Week 11: vendor agreements

Hi all, here are Sarah’s slides from yesterday: https://drive.google.com/file/d/1pv1GsgQGL9cEJc9kzQOtqCZ2Xhp3AjyH/view?usp=sharing

The lecture video is posted in the video thread.

Let’s talk about your vendor agreements! What do you think of the ALA privacy checklists? What about the San Jose security analysis results? How do your vendor policies measure up? Did you find any trackers using Lightbeam (or Privacy Badger)?

I don’t really interact with our vendors at all, so I have meetings with the folks in my library who do, to go over the privacy checklists and the relevant slides from Sarah’s presentations. I’ll report back on what I find out, but I do think that these checklist-style documents are super helpful to make things more straightforward. This is the area I’m most concerned about w/r/t our library’s new privacy policy, so I really appreciated Sarah’s suggestions on linking out to vendor privacy policies, and finding ways to make it clear the limitations of what privacy we actually offer.

As a sidenote, we’re at the start of some work to make a better rubric for our student workers who go through all of our e-resources to make sure they’re working/accessible, and it occurs to me that there may be some privacy-related things that students could confirm as part of this work. Anyway, definitely going to be trying to insert into existing workflows, however I can.

I will say, I find Lightbeam super cool to look at, but almost incomprehensible to read, besides to demonstrate the overall overwhelm of tracking. Privacy Badger is a little more legible. I just clicked through a few of our resources, and it appears that many of them do have third party trackers.

This week’s lecture and readings were super enlightening, and I really appreciate how practical/hands-on much of it is. I’m looking forward to poking at my administration with the privacy checklists. Ideally I’d like to do a privacy audit, either by myself or with a team. Like @kellymce, I don’t have any interactions with vendors, but I can at least ask questions and share best practices there.

I really appreciate the privacy checklists. I am going to take a deeper dive into them + my system, but I suspect the results may be disappointing for at least some of them. Some things that stood out about our privacy policy:

  • As far as I can tell, ours is posted online only. And you have to hunt for it - There is a section called “Privacy Policy” under the general “Website General User Terms and Conditions,” and as the name suggests (or rather does not suggest), this is specific to the website and does not discuss anything about, for instance, circulation records. I can’t find anything public about that from home but am going to check once I’m at work and report back!

  • Our policy regarding cookies: “The Baltimore County Public Library website uses session cookies—CFTOKEN and CFID—whenever you visit the site… If you seek to avoid the use of cookies, you should not use any application or webpage that uses cookies.” …I don’t appreciate the tone there.

  • The “Warranty and Disclaimer” section includes the line: “Anyone using this system expressly consents to administrative monitoring at all times.” Also this section is generally full of a bunch of legal terminology that I don’t find terribly friendly for laypeople.

On the whole I’m rather ashamed at our privacy policy, or lack thereof. Also I believe that this policy, for what it’s worth, was only posted online when our new website was launched earlier this year. Before that I don’t think there was anything publicly posted.

Our Digital Safety Team met today and the topic of vendors and tracking came up. I’m going to share the San Jose Security analysis results with them, which I also found super useful. Right now, our privacy policy is pretty detailed concerning using wi-fi, library computers and our Book Me Reader’s Advisory Service but we just have a disclaimer about our databases, Overdrive, Hoopla, etc. which states “The Library is not responsible for the privacy practices or content of other sites you may link to via the library’s web site”. The policy is buried deep within our site and I don’t imagine many people look at it. I like the idea of printing out the policy and posting near the computers and Sarah’s suggestion of linking to the vendors’ privacy policies.

I used Privacy Badger for tracking and noticed there’s tracking on Hoopla, Overdrive and RB Digital, the main vendors our patrons use.


I really like this idea, Kelly. I also don’t interact with vendors, but I’m going to talk about it with my director, who does.

We don’t currently have a privacy policy so I’ve been working on one as an alternative to this week’s assignment. Because our web presence and computer hardware are administered by the college, there are some things I’m trying to figure out from our IT department regarding our use of cookies and how often they purge stuff from the servers.

As I said on today’s call with Gary Price, I’m interested in how this kind of checklist/best practice framework can be used to inform other privacy conversations, like talking to local lawmakers. Lots of the stuff covered can be easily replicated and tweaked for the right audience. For example, the checklists talk about the importance of end-to-end encryption for all data and how to demand this from vendors. Likewise we can be asking our lawmakers, what are you doing to ensure that businesses must comply with consumer protection standards like end-to-end encryption?

@kellymce I totally agree about Lightbeam. It’s clear that lots of stuff is happening, but it might be too overwhelming for it to be useful in any educational context!

@sjbrown and @rebekah your library privacy policies sound a lot like other library privacy policies I’ve seen. The administrative monitoring line in the Baltimore one is particularly broad and creepy.

@clobdell I’ll be interested to see how a privacy policy shapes up using these checklists! I think I asked Sarah about examples of libraries who’ve done that, and I don’t remember her having any examples, so it’ll be great to have an example of how one could look.

I, like everyone else, don’t interact with vendors. I was thinking of asking the manager of Technical Services for a copy of the OverDrive policy, well at least the privacy policy section, but I haven’t. I should though because it might be a way to start a conversation about vendors’ privacy practices that maybe library administration have not considered before. I like the idea of sharing the privacy checklists with the Acquisition and IT staff who are responsible for working with vendors or handling the library’s technology.

Surprisingly, I didn’t find many trackers using Privacy Badger on our OverDrive, Hoopla, Freegal, and RBDigital pages; there were more results on the library’s homepage! When I logged on Hoopla and Freegal, Privacy Badger found 1 potential tracker.

The San Jose security analysis was very informative, especially the vendor security matrix definitions. Using their chart and definitions, I might go back and try to figure out how our vendors stack up.

My system, Charleston County Public Library, has an online privacy policy: https://www.ccpl.org/policies-procedures. It’s buried with the rest of our policies. Ideally, a link to it should be prominently on the home page. The policy as a whole seems underwhelming.

While reading the privacy checklists, which I really like, I did an “audit” by noting practices that, to the best of my knowledge, my library does. Implementing most of the practices on the checklists is out of my scope of authority, but it was still fun to assess what we are doing towards securing patron privacy. If I was director, I would push to create a Library Privacy Officer position. This person would work closely with IT and Technical Services departments to audit system regularly using the privacy checklists. They would also work with the Programming Dept. to educate the public. If our county was to say no to funding a Privacy Officer position, I would use the checklists to still do an audit with relevant departments.

On a realistic level, I noted some practices I could do as a branch manager at my location:

  • Post our online privacy policy by PC Reservation Station or somewhere else in the branch
  • Ensure library applications and other documents containing patrons’ personal information are actually shredded like library policy instructs
  • Post brochures about protecting privacy online, with recommended tools
  • Make sure my staff understand library policy on how to handle law enforcement & government requests for patron records (in a nutshell, they need a subpoena)
  • Restrict access to patron records to library staff only. My branch doesn’t have a page, and we do have the occasional volunteer. So I would work with my volunteer supervisor to make sure volunteers don’t do any tasks involving patron records, using the ILS, or anything else that may reveal what patrons are borrowing. Especially because my library isn’t currently doing background checks on volunteers anymore.

Yes, Gary’s point about talking to local lawmakers really resonated with me. I want to do programming for next year’s Choose Privacy Week, and inviting the councilman in my branch’s area to attend is something I’m thinking of doing.

@greK that’s a great idea. I spoke to my journalist friend yesterday and he says he’s around to give us a last minute lecture on Tuesday (we’ll record it of course). I’m working on questions to ask him and I’ll post details here in the chat if we go forward with it (we can also have him come next Tuesday if need be).

I’m going to switch up the assignment and the discussion. For the discussion, here are some things we do / did / are doing at my library cherrypicked from ALA Privacy Checklists. Shortly before LFI started I transitioned from Public Services to Systems. We/us refers to Systems Team.

  • Pika, our discovery layer, has a feature called “Masquerade” where staff can log in and see what a patron sees w/r/t the patron’s account without knowing the patron’s PIN. Staff could see the patron’s reading history though all our literature states that staff will not see your reading history if you choose to turn it on. We changed it so reading history can no longer be seen by staff if they use the “Masquerade” feature. I’m proud to report it was actually our Policy Review Committee that brought this issue to our attention. It didn’t originate from the Systems Team which tends to be more privacy minded. A related, unresolved issue is that our ILS creates a “Notice History” viewable in the staff client that is a de facto reading history. We worked with our vendor to only keep notice history for three months in the staff client, but we know their server side logs still keep all this info. We are working with our vendor to ensure these logs get deleted but I’m not sure how much leverage we have.

  • We’ve worked with our marketing team to ensure the only info they get about patrons is their name and email, and only if the patron has opted in to share this info. Currently, our online and paper library card sign up forms are ambiguous and say different things. We are working on creating a self sign up kiosk and using that as an opportunity to make online and paper verbiage uniform and make it clear what you are opting in to.

  • We are working to encrypt the Pika database when the data is at rest. We have updated to the newest version of MariaDB, the database system Pika uses. We still need to actually run the commands to encrypt that data and then do a performance test. If it doesn’t break and/or make our discovery layer go slow as mud, we hope to be an example for other Pika users.

  • We’ve begun to delete all EZproxy logs after three months.

We have less direct control over vendor contracts. Our Collection Development Manager has final up/down authority on those but we try to weigh in as best we can. I know the last one we signed, some members of the Systems Team thought the language was very strong in terms of privacy. I felt it was pretty soft. We share work space though so the lines of communication with Collection Development Team are open. There are a lot of opportunities for us to have positive influence in this area. SJPL Vendor Security Analysis will be very helpful in clarifying things.

Becky Yoose has been giving great talks about how to handle patron data and vendor contracts. Her LITA lecture can be found here. There’s a lot of practical stuff in there about how to implement the ALA Checklists. Adobe nonsense, forgive if link does not work.


Great that you made this change! I’m curious, did the policy review committee do it on the grounds that the policies did not actually reflect the practice in this case?

Wow, is the vendor insisting that they get to keep this data?

What’s their take on the privacy stuff?

Becky Yoose is awesome!!!

btw, since Adobe Connect makes you use Flash (which is awful!) you might want to open that webinar in Tails (where it is safer to use Flash!).

I think they have a good faith intention to implement best practices. The policy on the last contract was not bad:

Protecting patrons’ privacy is critical to the mission of Nashville Public Library. As ******* joins the library in extending services, vendor shall also protect our patrons’ implicit right to privacy. The default arrangement of setting up a user profile on the application should be set to collect the minimum of patron information required for product to function. Any programmatic data communications between ******* and Nashville Public Library users should supply only the minimum of patron information required to fulfill the specific purpose for which that information is being made available. Users should have a choice about whether or not to opt-in to features requesting additional personal information. Users should also have the ability to opt-out, if they later change their minds. ******* may only use individual user activity data to provide the Licensed Content and to analyze and improve its delivery of services and Licensed Content to End Users. ******* may use End User data in an aggregate form that does not identify any individual for research, white papers and studies. Any activity monitored should be anonymized and untraceable to specific library patrons wherever possible. All collection of user activity should be disclosed and accessible to Nashville Public Library staff. ******* shall not request any borrowing information that may be contained in patrons’ records. User activity data with personally identifiable information should not be retained longer than thirty days. Data communications between client applications and server applications, that may include patron information, should be encrypted. ******* shall not enter into any agreement with a third-party to disclose any patron data without first getting approval from the library. 
Should any patron data be erroneously disseminated, ******* shall immediately notify Nashville Public Library with complete details regarding all breached data and shall make swift effort to patch any system that has been exposed.

But compare this clause about third parties that Yoose suggests in the presentation I linked to:

No SPL records or data shall be released by the provider to any third party without prior written consent of SPL.

I’m still going through the privacy checklists! I manage our eResources at my college library, so as I become familiar with them, I am first going to be working my way through the Library Privacy Checklist for E-Book Lending and Digital Content Vendors.

One thing I have been thinking about in relation to this topic… I remember when legislation was passed that made it so credit card statements had to be simplified for better consumer understanding. I think the way some privacy statements are written could be simpler so people could better understand what they are reading. I’m thinking about the intermediary pop-up Sarah Houghton was talking about during our call. She noted that before patrons jump to a service (Overdrive?), that about once a month a pop-up would appear warning folks they were leaving the library website and therefore the privacy protections could be different. I do want to post links for my patrons to easily find privacy statements for our web of eResources vendors, but I think the large amount of text they present is a barrier itself. It’s up to patrons to take the time to read the statements, but when my student has a short amount of time to find research articles for their paper, do they really have time to read a 21 page privacy policy from EBSCO? So… after I go through the road of working on my library in particular, I think I might be interested in working on how vendors can make these statements simpler… Maybe.

@mtkinney there is a browser extension called Terms of Service; Didn’t Read that rates TOS based on a number of criteria and assigns them a grade: https://tosdr.org/

You can then go through and look at the metrics that made them choose whatever grade they chose. This scoring method makes it really easy to know what you’re getting with a 21 page policy. While they have pretty much only rated the privacy policies of very popular sites like YouTube, they might have some library vendor policies up there and also you could maybe use their method as a criteria for looking into vendor policies (though that would be its own project!).

Thank you! Will install it at home tonight.