SUBSCRIBE NOW!

Vol. 24 No. 4 — April 2004

I think the PATRIOT Act and various other attacks on privacy have created a marketing advantage for libraries. I hope that most Americans know that librarians are not a bunch of hysterical porn-pushers, as members of the current presidential administration and their proxies would have the public believe. So far, the ALA and its editorial and press support have shown that we outclass our detractors. But I worry about appropriate response: Librarians are quick to a political fight, but often neglect practicalities. What would you do if law enforcement officials arrived at your door today with a PATRIOT subpoena? Does your circulation staff (often the front line in these skirmishes) even know what a subpoena looks like or how it differs from a warrant? Moreover, what should we all be doing to prepare ourselves, and what should we not let ourselves be distracted from in the meantime?

Alleged Hysterics?

I sorta chuckle at the fact that John Ashcroft came off looking like a boob with the whole "hysterical librarians" play in the press. On the other hand, if we look at that incident as objective disparagement instead of frustrated name-calling (I still think it was really the latter), then it's criticism that we might put into action. For example, a while back, there were some PATRIOT-mocking signs floating around the Internet—things like "No one has requested your personal information today. Check back for the absence of this sign later"—that got a lot of attention.

I thought they were funny until I heard that libraries were actually posting them. Frankly, this seems more like a misguided political statement than a proactive library campaign to protect patron privacy and anonymity. We deride Chicken Little because she ran around disrupting others' comfortable existence by claiming that the sky was about to fall. I think we could have ignored her if instead she had quietly gone about building herself a shelter from the imagined doom. Similarly, if librarians concentrated on ensuring short-term retention of usage records, and developing procedures for dealing with law enforcement information requests, instead of employing political scare-tactics, patrons would truly be better off.

Law Enforcement Realities

Some of the vague anecdotes that follow are based on real stories. They are meant as cautionary tales, and involve various criminal investigations in libraries, not PATRIOT Act (and accompanying gag order) scenarios.

"WHILE YOU DON'T PARTICULARLY WANT TO PROTECT THE PRIVACY OF A CRIMINAL, YOU KNOW THAT ANY COMPUTER IN YOUR LIBRARY MIGHT CONTAIN INFORMATION ABOUT INNOCENT PATRONS AS WELL."

Imagine that someone has used a computer in your library to perpetrate some unlawful activity. What might you expect when an FBI agent comes to your office? Even the most likable agent is an intimidating figure. His requests might seem innocent enough—he just wants to see where "workstation 24" is located. You show him. Now he wants to know if there is any data on that computer that might identify its previous users—specifically, any who had logged on 1 week ago between 3 p.m. and 5 p.m. "That depends," sounds like a good answer. Now he wants to know about the computers next to the one that was used criminally. Is there anything on them that might identify possible witnesses to the crime? While you're thinking that one over, you might put together a list of staff members who were on duty nearby—they might have noticed the perpetrator too.

You're in luck, because you sanitize your computers every week. While you don't particularly want to protect the privacy of a criminal, you know that any computer in your library might contain information about innocent patrons as well. You know that the surrounding computers should be free from legal intrusion; if you're in an academic library, you realize that giving up such information might violate the Family Educational Rights and Privacy Act, or FERPA. (Or do you realize that?) You show the officer your data-retention policy. If you think your assurances of data deletion will send the lawman packing, think again. He might even admit to how quaint he finds it that you think that a good computer forensics professional would fail to find what he's looking for. Does your technical infrastructure ensure patron privacy and confidentiality?

None of this is meant to suggest that libraries should strive to protect terrorists and criminals from routine investigation. Libraries are not criminal sanctuaries, but educational ones. However, they have a responsibility to protect not only the freedom to read, but also the freedom to research. There is (or should be) a reasonable expectation of privacy among library clientele that if the computers they use for research are shared by criminals, their innocent activity will not be caught in a widely cast information net.

Security Versus Privacy

The problem with security is that it requires the erosion of privacy. And it's not just government erosion that we have to worry about; we do it every day. Sometimes it's through willful decisions to foster a more secure library environment. Other times, it's through benign neglect of record-retention procedures and inattention to detail.

Whether librarians are asking patrons to log on to a computer workstation, or asking them to sign in at the door, we should require written policies that relate to the confidentiality of the patron activity that takes place in the library. This is not just my opinion; it's the librarian's code of ethics:

We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

—Principle III, American
Library Association Code of Ethics, 1995

But anyone who has cleaned up after an Internet Worm attack, tried to stop a malicious hacker, or tried to protect children from Internet predators knows that privacy is the first casualty of security. This does not mean, however, that libraries have to completely abandon their standards of privacy and confidentiality to attain more security.

"WHAT WOULD YOU DO IF LAW ENFORCEMENT OFFICIALS ARRIVED AT YOUR DOOR TODAY WITH A PATRIOT SUBPOENA?"

The responsibility includes knowing what IT departments do to track online computer usage. The questions are more practical than paranoid: What do vendors who provide subscription databases do with your patron data, and is the policy in your contract? Does your turnkey library system provider have root access to your servers and accompanying data, and have they ever used it to fulfill a law enforcement request for information? Do your personalization services disclose retention of patron data? Are your online systems in compliance with state laws regarding patron privacy (which might include more than just circulation record confidentiality)?

There's one last casualty of services that offer personalization and require more security—anonymity. Librarians need to be looking beyond privacy and confidentiality to the right of complete anonymity. While not explicitly covered in the code of ethics, the use of analog materials in the library has always implied some level of anonymity. How far can or should our profession go to offer its patrons anonymous access to online materials?

Be Prepared, Be Vigilant, Be Reasonable

There are plenty of good resources out there about preparing libraries for the PATRIOT Act, and hardly any library conference can get away with a program that does not address the issue in theory or in practice. In a handy four-page briefing for Library Issues, Kathleen Hoeth succinctly describes the real dangers of the USA PATRIOT Act to libraries, and gives rational advice about preparing for the law's enforcement. The article also includes a boilerplate model for policies and procedures (Kathleen Hoeth, "The USA PATRIOT Act: How Will Your Library Respond?" Library Issues, 24(3), Jan. 2004). This informative article should be required for all library administrators.

"LIBRARIANS NEED TO BE LOOKING BEYOND PRIVACY AND CONFIDENTIALITY TO THE RIGHT OF COMPLETE ANONYMITY."

I don't really think enforcement of the act is the equivalent of Chicken Little's falling sky—I think enforcement really will come. But I do think the first library that joins the hysterical fray without preparatory action might end up bringing shame upon itself. Moreover, we should not let PATRIOT Act obsession distract us from other serious, related issues, such as the Digital Millennium Copyright Act, the Children's Internet Protection Act, and various battles for more reasonable copyright protections. I would be willing to guarantee that DMCA, CIPA, and copyright enforcement will have earlier and longer-lasting impacts on libraries than PATRIOT will.

Happy Anniversary to Me

This column marks a milestone for me. It's my 20th column for Computers in Libraries, and I've celebrated by getting a little preachy. Please forgive me. Although if you've been following my columns, you'll know that I'm not usually one to de-politicize an issue. I was born inside the Beltway—it's in my blood. But I wonder whether the politicization of the freedom to read and the library sovereignty of patron privacy are distracting us from some basically simple rules of engagement. This is not an argument against the ALA Washington Office. God bless their David-and-Goliath struggle against the Justice Department, Congressional copyright zealots, the recording industry, and filtering fanatics (95 percent of whom, I would bet, would be hard-pressed to produce a library card). While I would hardly advocate dropping everything to answer the yet-to-be-determined social injustices allowed under the USA PATRIOT Act, I do think that librarians should act reasonably to remain informed, educate their staff and patrons, and stand prepared for their first law enforcement encounter.