data-privacy

E-Lending Challenges and Libraries’ Mission to Ensure Information Access for All

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Emily on Pexels.com

By: Anusha Seyed Nasrulai

Library services have transformed from being primarily administered in the physical library space to providing library card holders with access to a broad range of digital materials, including ebooks, audiobooks, research, music, film, and more. When digital materials first entered the market, they posed great opportunities to increase the availability and accessibility of library collections. Libraries have adjusted their acquisitions and curation efforts to accommodate an increased demand for digital materials. At the same time, publishers and vendors have repackaged their products to drive profits in response to the demand by raising ebook costs to exorbitant rates. Libraries are “typically required to pay 3–4 times the consumer price for an ebook or audiobook license of a popular title.” Also, many publishers have replaced perpetual licenses with time limited licenses. Publishers further control the market by restricting “how many copies libraries can have, who they can lend to, and how long they (and their patrons) can keep the books.” This has led to library budgets being consumed by licensing costs.

The e-lending marketplace presents multiple challenges to libraries’ longstanding commitment to ensure access to information for all. Digital materials are many patrons’ primary method of accessing information. For example, digital formats are essential resources to patrons with “vision impairment, dyslexia, and other physical or learning needs.”

Libraries are at the whim of the power wielded by vendors controlling access to vital digital materials. About five companies control publishing and dominate the industry for licensing digital materials to libraries. Some companies have business enterprises beyond academic information, including the use and sale of personal and financial information. Thomas Reuters and RELX Group (parent companies of Westlaw and LexisNexis) not only dominate the legal research market, but they also own some of the largest news and academic databases and are data brokers that sell to private entities and law enforcement agencies. Sarah Lamdan, former CUNY law librarian and professor, now ALA director, described the digital information market landscape as a monopoly of information markets, which raises significant ethical and privacy concerns.

Libraries’ Respond to Market Shifts 

The rest of this article examines the implications for the market shift to digital materials for libraries and their patrons, focusing on ownership rights, open source projects, and patron privacy. In response to vendors’ overwhelming control of the digital information marketplace, libraries and researchers are developing solutions to ensure information access for all.

Ownership Rights

Libraries hold ownership rights and control lending access over physical books by the right to first sale. The “first sale” doctrine (17 U.S.C. § 109(a)) “gives the owners of copyrighted works the rights to sell, lend, or share their copies without having to obtain permission or pay fees.” However, this ownership doctrine does not control digital transmissions— including ebook acquisitions. Publishers create license agreements in partnership with vendors, who then license them to libraries. Margaret Chon, Law Professor at Seattle University, argues that high prices and restrictive lending practices undermine the special position libraries have historically held in the copyright system as institutions protecting and facilitating public access to copyrighted works.

Without copyright reform, libraries are often at the behest of vendors’ licensing models. In response, libraries have developed comprehensive strategies to negotiate with vendor providers and select vendors that align with their mission. Still, “the contract-law focused world of copyright for digital content is much more heavily weighted to the benefit of publishers and to the greatest extent possible.” Therefore, libraries have sought legal reforms as one of the solutions to address the modern digital information marketplace. 

ReadersFirst is an organization of almost 300 libraries dedicated to libraries maintaining open and free access to ebooks as collections are increasingly digitized. ReadersFirst advocates for ebook legislation to prevent content restrictions, prohibitively high prices for licenses, and using licenses to excise important copyright law, such as Fair Use. This past summer, Connecticut passed an ebook bill and other states have introduced similar legislation. This bill will be carefully watched after similar legislation in Maryland and New York have been undone by copyright challenges. 

Open Source Projects

During the COVID-19 pandemic, Internet Archive launched the National Emergency Library (NEL). NEL was a continuation of a previous online project where scans of physical library books were “checked out” to people as though they were physical books. In Hachette v. Internet Archive, publishers successfully challenged NEL’s temporary lifting of the one-person-limit on lending. Though this case did not involve a traditional library, it does call into question whether controlled digital lending practices by libraries are vulnerable. 

To protect library projects that expand access to digital materials, new industry standards are being proposed. Controlled digital lending (CDL) protections allow libraries to lend, preserve, and archive digital materials. Currently, a new NISO consensus framework is being developed to support CDL in libraries, with the goal of expanding “understanding of CDL as a natural extension of existing rights held and practices undertaken by libraries for content they legally hold.”

The ability to curate and share open source resources further libraries’ goal to ensure information access for all. An important example of library open source projects are research guides. Research guides are collections of high quality and relevant resources on a given topic from books. Resources included articles, books, media, databases, special collections, exhibits, and programs. Kara Phillips, director of the Seattle University Law Library, stated that research guides “respond to important issues so that patrons can find reliable, authoritative information… [to] support democracy, rule of law, and the legal system.” 

Patron Privacy

As vendors adapt to the competitive digital information marketplace, the change in business models has increased their appetite for patron data. As Roxanne Shirazi, a research librarian at CUNY, puts it, “[a]s lenders, library vendors do not end their relationships with libraries when they complete a sale. Instead, as streaming content providers, vendors become embedded in libraries. They are able to follow library patrons’ research activities, storing data about how people are using their services.”

There are only a handful of states that protect readers’ data outside of libraries. For example, the California’s Reader Privacy Act safeguards readers’ data when accessing physical books or ebooks. Therefore, ensuring patron privacy and holding vendors accountable to ALA privacy standards are central to libraries’ mission.

The Path Forward for Libraries

Librarians and other stakeholders are organizing to address the profound problems that have arisen from changes in the e-lending market. In providing guidance regarding digital access, the American Library Association states, “[i]n order to have a functional democracy, we must have informed citizens. Libraries are an essential part of the national information infrastructure, providing people with access and opportunities for participation in the digital environment, especially those who might otherwise be excluded.”

The Freedom to Inquire: Data Privacy Lessons from Libraries

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Stanislav Kondratiev on Pexels.com

By: Anusha Seyed Nasrulai

“All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.”

These are the words enshrined in the last article of the American Library Association’s (ALA) Library Bill of Rights. The ALA first adopted principles protecting the freedom of inquiry in 1939 in response to concerns of government censorship and surveillance amid a moral panic against anarchists. In subsequent decades, the Library Bill of Rights was amended and interpreted to champion intellectual freedom during eras like McCarthyism, the Civil Rights Movement, and post-9/11. 

The Legal Right to Data Privacy 

Recognition of the freedom of inquiry in libraries also developed at the same time as a legal right to privacy was being conceptualized. In 1890, lawyers Samuel Warren and future Supreme Court Justice Louis Brandeis first defined a legal right to privacy in a famous law review article. Still, a legal right to privacy was not widely recognized till 1965 in Griswold v. Connecticut. There is currently no comprehensive federal data privacy law, resulting in a patchwork of sectoral and state data privacy laws. However, the libraries’ privacy principles obligate libraries to expand the privacy rights afforded to patrons beyond what the law requires. Examining libraries’ data privacy principles offers important lessons for envisioning new legal data privacy frameworks.

Libraries’ responsibility to protect patron privacy and confidentiality is, in fact, recognized by the law. Forty-eight states protect the confidentiality of patron records, and the attorney generals in the other two states have recognized the privacy of patrons’ library records. 

Libraries’ Approach to Data Privacy 

Precise definitions are required to understand these principles. For libraries, the right to “privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.” Confidentiality is the libraries’ duty to keep personally identifiable information private on patrons’ behalf. Personally Identifiable Information (PII) is information that can be used to identify a specific person.

Data Privacy Policies 

Only 19 states have passed comprehensive privacy laws. Rights recognized under state laws may include the right to request data for correction or deletion, the right to opt out of certain processing and sales, the prohibition on discrimination for exercising rights under the law, notice and transparency requirements, and data purpose and processing limitations. The state laws typically only apply to for-profit businesses that meet high thresholds for gross revenue and amount of business activity in the state. Whereas library policies protect patron data from private and government requests. State laws are also limited by their enforcement mechanisms. Many state privacy laws rely on the enforcement of attorney generals rather than create a private right of action.

In addition to complying with privacy laws, library privacy policies are developed with guidance from the ALA’s Privacy Interpretation of the Library Bill of Rights and NISO Consensus Principles on Users’ Digital Privacy in Library, Publisher, and Software-Provider Systems. Libraries have a duty to create and maintain clear, easily accessible, and understandable privacy policies for all patrons. Privacy policies include information on what data is collected, who the data is shared with, and how long the data is retained for. PII should only be collected and stored when required for specific, clearly disclosed purposes and only with the patron’s consent. Users should have the right to access their own personal information or activity data for review, export, and request correction or deletion. Libraries should process these requests wherever operationally feasible.

Libraries practice data minimization, meaning libraries only collect personal data necessary for an operational purpose. Libraries default to practices such as purpose limitation and opting users out of nonessential data collections. Patrons should have an opportunity to give explicit consent so they can make an informed decision whether to agree with the collection of their data for nonessential purposes. Patrons should also be able to opt out at any time. For instance, some libraries offer patrons to opt in to a saved history of their checked-out books, otherwise, this data is deleted by default.

Libraries’ privacy policies often reflect a deep commitment to patron trust. As Mustafa Hassoun, a privacy attorney at Hillis Clark Martin & Peterson, noted, “Libraries always strive to do right by their patrons.” He works with libraries across Washington state and emphasized that “this commitment to patron trust and data stewardship continues even in the absence of broader legislation like the People’s Privacy Act, which would significantly expand data protection requirements in Washington.”

Vendor Partners 

Libraries aim to hold vendor partners, such as publishers and software providers, accountable to their data privacy principles where possible. Vendors are obligated to make their data use policies accessible to patrons. Libraries also carefully consider patrons’ privacy before entering data sharing agreements with vendors. The ALA’s Privacy Interpretation guides libraries to never share patron’s PII with vendors unless they have explicit patron permission or are required to under law or existing contract. When such information is shared, “any data collected for analysis should be anonymous or aggregated, it should never be linked to personal information.” Finally, when procuring new technologies, “[b]iometric technologies, like facial recognition, do not align with the library’s mission of facilitating access without unjust surveillance.”

The library community has developed processes and resources to negotiate contracts that align with their privacy principles. This is significant given that readers often lack clarity into how vendors use their data. Also, vendor partners may have great incentives to collect and aggregate as much user data as possible.

Complying with Law Enforcement 

The ALA guides library workers to consult with their library administration and legal counsel before complying with law enforcement. Records are to be shared only in response to a properly executed court order or legal process. “If a library worker is compelled to release information by a valid subpoena or court order,” they are instructed to personally retrieve the requested information rather than “allowing the law enforcement agency to perform its own retrieval [which] may compromise confidential information that is not subject to the current request.” 

Libraries have chosen to strictly comply with the boundaries of the law to balance the strong interest of protecting patron privacy while complying with legal orders. As Jonathan Franklin, a Digital Innovation Law Librarian at the University of Washington, puts it, “In a world where all data is seen as having value, it might be that the easiest path is to delete nothing and sell/use everything, so protecting privacy over profits takes extra-effort.” Companies or other entities may have different incentives for more broadly collaborating with law enforcement. Companies like Ring, Flock, and many others are directly partnering with law enforcement to share data that facilitates surveillance of customers and the broader public.

Looking Forward: Lessons and Challenges

Libraries provide important insights regarding how to enact data privacy principles and policies that champion people’s freedom of intellectual exploration and expression. As data privacy law continues to develop and transform, these lessons from libraries exemplify how data privacy principles can be enacted to uphold people’s privacy and civil liberties.

The privacy ideals of libraries are constrained by the realities of limited resources and funding. One study found that libraries face significant challenges when upholding patron privacy due to lack of technical knowledge and training among staff, as well as inadequate funding for training or privacy protection tools. Many of the data privacy studies and resources developed by and for librarians are funded by the Institute of Museum and Library Services (IMLS) grants. The current administration is attempting to dismantle IMLS, though that is being challenged in court. Amid these pressures, libraries have an almost century-long tradition of protecting patron data from censorship and surveillance.

As C. Allison Sills, an instructional librarian in North Carolina, aptly stated, the “Invasion of privacy by retaining patron checkout history is tantamount to book banning. If you surveil the populace, the populace will start to self-censor to prevent ‘potential’ discrimination, which starts the fear cycle.”