User Privacy and Security Online: The Role of Information Professionals
Ensuring the privacy of library users and providing a safe and secure environment in which to seek and use information resources have always been central values for information professionals, and are encapsulated in guidelines and codes of practice issued by the International Federation of Library Associations (IFLA) and those of library associations around the world. The ability to adhere to these values in day-to-day work, however, is being threatened by the new information environment, in which users use library computers to search for and use information resources online via web search engines, or to access the Internet for other purposes such as online banking, paying bills, or accessing e-government services. In this context, information professionals face new challenges in their endeavors to protect the privacy and security of library users.
Growing threats to the online privacy and security of library users include government monitoring and surveillance of online activity in the name of national security legislation, the collection of personal data by third-party organizations for marketing purposes, and the illegal hacking of online information systems for criminal purposes, as well as the online “footprint” left by information system users which can potentially be seen by library staff, IT specialists, or others with access to the system. The chapter discusses these increasing threats to patron privacy in the online information environment, and identifies what information professionals and library associations can do and are already doing to maximize the privacy and security of users in the new electronic information environment. Three important roles in particular are identified and discussed: promoting digital literacy, which includes ensuring that users understand threats to privacy and take appropriate steps to minimize these when seeking information online; working with IT specialists to develop and implement secure online information systems; and acting as political advocates for the privacy and confidentiality of library users in the face of increasing regulation which potentially contravenes these values. The chapter concludes with a number of key recommendations for ways in which librarians and other information professionals can help maximize the privacy and security of users online, while reconciling this with other important values such as freedom of access to information.
Growing Threats to User Security and Privacy in the Online Information Environment
A diverse range of factors threatens the security and privacy of users when searching and using online services and resources in libraries. These present information professionals with unprecedented challenges to protect users and uphold the key values of the information profession. A review of relevant literature revealed some of the main factors or trends that are presenting new risks to the privacy or security of online library users, as discussed in this section.
First, government surveillance of online activity, ostensibly for purposes of protecting national security or combatting terrorism, has become widespread (Fortier & Burkell 2015; IFLA 2016a). There is often a lack of transparency about this surveillance, with individuals having no idea that their online activities are being monitored. However, this is not a new threat facing libraries; in the United States, surveillance of library users has often been a practice of the FBI for counter-intelligence purposes during times of perceived threats to national security. Matz (2008), for example, refers to the Library Awareness Program of the FBI in the 1980s, which used library records to monitor the reading habits of individuals with Russian or Slavic sounding names. The extent of government surveillance of individuals in the United States and worldwide was also famously revealed by Edward Snowden, the former CIA employee and federal government IT contractor, who in 2013 leaked National Security Agency information about mass online surveillance programs (Clark 2016).
In many countries including the United States since the passing of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), libraries are required to provide detailed information on patron activity if requested to do so under a court order, and to unencrypt this if necessary (Kim 2016). In the face of such legislation and surveillance activities, information professionals can no longer offer the guarantees of privacy and anonymity to library users, which were once possible, especially as users are increasingly using online search engines such as Google over which librarians have little control (Pekala 2017) rather than traditional library databases and catalogues.
Second, as libraries themselves increasingly provide digital services and resources and often collaborate with others in establishing extensive shared electronic networks, this also increases the risks to user privacy and security. A large number of actors are typically involved in establishing and maintaining such networks, often including private vendors, and it becomes more difficult to secure systems or identify when user activity is being monitored by third-party organizations. A major breach of the privacy and security of library users was committed by the company Adobe, which collected data on the activity of individuals who used their Digital Editions 4 (DE4) software to read e-books online. It was reportedly sent in unencrypted form to Adobe, enabling anyone monitoring web traffic to see the information (Gallagher 2014).
Researchers have found that third-party vendors who supply digital content to libraries often have unclear or limited privacy policies which are not of the standard typical of libraries in the past (Klinefelter 2016). Furthermore, cloud-based or Library 2.0 services such as BiblioCommons are increasingly being adopted by libraries. These use new business models in which basic services are provided free of charge to users but which are funded through data-driven advertising which requires the collection of personal data (Zimmer 2017). User activity is tracked and analyzed so that personalized advertising or recommendations can be provided to individuals and used in understanding overall user trends, as described in the “IFLA Statement on the Right to be Forgotten” (IFLA 2016b). In this new business environment, multiple parties collect and share data about online activity for marketing purposes, and may also sell this data to brokers who in turn sell it on to other parties who may use this data for legitimate marketing purposes or for criminal activity (Kim 2016; Pekala 2017). Libraries themselves are increasingly collecting and using information about their users in order to provide personalized recommendations or services tailored to the needs of their target population (Hahn 2017). This sometimes involves interacting with users on social media in ways that may also compromise their privacy.
Breaches of personal data can also occur due to gaps in network security on library systems, when a system becomes infected by a virus, or as a result of users becoming victims of phishing scams (Kim 2016). Third parties with malicious intent might intercept information being transmitted across the Internet, especially when using wireless networks or when this is not fully encrypted (Breeding 2015). It was reported in 2017 that one hacker had breached the security systems of libraries in more than 60 leading universities and other institutions in the United States and the United Kingdom, such as Cornell University, Purdue University, the University of Oxford, and the University of Cambridge (Osborne 2017). The risk of hacking is of particular concern when library users take advantage of the availability of library computers and Internet access to use online services such as banking, e-government, and online shopping or to interact on social media sites (Massis 2017). While in many settings this is contributing to a narrowing of the digital divide between those with Internet access at home and those without, the risks to their security are typically greater in the public library setting.
Overall, these security risks are increasing as new technologies evolve and are adopted by libraries. Hahn (2017), for example, discusses the likely impacts on library users as the Internet of Things (IoT) disrupts technologies currently being used by libraries. In this development, minuscule technologies that gather and transmit data are being embedded in nearly all types of items and devices, even including library books, for example, with benefits such as the ability to track borrowing or personalize recommendations to users. However, this is another development which has implications for user privacy, since individuals often have no idea that their activities are being monitored by new interconnected technologies, and for user security, since the developments also often increase the potential for malicious hacking. Privacy and security become more difficult for libraries to protect due to the many third-party tools and service providers typically involved in the interconnected systems comprising the IoT (Halin 2017).