Tuesday, 30 May 2017

DataPrivacyNY, part 1: introductions + NYPL

I was very lucky to be invited by the Carnegie UK Trust to a study trip to New York on public libraries and online data privacy, which took place 15 to 19 May. For me, it was an amazing opportunity to learn from the people we met but also from the other members of our group.
You can look up the tweets under the hashtag #DataPrivacyNY and there will be articles on the Carnegie UK Trust blog from each member of our group.
Here I will simply try to tidy up my notes in a series of three (possibly quite long) posts. (I seem to have a lot of notes!) Usual disclaimer: my notes are a reflection of my personal understanding of what I think people said.

On the first day we had an introduction to the topic of online data privacy as well as an overview of US public libraries, before going on to hear from the team at the New York Public Library.

For our first session we were greeted at the Carnegie Corporation of New York offices by Geri Mannion, who heads the Corporation's US democracy programme. Geri explained that many US public libraries are active in this area: for example with a "citizenship corner" in the library, a place where people - immigrants and US citizens - go to learn about their rights. Some libraries also run sessions to help people apply for naturalisation.

Joel Rosenthal, president of the Carnegie Council for Ethics in International Affairs, then led a discussion on privacy and ethics especially in the United States.
The Carnegie trusts are involved in education, democracy, citizen empowerment, libraries... all areas and institutions that are about "giving each individual person the opportunity to think for his- or herself".

We all have a need for privacy ("something to hide"), be that in our personal life (we all have curtains in our house!) or professional life (you might need to talk about an issue with your supervisor but not share it with everyone else). Some professional roles are restricted, where you have to be careful what you share or do because people can find out about it (e.g. you've donated money to an organisation and your name appears on a public register) and it might discredit your professional activities.

There seem to be different sensibilities regarding privacy in the USA, in the UK, and in the rest of Europe.
The right to privacy has been used against the registration of people on matters relating to health or immigration: why should the government have a list of such people? In the US that same argument has also been used against the registration of individuals who own firearms.
Privacy is a question of choice: making an informed choice about giving away personal information. But sometimes we have to give away our personal information in order to access an online service (e.g. Facebook) or further information.
On public computers in libraries there is a default browser, which may not be the best one to help users protect their online privacy - where is the choice there? It was pointed out that librarians traditionally have the role of selecting what is "best" e.g. in terms of curating book collections and sources of information - does this need to apply to online tools on public computers too?
Internet companies protect their data very well - how do we turn this situation over and get citizens to access that information, and control their own information themselves?

Next, Pam Sandlian-Smith, director of Anythink Libraries (a public library service near Denver, Colorado) and President-Elect of the Public Library Association, gave us an overview of public libraries in the country.
"The sense of confidentiality is part of our DNA in libraries."

The Public Library Association (PLA) is a branch of the American Library Association (ALA). Some of PLA's initiatives include: digital literacy (developing staff skills first), Every child ready to read (helping parents develop their child's literacy in their early years), Project Outcome (making sure library services are counting the right things to show their impact).
In the USA there are over 16,000 public libraries, including over 10,000 in rural areas. There are similar perceptions and support for public libraries from residents in the US as in the UK (as highlighted in the Carnegie UK Trust's Shining a light report). But there are also similar challenges with some communities having an outdated image of their library and not wanting it to change.
Public libraries around the US have set up a wide range of initiatives, activities and services: some offer summer lunch programmes, others have been working on rethinking the library space, children's summer reading programmes, ballet in the library, a festival to pass on (transgenerational) skills, social workers inviting homeless people and library staff to enjoy a concert and breakfast together...

Anythink Libraries has recently invested in a new campaign to promote the library and its services. "The public library is your place" video (see above) will be aired on TV and there will be posters inside buses. Pam said that devoting money to do this is hard because of budget constraints but absolutely essential since it's about trying to help the community understand everything the library has to offer (as it's about much more than books...) Anythink will also be encouraging the local community to share their stories on social media about how and why they use their library - it's a much more powerful message when it's citizens rather than librarians saying "the library is wonderful!"

From an overview of public libraries in the USA to an overview of online data privacy: next was David Greene, Director Civil Liberties at the Electronic Frontier Foundation (EFF).
EFF "promotes and fights for the rights of users of digital technologies". It is composed of three main teams: lawyers, activists, technologists.

(I was very excited to get a new sticker for my laptop!!)

There is some information online that we knowingly transmit - e.g. when we give our details on an online form - and some that we don't - e.g. our location: we're not always aware we are sharing it.
Metadata (like the location, the time, the recipient) and content (what the message actually says) are treated differently in law and by individuals. David said he doesn't like the term metadata because it makes it sound like it's not important; however, metadata about communications can reveal a lot about a person, even without having the content.
In the US there is something called the "third party doctrine": if you have willingly given information such as metadata to a third party then law enforcement can access it. This started a long time ago and applied to letters, phone calls via a human operator... but now it also applies to the Internet, which raises huge problems for privacy.
"There's no such thing as the Internet of Things - it's just putting lots of other people's computers inside your house."
Tracking means the user loses control of their information: we don't know who else on the Internet is also going to get our information.
HTTPS and Tor are tools that can be used to keep some information hidden. With HTTPS (i.e. encryption), anyone sitting between the Internet user and the website they are sending information to will only get the "to" (the name of the website) and the "from" (the user's location). The user does have to trust that the website also has good privacy practices. Tor will mask the user's location. See Tor and HTTPS for diagrams of what information can be retrieved by eavesdroppers when using the tools - image 1: when you use neither; image 2: when you use HTTPS; image 3: when you use Tor; image 4: when you use both.

What eavesdroppers can and can't see when you use HTTPS
(Cropped - original image published by EFF under a Creative Commons Attribution licence)

Thoughts for librarians:

  • Targeted and vulnerable communities may feel discouraged from using libraries because of data sharing i.e. libraries' inability to guarantee their privacy.
  • Libraries like to offer customers "Amazon-like experiences" but at the same time librarians don't like to share their customers' information. So if you want to offer these types of services you need to: give people the option to opt in and educate them about what they're giving up when they sign up; be transparent about how their information is being used and who it is being shared with.
  • "Collect as little as possible and then retain even less".
  • Build privacy as a feature.
  • Produce transparency reports.

Later we met with Tony Ageh, Michelle Mayes and Bill Marden of the New York Public Library (yes, in a meeting room at the iconic Stephen A. Schwarzman building!) The New York Public Library (NYPL) network is composed of 4 research libraries and 88 branch libraries across Manhattan, Staten Island and the Bronx (Brooklyn and Queens each have their own public library network). NYPL is partly funded by the City of New York and by private donations.

NYPL published its revised privacy policy in November 2016. Revising the policy has meant revisiting and harmonising practices; during the review, the team considered the following questions, among others:

  • What information do we collect?
  • How long for?
  • What do we do to protect it?
  • Where is the data stored? Is it on the institution's servers or on a resource provider's server, and if the latter in which country?
  • What control do we have over data held by a resource provider?
  • Do all our online systems use HTTPS?
  • Which of our services are opt-out and may need to be changed to opt-in? [In Europe the law points to services being offered by default as opt-in, rather than opt-out.]

The revised policy is supported by internal privacy principles that all staff have signed up to. A group of librarians meets quarterly to review anything new that may affect privacy, for example new software or online services that libraries want to subscribe to.
The NYPL team have recognised a need to educate members of the public about what they're giving away when using a particular third-party platform (e-book provider, database, etc.) the library subscribes to - when customers are using a platform, they are under that vendor's terms and conditions.
[For more information, do read Bill Marden's post The path to creating a new privacy policy : NYPL's story on the Choose Privacy Week blog.]
At NYPL borrowing history data is deleted as soon as the person returns the book!
There is sometimes a tension between the data department, which collects information to understand how the library is used or perceived, and privacy issues.
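
As an added illustration of "collect as little as possible and then retain even less" and of deleting borrowing history on return (example code with a hypothetical schema, not NYPL's system): check-in adds to an aggregate count the data department can still use, then deletes the row that links patron and item.

```python
import sqlite3

def open_db():
    # Hypothetical circulation schema, constructed for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE loans (             -- open loans only
            item_id TEXT PRIMARY KEY, patron_id TEXT NOT NULL,
            branch TEXT NOT NULL, due_date TEXT NOT NULL);
        CREATE TABLE circulation_stats ( -- no patron or item column at all
            branch TEXT NOT NULL, month TEXT NOT NULL,
            loans INTEGER NOT NULL, PRIMARY KEY (branch, month));
    """)
    return db

def check_out(db, item_id, patron_id, branch, due_date):
    with db:
        db.execute("INSERT INTO loans VALUES (?, ?, ?, ?)",
                   (item_id, patron_id, branch, due_date))

def check_in(db, item_id, returned_on):
    """Count the loan for its branch and return month, then erase the patron link."""
    with db:  # one transaction: the count and the delete succeed or fail together
        row = db.execute("SELECT branch FROM loans WHERE item_id = ?",
                         (item_id,)).fetchone()
        if row is None:
            return False  # item was not on loan; nothing to count or delete
        key = (row[0], returned_on[:7])  # month taken from ISO date "YYYY-MM-DD"
        db.execute("INSERT OR IGNORE INTO circulation_stats VALUES (?, ?, 0)", key)
        db.execute("UPDATE circulation_stats SET loans = loans + 1 "
                   "WHERE branch = ? AND month = ?", key)
        db.execute("DELETE FROM loans WHERE item_id = ?", (item_id,))
    return True

def history_for(db, patron_id):
    """Everything the database can still say about one patron: open loans."""
    rows = db.execute("SELECT item_id FROM loans WHERE patron_id = ? "
                      "ORDER BY item_id", (patron_id,))
    return [r[0] for r in rows]

def stats(db):
    return db.execute("SELECT branch, month, loans FROM circulation_stats "
                      "ORDER BY branch, month").fetchall()

if __name__ == "__main__":
    db = open_db()  # constructed sample data below
    check_out(db, "item-001", "patron-A", "Main", "2017-06-10")
    check_out(db, "item-002", "patron-A", "Main", "2017-06-12")
    check_in(db, "item-001", "2017-05-30")
    print(history_for(db, "patron-A"), stats(db))
```

Backups and application logs need the same treatment, otherwise the borrowing history survives there after the row is gone.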

NYPL offers classes, in multiple languages, for residents to learn about privacy. However, the City has now announced that at every branch library there will be a member of staff able to help residents protect their privacy. [An extract is provided below, though the full text of the announcement is worth reading.] The challenge for NYPL and the other library services is now to roll out training to all staff for them to understand privacy principles, and for some of them to be able to answer all types of security and privacy questions.

"The City, in partnership with our libraries, will support residents throughout all five boroughs who have questions about how to use the internet safely and securely. Librarians and other staff — at least one person at every branch — will be trained to respond to patrons’ questions and will incorporate new lessons into their digital literacy trainings.
Librarians are already on the front lines of digital inclusion and they are a trusted source of information in our communities. This collaboration with the Brooklyn Public Library, New York Public Library, Queens Library and the Metropolitan New York Library Council builds on the achievements of the Data Privacy Project."
Extract from Safeguarding Internet privacy in service to the public by Miguel A. Gamiño Jr., NYC Chief Technology Officer
