We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.
American Library Association Code of Ethics
Yesterday I watched as Adobe Digital Editions told Adobe what book I was reading — title, author, publisher, year of publication, subject, description — and every page I’d read, and the time at which I read them. Adobe’s EULA states that it also collects my user ID and my general location.
I was able to watch this information be collected because it was all sent unencrypted, readable to any English-speaking human with access to any of the servers it passes through, in whatsoever jurisdiction, and also (if your wifi is unencrypted) the open air between my laptop and my router.
The Council of the American Library Association strongly recommends that… [circulation and other personally identifying] records shall not be made available to any agency of state, federal, or local government except pursuant to such process, order or subpoena as may be authorized under the authority of, and pursuant to, federal, state, or local law relating to civil, criminal, or administrative discovery procedures or legislative investigative power [and that librarians] resist the issuance of enforcement of any such process, order, or subpoena until such time as a proper showing of good cause has been made in a court of competent jurisdiction.”
Policy on confidentiality of library records
Your patrons’ reading information is already part of a warrantless dragnet. Because it has been transmitted in cleartext, the government needs no further assistance from you, your patrons, or your vendors to read it. Even were they to present you with a valid subpoena, you would be powerless to resist it, because you have, in effect, already written the information on your walls; you have no technical ability to protect it.
The American Library Association urges all libraries to…
- Limit the degree to which personally identifiable information is collected, monitored, disclosed, and distributed; and avoid creating unnecessary records; and
- Limit access to personally identifiable information to staff performing authorized functions; and…
- Ensure that the library work with its organization’s information technology unit to ensure that library usage records processed or held by the IT unit are treated in accordance with library records policies; and
- Ensure that those records that must be retained are secure; and
- Avoid library practices and procedures that place personally identifiable information on public view.”
If Adobe Digital Editions is part of your technical stack — if your library offers Overdrive or 3M Cloud Library or EBL or ebrary or Baker & Taylor Axis 360 or EBSCO or MyiLibrary or quite possibly other vendors I haven’t googled yet — you are not doing this. You cannot do this.
…ebook models make us choose. And I don’t mean choosing which catalog, or interface, or set of contract terms we want — though we do make those choices, and they matter. I mean that we choose which values to advance, and which to sacrifice. We’re making those values choices every time we sign a contract, whether we talk about it or not.
me, Library Journal, 2012
In 2012 I wrote and spoke about how the technical affordances, and legal restrictions, of ebooks make us choose among fundamental library values in a way that paper books have not. About how we were making those choices about values whether we made them explicitly or not. About how we default to choosing access over privacy.
We have chosen access over privacy, and privacy is not an option left for us to choose.
Because: don’t underestimate this. This is not merely a question of a technical slip-up in one version of an Adobe product.
This is about the fact that we do not have the technical skills to verify whether our products are in line with the values we espouse, the policies we hold, or even the contracts we sign, and we do not delegate this verification to others who do. Our failure to verify affects all the software we run.
This is about the fact that best practice in software is generally to log promiscuously; you’re trained, as a developer, to keep all the information, just in case it comes in handy. It takes a conscious choice (or a slipshod incompetence) not to do so. Libraries must demand that our vendors make that choice, or else we are in the awkward position of trusting to their incompetence. This affects all the software we run.
This is about the fact that encryption products are often hard to use, the fact that secure https is not yet the default everywhere, the fact that anyone can easily see traffic on the unencrypted wireless networks found at so many libraries, the fact that anyone with the password (which, if you’re a library, is everyone) can see all the traffic on encrypted networks too. This affects all the software we run.
This is about Adobe. It is not just about Adobe. These are questions we should ask of everything. These are audits we should be performing on everything. This affects all the software we run.
I am usually a middle-ground person. I see multiple sides to every argument, I entertain arguments that have shades of the abhorrent to find their shades of truth. This is not an issue where I can do that.
If you have chosen, whether actively or by default, to trust that the technical affordances of your software match both your contracts and your values, you have chosen to let privacy burn. If you’re content with that choice, have the decency to stand up and say it: to say that playing nice with your vendors matters more to you than this part or professional ethics, that protecting patron privacy is not on your list of priorities.
If you’re not content with that choice, it is time to set something else on fire.
andromeda yelton 
This is a brilliant analysis, Andromeda. Thank you for writing such a clear deconstruction of the larger issue here of sustaining espoused values within the current environment and calling upon us to consider our choices and responses.
LikeLike
Hi You are right about Overdrive but please check about 3M Cloud. This may have changed but last I knew the end user did not have to give up a personal Adobe ID. The Adobe id is used but they are “pool” id’s at 3M. Only 3M has the key to linking that recyclable Adobe id to the loan in progress. 3M seemed to be very aware of these privacy issues and protecting them, last I worked with them. Every so often the app would break and the system would demand an Adobe id. But it was not the personal id, it was an Adobe id 3m Cloud needed to get from itself (sort of like an IP number wireless lease). Please do check on this.
LikeLike
This is good info, thanks! I’m still pretty wigged out about sending all the reading info, but if it’s tied to a sort of DHCP-like set of IDs through 3M rather than a patron-specific ID, that’s definitely a step in the right direction.
I don’t have the technical capacity to verify this myself, but I’d love to see comment from people who do.
LikeLike
Two things struck when I read the reports last night and which you put better into words than I could.
1) We need to define a minimum function set to ensure that software complies with the professional standards we deem as necessary for a library stamp of approval. Encryption would be very high on that list. A unified minimum function set would prepare vendors to comply (similarly to how car makers update their models to comply with highway safety standards).
2) We, in libraries – and particularly associations – need to have the skills or employ those with the skills to test and verify compliance (as you said). This may mean altering budgets away from traditional roles to employ more software developers and retraining the currently employed without software skills.
Thank you for the post… you’ve articulated my frustration with this issue very well.
LikeLike
I’m here to echo Ms. Diess above–thanks Andromeda for helping to inform your readers on this critical issue. At some point, we’ve got to push back (and hard) against this sort of corporate overreach.
LikeLike
Thank you. Looking forward to seeing what libraries do about this.
LikeLike
In addition to the destruction of reader privacy, DRM really impedes access too. ADE is difficult to use, difficult to set up, and makes note taking problematic. When selling eBooks on their own platforms, many academic publishers offer DRM free PDFs of chapters, and those publishers have not gone out of business. The logic of DRM is particularly weak for academic books; libraries are often the main customers, and we’re not going to go out and torrent a bunch of titles. Let’s get ADE out of the picture already.
LikeLike
Ultimately it’s all about the DRM, right? Once you have DRM, you have an infrastructure that makes it super easy to do all this – maybe easier TO do it than not to. I mean, you have a requirement for some sort of authentication baked in, which makes it hard to NOT spy on readers. DRM-free ebooks give you much better starting points for both privacy and usability.
But if you don’t have DRM, there’s a very good chance the publishers won’t play ball and then you’ll have no content. The choices here aren’t actually easy. (Even the moral choice isn’t 100% clear, depending on your relative weighting of access and privacy.)
I would a million times rather live in a no-ebook-DRM world, but I also worked for years on trying to make that world happen, and headway was very hard to make.
LikeLike
Thanks for this post Andromeda. This is an important issue and libraries are being put in the position of choosing between online access or privacy.
The privacy subcommittee of ALA’s Intellectual Freedom Committee has been concerned about this for sometime (full disclosure, I am the current chair of the subcommittee). We recently released a new version of the Privacy Tool Kit (http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/privacy) which is a great resource for those who are concerned about privacy in their libraries. It lays out what we should be expecting, I mean demanding, from our online vendors in terms of privacy.
The toolkit is a great start, but we need to work together to pressure vendors to adopt practices that protect reader confidentiality. My guess is that many of the EULA and licensing agreements do not meet the standards many libraries expect and sometimes require by law.
Developing the technical expertise within the library community to help verify how product and services work in regards to privacy would be great. Or maybe we could even chip in together to hire such exerptise if needed?
LikeLike
I was reading the toolkit last week, and it’s great from a policy standpoint. I agree with you that augmenting it on the technical front would be good, though. I’d definitely love to see the library community hire someone to verify technical privacy protections – it only needs to be done once per software and we can all benefit from it, so doing that at an association level makes a lot of sense!
Anyway, check your email in a few minutes.
LikeLike
FYI, LITA has now officially constituted a patron privacy interest group, thanks to the leadership of Galen Charlton – get in touch with him and see what they’re up to!
LikeLike