committing over the decades to protecting user borrowing habits from anyone's eyes? I see it as bedrock, just like freely available access to information in the technology de jour. Just like not being in it for a profit.

At February 24, 2009 2:29 PM, Blogger Peter Bromberg said...

Kathy, thanks for your comment. I think we're basically in agreement however, I wouldn't say that it's a "toss-up" between tradition and new models; I'd say it's about discovering new ways to express our traditional values. Certainly one of those core values is the protection of patron privacy--I just question whether it is useful expression of that value to protect patron data from patrons themselves...

Andy, I think we have a few fundamental disagreements. I don't see library privacy policies as being inherited from the privacy paradigm of government. In fact, government records are, for the most part, open. And library records are, for the most part, much more protected. If you told a private investigator to work up a report on me they'd probably be able to give you every piece of information about me EXCEPT my library borrowing habits (and my library let's me opt in to preserve my reading history on the ILS system -- and it's still secure!)

I also disagree that libraries adopt strict privacy policies to protect themselves. Protect themselves from what? Can you point me to any data, articles, etc. backing this up? I've never heard this suggested before...

I would be very happy if libraries would open up their patron data and give patrons the option of sharing that data with 3rd party systems, but I don't see that happening too much outside of Library Elf--which doesn't provide a social networking experience, merely a convenient reminder service--something libraries really should be offering themselves IMHO.

Deepening: Are we really competing with booksellers, cafes, videos, etc.? I don't know. I agree that we occupy a complimentary space (well put.) But I also think it's helpful to approach planning and assessment our services with a good old SWOT (Stregths, weaknesses, opportunities, threats) analysis, and I would be surprised if bookstores, netflix and Starbucks didn't show up on most library's SWOTs! Futurist Faith Popcorn says "time is the new money" and to the extent that people have less and less time, we are in fact competing for their time and attention.

Deepening, you also say that "libraries are different", and I agree. But nothing about the ways in which we are different suggests that we can't also allow patrons to control their data and allow them to interact with each other. To suggest that doing so somehow conflicts with our mission to promote learning and knowledge is 180 degrees from how I see it. Learning and knowledge is not only, or even primarily about reading data in a book. It's about connecting with others in conversation, and debate. I learn more about great books to read from Good Reads than I do from my local library's ILS system for instance. GoodReads not only gives me great title recommendations, it also connects me with friends and acquaintances with similar interests and allows me to form relationships. Just think how useful it would be for researchers if the library allowed them to share share and annotate their reading habits, share that information, and connect with others doing similar research.

You say nobody's stopping me from using my patron data and that the library will even provide all the data I need. But they don't! I can't easily access, manipulate, mix and mashup my library data. I'm pretty much forced to use GoodReads, Shelfari, or Library Thing. Most libraries don't even give patrons the option of saving their reading history, and those that do don't (to my knowledge) provide an API to get that data out.

To suggest that if I don't like it I have the choice to go to a bookseller instead sounds to me too much like, "this is OUR library and if you don't like the way we do things you're free to leave." Libraries could maybe get away with that when we were the only game in town, but those days are over. My concern is that if we tell people it's our way or the highway, they'll choose the highway in a heartbeat.

So to answer your final question: Are we wrong to protect borrowing habits from anyone's eyes? Absolutely, yes we are. We should be protecting borrowing habits from everyone *except* the patron themselves AND whomever else they want to share that information with. I see that is the proper expression of our commitment to privacy.

At February 24, 2009 8:18 PM, Blogger Andy W said...

(First off, bravo for actually making me do my homework on this rather than skimming and guessing as to why the library is so privacy crazy. However, with that said, it does make my initial suppositions more accurate than I thought for reasons that you will see below.)

For me, it is not much of a logical leap for the library to inherit the attributes of the government when the state/county is acting in the role of a guardian. While it is true that there are many government records that are open to the public (as well there should be in the capacity of an open democratic government), these records are products of the business of government. They are not the product of the personal intellectual choices of the ordinary citizen. For me (and the ALA), library patron polices reflect a safeguarding of the First and Fourth Amendments and the freedom of expression that the entailing Supreme Court cases have defined within. Thus, the state or county as a maintainer (guardian) of library records is liable for keeping them within the legal definitions of "privacy".

This goes into addressing the second issue you raise. Libraries develop subsequent privacy policies to protect themselves from the spectrum of legal ramifications as mentioned above and in addition to (at best) patron information theft for use for junkmail and/or spam or revealing potentially embarrassing reading subject matter to (at worst) identity theft. (I am absolutely loathe to cite a Wikipedia article, but in this case it does give a good overview of the tort of invasion of privacy. The previously mentioned ALA article does cover the issue as well in regards to state governments.) Given the litigious nature of our society, this makes it a risk worth avoiding.

Now, for all its huffing and puffing, this is somewhat dodging the point of your blog post; what you are asking for is the ability to manipulate your own patron information how you see fit. I see the library's hands legally tied in this matter. However, I don't see it as the end of the road. I see room for development of third party programs that give patrons the interface that you are talking about. These programs would also need to improve upon the current bevy of sites that are available now. The alternative is a complex legal dance for people to waive their federal and state protections to share their library information directly; I cannot imagine any libraries eager to engage in this.

At February 25, 2009 8:49 PM, Anonymous Anonymous said...

I'll second pretty much everything Andy W. has said. There's a huge difference between "open government" which allows me to view public documents and the idea that public access to records should extend to the personal information of patrons. I'm guessing by Peter's comments that he's not well acquainted with library privacy laws across the country. I know in my state that these laws put strict controls on how personal information, including what I check out from library, is handled and who has access to it. These policies and laws exist to protect patrons from the unauthorized access to their personal use of the libraries and the inherent threat to privacy that comes from allowing unfettered access to that information. If I was a system administrator of an ILS, I would have serious reservations about sharing patron data with 3rd parties. Who is "Library Elf" and what are they doing with that data? In my state, I don't even think the Library Privacy laws would allow that data to be shared with a third party service provider. I understand how that frustrates a user like Peter but in an area like this, I would err on the side of caution.

At February 26, 2009 8:18 AM, Blogger Peter Bromberg said...

Hi anonymous, and thanks for your comment. I don't think you read my post very closely as you seem to be responding to a straw man of your own creation and not to what I wrote. I'll try to clarify:

I did not suggest that library patron records should be open and accessible as some other government records are. I was responding to Andy W's assertion that library privacy policies are "inherited" from the strict privacy policies of our governmental bodies (and therefore our "hands are tied"). I was pointing out that in fact library privacy policies are much stricter--and I'm not anywhere saying they shouldn't be... But clearly there is nothing about my county government's approach to privacy that prevents my county library from giving me control of my OWN DATA.

And that's the point that you and Andy and "Deepening" seem to be missing so I'll stress it again. When I talk about opening up the data, I'm suggesting that libraries give CUSTOMERS control of their OWN DATA.

When I hook up with Library Elf for the benefit of text message reminders, my library has not given away access to my data. The have simply configured the ILS system to ALLOW ME to share my OWN DATA with Library Elf, in exchange for a service.

See, I (as an adult) get to decide if Library Elf is trustworthy.

I (as owner of my account) get to decide if Library Elf can access it.

To sum up: I am only advocating that libraries give customers more flexible control of their own data so they can choose to share it with whomever they choose.

It is also my wish that libraries would build some of these social networking features into our own systems so customers choose to play on our turf.

At February 26, 2009 3:19 PM, Blogger Andy W said...

Allow me to offer a correction and a clarification to my previous post.

Peter, NJ libraries do take their cue about library record privacy from the state government. In fact, in New Jersey, library records are controlled by state statutue. To quote it here:

"18A:73-43.2. Confidentiality; exceptions
Library records which contain the names or other personally identifying details regarding the users of libraries are confidential and shall not be disclosed except in the following circumstances:
a. The records are necessary for the proper operation of the library;
b. Disclosure is requested by the user; or
c. Disclosure is required pursuant to a subpena issued by a court or court order.
L. 1985, c. 172, s. 2, eff. May 31, 1985."

(Emphasis mine.)

So, please accept a mea culpa about "having our hands tied". It certainly helps to look at the actual law that controls in the state in which we both work in. Library patrons are within their rights to ask for disclosure of their information. However, inherent control of the record is vested with the library; it is up the patron to request disclosure.

Now, this still leaves open an exciting conversation as to the nature of the disclosure.
The social libertarian in me would say that disclosure should be anything and everything the patron wants, but the pragmatic side tells me that this is not going to be as easy. In the same statute (18A:73-43.1), a library record is defined as

"[...] means any document or record, however maintained, the primary purpose of which is to provide for control of the circulation or other public use of library materials."

In this language, I see a couple of problems.

In a response to the first version Patriot Act, some library systems scaled back the amount of information that a library automation system retains. In some of the cases listed in the articles linked, the library cut record keeping down to the bare bones to protect patron privacy from government intrusion. Even with the revisions in the Patriot Act, I have not found any articles in which libraries have returned to previous record keeping policies. (I would be interested to hear about any who have.)

The second problem is that, as a result of these draconic record keeping policies, there would be no borrowing history to disclose. You specifically mention in your original post how we trade shopping or borrowing history for enhanced services; what if there is nothing to share? The patron borrowing record would have to begin from the moment the patron exercised their library record rights; it is not for the library to maintain a borrowing record "just in case" a patron decided to keep one. In following your own example, it would take an action by the patron to ask that their record retain their borrowing history. So, there is the distinct possibility that whatever information is retained in a library record is not going to be much in terms of actual disclosure.

The third problem is, with the exception of Library Thing, I don't see an automation or interface that allows for ease of disclosure with one of these third party sites. I would not put the onus on the library to meet the different demands of the various sites and services in order to comply with disclosure requests. This may be a case of waiting for the market to catch up and create an interface that would allow for a greater connection between library record and third party site or service. If the demand is great enough, it would certainly be in the best interest of the library to be the one attempting to bridge this gap. (Any links to articles or studies to support such a demand would be wonderful.)

Bottom line: This now feels less like an issue of library policy and more about educating patrons on their rights. Beyond that, it is a matter of implimentation.

At February 26, 2009 3:31 PM, Blogger Peter Bromberg said...

Yowza! Facebook just posted a draft of their "guiding principles" and they are asking members to comment on them--and then they're going to ask members to vote on them. Now that's transparency!

Sink your teeth into the first two principles (I'd like to see them adopted whole cloth into a Library User's Bill of rights...):

1. Freedom to Share and Connect

People should have the freedom to share whatever information they want, in any medium and any format, and have the right to connect online with anyone – any person, organization or service – as long as they both consent to the connection.

2. Ownership and Control of Information

People should own their information. They should have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service.

You can read the rest here:

At February 26, 2009 3:46 PM, Anonymous Anonymous said...

Perhaps I wasn't as clear as I should have been in my comments. But Andy W. correctly identifies that the laws that govern library come from state law and that those state laws err on the side of privacy and protection when it comes to patron information as compared to open access. Again, I can sympathize with your feelings that you "own" that information. But you don't. It's a government record about you and ultimately, it's the government, not the user, who is liable for the release of that information. This probably sounds overly legalese in response but it is the law and that's how it will be interpreted by the lawyers. Whatever Facebook does, they are not governed by the same laws of privacy nor I suspect, the same expectations of privacy.

To respond to one specific example, Library Elf, you again confuse information about you that is stored on the library's servers, with your information. Your information is what you have actual control over. You don't have control over the records that the library keeps except as permitted by law. You also make the assumption that it should be easy to allow Library Elf access to your data. But how? There's no easy way to ensure that the data belongs to you and if I was a systems administrator, why would I want to turn over to a third party the ability to access data from my system, especially when I have no knowledge of who that third party is or how they will use that data?


Post a Comment

Links to this post:

Create a Link

<< Home