Week 11 - Vendor Agreements

I compare the privacy policies of three popular library vendors and offer some suggestions about how they could be improved: https://github.com/alisonLFP/libraryfreedominstitute/blob/master/assignments/week11/B.N.%20Jones%20LFI%20week%2011.pdf

great work Bryan. love that you tried it over Tor as well as trying with Privacy Badger and Lightbeam. some thoughts…

I wonder how Freegal expects people under 13 to “not share any PII”? lol, I mean, what?

also, it’s so amazing that vendors don’t consider IP addresses or other identifying data to be PII – that’s madness (although fairly typical – none of these ones consider IP addresses PII).

I wonder how we can convince vendors that their definition of PII is woefully inadequate.

I spent some time looking over the Library Privacy Checklist for E-Book Lending and Digital Content Vendors and made a plan for how I will work through Priority 1 Actions at my library.

Since I don’t work with vendors, I used the assignment to look at our privacy policy in light of ALA’s privacy policy overview checklist. A few additional things that aren’t in the assignment:

  • Our public privacy policy, such as it is, is buried on our website at BCPL.info → About Us → Policies → Website General User Terms and Conditions.

  • Our website is controlled by Baltimore County’s IT department, so that may explain some of the more legalese policies and terms of use. It may also make implementing changes difficult.

  • “If you seek to avoid the use of cookies, you should not use any application or webpage that uses cookies.” Seriously, you guys?

  • “As consideration for your use of the Baltimore County Public Library website, you agree to provide true and accurate information about yourself and to make certain the information that you provide is current, complete and promptly updated as necessary.” Could this be grounds for BCPL to not allow users accessing the website via Tor?

  • “…your substantive communications and materials transmitted to us, such as data, questions, comments or suggestions, are considered non-confidential and non-proprietary.” This is bad! If electronic only, this can still include emails, purchase requests, electronic reference questions, and more. I question this in the assignment but am having a lot of trouble understanding why it would be included.

@mtkinney – this is a great list of priorities and I think your plan to try to leverage the size of your consortium to demand these things from vendors is an excellent idea. that’s exactly how we get things done! we have power! also I like the idea of adding privacy policy info to multiple places including your a-z database list!

re: deleting old accounts. do you think you could contact former students and ask them about account deletion before you do it? or make this into something at a policy level? e.g. “accounts unused after x amount of time will be deleted to protect your privacy”

@sjbrown really thorough examination of your privacy policy! I love these questions. You’ve created a great framework here for examining the assumptions and justifications used in these policies. Why IS this information necessary? What EXACTLY do ambiguous words like “appropriate” mean? The way you’ve broken down your internal policies using the ALA checklists is really helpful and I think could be used to guide other libraries doing the same thing.

Wowwww. It’s basically saying “just don’t use computers or the internet ever”.

Interesting. I guess technically this would mean that Tor was against the policy. But I wonder about such a policy more broadly. How can this possibly be enforced?

This is indeed very worrisome. This is the part of the policy I’d personally push back against the strongest. It goes against the ALA code of ethics. They might have this in here because they don’t want to act like they can guarantee privacy or anything, but saying explicitly that this information is essentially public is something else entirely!

Ah - I can contact students if they signed up for the accounts with their personal email addresses, but a lot of times, they use their school account, and then forget about it when they move on to bigger and better things. But I SHOULD try that first before I delete them, and yes… I think on that research guide about creating user accounts with our various platforms, I could have a policy level warning about untouched user accounts… Hmmm… Lots to think about!

I wrote a privacy policy for my library, based on the ALA library privacy checklists. It hasn’t been officially adopted yet and I’m still in the process of getting comments on it, but I don’t think the core of it is going to change much. I tried to simplify the language as much as possible, but it still was rated between a 10th and 11th grade reading level on a couple of different reading level checkers.

looks great @clobdell. smart to put it through a reading level checker. despite my best efforts, I always get 10th or 11th grade on mine too. though occasionally I have been able to lower it a little by turning sentences into bullet points.