The use of cookies has
no doubt received the most press regarding consumer privacy. In a previous
column, "Knock, Knock, Who's There? Authenticating Users" [March CIL,
p. 54], I explained that cookies don't exactly authenticate a user, but
rather they associate a user with a particular PC and authenticate the
PC. On the surface this may seem benign, but the potential to collect
data with cookies is almost unlimited once the cookie carries a unique
identifier that keys a record on the company's server: every visit that
returns the identifier adds to that record. Concerns arise when collected
information is used to push out additional sales information, such as via
e-mail following a purchase, or when it is shared or sold to third-party
vendors or marketers in order to influence your purchasing behaviors at
other sites. It can even be given to different branches of the same company;
for instance, a dot-com may share collected data with its brick-and-mortar
equivalent.
Should we be concerned? Consider this ...
On Monday I get an unsolicited
e-mail message from a florist alerting me that Easter is just around the
corner and that I should buy some flowers. The message also reminds me
that Mother's Day is soon to follow. On Tuesday another unsolicited e-mail
tells me I might want to look at some new books and CDs hot off the press.
On Wednesday a financial institution tells me it's having a money sale,
and on Thursday I'm told there's a new type of tomato seed that would be
perfect for my garden this summer. All of these were unsolicited. True,
I have visited all of these sites and either made a purchase or browsed
their virtual aisles, but at no time did I ask to be reminded weekly
or monthly of newly released products or upcoming sales. This is disturbing
on several levels. First, I've been added to these companies' lists without
my knowledge. Second, they've made a choice for me—to fill my already
overflowing mailbox with unsolicited junk e-mail.
Worse yet, when one of these
companies hits hard times, I notice a little story in the newspaper about
its bankruptcy. The following week, I get 40 e-mails instead of four—my
personal information and purchasing habits data have been sold!
Where Worlds Collide
Our physical and virtual
worlds are colliding. We truly are what we eat, drink, read, and now, browse.
So many of our day-to-day interactions now take place online, and the digital
trail we leave behind reveals more and more of who we are and what we do;
we become defined by our online profiles made up of bits and bytes. Even
some of the stores where I physically shop now wish to know my e-mail address
so they can complete my profile. The bank knows my behavior from ATM transactions,
the grocery knows what I buy through my club card membership, and now the
Web sites I visit or transact with remind me each time there's
a sale. If I ever need an alibi, I know that the trail of electronic bread
crumbs spread behind my electronic transactions will fit the bill perfectly.
Webster's defines
a profile as, "a set of characteristics or qualities that identify a type
or category of person or thing." A profile may be associated with an individual
by several means. A person may voluntarily provide information. Or, an
inference may be made by combining data like ZIP code and date of birth
(referred to as triangulating data). Another way is through "synchronization"
with other data sources where personal information is stored and shared
with other companies (usually for a fee). Creating a user profile when
the information is not volunteered by the end-user is most often done with
cookies: small name/value records that a Web server asks your browser to
store and that the browser sends back with every later request to that
server. The value is usually an opaque identifier; the profile it points
to lives on the server, and each returned cookie adds another visit to it.
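The following Python sketch is an added illustration, not code from this column or from any vendor; it reduces cookie-based profiling to its mechanism. The site, the cookie name 'uid', the page paths, and the e-mail address are all constructed for the demonstration. It shows the two points made above: the server recognizes a browser on a PC, not a person, so two people sharing that PC merge into one profile and clearing the cookie turns a repeat visitor into a stranger; and a trail that was anonymous becomes personally identifiable the moment a form carrying an e-mail address is submitted under the same identifier.

```python
"""Cookie-based profiling reduced to its mechanism.

Added example, not from the column. Assumptions (not in the original): the
cookie is named 'uid', profiles are kept in a dict keyed by that cookie value,
and the page paths and e-mail address below are constructed for the demo.
"""
import secrets


class Browser:
    """The cookie jar of one PC/browser: the 'identity' the server actually sees."""

    def __init__(self):
        self.cookies = {}

    def request(self, site, path, form=None):
        # The browser sends back whatever cookie the site previously set...
        resp = site.handle(path, self.cookies.get("uid"), form or {})
        # ...and stores any new cookie the response asks it to keep.
        if "set_cookie" in resp:
            self.cookies["uid"] = resp["set_cookie"]
        return resp

    def clear_cookies(self):
        self.cookies.clear()


class Site:
    """Server side: the profile lives here, keyed by the opaque cookie value."""

    def __init__(self):
        self.profiles = {}

    def handle(self, path, uid, form):
        resp = {}
        if uid is None or uid not in self.profiles:
            # Unknown browser: mint an opaque identifier that means nothing by itself.
            uid = secrets.token_hex(8)
            self.profiles[uid] = {"pages": [], "email": None}
            resp["set_cookie"] = uid
        profile = self.profiles[uid]
        profile["pages"].append(path)
        # The moment a form with an e-mail address arrives under this uid, the
        # previously anonymous click trail becomes personally identifiable.
        if "email" in form:
            profile["email"] = form["email"]
        resp["uid"] = uid
        return resp


def identifiable_profiles(site):
    """Profiles that can be tied to a person, with the page trail each one carries."""
    return {p["email"]: list(p["pages"]) for p in site.profiles.values() if p["email"]}


def anonymous_profiles(site):
    """Profiles the server holds but cannot (yet) tie to anyone."""
    return [list(p["pages"]) for p in site.profiles.values() if p["email"] is None]


def demo():
    site = Site()
    home_pc = Browser()
    home_pc.request(site, "/roses")
    home_pc.request(site, "/tulips")
    # A second person at the same PC checks out: the server cannot tell them
    # apart, so the earlier browsing is now attached to this e-mail address.
    home_pc.request(site, "/checkout", form={"email": "alice@example.org"})
    # Clearing cookies makes the same PC look like a brand-new visitor.
    home_pc.clear_cookies()
    home_pc.request(site, "/lilies")
    return site


if __name__ == "__main__":
    s = demo()
    print("identifiable:", identifiable_profiles(s))
    print("anonymous:", anonymous_profiles(s))
```

The identifier is deliberately meaningless on its own, which is why a site can honestly say the cookie "contains no personal information" while the record it keys grows with every visit.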
Online profiling is one
of the most incendiary privacy issues on the Internet, especially when
your digital identity is used at another site because your personal information
was captured in a database and then sold or shared with companies you've
never heard of. There's a growing backlash against online profiling from
consumer advocacy groups and increasingly from concerned individuals who
are caught in the crossfire between demanding increased connectivity and
desiring to maintain their anonymity.
So why should this matter
to you and your library? Most states have enacted laws that protect the
privacy of our patrons. But the Internet didn't exist when these kinds
of laws were enacted, and they were written to protect patron information
as it related to physical materials circulation. We know that these same
laws apply to our digital library counterparts, but do our patrons?
I don't know of any libraries
that conduct true online profiling, but we do maintain records for authentication
purposes, for interlibrary loan, or when we ask patrons to define their
preferences so that information can be better tailored online to meet their
needs, such as for a personal portal page. We store much of this information
electronically in a database. Are patrons aware of information collected
from our digital library Web sites, how this information is used, and who
has access? To ensure that they do know how their information is being
collected and used, a library should craft a privacy policy.
Consider Privacy Policies
Providing a privacy policy
is not a requirement for most organizations. In 1998, the Federal Trade
Commission (FTC) responded to the tremendous backlash to online profiling
and asked companies in the online industry to voluntarily explain and post
their privacy policies in more detail. The FTC's intention was to make
initial progress in creating an electronic environment with some protection
of consumer privacy, and perhaps to allow online companies to carry out
self policing as an alternative to regulating an ill-defined environment.
Several of the industry's heavy hitters, like Microsoft and IBM, lined up
behind TRUSTe, an alliance formed to educate the public and to promote
"fair information practices."
According to the TRUSTe
program (http://www.truste.org),
TRUSTe is an independent,
non-profit initiative whose mission is to build users' trust and confidence
in the Internet by promoting the principles of disclosure and informed
consent. Because this site wants to demonstrate its commitment to your
privacy, it has agreed to disclose its information practices and have its
privacy practices reviewed for compliance by TRUSTe. When you see our TRUSTe
seal, you can be assured that the Web site will disclose:
- What personal information is being gathered about you
- How the information will be used
- Who the information will be shared with, if anyone
- Choices available to you regarding how collected information is used
- Safeguards in place to protect your information from loss, misuse, or alteration
- How you can update or correct inaccuracies in your information.
As the digital library becomes
a preferred route of choice for services, the need for a library privacy
policy becomes unavoidable. Perhaps those in the library field should also
form an alliance to come up with a similar privacy "seal of approval."
If you are planning to write
a privacy statement, there are several examples worthy of note. First,
check out the policy statement for Excite based on the TRUSTe disclosure
statement at http://www.excite.com/privacy_policy.
Another example is not a privacy statement at all; it's a privacy statement
generator developed by the Organisation for Economic Co-operation and Development
(OECD; http://www.oecd.org). The generator is available directly from
http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm.
The OECD privacy policy generator is incredibly thorough, though it includes
some issues that have no bearing in a library environment. I've paraphrased
some of the OECD high points you'll want to address in the sidebar
below.
Two Different Hats
Currently there is no framework
to address the many legal issues that arise in cyberspace. Just to give
you an idea, consider all of these areas in a non-electronic environment:
trademark, copyright, liability, fraud and theft, defamation, disclosure,
search and seizure, invasion of privacy, evidence, and jurisdiction. Most
are pretty tangible, right? Now consider each one of these issues as it
relates to the Internet. You'll find that each has an entirely different
meaning when you try to translate it. Let's consider one issue, jurisdiction:
"the territory over which authority is exercised." As e-mail messages and
Web pages are sent or downloaded around the world, how do you define "territory"?
So, let's get back to online
profiling and consumer privacy. Is this something we should be concerned
about in our library environments?
When I put on my Webmaster
hat (a pointy hat with stars), my answer is "no." From a standpoint of
designing the most user-focused site that I can, profiling helps us to
target services better. Targeted services can mean delivering information
specific to an individual's preferences or formatting and packaging information
delivery to meet my end-user's needs (like to a PDA). Or it could mean
clustering products, content, and services to serve communities, such as
a group with common interests and needs, for example, physicians. Profiling
helps me design user-centric Web sites.
Now let me put on my librarian's
hat. Now, my answer is "yes," we should be concerned about online profiling
and consumer privacy in our libraries. Our users assume that their privacy
is protected by law. The Internet didn't exist when the laws were written
and enacted to provide protection to those who checked out materials. The
phrase "digital library" was not around, although we know these same laws
provide protection in both our traditional and digital libraries. But do
users know this? Like much of today's legislation, little case law exists
to see how the laws will actually be applied in an electronic environment.
As the law tries to keep
pace with Internet technology, we need to protect our patrons and ourselves,
to be proactive in our organizations, and to educate our patrons as best
we can. A privacy statement provides a much-needed proactive measure and
also re-emphasizes the role we play on behalf of our patrons—that of pathfinder
and trusted agent. Privacy has always been a library priority. When we
educate our users about privacy we not only help them protect it, we also
decrease our risk of liability if privacy is compromised.
Some of the High Points from OECD's Privacy Policy Generator
Collection Limitation: Identify what is collected, both personally
identifiable information and information that cannot be tied back to a
specific person, such as the traffic statistics you cull from server log
files. (Be careful with the second category: a raw log line that carries a
workstation's IP address or a proxy login can usually be tied back to a
patron; it is anonymous only once those fields are removed or truncated.)
Data Quality: Ensure that the integrity of the collected data is maintained
so that it stays accurate and relevant to the purpose for which it was
collected.
Purpose of Collection: State a clearly defined purpose for collecting the
data, including start and end dates if the data is used for a specific
event or project.
Data Use: State how the data is to be used and whether it will be used for
any purpose other than those stated.
Security and Confidentiality Safeguards: Describe the security procedures in
place to protect data against unauthorized access, loss, misuse, destruction,
or modification.
Individual Participation: State the rights of individuals to obtain, confirm,
and challenge data held about them.
Organizational Information: Tell visitors the business of your organization,
broadly who you serve, and the "legal entity which controls the processing
of personal data."
Use of Third-Party Web Service Provider: Identify where data may be gathered
by third-party vendors such as an outside content provider, Internet service
provider, or application service provider. (This is extremely important in a
library environment, where visitors are connected to purchased content
residing on a remote server.)
Automatic Collection of Information: "Information automatically collected,
via cookies or other means such as programming, may not be linked to an
individual. However, if you link the information that you capture
automatically, via cookies or other programming means, with personal data
about a specific individual, your visitors should be made aware of this."
Technical Administration of the Web Site: Information collected for the
purpose of administering the Web site, such as account logins, IP addresses,
or domain names.
Customer Administration: Data captured to provide services to the customer,
such as account information to process an interlibrary loan request or
address information to deliver bibliographic search results.
Marketing: Data captured in order to target user types for content,
formatting, and delivery purposes.
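The point under Collection Limitation and Technical Administration, that server logs count as anonymous information only after the identifying fields are gone, can be made concrete. The following Python script is an added example, not part of the column or of the OECD generator. It assumes the Apache/NCSA "combined" log format; the three log lines are constructed for the demonstration (RFC 5737 test addresses, a library.example host, a made-up proxy login); and the rules it applies (truncate the IP address to a /24, drop query strings from the request and referer, keep the timestamp to the hour) are one reasonable policy rather than a standard. The page-count statistic the log is kept for comes out the same before and after.

```python
"""Keeping server logs on the 'anonymous information' side of a privacy statement.

Added example, not from the column or the OECD generator. Assumes the
Apache/NCSA 'combined' log format. The sample lines are constructed, using
RFC 5737 test addresses and a reserved '.example' host name.
"""
import re

LOG_RE = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two hits by a patron logged in through the library proxy
# (a search and an interlibrary loan request), then one anonymous hit.
SAMPLE_LOG = """\
198.51.100.71 - jsmith [02/Apr/2001:09:15:02 -0500] "GET /catalog/search?author=Orwell HTTP/1.0" 200 5120 "http://library.example/" "Mozilla/4.7 [en] (Win98; I)"
198.51.100.71 - jsmith [02/Apr/2001:09:16:40 -0500] "GET /ill/request?title=Homage+to+Catalonia HTTP/1.0" 200 2210 "http://library.example/catalog/search?author=Orwell" "Mozilla/4.7 [en] (Win98; I)"
192.0.2.9 - - [02/Apr/2001:11:03:11 -0500] "GET /hours HTTP/1.0" 200 880 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"""


def parse(line):
    """Split one combined-format line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: " + line)
    return m.groupdict()


def identifying_fields(rec):
    """Fields in a raw record that tie the hit to a person or a specific machine."""
    found = {"ip": rec["ip"]}                 # a workstation, often one particular person
    if rec["user"] != "-":
        found["user"] = rec["user"]           # proxy or authentication login
    if "?" in rec["path"]:
        found["query"] = rec["path"].split("?", 1)[1]   # what was searched or requested
    return found


def anonymize(rec):
    """Reduce a record to what traffic statistics need and no more."""
    out = dict(rec)
    out["user"] = "-"
    out["ident"] = "-"
    # Truncate IPv4 to the /24 (IPv6 would need its own rule; not handled here).
    out["ip"] = ".".join(rec["ip"].split(".")[:3]) + ".0"
    # Drop query strings: search terms and request parameters are content, not traffic.
    out["path"] = rec["path"].split("?", 1)[0]
    # The referer carries the previous page's query string, so it leaks the same terms.
    out["referer"] = rec["referer"].split("?", 1)[0]
    # Keep the hour only: exact seconds let a log be matched to a circulation record.
    out["time"] = re.sub(r":(\d\d):\d\d:\d\d ", r":\1:00:00 ", rec["time"])
    return out


def format_line(rec):
    """Write a record back out in combined format so existing tools still read it."""
    return ('{ip} {ident} {user} [{time}] "{method} {path} {proto}" {status} {size} '
            '"{referer}" "{agent}"').format(**rec)


def anonymize_log(text):
    return "\n".join(format_line(anonymize(parse(l))) for l in text.splitlines() if l)


def page_counts(text):
    """The traffic statistic the policy says logs are kept for; same answer either way."""
    counts = {}
    for l in text.splitlines():
        if l:
            page = parse(l)["path"].split("?", 1)[0]
            counts[page] = counts.get(page, 0) + 1
    return counts


if __name__ == "__main__":
    for l in SAMPLE_LOG.splitlines():
        print("identifying:", identifying_fields(parse(l)))
    print(anonymize_log(SAMPLE_LOG))
    print(page_counts(anonymize_log(SAMPLE_LOG)))
```

Run it over an existing access log with anonymize_log(open(path).read()). What it does not do is handle IPv6 addresses or strip identifiers that sit in path segments rather than query strings, so review your own URL layout before relying on it.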
Kim Guenther is the director
for the University of Virginia Health System Web Center and the Health System
Webmaster. Her e-mail address is guenther@virginia.edu.