Thursday, January 13, 2011

End-user privacy isn't a yes/no decision, it is informed choices

Former Sun Microsystems CEO, Scott McNealy, famously declared back in 1999: “Privacy is dead. Get over it.” It is safe to say that library administrators have never subscribed to that theory and aren’t likely to anytime soon. Yet the youth of today and many middle-age to older people as well as librarians seem perfectly willing to surrender large parts of their privacy when using many web-based services. So what is going on here?

The issues surrounding end-user privacy and library services are, as many of us well know, complex, multi-faceted and carry great liability, responsibility and trust. Therefore, it is no surprise that decisions made in this area require soul-searching thought and full understanding of the risks and implications of the final decisions made in dealing with this issue.

Librarianship, as most of us know, is by its very nature, a risk-averse profession. We spend tax dollars and/or organizational resources carefully and after extensive due diligence. So it isn't surprising that we bring this same mindset and framework to bear on decisions regarding end-user privacy. As a result, our decisions frequently lean heavily towards the side of extreme caution. We also tend to make it a black and white or yes/no decision in support of that conservative and cautious approach. However, I think we need to seriously pause and ask ourselves if we can continue to use that approach in dealing with this complex issue? I wonder if we don't need to move from this being a yes/no decision to a series of informed choices for our end-users? Why do I say that?

First of all, the economic pressures on libraries are enormous and growing by the day. At the same time, many libraries are seeing increased usage. So the need to do more with less is rapidly translating into the need to be more efficient and be more effective. Using data to streamline end-users interaction with our systems/staff and our overall management of libraries meets both goals. Yet we seem reluctant and frustrated to do so.

At the last Charleston Conference, an attendee made the comment "I'm so frustrated because I see our users searching Amazon to find materials and then they come back to our discovery tool simply to find out if we can provide access to it." Now clearly Amazon does not offer all the resources that most libraries do, but within the areas where they do provide materials, they offer a very personalized discovery tool and of course, one of the reasons they can do this is because they maintain extensive user usage data, and they use this data to tailor results for the end-users. Very effectively.

When I'm talking with library directors and staff, it is very rare for me to find many who don't actively use Amazon and/or Netflix themselves. So clearly, even though we take a conservative approach on behalf or our end-users, many of us have personally made a decision to allow Amazon and/or Netflix (or related services) to collect and use our personal data in order to tailor services for us. We understand the risks and have agreed to accept those in return for the convenience provided by those services. Many of us also use Facebook. This social networking tool now has over 500M users. The latest interface upgrade collected extensive additional user profile information including schools attended, degrees of study, etc. Again, many have willingly supplied this extensive information (in this case, without any clear understanding of what the benefits/risks will be).

Understandably, making decisions for yourself is not the same as making a decision for all of a library's end-users. However, the question we need to pose to ourselves is this: If as individuals we're willing to accept convenience in return for privacy, why do we think our users aren't willing to make the same compromise when using library resources? Is it right for us to arbitrarily lower the level of service that can be provided to end-users from their libraries without giving them an informed choice that would provide a higher level of service?

Obviously, this question is not as simple as it might first appear. Libraries maintain a level of trust with their users that are deeply valued by both them and the end-users. Frequently there are professional codes-of-conduct and/or legal requirements that must be factored into privacy decisions.

Many librarians feel that their conservative position is in line with that of their professional associations. Yet here in North America for example, ALA in their "Interpretation of the Library Bill of Rights" clearly say "leave the user in control of as many choices as possible" and that "Users have the right to be informed what policies and procedures govern the amount and retention of personally identifiable information, what that information is necessary for the library and what the user can do to maintain his or her privacy." Furthermore, it says that such information must be "guarded against impediments of open inquiry." All very reasonable statements and they leave the door open for us to do more than we frequently are doing today. Let's note that it does not say we can't retain user information, it doesn't say we can't use it to provide better services. It is only saying that we need to inform and give the user the choice to choose settings that will limit what information is held and for how long. Clearly this is not advocacy of making this a binary decision, it understands and conveys that such information if collected and used must be done within a context that makes it an informed choice of the user.

I think it is time we approach this issue with more openness and some fresh thought. If we don’t, we’re going to continue to lose users to services where people are willing to trade privacy for convenience because it saves them time and, at least for the moment, costs (when we understand personal time also carries real value for many).

We can offer discovery tools and recommendation tools that are more personalized to the end-user, but we need to collect and use more information about those end-users in order to do achieve that goal. In so doing we must spend time clearly laying out for the user (not just in the normal legal terms, but also in terms they understand):
  1. Explain the overall privacy policy.
  2. What data we’re collecting and using.
  3. How we’ll use that data (i.e. the statement of benefits)
  4. How long that data will be retained and how it can be deleted by the end-user.
  5. Under what conditions that data would be disclosed to an outside third party if it is held by the library.
  6. Make participation in the tailored services something the end-user very consciously indicates they want to use. In other words, don’t make them opt out, have them opt in.
The increasing use and expansion of library cloud-computing based solutions will mean that more and more data might well start to reside in the cloud. There it will be possible to quickly amalgamate and use analytical tools to develop highly customized, data-driven decisions that will help to shape end-users interactions with the library. New services will readily become possible, but with it so will the need to deal with the issues surrounding end-user privacy.

What other preparation needs to happen here? A good start would be to read the new Library Technology Report that was recently published on the subject. Barbara Jones, Director of the Office of Intellectual Freedom at ALA, in concluding the second chapter in this work, offered some excellent suggestions for librarians (from which I selectively pick and substantially abbreviate here):
  • As librarians we need to work to help educate and draft legislation that addresses privacy.
  • We need to get and give training to staff on privacy issues.
  • We should instruct our users in making informed choices about privacy settings and what the continued incremental loss of privacy could result in.
  • We should build on the work of others and our associations.
It’s good advice. End user privacy is far more gray than black and white. In order to maintain our trusted relationship with end-users and to encourage their greater use of our services, we’ll need to better meet their needs and be very upfront about what information we’re using and how we’re using it. It’s all about informed choices.

(Finally, remember I’m not a lawyer and this is not to be taken as legal advice. Before making decisions for your organization, get appropriate and authoritative legal advice.)