Comments and links from the WebEx chat, Virtual Meeting, May 21, 2015

 
05/21/2015    09:52:56 AM    from NISO HQ to All Panelists:
Panelists (those speaking), be sure you have dialed in on the telephone and please also mute your computer (the audio broadcast seems to start automatically we don't want the sound to circle back into your phone).  Thank you.
 
05/21/2015    09:58:06 AM    from NISO HQ to All Panelists:
and if you are not speaking, good idea to mute your phone to cut down on background noise. (the phone line can be muted/unmuted via *6/#6) 
 
05/21/2015    10:07:45 AM    from Christopher Harris to All Participants:
Christopher Harris - Director of the School Library System for the Genesee Valley Educational Partnership and ALA Fellow for Youth and Technology Policy Issues with the ALA Office for Information Technology Policy
 
05/21/2015    10:08:37 AM    from Eric Hellman to All Participants:
I'm Eric Hellman, member of the steering committee. I run Unglue.it, and I've been writing and speaking on privacy issues. See http://go-to-hellman.blogspot.com/
 
05/21/2015    10:08:52 AM    from Abigail Wickes to All Panelists:
Hi all! My name is Abigail Wickes, and I'm an MLS who ended up in publishing--I'm a marketing analyst at Oxford University Press.
 
05/21/2015    10:09:12 AM    from Peter Murray to All Participants:
Peter Murray - assistant director for technology services development at LYRASIS. Also co-chair of the NISO discovery-to-delivery topic 
committee.  http://dltj.org/about
 
05/21/2015    10:09:13 AM    from Andrew Pace to All Panelists:
Andrew Pace from OCLC here, interested in ensuring privacy in cloud-based discovery and management services.
 
05/21/2015    10:09:17 AM    from NISO HQ to All Participants:
Tomer Shemesh- Ex Libris Security Officer 
 
05/21/2015    10:09:23 AM    from Mike Robinson to All Participants:
Mike Robinson, University of Alaksa Anchorage, ALA Intellectual Freedom, Privacy Chair
 
05/21/2015    10:09:25 AM    from gary price to All Participants:
Gary Price, Editor of LJ's  infoDOCKET, Librarian, Managing Editor of NISO Info Standards Quarterly and NISO Newsline
 
05/21/2015    10:09:41 AM    from Rich Entlich to All Participants:
I'm Rich Entlich from the Cornell University Library. My title is Collection Analyst and I spend a lot of my time gathering, analyzing, and reporting on library use data for a variety of resource types.
 
05/21/2015    10:10:15 AM    from Michael Zimmer to All Participants:
Michael ZImmer - Associate Professor in the School of Information Studies at the University of Wisconsin-Milwaukee, and Director of the Center for Information Policy Research. Broad research focus on privacy, information ethics, libraries and privacy... http://www.michaelzimmer.org/
 
05/21/2015    10:10:33 AM    from Kyan Chuong to All Participants:
Hi, my name is Kyan Chuong. I'm a librarian at the National Library of Medicine.
 
05/21/2015    10:10:45 AM    from Karen Wetzel to All Panelists:
Karen Wetzel, Program Manager for the EDUCAUSE Center for Analysis and Research. Interested in the how privacy issues interplay across campus (analytics, cloud, mobility, student systems, etc.) and the various players that need to be involved to ensure privacy rights (e.g., libraries, IT, admin, etc.).
 
05/21/2015    10:10:45 AM    from Deborah Caldwell-Stone to All Participants:
Deborah Caldwell-Stone, Deputy Director, ALA Office for Intellectual Freedom; I work with librarians, admins  and trustees on privacy policy and law issues related to patron privacy
 
05/21/2015    10:11:07 AM    from Laura Quilter to All Panelists:
This is Laura Quilter, Copyright & Information Policy Librarian / Attorney at UMass Amherst. 
 
05/21/2015    10:19:02 AM    from N Lagace to Host (privately):
Prue Adler from ARL here. Looking forward to this conversation. - Prue
 
05/21/2015    10:19:41 AM    from NISO HQ to All Participants:
hashtag on twitter is #NISOPrivacy
 
05/21/2015    10:20:32 AM    from NISO HQ to All Participants:
from Shlomo Sanders: I am the Ex Libris CTO. We spend a lot of time and effort on security and privacy of data, especially Personal Information. 
 
05/21/2015    10:20:57 AM    from NISO HQ to All Participants:
Daniel Ayala, Director of Global Information Security & Privacy for ProQuest.  I am on the Steering Committee for this project.  I am relatively new to the Library and Information space, but have a 20 year history in user and data privacy and technology.
 
05/21/2015    10:21:53 AM    from NISO HQ to All Participants:
Hello all. I'm Lisa Hinchliffe, Professor and Coordinator for Info Lit in the University Library Admin at U of Illinois Urbana. Serving on the NISO committee, my interest is library's developing policies and practices that reflect current data realities, build services that can only be created with data streams, and protect and manage the data appropriately. I'm also on the Privacy Policy Implementation Team at UIUC LIbrary.
 
05/21/2015    10:22:22 AM    from NISO HQ to All Participants:
Emily Morton-Owens, Seattle Public Library. Interested in technical solutions to promote privacy and data warehousing. Will once again start this session over breakfast & log out for a bit to get to the office.
 
05/21/2015    10:23:34 AM    from NISO HQ to All Participants:
Marshall Breeding -- Consultant, member of steering committee, with a general interest in library technologies and have recently done some writing and speaking on the topic of the privacy and security of library systems.
 
05/21/2015    10:23:35 AM    from Abigail Wickes to All Participants:
(again to all participants) Hi all! My name is Abigail Wickes, and I'm an MLS who ended up in publishing--I'm a marketing analyst at Oxford University Press.
 
05/21/2015    10:24:00 AM    from Lori Ayre to All Participants:
Lori Ayre, Technology Consultant with The Galecia Group.  I work with libraries to do software (ILS and resource sharing) procurements (as well as RFID and automated materials handling). 
 
05/21/2015    10:24:27 AM    from NISO HQ to All Participants:
Hi -- I'm Kathryn Harnish, Director of Product Management for the Library Services Platform (aka Intota) at ProQuest.
 
05/21/2015    10:24:54 AM    from NISO HQ to All Participants:
Hi, Cliff Lynch here. I'm the director of the Coalition for Networked Information. Recently, have been spending a good deal of time on reader privacy issues in the networked world.
 
05/21/2015    10:25:57 AM    from NISO HQ to All Participants:
Hey there. I'm Bonnie Tijerina, a fellow at Data & Society where I'm looking at data privacy literacy in libraries and how libraries might be able to support big data researchers navigate complex ethical issues during their research.
 
05/21/2015    10:26:29 AM    from NISO HQ to All Participants:
Hi I'm Bobbi Newman, librairan, blogger, phd student, loudly challening the assertion that privacy is dead for years, http://librarianbyday.net
 
05/21/2015    10:26:37 AM    from Lisa Hinchliffe to All Participants:
I'm without phone today
 
05/21/2015    10:26:55 AM    from Lisa Hinchliffe to All Participants:
But, I think the desire was for more nuance 
 
05/21/2015    10:27:13 AM    from Lisa Hinchliffe to All Participants:
in the dialogue between collecting data and privacy protections
 
05/21/2015    10:27:26 AM    from Lisa Hinchliffe to All Participants:
Seemed a bit separated in the discuss. Silo'd
 
05/21/2015    10:28:41 AM    from Lisa Hinchliffe to All Participants:
I think the lightening talks today are going to help us bring these together. We're finding our way ... last time was groundwork and today I think we can go deeper.
 
05/21/2015    10:28:49 AM    from Mike Robinson to All Participants:
another nuance about data collection would be between the library collecting data and vendor or 3rd party data collection
 
05/21/2015    10:29:06 AM    from Roger Schonfeld to All Participants:
Hi everyone, I'm Roger Schonfeld, the director of Ithaka S+R's program on Libraries and Scholarly Communication. I've been focusing quite a bit recently on opportunities to personalize discovery services for researchers. I've been thinking about how libraries distingiush themselves in a competitive environment for providing many of their services. 
 
05/21/2015    10:29:10 AM    from NISO HQ to All Participants:
Lori Ayre, Technology Consultant with The Galecia Group.  I work with libraries to do software (ILS and resource sharing) procurements (as well as RFID and automated materials handling).  Privacy always an issue on the software procurements - also the RFID.
 
05/21/2015    10:39:09 AM    from gary price to All Participants:
Variations on what ALA is stating seen in one form or another in many other library assoc ethics statements from around the globe. 
 
05/21/2015    10:39:10 AM    from gary price to All Participants:
http://www.ifla.org/faife/professional-codes-of-ethics-for-librarians#nationalcodes
 
05/21/2015    10:40:23 AM    from gary price to All Participants:
Oregon State University’s Library Web Site Hacked, Comment from University Librarian
 
05/21/2015    10:40:28 AM    from gary price to All Participants:
http://www.infodocket.com/2015/05/19/oregon-state-universitys-library-web-site-hacked/
 
05/21/2015    10:41:00 AM    from Deborah Caldwell-Stone to All Participants:
The Privacy Interpretation of the Library Bill of Rights elaborates on the ethical responsibilities of libraries/librarians:http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy
 
05/21/2015    10:41:09 AM    from gary price to All Participants:
usiness Research: St. Louis Federal Reserve Research Site Hacked  http://www.infodocket.com/2015/05/21/business-research-st-louis-federal-reserve-research-site-fred-hacked/
 
05/21/2015    10:41:09 AM    from Christopher Harris to All Participants:
Interesting read on the shady business behind data breaches - are they all real or are some just shakedowns for cash? http://www.theverge.com/2015/5/19/8622631/labmd-data-breach-tiversa-security-ftc-lawsuit
 
05/21/2015    10:42:20 AM    from Shlomo Sanders to All Participants:
Looks like good company on the list!
 
05/21/2015    10:42:57 AM    from Rich Entlich to All Participants:
Some privacy policies are codified in state law. In New York:
 
05/21/2015    10:43:28 AM    from gary price to All Participants:
Hackers Breached Wyoming’s Statewide Catalog “WYLDCat” in Early October 2014   http://www.infodocket.com/2014/11/10/hackers-breached-wyomings-wyldcat-catalog-in-early-october/
 
05/21/2015    10:43:43 AM    from Rich Entlich to All Participants:
New York Civil Practice Law 
New York State, Laws of New York, Consolidated Laws, Civil Practice Law and Rules § 4509
http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAWS+&QUERYDATA=$$CVP4509
§ 4509. Library records. Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise requ
 
05/21/2015    10:43:59 AM    from Andrew Asher to Host (privately):
IMO we should work under the assumption that data will always eventually be breached, either by illigitimate or legitimate actors
 
05/21/2015    10:44:11 AM    from Christopher Harris to All Participants:
Don't forget that for school libraries, federal law (FERPA) trumps state law and ALA bill of rights as library records are student records. introduces an interesting point of conflict
 
05/21/2015    10:45:07 AM    from Rich Entlich to All Participants:
Last sentence was truncated.  Should end: required by statute.
 
05/21/2015    10:45:32 AM    from gary price to All Participants:
Btw, a tool called Cookie Cadger (I demoed this at CNI) make unencryted data including search strategies easily viewable and tied directly to 
the MAC address of the device requesting it. It's free tool.  Works with wi-fi or Ethernet. 
 
05/21/2015    10:45:39 AM    from Mike Robinson to All Participants:
Licenses/TOS also have implications for copyright/fair use
 
05/21/2015    10:46:08 AM    from Deborah Caldwell-Stone to All Participants:
Actually, FERPA complements, and does not trump, state library confidentiality laws that address school libraries (not all states include K-12 school libraries in their library privacy statutes)
 
05/21/2015    10:46:10 AM    from NISO HQ to All Participants:
From Cliff Lynch: I worry a lot about the rhetoric of "data breeches", which sounds like a cyberspace bank robbery -- the robbers come in and grab stuff and run off. The even more serious problem, I'd suggest, may be extensive long term undetected compromise, where you have people (including other nation-states, potententially) roaming around for literally years undetected. And you're never really sure you've fully regained control of your systems. Examples: check out what happened to Penn State Engineering (announced a few days ago), or the Sony case. 
 
05/21/2015    10:47:05 AM    from gary price to All Participants:
Adobe was doing this and corrected it. ALA wrote a news release (as they should have) scolding Adobe. However, the news release did NOT that many library systems and services were doing the same thing all day, everyday and they continue to do it. 
 
05/21/2015    10:47:16 AM    from Bobbi Newman to All Participants:
even if it was just sloppy coding it highlights the importance of libraries questioning what data we are allowing vendors to collect about patrons
 
05/21/2015    10:47:24 AM    from gary price to All Participants:
"did not mention"
 
05/21/2015    10:48:01 AM    from Shlomo Sanders to All Participants:
First step is that ALL DATA SHOULD BE ENCRYTPED SENT/RECEIVED OVER THE INTERNET
 
05/21/2015    10:48:40 AM    from Laura Quilter to All Participants:
The OA's practice is not unique among libraries; just uncommon among social media sites.
 
05/21/2015    10:48:56 AM    from Hadrien Gardeur to All Participants:
Encryption is only part of the problem for Adobe, they were also collecting data that they don't need to collect for their DRM to work properly
 
05/21/2015    10:48:57 AM    from Lori Ayre to All Participants:
Appropos of this, EFF shows Internet Archive as someone "who has our backs."  https://www.eff.org/who-has-your-back-2014
 
05/21/2015    10:49:04 AM    from NISO HQ to All Participants:
sorry, this is the comment from Andrew Asher: IMO we should work under the assumption that data will always eventually be breached, either by illigitimate or legitimate actors
 
05/21/2015    10:50:00 AM    from Bobbi Newman to All Participants:
I question of these possible improvements are worth abandoning a core tenet of librarianship
 
05/21/2015    10:50:40 AM    from Andrew Asher to All Participants:
I also really question user's actual desire for many of these services
 
05/21/2015    10:51:03 AM    from Bobbi Newman to All Participants:
I agree Andrew
 
05/21/2015    10:51:07 AM    from Lisa Hinchliffe to All Participants:
Bobbi - why do you say abondoning. We have always had records of things that are checked out. That is a place we trade off privacy for service quality. 
 
05/21/2015    10:51:10 AM    from Shlomo Sanders to All Participants:
Most of the analytics needed can be done using 100% anonymized data.
 
05/21/2015    10:51:27 AM    from Bobbi Newman to All Participants:
you cannot 100% anonymze data
 
05/21/2015    10:51:28 AM    from Laura Quilter to All Participants:
Users on Facebook using GoodReads are manifesting a very significant interest in social data sharing. 
 
05/21/2015    10:51:56 AM    from gary price to All Participants:
Shlomo, it has been shown many times that with enough anonymized data it's possible to identify someone. 
 
05/21/2015    10:52:53 AM    from Lisa Hinchliffe to All Participants:
Encrypted and anonymized are still best practices to limit data exposure. Even if doesn't guarantee no breach. Right?
 
05/21/2015    10:53:09 AM    from Bobbi Newman to All Participants:
Lisa - not always. Not tired to patron records. 
 
05/21/2015    10:53:12 AM    from Peter Murray to All Participants:
One such report on how anonymizing data sets:  Credit Card Data Is Less Anonymous Than You Think | MIT Technology Review http://www.technologyreview.com/article/536501/data-sets-not-so-anonymous/
 
05/21/2015    10:53:36 AM    from Mike Robinson to All Participants:
transparency is most important, then permission, then encyrption/protection
 
05/21/2015    10:53:55 AM    from Lisa Hinchliffe to All Participants:
Bobbi - really, there are libraries that don't keep records of what someone has checked out? 
 
05/21/2015    10:54:10 AM    from Shlomo Sanders to All Participants:
Detailed anonyimized logs is definetly a problem. But once it turns into analytics (e.g. Journal X used Y times) you cannout backtrack to the orginal user.
 
05/21/2015    10:54:23 AM    from Peter Murray to All Participants:
Mike: agree that all are important.  Would want to think more about the priority order.
 
05/21/2015    10:54:36 AM    from Bobbi Newman to All Participants:
Lisa - yes absolutely. And they should not be keeping records unless patrons have opted-in
 
05/21/2015    10:55:25 AM    from Lisa Hinchliffe to All Participants:
Bobbi - I'm talking about records of what is checked out while it is checked out. 
 
05/21/2015    10:55:35 AM    from Christopher Harris to All Participants:
In schools, parents don't have a right to opt-out of record keeping of patron checkouts
 
05/21/2015    10:55:39 AM    from gary price to All Participants:
Mike: 100% agreement. The example of transparancy that I have talked about for years. OverDrive and Amazon. Are we transparent: 
 
05/21/2015    10:55:50 AM    from gary price to All Participants:
Adding Transparency to the Ebook Transaction
 
05/21/2015    10:55:58 AM    from gary price to All Participants:
http://www.infodocket.com/2013/06/25/adding-transparency-to-the-ebook-transaction/
 
05/21/2015    10:56:08 AM    from Christopher Harris to All Participants:
This is a point where the dicsusion needs to diverge....schools (and universitites to some extent) have different requirements based on FERPA
 
05/21/2015    10:56:10 AM    from Shlomo Sanders to All Participants:
I would say, not to keep any patron level data unless needed for functionality (e.g. you need to know who loaned a book until it is returned. In analytics the orginal anaonymized records could be around for as little as a few minutes or a day.
 
05/21/2015    10:56:13 AM    from Bobbi Newman to All Participants:
Lisa - oh, yes that. but it should be purged after returned
 
05/21/2015    10:56:44 AM    from Shlomo Sanders to All Participants:
Exactly right. same thing exactly for usage data for analytics.
 
05/21/2015    10:56:59 AM    from Laura Quilter to All Participants:
Let's hear it for fair use. 
 
05/21/2015    10:57:13 AM    from Mike Robinson to All Participants:
depends, if patron wants to track their reading history they should be able to
 
05/21/2015    10:57:14 AM    from Christopher Harris to All Participants:
There is legitimate need to keep student checkout data to chart progress of that student's growth as a reader
 
05/21/2015    10:57:27 AM    from Lisa Hinchliffe to All Participants:
Bobbi - that's my point, while it is checked out - libraries limit privacy in order to provide service. So, this is about defining balance between service and privacy. Privacy is not always the winner in between the two.
 
05/21/2015    10:57:49 AM    from Christopher Harris to All Participants:
So why would we want to set a principle for all libraries that eliminates the needs of schools? 
 
05/21/2015    10:57:58 AM    from Hadrien Gardeur to All Participants:
Part of the problem comes from integrated/vertical solutions that can aggregate a lot of data (browsing, circulation, how people read etc.) too
 
05/21/2015    10:58:28 AM    from Bobbi Newman to All Participants:
That is a distinctly different kind of service. In order to allow access to materials it is necessary. the potential "improvement" of services or data colllection is completely different 
 
05/21/2015    10:58:35 AM    from gary price to All Participants:
It has been my experience that many librarians on the FRONT LINES need to learn more about what is going. We need to teach our colleagues about these issues. Without their understanding and help what we want to do will be minimized. 
 
05/21/2015    10:58:47 AM    from Hadrien Gardeur to All Participants:
having more loosely integrated systems, where one can control the flow and nature of data exchange would minimize exposure
 
05/21/2015    10:58:49 AM    from Shlomo Sanders to All Participants:
"There is legitimate need to keep student checkout data to chart progress of that student's growth as a reader" - Good example. There are a bunch of similar scenarios which are even more extreme.
 
05/21/2015    10:59:14 AM    from Lisa Hinchliffe to All Participants:
Bobbi - great so that is a principle we could explore ... "to allow access to materials it is necessary" ... so, we can then explore whether that is true in other places
 
05/21/2015    10:59:22 AM    from Bobbi Newman to All Participants:
Gary - yes I agree and recent convo's about this initiative has reflected that 
 
05/21/2015    10:59:44 AM    from Christopher Harris to All Participants:
school and academic libraries have every right to track checkout and usage information to help develop collections. There is no need to ask patrons. It is the right of the school to make this decision under FERPA
 
05/21/2015    11:00:18 AM    from Christopher Harris to All Participants:
There is every right under FERPA to compare student use of library materials and their academic performance. 
 
05/21/2015    11:00:26 AM    from Bobbi Newman to All Participants:
maybe we should be questionng that "right"
 
05/21/2015    11:00:39 AM    from Christopher Harris to All Participants:
Revisiting federal law might be a bit above our pay grade
 
05/21/2015    11:00:51 AM    from Christopher Harris to All Participants:
you can dislike it, but it is a law
 
05/21/2015    11:01:03 AM    from David King to All Panelists:
CHris - public libraries do that too
 
05/21/2015    11:01:28 AM    from Peter Murray to All Participants:
ISO/IEC 27018:2014  Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498
 
05/21/2015    11:01:36 AM    from Christopher Harris to All Participants:
Libraries can take a stand, but when the parent organization (school, univerisity, etc) says we are using library data as is our right....have fun fighting the place that employs you
 
05/21/2015    11:01:52 AM    from Lisa Hinchliffe to All Participants:
So, what the law allows creates scope but principles might be more nuanced that "whatever the law allows"? (I think this is a good example of what I think data should be used for - but I don't like relying on "the law" as the defining of scope)
 
05/21/2015    11:02:06 AM    from Bobbi Newman to All Participants:
Again, this should be big picture, a SHOULD, not what individual institutions do 
 
05/21/2015    11:02:44 AM    from Christopher Harris to All Participants:
Creating principlies that don't work in the real world sounds like it may not be ultimiately effective
 
05/21/2015    11:02:44 AM    from Bobbi Newman to All Participants:
Lisa - agreed. There are, and have been, plenty of bad laws
 
05/21/2015    11:02:59 AM    from Peter Murray to All Participants:
Preview ISO/IEC 27018:2014 https://www.iso.org/obp/ui/#!iso:std:61498:en
 
05/21/2015    11:03:27 AM    from Deborah Caldwell-Stone to All Participants:
If statutes impose a legal duty to protect user data from third party disclosure, , the institution cannot evade those duties.
 
05/21/2015    11:03:35 AM    from Lisa Hinchliffe to All Participants:
I think we should distinguish aspirations from functional principles. We already have a statement on walues. But, those values compete  - e.g. privacy and service provision. Principles could help negotiate the tensions.
 
05/21/2015    11:03:41 AM    from Mike Robinson to All Participants:
we have principles around privacy, we are trying to come up with practices that respect those principles but allow personalization, analytics, etc
 
05/21/2015    11:04:09 AM    from Christopher Harris to All Participants:
I think going the way of the new Hague Declaration might be better - acknowledge that data use is going to happen and focusing on ethical use of such - http://thehaguedeclaration.com/the-hague-declaration-on-knowledge-discovery-in-the-digital-age/
 
05/21/2015    11:04:50 AM    from Lisa Hinchliffe to All Participants:
And, when it comes to adult library users at least, I should get to decide about data collection - I am irritated by paternalistic policies that turn off functions in systems that as a user I would like to benefit from. E.g., books I have checked out. I value Amazon telling me "you bought this"
 
05/21/2015    11:05:02 AM    from Eric Hellman to All Participants:
Bobbi (and others), should libraries be allowed to use Google Analytics on their websites?
 
05/21/2015    11:05:04 AM    from gary price to All Participants:
In 2011 California passed a reader privacy law focused on ebooks. While the Amazon/OverDrive relationship might not be illegal (I'm not a lawyer) is it against the spirit of the law, what's intended. Btw, we don't even tell users HOW TO remove the data from Amazon's servers. Why not? 
 
05/21/2015    11:05:12 AM    from gary price to All Participants:
https://www.eff.org/press/archives/2011/10/03
 
05/21/2015    11:05:13 AM    from David King to All Participants:
Chris - agreed. anonymized patron/customer data is simply how businesses and organizations work. Can't make a buck/improve a service if you don't know who's using it, what gets checked out more, etc
 
05/21/2015    11:05:20 AM    from Christopher Harris to All Participants:
Lisa: maybe at a public library, but not for academic libraries
 
05/21/2015    11:05:44 AM    from Peter Murray to All Participants:
Christopher: Nice link on the Hague Declaration. Thank you.
 
05/21/2015    11:05:46 AM    from Lisa Hinchliffe to All Participants:
Chris - which comment does this go with?
 
05/21/2015    11:05:47 AM    from Daniel Ayala to All Participants:
I think LIdsa brings up a good point - there is a difference between what patrons want from a services and data perspective vs. what the information industry thinks they should have / not have for their own good
 
05/21/2015    11:05:50 AM    from Christopher Harris to All Participants:
And I agree with david that public libraries probably have a right to analyze their service provision to improve it
 
05/21/2015    11:06:10 AM    from Christopher Harris to All Participants:
Lisa: The idea of an adult being able to decide if data is collected
 
05/21/2015    11:06:18 AM    from Shlomo Sanders to All Participants:
And why not academic libraries? 
 
05/21/2015    11:06:43 AM    from Laura Quilter to All Participants:
Agreeing with Christopher Harris about ethical uses of data. 
 
05/21/2015    11:06:43 AM    from Christopher Harris to All Participants:
Lisa: because acadmic libraries involve student records and FERPA allows them to be collected. Students can review it, but not say that you cannot collect the data
 
05/21/2015    11:07:08 AM    from Lisa Hinchliffe to All Participants:
Gary - I'm not sure why you think we don't tell users how to remove their data. 
 
05/21/2015    11:07:44 AM    from Lisa Hinchliffe to All Participants:
Chris - why don't you think that applies for an academic library?
 
05/21/2015    11:07:49 AM    from Laura Quilter to All Participants:
Responding to Bobbi's point about competition. We may not want to "compete" per se, but from the users' perspectives, we are offering related or similar services. If we want to distinguish ourselves on the basis of privacy, then we need, as Todd says, to educate users that that is what they're getting from us. 
 
05/21/2015    11:07:51 AM    from Karen Wetzel to All Participants:
Perhaps it's not about competition, but there is interest in this data from multiple parties. We need to be able to come to common terms about privacy protection, data retention, etc.
 
05/21/2015    11:08:23 AM    from David King to All Participants:
I'd say there's very real competition with libraries and other services
 
05/21/2015    11:08:34 AM    from Christopher Harris to All Participants:
library records at a university library are student records under FERPA
 
05/21/2015    11:09:03 AM    from Laura Quilter to All Participants:
The library community *SHOULD* view itself as in competition w/ Google for discovery. We absolutely are. Every time we look at our users they are using Google before WorldCat/library discovery, MASSIVELY. 
 
05/21/2015    11:09:04 AM    from Eric Hellman to All Participants:
Many libraries seem to have no clue how much they've already compromised.
 
05/21/2015    11:09:08 AM    from Mike Robinson to All Participants:
agree with karen, useful to come up with standard way to describe elements of privacy protection, etc.
 
05/21/2015    11:09:11 AM    from gary price to All Participants:
Again, what are we doing (and isn't this essential) to EXPLAIN to users, staff, community leaders, etc. WHAT IS GOING ON with what they do. Why are WE NOT TRANSPARENT? To me this is most disturbing.  THE library world wants others to be transparent but we are not ourselves. 
 
05/21/2015    11:09:15 AM    from Deborah Caldwell-Stone to All Participants:
True informed consent/transparency about data use and data flows is essential 
 
05/21/2015    11:09:19 AM    from Lisa Hinchliffe to All Participants:
Chris - yes. FERPA doesn't require data collection though. Just allows. it.
 
05/21/2015    11:10:06 AM    from Christopher Harris to All Participants:
Right...allows it. But the library is likely not going to make that final decision in all situations. If the university itself says you need to collect this so we can make data-driven decisions are you ready to resign in protest?
 
05/21/2015    11:10:07 AM    from Lisa Hinchliffe to All Participants:
Chris - so that is my point. Why are we making it so systems DON'T allow users to access their history?
 
05/21/2015    11:10:45 AM    from Christopher Harris to All Participants:
Wait, I think we agree.
 
05/21/2015    11:10:52 AM    from Lisa Hinchliffe to All Participants:
Chris - I'm advocating that we let users in academic libraries opt-in to collecting it. 
 
05/21/2015    11:11:01 AM    from Bobbi Newman to All Participants:
OK I can't keep up with chat and listen to conversation that is happening and think. Apologies, but I'm bowing out of chat. Please feel free to email directly if you'd like to discuss something I said further bobbi.newman@gmail.com
 
05/21/2015    11:11:10 AM    from Shlomo Sanders to All Participants:
Opt out would be more practical
 
05/21/2015    11:12:08 AM    from Lisa Hinchliffe to All Participants:
Chris - And, I think it would be good for library service provision to use the data collectively. I'm interested in principles so we manage and protect user data rather than refusing to collect (or worse, collect and/or let others and then don't use!)
 
05/21/2015    11:12:13 AM    from Laura Quilter to All Participants:
Users are sharing their data in any way they can. They may not understand the full implications of that, and they may value "privacy" abstractly when they do, but they are making choices to share data al the time.  
 
05/21/2015    11:13:14 AM    from Christopher Harris to All Participants:
lisa - yes..we need to use the data because it is going to be used with our without our consent anyway. we are holding ourselves back I worry
 
05/21/2015    11:15:07 AM    from Mike Robinson to All Participants:
are libraries willing to pay vendor(s) for web analytics that protect privacy?
 
05/21/2015    11:15:14 AM    from Lisa Hinchliffe to All Participants:
My view is - the data exists. It all goes through the campus network. Campus IT has it. 
 
05/21/2015    11:15:24 AM    from Karen Wetzel to All Participants:
We also should consider -- going back to what Todd said about what services we might be able to provide -- how we may be failing our users if we don't use analytics to improve services.
 
05/21/2015    11:15:36 AM    from Andrew Asher to All Participants:
Just because ppl are sharing data doesn't abdicate our responsibility as educators and researchers to protect our students/subjects
 
05/21/2015    11:15:42 AM    from Mike Robinson to All Participants:
if you encrypt with https IPS/campus IT does not have it
 
05/21/2015    11:16:17 AM    from Deborah Caldwell-Stone to All Participants:
Is the solution legal & ethical controls on the use of patron use data that extend to third party vendors
 
05/21/2015    11:16:24 AM    from Lisa Hinchliffe to All Participants:
Definitely does not Andrew! Which is why we need to focus on protecting/managing not just saying "it's wrong to collect it!"
 
05/21/2015    11:16:27 AM    from Karen Wetzel to All Participants:
Agree with Andrew. We need to balance use of and sharing of data with our responsibility for privacy protection
 
05/21/2015    11:16:39 AM    from Peter Murray to All Participants:
That is coming up in my lightning talk...
 
05/21/2015    11:17:25 AM    from Laura Quilter to All Participants:
Debroah Caldwell-Stone -- Yes, I think that's the solution. Establishg standards of use, that enables exploration of technologies but establishes practices not going beyond intended uses. This is basic Fair Information Practice Principles, that we have never fully implemented!
 
05/21/2015    11:17:46 AM    from Andrew Asher to All Participants:
I'm not saying its wrong to collect it, but a risk benefit analysis should be done in advance
 
05/21/2015    11:18:00 AM    from Andrew Asher to All Participants:
Also, consent 
 
05/21/2015    11:18:45 AM    from Lisa Hinchliffe to All Participants:
Agreed on risk/benefit - not sure "consent" is the right model to import. But, certainly useful approach to "think with"
 
05/21/2015    11:19:48 AM    from Andrew Asher to All Participants:
This is a basic tenent of research ethics, and this is really what we're doing.  For me informed consent is a huge problem in lib data collection
 
05/21/2015    11:19:51 AM    from Shlomo Sanders to All Participants:
You can make the chat window bigger :)
 
05/21/2015    11:19:58 AM    from Lisa Hinchliffe to All Participants:
One problem with importing "consent" from IRB/research world is that research subjects don't get benefit of experience of resarch protocol if they don't consent. In library world, they should still get benefit? 
 
05/21/2015    11:20:34 AM    from Lisa Hinchliffe to All Participants:
I get the benefits of the "consent" model but I'm bothered by other aspects of it.
 
05/21/2015    11:20:36 AM    from Peter Murray to All Participants:
A discourse.org site!  (piped into e-mail for those that choose)
 
05/21/2015    11:20:49 AM    from Deborah Caldwell-Stone to All Participants:
See new MO law extending duty to protect patron data to vendors: http://www.moga.mo.gov/mostatutes/stathtml/18200008171.html
 
05/21/2015    11:21:06 AM    from Andrew Asher to All Participants:
PPl should have a choice-- that's the informed part
 
05/21/2015    11:21:39 AM    from Lisa Hinchliffe to All Participants:
Right, but if they choose NO then deny access to service/collection/etc.? 
 
05/21/2015    11:21:55 AM    from Lisa Hinchliffe to All Participants:
Like we would deny them access to say, a medical protocol that is being tested?
 
05/21/2015    11:22:22 AM    from Andrew Asher to All Participants:
This is precisely the problem, there isn't an alternative, so the data collection is potentially coercive
 
05/21/2015    11:22:37 AM    from NISO HQ to All Participants:
To size-up the chat window, you can click on the triangle next to the Participants list, which will minimize that section and the chat section will maximize to fill the space.  Same applies for Q&A.
 
05/21/2015    11:22:38 AM    from Lisa Hinchliffe to All Participants:
So then no one can have the service?
 
05/21/2015    11:22:50 AM    from Christopher Harris to All Participants:
Deborah: so the vendor can use all the data they want to do whatever they want with it as long as they don't release it to anyone else? And they would likely be fully allowed to "anonymize" the data and sell it off under the law?
 
05/21/2015    11:23:29 AM    from Shlomo Sanders to All Participants:
Not the vendor! The vendor makes the data availabile for use by the library.
 
05/21/2015    11:23:31 AM    from Andrew Asher to All Participants:
Lisa--no, people should be able to opt-out
 
05/21/2015    11:23:37 AM    from Deborah Caldwell-Stone to All Participants:
No sharing or third party disclosure of patron data absent patron consent or presentation of a court order
 
05/21/2015    11:23:59 AM    from Christopher Harris to All Participants:
Define "patron data"
 
05/21/2015    11:24:11 AM    from Christopher Harris to All Participants:
A scrubbed list of the most checked out books is not patron data I imagine
 
05/21/2015    11:24:40 AM    from Lisa Hinchliffe to All Participants:
How does that work Andrew when the service cannot be provided w/o data collection/use? Opt-out of data collection means you don't get the service!
 
05/21/2015    11:25:02 AM    from Christopher Harris to All Participants:
So the vendor could sell a list of rising hot books to a book store chain or publishers? Could sell a list of most searched terms for fiction genres? 
 
05/21/2015    11:25:08 AM    from Andrew Asher to All Participants:
Design better services-- we're talking broad principles right :) 
 
05/21/2015    11:25:30 AM    from Deborah Caldwell-Stone to All Participants:
"any document, record, or other method of storing information retained, received or generated by a library that identifies a person or persons as having requested, used, or borrowed library material, and all other records identifying the names of library users" per MO law
 
05/21/2015    11:25:45 AM    from Tomer Shemesh to All Participants:
PII (personal identifier information) consider patron data
 
05/21/2015    11:25:57 AM    from Christopher Harris to All Participants:
so delete the patron field and boom...its all legal to use and sell
 
05/21/2015    11:26:03 AM    from Lisa Hinchliffe to All Participants:
"better" excluding any then that are personalized. :) 
 
05/21/2015    11:26:25 AM    from Andrew Asher to All Participants:
Better as in give me a choice to have/not have personalization 
 
05/21/2015    11:27:06 AM    from Lisa Hinchliffe to All Participants:
Ah, you are conceptualizing that there is a service that can be used in two modes - personalized/not personalized.
 
05/21/2015    11:27:07 AM    from Andrew Asher to All Participants:
As a researcher, I actually do not want any personalization in my search systems--it introduces bias 
 
05/21/2015    11:27:45 AM    from Lisa Hinchliffe to All Participants:
There is always bias. Q is if it is useful bias. 
 
05/21/2015    11:27:59 AM    from Deborah Caldwell-Stone to All Participants:
And, per "Privacy: An Interpretation of the Library Bill of Rights: "Confidentiality extends to “information sought or received and resources consulted, borrowed, acquired or transmitted”, including, but not limited to: database search records, reference questions and interviews, circulation records, interlibrary loan records, information about materials downloaded or placed on “hold” or “reserve,” and other personally identifiable information about uses of library materials" programs, facilities, or services.
 
05/21/2015    11:29:00 AM    from Andrew Asher to All Participants:
Of course-- but "useful" is a matter of interpretation
 
05/21/2015    11:29:12 AM    from Lisa Hinchliffe to All Participants:
Another problem with "consent" model on library resources is that could leave impression that library is only data collection. Campus IT, for example, is also collecting - so even if opt-out of library, user still being tracked in some way.
 
05/21/2015    11:30:17 AM    from Andrew Asher to All Participants:
Again, I don't see how other units questionable data collection practices make it ok for my unit 
 
05/21/2015    11:30:37 AM    from Lisa Hinchliffe to All Participants:
That isn't my argument. 
 
05/21/2015    11:30:45 AM    from Karen Wetzel to All Participants:
Need to consider how library data is being integrated into student success systems and predictive analytics, too. As Lisa notes, libraries are just one source of student data, and increasingly the lines between sources are getting blurred as data from multiple sources are being integrated into these larger data sets/systems.
 
05/21/2015    11:31:40 AM    from Andrew Asher to All Participants:
Yes, this problem goes beyond library
 
05/21/2015    11:32:39 AM    from gary price to All Participants:
Deborah..re: "information sought or received and resources consulted, borrowed, acquired or transmitted..." Isn't a library (via OverDrive) sharing confidential data with a third party (Amazon)?              
 
05/21/2015    11:33:02 AM    from gary price to All Participants:
to be clear, a library user via a library. 
 
05/21/2015    11:33:07 AM    from Mike Robinson to All Participants:
libraries on campus don't control/mandate copyright per se but are viewed as authority on it (hopefully).  libraries can position themselves similarily in regards to student privacy
 
05/21/2015    11:33:58 AM    from Deborah Caldwell-Stone to All Participants:
Gary: allegedly the user has consented to the sharing in order to use their proprietary Amason ereader (Kindle)
 
05/21/2015    11:34:07 AM    from David King to All Participants:
Gary - that's correct.
 
05/21/2015    11:34:46 AM    from Andrew Asher to All Participants:
Mike--yes--I agree w/ this stance 
 
05/21/2015    11:35:07 AM    from Deborah Caldwell-Stone to All Participants:
Mike Robinson - yes!
 
05/21/2015    11:36:16 AM    from gary price to All Participants:
Deborah: I see but I'm not sure this is made clear to users and as I've said before (many times) we don't explain to users how to remove the data. Btw, not only is the data record stored  by Amazon but any notes made in the ebook is stored by Amazon even after the book is retured. 
 
05/21/2015    11:36:23 AM    from gary price to All Participants:
Mike:
 
05/21/2015    11:38:18 AM    from gary price to All Participants:
Agreed. A portion of my presentation at the LITA meeting (in Chicago) and CNI in St. Louis was about making the library the campus or community source for privacy and data security info. Of course the only want for this to happen is make a library staff more aware and conversant about these issues. Even more of a challenge, keeping them (all of us really current on these issues). 
 
05/21/2015    11:38:37 AM    from Deborah Caldwell-Stone to All Participants:
Gary: all true.  Agree that libraries should better explain/be transparent about that transaction.
 
05/21/2015    11:41:12 AM    from Karen Wetzel to All Participants:
How are libraries working with chief privacy officers or others who are currently in charge of privacy at the institution (often this might be the chief information security officer)? 
 
05/21/2015    11:42:31 AM    from Lisa Hinchliffe to All Participants:
Great point Karen!
 
05/21/2015    11:47:41 AM    from Shlomo Sanders to All Participants:
Shouldnt be storing the raw data
 
05/21/2015    11:48:28 AM    from Andrew Asher to All Participants:
Subpeona seems like a real risk-- a destruction plan seems in order 
 
05/21/2015    11:48:35 AM    from gary price to All Participants:
Before to long I hope we spend some time (in addition to what we are already discussing OR will discuss) ASKING Who and WHY do we want to make possible changes for? 1) Ourselves, our community for ethical reasons, right thing to do? 2) For our users because they want it, need it? right thing to do?  3) Legal or Possible Legal Reasons? A balance yes but without asking ourselves and maybe even our users (in some cases at at a local or community level) and explaining the pros, potential issues, concerns).  Let's not let all the things we can do or might do get in the way of asking why and who. 
 
05/21/2015    11:48:49 AM    from Christopher Harris to All Participants:
Once the subpeona arrives, isn't destruction of the data illegal?
 
05/21/2015    11:49:01 AM    from Daniel Ayala to All Participants:
Chris - yes it is
 
05/21/2015    11:49:10 AM    from Andrew Asher to All Participants:
Yes, so analysis & then destruction should be planned 
 
05/21/2015    11:49:24 AM    from gary price to All Participants:
possible changes and incl. statements, viewpoints, etc. 
 
05/21/2015    11:49:24 AM    from Andrew Asher to All Participants:
Then its gone before one arrives 
 
05/21/2015    11:49:29 AM    from Shlomo Sanders to All Participants:
right
 
05/21/2015    11:49:38 AM    from Christopher Harris to All Participants:
Unless it gets backed up somewhere by the network folks
 
05/21/2015    11:50:00 AM    from gary price to All Participants:
Also, we need to look at other possibe privacy issues years out. For example, use of beacons, etc. 
 
05/21/2015    11:50:01 AM    from Shlomo Sanders to All Participants:
Even backups have retention policy
 
05/21/2015    11:50:15 AM    from Daniel Ayala to All Participants:
Chris - your CISO should have a similar desire to have a strong retention and destruction policy and related complince. Also Counsel would want that too
 
05/21/2015    11:50:26 AM    from Andrew Asher to All Participants:
Yeah-- Anything that's been on a univ server is problematic, also can probably be accessed by network admins 
 
05/21/2015    11:51:01 AM    from Christopher Harris to All Participants:
Yes, but Cornell is partly a NY State school and so there are retention laws for state created work
 
05/21/2015    11:51:45 AM    from Mike Robinson to All Participants:
when I backup library data to campus network storage, I encrypt it first
 
05/21/2015    11:52:08 AM    from Shlomo Sanders to All Participants:
And can be decrypted or else it is not much of a backup
 
05/21/2015    11:52:22 AM    from Eric Hellman to All Participants:
The Cornell catalog is exceptionally clean wrt privacy- no beacons, forces https, et.
 
05/21/2015    11:52:49 AM    from Mike Robinson to All Participants:
yes, but I don't have to worry about unauthorized access by campus IT or others
 
05/21/2015    11:53:35 AM    from Peter Murray to All Participants:
Eric:  s/wrt privacy/wrt web transaction privacy/  #just clarifying.
 
05/21/2015    11:53:41 AM    from Christopher Harris to All Participants:
I think this sounds like a good model. Are there risks? yes. But it also sounds like he is getting some great usefullness from this
 
05/21/2015    11:55:44 AM    from gary price to All Participants:
Here's a recently updated tech report from Microsoft that might be of interest. "Inverse Privacy"                                                                     "An item of your personal information is inversely private if some party has access to it but you do not. We analyze the provenance of inversely private information and its rise to dominance over other kinds of personal information. In a nutshell, the inverse privacy problem is unjustified inaccessibility to you of your inversely private information. We believe that the inverse privacy problem has a market-based solution."
http://research.microsoft.com/pubs/245268/TR2-Inverse25.pdf
 
05/21/2015    11:57:45 AM    from Christopher Harris to All Participants:
Heavy burdens Rich is bearing here...Gotta give him respect for that!
 
05/21/2015    11:58:35 AM    from Lori Ayre to All Participants:
Opt-in and opt-out isnt enough.  For one thing, as some note, what does that mean about the substandard service one can provide if one "opt-outs" (whatever that means). And if they opt-in, what are all the ramifications?  How much do we (as librarians) even know what happens down the road when our users "opt-in"?  I think there's a long chain of transparency problems to resolve.
 
05/21/2015    11:58:46 AM    from Mike Robinson to All Participants:
are libraries willing to pay more for well implimented privacy?  for example, spider oak for cloud storage costs me money for proper encryption vs free data storage options in the clould that do not protect data
 
05/21/2015    11:59:22 AM    from Christopher Harris to All Participants:
I would be willing to pay extra for privacy and respectful/ethical/appropriate use of data
 
05/21/2015    11:59:38 AM    from Christopher Harris to All Participants:
But then I would skip the opt-in/opt-out...if I am paying then I am going to use the data
 
05/21/2015    12:00:25 PM    from Lisa Hinchliffe to All Participants:
Interesting piece on this in The Atlantic - http://www.theatlantic.com/technology/archive/2015/02/why-people-probably-wont-pay-to-keep-their-web-history-secret/385765/
 
05/21/2015    12:00:28 PM    from Mike Robinson to All Participants:
opt in/out is about giving user choices not per se about protecting their data
 
05/21/2015    12:01:41 PM    from Lisa Hinchliffe to All Participants:
Correct - still need protections for the opted in. And, the fact of opting out is a data point about a user that has to be tracked! :) #ironically
 
05/21/2015    12:01:47 PM    from Christopher Harris to All Participants:
If I am paying a premium for access to anonymous data, then do I need to ask users? The point is that I as the library wouldn't be seeing the patron data anyway, just the anonymous set. So then it isn't "patron data" it is "library data"
 
05/21/2015    12:01:50 PM    from Lori Ayre to All Participants:
Mike, I'mfor choices but I don't think we really know what we are offering in those choices.  
 
05/21/2015    12:02:36 PM    from Christopher Harris to All Participants:
I don't have to ask the patrons if they want to opt out of a door counter
 
05/21/2015    12:02:53 PM    from Christopher Harris to All Participants:
I don't ask them if they want to opt out of security systems or tattle tags
 
05/21/2015    12:03:00 PM    from Tomer Shemesh to All Participants:
in the Cloud,  we can implement more security measures in addition infrastructure systems) to protect the data. Certification and auditing and penetration test by external security company verify it.
 
05/21/2015    12:03:27 PM    from Christopher Harris to All Participants:
Anonymous circulation data is comparable in my mind to a door counter - it is library data, not patron data
 
05/21/2015    12:03:53 PM    from Hadrien Gardeur to All Participants:
how some of these services are designed also has a huge impact on what's collected or not
 
05/21/2015    12:04:10 PM    from Andrew Asher to All Participants:
If you're linking it to dempgraphic info its definitely patron data 
 
05/21/2015    12:04:16 PM    from Hadrien Gardeur to All Participants:
for example in the US Overdrive knows precisely who's borrowing what
 
05/21/2015    12:04:27 PM    from gary price to All Participants:
Is a person's device MAC address consider personal data? 
 
05/21/2015    12:04:46 PM    from Andrew Asher to All Participants:
I would argue it is 
 
05/21/2015    12:04:50 PM    from Christopher Harris to All Participants:
What level of demographic linking makes it patron data? Gender? Race? Age?
 
05/21/2015    12:04:52 PM    from Hadrien Gardeur to All Participants:
in France, that's not the case, the distributor/agregator has no personal information about the patron, it's just an anonymized UUID
 
05/21/2015    12:05:39 PM    from Christopher Harris to All Participants:
So do I have to ask before I check around the room and see how many males or females are in the library? Or a rough estimate of seniors vs teens?
 
05/21/2015    12:06:03 PM    from Karen Wetzel to All Participants:
Only if you plan to write down the numbers anywhere ;)
 
05/21/2015    12:06:23 PM    from Tomer Shemesh to All Participants:
Implementing security proactive and preventive action, with processes for security issues and privacy are very important as well. 
 
05/21/2015    12:06:43 PM    from Andrew Asher to All Participants:
This is a false analogy
 
05/21/2015    12:07:22 PM    from gary price to All Participants:
Right now, I (and everyone else) can EASILY see the MAC address of anyone searching many library OPACS and have it tied to their search strategy. 
 
05/21/2015    12:07:46 PM    from Christopher Harris to All Participants:
How? If there is nothing linked in the data set (leaving aside what we as technical experts may know are the true limitations of anonymized data) to a particular patron then how is a high level view of circulation any different than a collection of door counter stats?
 
05/21/2015    12:07:58 PM    from Lori Ayre to All Participants:
One piece of information may be "library data" but once you start putting enough pieces together, we can end up with "patron data" or something a little closer to patron than library data (using Christopher's logic).  Or more likely, someone else does that mining work, not the library.
 
05/21/2015    12:08:04 PM    from David King to All Participants:
Gary - that's only personal PCs, in the library, using wifi... right? Not "anyone."
 
05/21/2015    12:08:36 PM    from Andrew Asher to All Participants:
A library is a public space and there are different expectations of privacy 
 
05/21/2015    12:09:20 PM    from Tomer Shemesh to All Participants:
To have 24x7 Hub that can receiving any potential privacy issue or security that can be immediately  handled , with high priority processes.
 
05/21/2015    12:09:25 PM    from Christopher Harris to All Participants:
So if you want total privacy in your circulation habits, don't borrow from the library. Buy the book used in cash from some flea market
 
05/21/2015    12:10:45 PM    from Andrew Asher to All Participants:
I should not have to provide you with my race, gender or age in order to use the library 
 
05/21/2015    12:11:14 PM    from Andrew Asher to All Participants:
Thats not ethically tenable IMO for an educational institution to say I should use the flea market 
 
05/21/2015    12:11:26 PM    from Christopher Harris to All Participants:
I totally agree, but you broguht up the concern of demographics and I was trying to see which demographic area you meant
 
05/21/2015    12:11:34 PM    from David King to All Participants:
ANdrew - some public libraries have teen-only areas, for example. Have to show you're 18 or under to use them.
 
05/21/2015    12:12:44 PM    from Christopher Harris to All Participants:
If there is no demographic data in the circulation record...just the metadata on the book itself, then that is in my mind library data and not patron data
 
05/21/2015    12:12:51 PM    from gary price to All Participants:
David, no, if someone is at Starbucks or on a fligt with wi-fi, etc. searching some OPACs and some vendor databases it's easy to see their query, MAC address, and all of the non-encrypted pages they visit. Also, even if the page itself is encrypted but a call from the page (let's say an image) is NOT, i can learn of the page being viewed (via the referer).  You can also do this in an ethernet connection and gain access to the network via a cable. 
 
05/21/2015    12:12:54 PM    from Mike Robinson to All Participants:
Christopher: agreed, you sacrifice some privacy to borrow the book.  but if you want to read it in the library you can remain anonymous.  can we still provide anonymity for online resources in some for and personalization for those users who want it?
 
05/21/2015    12:12:56 PM    from Lisa Hinchliffe to All Participants:
I wonder a lot if it is ethically tenable to not offer the option for personalized library experience (within secure and well managed data systems).... 
 
05/21/2015    12:13:02 PM    from Christopher Harris to All Participants:
Assuming you have stripped the user id info
 
05/21/2015    12:13:24 PM    from Eric Hellman to All Participants:
Andrew, if a user takes out "What can you expect when you're expecting", you know with high probability that the user is female and of child-bearing age.
 
05/21/2015    12:13:36 PM    from Lisa Hinchliffe to All Participants:
Mike - often even not the. Many libraries require one to check in - i.e., to show ID to get into the library.
 
05/21/2015    12:14:27 PM    from Lisa Hinchliffe to All Participants:
And, at many libraries - you are being filmed by security cameras as you sit and read
 
05/21/2015    12:14:31 PM    from Shlomo Sanders to All Participants:
I am usually for opt out. But for personalized library experiance I would say it should be opt in. If the library stats to garther the info only after opt in then how long will it take to do something useful?
 
05/21/2015    12:14:32 PM    from Andrew Asher to All Participants:
Chris--I agree with that-- once you've linked it to a different dataset providing demographic info, I think a line is crossed 
 
05/21/2015    12:16:07 PM    from Christopher Harris to All Participants:
So might we start to consider the idea of a completely unlinked and anonymous as possible data set that JUST lists what books were checked out (not even books checked out by the same person) might be considered library data and not patron data and therefore not subject to any question of opt-in/opt-out as similar to other basic library data collections like door counters? 
 
05/21/2015    12:16:34 PM    from Lisa Hinchliffe to All Participants:
Shlomo - why do you think opt in for library is usually opt out is your stance?
 
05/21/2015    12:17:00 PM    from Eric Hellman to All Participants:
If you anonymize a beacon, you could collect data but only connect it to the user upon opt-in
 
05/21/2015    12:17:51 PM    from Shlomo Sanders to All Participants:
I think about all this in the same way Chris described a second ago. "completely unlinked and anonymous as possible data set that JUST lists what books were checked out (not even books checked out by the same person) might be considered library data and not patron data and therefore not subject to any question of opt-in/opt-out" Therefore I dont understand the stand of opt in.
 
05/21/2015    12:18:27 PM    from Shlomo Sanders to All Participants:
"If you anonymize a beacon, you could collect data but only connect it to the user upon opt-in" Right!
 
05/21/2015    12:20:00 PM    from Christopher Harris to All Participants:
YES! Patron data usage and customization requires a discussion about opt-in vs opt-out, but I think we need to separate out the set of basic library data as outside of this conversation. It isn't patron data, it is library data.
 
05/21/2015    12:20:37 PM    from Peter Murray to All Participants:
Christopher: Interesting -- a distiction between "library data" and "patron activity data".
 
05/21/2015    12:20:55 PM    from Christopher Harris to All Participants:
I think discussing and defining that distinction could be one of the biggest things to come out of this discussion
 
05/21/2015    12:21:14 PM    from Peter Murray to All Participants:
Christopher++
 
05/21/2015    12:21:29 PM    from gary price to All Participants:
Lisa and others: two interesting papers  here (out of  U of Wash iSchoo) re: cameras and surveillance in the library. http://www.infodocket.com/2014/02/01/conference-paper-the-panoptic-librarian-the-role-of-video-surveillance-in-the-modern-public-library/
 
05/21/2015    12:21:54 PM    from Christopher Harris to All Participants:
It allows us to maintain ethical and respect for patron privacy, while also allowing us to compete (dirty word I know) in providing a better overall expereince when we know what books are hot, what search terms are being used, in a totally anonymous way
 
05/21/2015    12:21:59 PM    from Shlomo Sanders to All Participants:
I dont understand.  "patron activity data" isnt "library data"? 
 
05/21/2015    12:22:43 PM    from Andrew Asher to All Participants:
Christopher--yes, a very useful distinction
 
05/21/2015    12:22:51 PM    from Peter Murray to All Participants:
Shlomo:  patron-specific activity data versus general usage data of library resources.
 
05/21/2015    12:23:16 PM    from Shlomo Sanders to All Participants:
OK. Got it
 
05/21/2015    12:23:26 PM    from David King to All Participants:
Shlomo: plus patron demographic info, which most of us collect too
 
05/21/2015    12:24:22 PM    from Christopher Harris to All Participants:
I quite imagine that ProQuest knows exactly what terms are must used, what articles are most read, etc. That is library (or in this case database) data. But when they start suggesting an article to me based on past searches that is patron data and if I haven't asked them to do this it gets a bit creepy
 
05/21/2015    12:25:49 PM    from Christopher Harris to All Participants:
David: I think there is some strong potential for high level demographic slicing of data, but I know this also raises concerns we talked about last time with respect to the potential for loss of aggregate anonymity due to small demographic sets
 
05/21/2015    12:26:41 PM    from Christopher Harris to All Participants:
This I know well coming from a region with very small school districts where there might be a graduating class of 30 and only one african-american student - the "anonymous" data of test data from the group of african-americans in the district isn't so private
 
05/21/2015    12:44:46 PM    from Christopher Harris to All Participants:
Very fun conversation, and quite enlightening. Sadly I must run to lead a workshop
 
05/21/2015    12:46:59 PM    from Mike Robinson to All Participants:
agreed, filter bubble / personalization can cause bias problem for researchers
 
05/21/2015    12:51:36 PM    from Hadrien Gardeur to All Participants:
good reminder of what can be collected
 
05/21/2015    12:52:12 PM    from Hadrien Gardeur to All Participants:
additional info are also collected through DRM vendors or reading apps
 
05/21/2015    12:52:23 PM    from Mike Robinson to All Participants:
peter's commments on something like SERU for patron privacy are spot on, its what I hope we can achieve
 
05/21/2015    12:54:20 PM    from Bobbi Newman to All Participants:
please idenitify yourself when you start speaking, thank you
 
05/21/2015    13:12:16 PM    from Laura Quilter to All Panelists:
A group scratchboard next time might be useful. Shared google doc. 
 
05/21/2015    13:13:03 PM    from Hadrien Gardeur to All Participants:
one thing that I'd like to see, is the ability for the library to decide what is sent to the vendor, for example let them decide between using an anonymized ID or more personal information
 
05/21/2015    13:13:45 PM    from Hadrien Gardeur to All Participants:
instead of a one size fits all solution, where all you can do is pray for the vendor to do the right thing
 
05/21/2015    13:14:03 PM    from Lori Ayre to All Participants:
Hadrien++
 
05/21/2015    13:14:12 PM    from Bobbi Newman to All Participants:
I think a listserv is  a great idea
 
05/21/2015    13:16:40 PM    from NISO HQ to All Participants:
thank you, everybody!
 
05/21/2015    13:17:25 PM    from Mike Robinson to All Participants:
thanx
 
05/21/2015    13:17:31 PM    from Peter Murray to All Participants:
Thanks!