Letter from the Executive Director
Last week, it seemed as if the entire U.S. corporate world woke up to the fact that some people, notably Europeans, care about their privacy and that companies should do something about it. What exactly corporations are doing, insofar as one can tell, seems to be modest. Now ubiquitous pop-up banners appear on websites to inform the visitor that the site is using cookies and tracking clicks, regardless of any user desire not to be tracked. Many companies have revised their privacy policies and are sending out confirmation notices to ensure that recipients opt-in to remain on mailing lists. Some companies have set up new privacy-setting pages or have made gestures in the direction of one’s ability to delete, correct or move one’s data. As someone who cares deeply about privacy, I’m pleased about any movement toward greater privacy protections and am thankful for the E.U.’s GDPR rollout.
A few years ago, NISO led a project, with support from the Mellon Foundation, to develop a set of principles related to privacy of library patron data in third-party systems. The resulting NISO Privacy Principles were meant to be a starting point for the community to drive forward conversations about privacy with the software-supplier and publisher communities. The conversations did push several companies toward greater privacy engagement and controls, which, if followed, would make GDPR adoption less onerous. That project also led to subsequent conversations and an ongoing Interest Group within the Research Data Alliance on privacy concerns related to the sharing of research data sets. That project is close to finalizing its recommendations in advance of the next RDA plenary this fall.
Concerns about privacy came up again during the in-person meeting NISO hosted last week on authentication and access control systems in libraries. This meeting was terrific (thanks to all who participated!), with some deep conversations taking place about these critical systems. Of note was a robust conversation among the participants regarding the NISO-STM project on Resource Access in the 21st Century (RA21): the underlying technology that the RA21 project is built upon is the SAML attribute exchange and the supporting identity federation community. This system is not privacy protecting by default, because of the variety of use cases that the system supports (e.g., course-system login). By nature, if a student is accessing one of these systems, the identity system must pass along an individual’s personal information to provide access to the appropriate student-specific information (courses, grades, homework, professor messages, etc.). Since most academic institutions already have this structure in place, it made sense for RA21 to build upon it. However, that does not mean that the RA21 system will require (or even request) such personally-identifiable information. The RA21 project is trying to achieve a very simple goal: to store a patron’s preferred institutional identity provider, such that the login process through SAML services is simpler and less confusing. It is not designed to store personally identifiable information such as user logins, nor is its goal to track individual patrons without their consent. A privacy and security review of the two pilot technologies being considered reported that there was minimal risk to either approach when it came to exposing user data via the RA21 system, basically because the proposed solutions do not store these data. Furthermore, the project’s leadership has agreed to use the GDPR as its guide, but also to incorporate the NISO Privacy Principles in its final framework as well. The specifics still need to be worked out in the drafting of the recommendations. In addition, during her talk at the NISO meeting, Ann West, Associate VP for Trust and Identity at the InCommon Federation, discussed the identity federation badging process which could be used as part of the RA21 recommendation to further limit the practice of attribute sharing by federations when allowing access to library resources.
With kindest regards,