Week 8: the right to privacy

It was great to hear from Jessie Rossman today about our privacy rights and some recent privacy-related victories in court. We don’t get victories that often!

Our readings this week focus on a few things: some of the work that the ACLU has done/is doing around privacy (you can skim that link just to get an idea of what they’re up to), the current and historical inequities in applying those rights (it’s a review of two books we’ve discussed here somewhat – Automating Inequality and The Poverty of Privacy Rights, both of which are on our reading list on github, both of which I highly recommend picking up when you have the time!), a set of recommendations from EFF about what librarians can do to protect privacy in our spaces (Jessie covered a lot of these same points!), and an ALA resource about state privacy laws regarding library records. Here are the discussion questions I’d like us to think about:

  • How are your communities affected by the loss of privacy rights?
  • How is your library equipped to enforce privacy rights?
  • How does your state fare with regard to library privacy law? Does it seem like your local laws are sufficient to protect patrons?

There was something in the readings I keep thinking about. The “Privacy for Whom?” article starts with a quote from Snowden, “Privacy is the right to a self.” This rings true to me. As it relates to the article, who is watching whom? Who has a right to self and who does not? Everyone has a right to a self. In Nashville, there is talk of the city creating a “Community Hub” data portal / interface that unifies city services, like when Google unified all their services. Some of us want to make sure that the library’s ethics / practice / orientation about citizen privacy becomes the standard of this so-called “Community Hub.” We want to make sure we are protecting people’s rights not being complicit in stripping them away.

Our state law is pretty tight. Basically says get a warrant (http://www.ala.org/aboutala/files/oif/ifgroups/stateifcchairs/stateifcinaction/tennesseeprivacy.rtf).

I am concerned about “anonymized” PII that vendors get. This feels like a dark ocean I’m just staring at the surface of, but I am trying to learn more.


This is tangential to this week’s discussions, but when looking through the ACLU’s privacy resources, I went down the rabbit hole of privacy issues related to electronic medical records and genetic information. The genetic stuff has been in the news a lot lately with the revelations that 23 and Me is sharing their customers’ genetic info with GlaxoSmithKline and also a few months back the news that the Golden State Killer was tracked down using genetic ancestry websites.

One of the ACLU blog posts was about a court case in Utah and whether or not the DEA needed a warrant to accent the Utah state prescription drug database.

The American Civil Liberties Union of Utah and the national ACLU have filed a motion in federal court challenging the U.S. Drug Enforcement Administration’s authority to obtain Utahns’ private prescription records from the Utah Controlled Substance Database (UCSD) without a warrant. Last month, the DEA sued the state of Utah in an attempt to circumvent a state law requiring a warrant for such access, and today the ACLU filed a motion to intervene in the case on behalf of Utahns whose prescription records are in the database.

I would have thought, given HIPAA, that there would be no question that a warrant would be required to access that info. Anyway, I was wondering if any of our speakers are going to touch on digital privacy as it relates to medical records/info.

You know, I don’t currently have anyone on the schedule, but let me see if I can remedy that!

Yes! And it’s a place where the mosaic idea comes in to play, for instance: “As increasing amounts of information on all of us are collected and disseminated online, scrubbing data just isn’t enough to keep our individual ‘databases of ruin’ out of the hands of the police, political enemies, nosy neighbors, friends, and spies.” - https://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/

And also: “…anonymous credit card data can be reverse engineered to identify individuals’ transactions” - https://hbr.org/2015/02/theres-no-such-thing-as-anonymous-data

Many/all of you have probably seen similar things, and of course there’s lots more out there. I find it hard feel much reason for optimism when it comes to this issue.

I’m curious what you all saw in your state’s (or states’, if you checked a few) library related privacy laws. I looked at four states and was surprised at how much they varied.

Misc. things that stood out:

  • Maryland has a provision for gifts: “A custodian shall deny inspection of library, archival, or museum material given by a person to the extent that the person who made the gift limits disclosure as a condition of the gift…”.
  • New York specifies that “computer database searches, interlibrary loan transactions, reference queries, [and] requests for photocopies of library materials” are protected. The other states I read didn’t get this specific.
  • Rhode Island had an interesting provision, speaking (above and by Jessie) of the mosaic concept: “Library records which by themselves or when examined with other public records, would reveal the identity of the library user…” are protected [emphasis mine].

Also - I know this book has been mentioned already, but I finally finished Habeas Data and would, as others have, highly recommend it to anyone who especially liked Jessie’s talk. It goes into a lot of technical but interesting detail about some of the court cases she discussed (and more!).