Week 9 discussion: Talking to IT and admin about privacy: what's your experience?

Edit: we had our lecture already, but let’s continue using this thread to talk about our experiences convincing IT and admin about privacy. When have we used Becky’s suggestions and how has that gone? What goals would we like to achieve with our IT relationships? What privacy projects do we want them to buy into?

Our week 9 lecture and discussion will be with Becky Yoose about convincing library IT and admin to make privacy and security changes. I’m sure that many of you have experience with this, good and bad, and I’d like to ground our discussion that week in those experiences. So anticipating Becky’s conversation with us, let’s talk here first:

  • What specific questions do you have about how to convince IT/admin about the importance of privacy?
  • What scenarios have you been in where you’ve struggled to make the case for these changes?

Not saying this is an end-all, be-all approach to the problem, but something I’ve run into a bit is trying to at least find a middle of the road solution to having IT departments talk more explicitly about the privacy/security risks of using certain tools. Take Zoom, for instance–even in the heat of the FBI attention and the numerous articles popping up about its security flaws, our IT was basically just like, “We’re not concerned about the security at this time” (hot on the heels of them telling us we were averaging 90 minutes a day, 7 days a week on there). They don’t see this as a chance to educate or disclaim the risks and help people understand them better, likely because they’re not viewing tech from a “we should be teaching people about this” angle. In my experience, IT doesn’t like to teach much of anything, so how do we get them to see that this is an important learning opportunity even if they’re not going to implement a different solution?

Ugh, too many to count. From trying to ditch the captive portal roadblock at my last public library job to asking about beta testing for the LibraryVPN project, I’ve just been told outright NO, no room for discussion whatsoever, by IT departments. I discussed Zoom privacy issues with a group of some of our most progressive privacy-conscious students on Friday and they said that while they normally would be fighting the good fight about it with our IT, they didn’t have the energy for it at this point, and I don’t blame them (I don’t either - it was bad enough that they refused to train anyone on these tools so I took that responsibility on myself). I know we’ve alighted on this before throughout class, but I’m sure we’re not unique in this lacking energy right now. :\

1 Like

I have had very similar experiences to you, Callan, when dealing with IT. I also see it far worse from my other co-workers; because my job is tangentially related to IT at times, I feel like my opinion is at least better accepted, and they are more likely to listen to me. To our many Branch Librarians, I see their opinions are often outright dismissed or ignored entirely.

I think it is important to find common ground between the IT side and the service side of the library. It is easy to say that though, I can’t say I have seen this happen much in reality.

1 Like

What specific questions do you have about how to convince IT/admin about the importance of privacy?
How do you respond to the comment “All of your information is already out there anyways, so why worry about privacy?” or my personal favorite, “Big companies are already mining data and using it to their advantage, so why should the library be any different? We should be using this data to make better decisions and increase our marketing efforts.” For clarification, these are comments I hear from my elected Board of Trustees every time they want me to use our patron data for some marketing idea they have.

What scenarios have you been in where you’ve struggled to make the case for these changes?

I was once in a situation where the Chair of my Board wanted us to run a report of all the email addresses associated with a town address and add them to our e-newsletter distribution list without their consent or knowledge. His argument was that in the corporate world it was “common practice” to add people to mailing lists and that he’d like us to do it despite my objections. He wasn’t completely convinced when I showed him that such a move would not only be wrong, but would also be in direct violation of several town and network policies. I also cannot convince them to move away from “free” services like MailChimp because “they work just fine,” and “who really cares what I post? I have nothing to hide.”

We had a similar situation when a Board member decided out of the blue that we should install cameras in every area of the library (laughable given the size of the building- you have sight lines everywhere). What started off as “it would be helpful if someone committed a crime” turned quickly to “well, what if the cops are looking for someone? They could review all the tapes to see if that person came to the library.” The argument was also made that we’d be able to see better what people were looking at and collect data on what they browse but don’t check out, or that if someone in town was missing, we could look at the film and tell family members if the person had been in the library that day. It took a letter from me and the rest of my staff stating we would quit in order for this particular board member to drop the idea. He actually laughed at me when I pointed out how massively unsafe this would be for marginalized residents and domestic abuse victims. It’s frustrating to be dismissed as a conspiracy theorist every time you defend someone’s privacy! (end rant)

We have two ITs in our college. The first is the main campus IT, and then we have a library Academic Information Technologies. Academic Information Technologies reports to the library and for the most part we can help determine priorities, but our managers have to do that. For us it’s about leadership, and the head of my unit is a good advocate and we have been able to get some of our projects prioritized on the web, computers, and computing environment in the library. In general, I think it’s hard to start asking for software to be installed when “security” is seen as an “IT” priority. I feel like if we wanted HTTPS Everywhere installed or other types of software we have to argue for it on a case-by-case basis. I think what would be helpful for me would be to have a list of the kinds of software people have installed in labs to aid computer privacy and documentation of that software. Also, another consideration would be how to carve out an expertise for librarians that would be complementary to the cybersecurity mindset of IT folks. I definitely think of “privacy” as a kind of practice more connected to patron advocacy and cybersecurity as a kind of practice more connected to hardware and software (not people). I don’t know if this is a useful distraction. As a librarian I feel like where I can do my work is by having workshops that connect people to best practices and privacy tools so that they are cognizant of what they need to do. Now if those tools aren’t going to be there in a lab environment where I teach and work, then I feel like I can really justify asking for those tools to be cloned with the lab PCs and Macs. I think that’s the kind of approach I would like to take.

The struggles we’ve had with our IT are usability struggles. And this includes some kind of software bug that we have to painstakingly document for them to believe that our users are experiencing some kind of hardware and software problem. For example, our library makes its own book scanning software and for a long time it was a POS. It would crash, make bloated PDF image files that no one could email to themselves. Eventually it got better, after working together to document each case. We sent up so many emails, complaints, that we eventually made our own ticketing system using Google Forms that would just shoot a documented error form. Now the software is great actually. And our library actually sells that scanner software to other libraries. In terms of privacy, we have noticed errors like documents still remaining on a public computer when it restarts, user print logs, etc., that we were eventually able to report and get fixed. We have to really coordinate our documentation, and again a lot of that is leadership because someone has to tell people to start documenting that error, and then that person has to put all those Google Form reports into a coherent error that IT can understand and do something about. That manager that interfaces with IT is very important. And the person who does that now isn’t very tech savvy or anything, but she is a very good advocate and organizer.

  • What specific questions do you have about how to convince IT/admin about the importance of privacy?
    Advice on how the library can try to gain a seat at the table at the discussions as we do seem to be the department most concerned with privacy. Talking points on industry-wide security that may bring it more attention than the current perception that the librarians just refuse to take part in all these great initiatives and software packages that “lead to student success”.

  • What scenarios have you been in where you’ve struggled to make the case for these changes?
    Just about every scenario when something is announced. There are actually four layers of IT - the central IT, campus IT and libraries IT and our library IT. We have little to no decision making on the library level as everything is dictated by decisions made at the central level and then works its way down. The local IT is fantastic and willing to work creatively but has to respond to and is partially accountable to the other layers. For example, local was more than willing to add Tor Browser to the PCs but faces a major obstacle because they are imaged by the library IT with input from the others. My biggest frustration is that the library is not at the table for any of the discussions that involve the changes and privacy never seems to be a concern, over that of cost, convenience and monitoring of students and employees capabilities.

Something I’ve really struggled with in dealing with IT at my institution is just getting a straight answer about what data they’re collecting from the student computers in our four campus libraries. IT runs our library computer labs (which are the biggest labs on 3 out of 4 PCC campuses) and they are extremely opaque about whether and how they are surveilling students (the IT policy states that they can but doesn’t definitively say that they do). Our IT group is extremely dysfunctional where the right hand frequently doesn’t know what the left hand is doing so I’m not even really sure who to talk to about it because the IT staff I deal with (who are lovely people) usually have no idea what the larger IT org is doing. Our current CIO comes from a corporate environment and seems to still think he’s in one, which has only increased the opacity.

How do you effectively have privacy prioritized in IT decisions/processes when the departments are often overstretched and underfunded in many public settings?

How do you come to a pre-arranged and agreed upon idea of what private or secure enough means in the public environment?

These are amazing! Please keep these questions and experiences coming.

This is my number one issue that I have encountered time and time again. Dealing with some issue (ex: A patron’s e-mail account is automatically logged in after they have left the computer and signed out) that I personally, as well as many other staff members, have seen happen. We document it as best as we can and send to IT, but we don’t get a response, or we do get one but they tell us they can’t recreate the problem.

I understand it may be a weird isolated bug, and I am sure they can’t recreate it which makes it extremely difficult for IT to solve the issue. I often feel like I am being gaslit though and that IT thinks that the library staff are just making this issue up entirely. I barely have time to document these weird bugs, I and other library staff definitely don’t have time to make up fake technical issues.

It is an extremely frustrating issue.

As for questions, this is something I think about a lot:

Working in libraries, we are often on the forefront of the new technology that we don’t entirely understand. When we begin to assimilate a new piece of technology into our workplace, we often do it twice: once on the library staff side, and once on the IT side. What are the best practices to ensure that as we deal with new technology, and the issues that arise from this new technology, that both the library staff and IT remain on the same page?

1 Like

My experience with our campus IT has overall been good. We have our campus IT people then our college contracts out to Ellucians who runs all of our main software the campuses use. It’s never really been clear (well at least not to me) how the work duties between our campus IT and Ellucians are divided. I’m not sure if Ellucians has to approve every type of software we want on our library devices, or if our campus IT people can make that call. When we got a new cataloging system for our libraries Ellucians had to approve it so I would assume they would be involved if we wanted privacy software installed.
I think the hardest thing for me would be not knowing who is going to be the person making that ‘yes’ or ‘no’ decision.

1 Like

I anticipate this being quite the uphill battle. First off, our IT lady is quite the rough-around-the-edges character. I get along with her quite well, relatively speaking, but I still suspect she will see this as an unwanted encroaching on her “turf”, which she guards rather jealously. I plan on having a sit-down meeting with her to discuss the ideas I have out of this course and putting real emphasis on working WITH her and relying on her expertise to try to see what I can get done. I also foresee the same problem, magnified, with our Head of Circulation, who basically believes–and lets everyone know she believes–that our patrons are out to get away with whatever they can. Regarding experience with implementing privacy features for our patrons, I once brought up, early in my job here at SCL, that a lot of our ILS system and specifically our patron holds pick-up system could use improvement for privacy’s sake, and the Head of Circ took that as an affront. When we then did a tour of another library and saw how they had done their holds pick-up–the same way I had described it at another library I’d worked at–she seemed surprised it worked and like the idea had never been proposed to her. In addition, I’d also love to see more self-check kiosks in the library, and better maintenance and increased usage of the ones we have, because those can be useful tools for patron privacy, and perhaps that will be on the agenda already due to our phased reopening plans, so hopefully that will get accomplished.

To be completely fair, the reality is, at least in my branch, that we have a problem with theft of materials, and that drives a lot of our policies. I think that can be mitigated by changing some Circ policies–we’re discontinuing overdue fines going forward, so hopefully that will make people’s cards usable again once those fines are removed and it unblocks their cards so they won’t feel the need to steal the books they want–and I also think a simple introduction of tattle-tape or perhaps the RFID tags we used for materials in Palm Beach County could help prevent further theft.

Basically, the issues I predict with implementing better patron privacy practices at my library are due to personality conflicts and inter-office politics. That said, there is something of a basis for the frankly terrible attitudes some of my colleagues have toward our patrons, but I think the problems they cite are easily addressable, but would require a wider-scale overhaul of policies and procedures in our library system as opposed to a relatively simple fix.

My experience with IT and making things happen has had two major things that have worked well in my favor.

The first is to make sure that I have a base level of knowledge about the topic that I’m seeking their assistance on. While they will have specialized abilities and access that I need to engage, being able to intelligently discuss what I’m asking for, how it could potentially be accomplished, and what the issues around implementation could be makes it more of a conversation and less a request for someone to do something for you. Plus, increasing IT skills in people outside the department is never a bad thing.

Second, making change in many organizations can involve a lot of informal authority. People gain political and personal capital from a lot of things, but in my experience, it tends to be gained by volunteering to help out, getting to know people as individuals, making small requests to begin with, and trying to create common ground to share accomplishments and forward momentum. In a lot of library environments, there can be turf wars between public service or branch departments and more centralized IT departments. Making time to break down those barriers, to engage with workers at all levels from the opposite side when you get the opportunity, and maintaining those relationships should be key. Know people’s names. Know what they’re experts in and what they’re interested in. Find a natural ally. It’s not always easy, but it can be a good place to start.

2 Likes

I agree with Becky 100% that relationship-building is key to making things happen with IT. IT staff are going to be much more open to helping you if you have an existing relationship vs. if the only time you talk to IT staff is when you have a problem. I’ve made an effort to talk with and get to know the IT staff who work in the Library and it’s led to them helping us with quite a few things, the most important was removing the obnoxious login software (that’s on all regular lab computers) from our instruction classroom computers. We used to spend 10-15 minutes of our classes teaching students how to create accounts and get into the computers which took so much time away from actual information literacy instruction. All it took was telling my buddy in IT how frustrating it was and that hurdle was removed! MAGIC! I also asked him about having the browsers automatically be in incognito mode and BAM they were! :smile:

I also think not going into interactions with IT holding biases or stereotypes against them is valuable. When we see them as whole people with their own goals, limitations, and stressors and don’t make things all about us and our wants, we’re going to be more likely to get what we want. When you start a conversation with your back up and without trying to understand the other side, it shows.

That is challenging, Marisa! I’ve found in the past when working with people who are really territorial that coming to them with the problem you’re trying to solve and brainstorming solutions together can help make the conversation less adversarial. When you go in promoting the thing you want, it’s easy for them to see that as encroaching on their territory. When you brainstorm solutions together, you show respect for their expertise.

I’ve used this technique with some real jerks over the years and it’s been pretty effective! It’s awesome when you can get them to think the thing you wanted to do was their idea!

1 Like

I love it when this happens!

Think about how we feel when people treat us like the librarian in their imagination!

This is really good advice.

1 Like