Name:
Licensing Privacy: What Librarians Want
Description:
Licensing Privacy: What Librarians Want
Thumbnail URL:
https://cadmoremediastorage.blob.core.windows.net/28eea46f-859a-4541-8845-4a94d3c8e4a6/videoscrubberimages/Scrubber_1.jpg
Duration:
T01H01M01S
Embed URL:
https://stream.cadmore.media/player/28eea46f-859a-4541-8845-4a94d3c8e4a6
Content URL:
https://cadmoreoriginalmedia.blob.core.windows.net/28eea46f-859a-4541-8845-4a94d3c8e4a6/session_6a__licensing_privacy__what_librarians_want (360p).mp4?sv=2019-02-02&sr=c&sig=720rUcfihAtqY3JZ8nDLqDLAZzkUOEw%2B2lOmf%2BQe4f0%3D&st=2024-12-22T14%3A24%3A14Z&se=2024-12-22T16%3A29%3A14Z&sp=r
Upload Date:
2024-02-02T00:00:00.0000000
Transcript:
Language: EN.
Segment:0 .
Well, good afternoon, everyone. As we come to the final leg of this jam packed few days together. My name is Lisa janicke hinchliffe and I'm pleased to be convening this session on licensing privacy. What librarians want. I'll be joined eventually on the stage by a few additional folks, but so they can see the slides and don't have to sit up here watching you while I'm speaking.
They're down in front for now. So what I'm going to be sharing with you this afternoon is where we're at in a four year project to look at how libraries and our providers can work better to ensure the kind of privacy protections libraries are looking for their users and their readers. I want to share a little bit about my own background that brings me here today. I'm a professor as well as the coordinator for research and teaching professional development at the University of Illinois at urbana-champaign.
I have had a long career in academic libraries working as well at a comprehensive University and a community college. In 2010 2011, I was president of the Association of College and Research libraries, in which my presidential initiative was the value of academic libraries, the importance of libraries, being able to articulate the value of what they do and how it aligns with their institutional mission, brought with it the notions that having data about our users and what they were doing is an important part of being able to document the value that we provide.
It runs smack against our notions though, that we don't track our users and what they're doing. And so since 2010, I've been working with the library community on this question of how do we do the work that we need to do, provide the services that we need to provide, while at the same time being able to demonstrate that value. I've also sort of worked on the publishing side of things as the editor of two journals, library trends and research strategies, and I'm on the editorial boards of a number of journals, so I'm also aware of the importance of reader data, author data.
Et cetera to good and best practices management in the publishing side of things. I've also encountered these issues as a board member of the Society for Scholarly Publishing ORCID and the University of Illinois press. I'm also a chef in the Scholarly Kitchen where I've written a number of pieces related to the notion of user data, user tracking and what's happening on our platforms.
So as I mentioned, I've been working on this issue since 2010 with the presidential initiative. There have been so many activities that have attempted to sort of make progress on this question. We have early talks that were given most significantly for our own industry. We have the niso consensus principles on user digital privacy in library publisher and software provided platforms.
We can see where we have shorthanded that to the niso privacy principles. A piece I wrote in the Scholarly Kitchen very early on in my career there called what will you do when they come for your proxy server? Looked at the disconnect between the efforts of then RA21 and the library community's understanding of the way that authentication and reader surveillance should or should not work.
There's been a number of other attempts to document numbers of these issues, but ultimately we have found that we had made little progress on actually coming to the table together and making change in current practices as opposed to identifying the problems with current practices. At the National forum on web privacy and web analytics in 2019 at the University of sorry at Montana State University.
We wrote an action handbook that said here are actions libraries could pursue in order to make progress on this problem that we have described multiple times. I'm currently leading a number of different privacy projects and I'm prioritizing privacy project related to privacy and learning analytics. This melon licensing privacy project, as well as serving on a number of committees and working groups across the industry related to intellectual freedom, privacy protections and public libraries, which has become all the more important as book banning and the like, has become, unfortunately, a daily part of my colleagues and public library's existence.
And I've engaged with various community practices around spark and Seamless Access previously. Ra RA21 I say this as part to share what I sort of bring to the table, but also to say that I recognize that this is a very complex and multifaceted topic, but fully cognizant that we have to ask ourselves this question repeatedly. What future do we want as librarians and are we satisfied with the direction of travel?
I think in the library profession we have some good sense of the future. We want what we'd like to actually be the current, and we're really somewhat dissatisfied with the direction of travel. So I'd like to invite us to work together on going on a journey together. So one of the panelists that will join me up here today in a little bit is Cody Hansen.
He did a very important piece of research for our field, which really called for librarians to recognize that when we told library patrons that their use of the library was private, that no one knew what they were reading, that we were not telling the truth. It was it is not the case, as he wrote, that it's possible for libraries to provide any meaningful assurance of privacy or anonymity to users of licensed resources.
This call to arms or call to attention helped catalyze some of the library professions, recognition that it wasn't enough to be dedicated to privacy if you weren't actually delivering privacy. And indeed, it might even be dangerous to tell people that something is private when it is not, because then they might not make fully informed decisions about the risks that they're undertaking by using certain platforms.
Now, in a library audience, I would assume you have some familiarity with our library privacy value. But you're not a library audience. So I want to talk to you a little bit about the way libraries have historically conceptualized the value of privacy, which is different, very different than legal frameworks for privacy. So just to be clear, GDPR, great, whatever that California law is called, great.
None of those are equivalent to what librarians mean by privacy. So we have three seminal documents in our field the ala library Bill of Rights. The ala code of ethics and the ala privacy and confidentiality Q&A. The ala is the American Library association, which is the leading trade Association for librarians of all types in the United States that also exercises a fair amount of influence internationally.
Ala's value of privacy is very tied to the notion of intellectual freedom that free people read freely. This, while historically controversial at different points in time, was not controversial when we began this project four years ago is a highly controversial comment these days in our country, as well as in other countries. But the notion that free people read freely is a foundation of why we're concerned about privacy.
We're concerned because of the way we want users to have freedom of inquiry in order to have freedom. In other ways. And the reality is that when users recognize or fear that their privacy or confidentiality is compromised, then that true freedom of inquiry no longer exists. So we have a high level value of intellectual freedom and privacy as a mechanism for ensuring that privacy is essential as it goes on to say, to the exercise of free speech, free thought and free Association.
The library Bill of Rights is a statement of what users should expect from their libraries. And there are many components here, but I'm going to put the seventh one on the screen here. All people, regardless of origin, age, background or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about and protect people's privacy, safeguarding all library use data, including personally identifiable information.
What people read on publisher platforms is library use data in our understanding. And there's this issue. And you'll see that ala always combines together privacy and confidentiality, that people have a right to both of those things, and that libraries and librarians as professionals have an ethical obligation to protect, advocate and educate about privacy. So when we raise these issues, one could say we are just doing our job.
The code of ethics itself goes on to say how library professionals should execute their responsibilities. It's a long document, and I'm just going to highlight the three components that come into play, particularly with respect to privacy. The third Plank is a parallel to the seventh in the Bill of Rights. The third Plank says we protect each library user's right to privacy and confidentiality with respect to the information sought or received and resources consulted, borrowed, acquired or transmitted.
So it's very much here. You can see that it is about the content that people are accessing and protecting the fact that they are using those resources. So we're very concerned when those resources are no longer in our control as they were historically with print. But when the access to those materials is also monitored or monitorable by other third parties. We also, of course, though, want to provide the highest level of service.
And while I've jokingly said there's no private library like the print library, we're not going back to print because that wouldn't be high quality service. So we need to figure out a way to reconcile the demands of the digital networked information environment with the requirement we have for reader privacy. We also have to look and see that there's a sixth Plank in this that says we do not advance private interests at the expense of library users, colleagues or our employee institutions.
It's particularly library users here that we need to be concerned about. So we cannot subjugate our library users rights to the interests of third parties that might have commercial interests in those data. This puts us in a very challenging environment in the digital world. So one thing that Allah does in the Q&A is helps us understand the difference in our minds between privacy and confidentiality.
So in a library, user privacy is the right to open inquiry without having the subject of one's interest examined or scrutinized by others. And confidentiality exists when a library is in possession of that information and keeps that information private on their behalf. So confidentiality is the library's responsibility. When we bring a third party into this relationship, then.
The user retains the right to privacy, which is the right to read and enquire without being subject to scrutiny. And we also still maintain our requirement that the library is responsible for confidentiality, which is ensuring that any third party will also keep that data confidential. It is recognized that libraries themselves have to have user data in order to function.
We keep track of which books people have checked out. We have security cameras in libraries. We do all sorts of things that capture data. But when we have that data, we are called to handle it in a very particular way. And really what Allah says is you can use user data, data about what people are doing in the library as a library for one of two purposes to provide or improve the provision of that service.
Nothing more. So as we bring again a third party or third parties into that environment, that is what we are looking for. That user data is only used to provide the service or to improve the service and only as much data as is necessary to provide said service. Allah has done the work to go ahead and take these guidelines and say, OK, how would they then apply in these third party relationships with a set of documents that the library privacy guidelines for vendors in which they also recognize that third parties will need data in order to provide services?
But calls upon those third parties and calls upon libraries to ensure that those third parties treat user data with the same values and practices that we would expect libraries to use in treating that data. So where do we get to then is how are we going to make that happen? And out of the Montana forum that I identified for you earlier, there was this notion that we should work in our licensing agreements to come to contractual terms that would address these issues.
Um, and so this effort then led to this pathway, which was to develop and maintain model license language for user privacy, which is a practice that establishes that's well followed in libraries for other things where we have common license language, it communicates the priority of this issue to our business community and facilitates communication and efficiency in negotiation. If we have language we can work from.
In fall of 2018, I was privileged to give a presentation in which we proposed what such a project would look like, and in fall of 2019, we were privileged to receive funding from the Mellon Foundation that recognized that efforts, that resources would be needed in order to bring this conversation together. You might note the particular date of fall of 19, which meant that everything we planned to do in 2020 did not happen.
We plan to initially do a national convening kind of issue, a blue ribbon panel, white paper. Et cetera. Instead, our COVID fueled redevelopment led to what I think is ultimately been more effective a chance to do a whole series of presentations and white papers and webinars where we have addressed different aspects of this issue over time.
All of the resources that have been created through this project are available at published illinois.edu/licensing privacy. And yes, when you go to that website, you will be asked to consent to cookies. So there have been a lot of people involved in this project. I've been privileged to serve as the pi, but a number of people have served as consultants in writing white papers, leading webinars and the like, and I'll be mentioning them as we work through.
I also want to mentor the advisory group that has advised on this project. One of the first things we did was to really get a sense of where libraries stood with this issue. And Daniel Cooper. Daniel Cooper of Ithaca SNR did an interview series of interviews with library leaders who identified as sort of privacy forward.
That privacy was important to them. We are very grateful for their candid conversations and their really thoughtful reflections on the challenges of working on privacy among all the other priorities that they face as they negotiate license agreements. We found that even among those most staunch proponents of privacy, there was the recognition that privacy won't take precedence over access.
And that's a real challenge for us. And it may mean that sometimes you hear some mixed messages if you're feeling that. But what they said is that there's other ways to make gains in this area and that we don't have to only focus on licensing language. So recognizing that libraries will continue to license what faculty need to do their research and students need to learn.
There is a recognition as well that a number of services increasingly use personal accounts and not just IP or other authentication to provide services. But also recognizing that as some of these platforms are developing into digital tools, there may be more competition in the marketplace. And one thing we'd like to at least explore a little bit is the idea that privacy protections could actually be a market advantage.
Now, the good news was librarians also told us that when they negotiated for specific things for privacy, they actually had really good luck. It was very effective. And so it was great to hear that the library business community was responding to these desires. And what that told me is we needed to get a little bit more specific in our ask, what is it that we want when we say make this more private?
How can we make that actionable? The directors also said that libraries had to develop their own policies internally that could serve as guidelines for negotiation and partnerships with publishers. So in addition to developing policies, the library director said that they would say that it's best to resist non-disclosure agreements because non-disclosure agreements can even impede our ability to let our users know the terms under which they are accessing information.
And if that is the case, they could be taking on risk that they don't intend to be taking on and using those resources. So we need the ability in a non-disclosure agreement, a no non-disclosure agreement world, in order to fully inform users of what they are doing. We want to really clarify what terms are being consented to by both users as well as libraries and clarify who is authorized or even legally allowed to consent to which terms.
Libraries can't consent on behalf of users. In some cases, there is a question of whether users can override contract terms that the library has set. So really clarifying when and how library user data can be shared and most importantly, also requiring notification in the event of a data breach. There have been far too many data breaches in our field where individual users of resources were notified, but the library that held the contract was not notified that there had been a data breach of their own patron data.
So there are some really low hanging fruit and easy to achieve things. But librarians also said they needed help. They needed to be able to look at contracts better and figure out how they would evaluate these. And so, Becky, use of consulting services was contracted to develop our vendor contract and policy rubric, which is a way of looking across eight different domains and three privacy levels to figure out whether there are any concerns with a particular contract and a particular privacy policy.
Those eight domains are listed on the screen here. And the privacy levels are minimal. Viable privacy meets falls short and exceeds. This is a consensus document based on looking at the literature. It doesn't mean that any given library wouldn't have greater demands, but it finally made more concrete and specific. So the rubric itself, when you download it looks like this for each domain, there is a set of things to look for and a set of places you can document concerns.
At the end of going through all the eight domains, it gives you a collective output of which areas are concerns with a particular contract or vendor product. You need a lot of documents and it's a lot of work to assess one of these contracts. For this, you need the contract, the vendor privacy policy, you need the rubric. It's helpful to have some other things.
It's a multi-hour process. Nonetheless, our reviewers said that they saw a number of use cases, internal discussion to the library, assisting in contract negotiations, reviewing the privacy policy status of resources already contracted for, and as a training tool for new library workers. Very notable for me is that we developed this as a tool for librarians and immediately the library vendor community took it and began to use it to do internal discussions at their companies about whether they could improve their practices to either meet or exceed the minimum viable privacy.
And that was very heartening to me and helped me articulate for the library community that it is necessary for us to be specific in our asks if we want to see progress. So there are some real emergent issues that have come out of this process. Model license language is actually while the whole focus of the project initially not sufficient for achieving reader privacy.
We also learned that libraries needed to do a better job of ensuring that all employees have a basic understanding of authentication and authorization frameworks. And so I'm grateful to Cody and his colleague sunshine Carter, who wrote the only primer on authentication and authorization in higher education that at this point am aware of. And in fact, our colleagues init departments have started to use it to train their staffs.
We also think I'm starting to believe that libraries need to identify a library privacy officer or set of folks who have this to provide leadership for privacy work within the library itself. And we'll have a white paper coming out on that soon. And finally, that libraries have to strengthen their campus partnerships and work collectively to protect reader privacy and information security with units such as the information technology services department on campus.
So I have just summarize in a fair number of slides, four years of work on this project. I'm really grateful for all the people who have engaged. We've had webinars with up to 500 people learning about these results. And so as I looked at the SSP theme this year, it seemed the perfect time to bring together now a panel as well of two librarians and one member of the library business community to share their reflections, reactions and engagements around the work of this project, but also these issues more generally.
So I'd like to invite to the stage Athena, Cody and Amanda. And as they're coming up, we'll move to a little bit of a structured question and answer period and then we will have time for questions from you all. Come on up. Puts you.
So, Athena, if you would introduce yourself and then reflect on, as you've considered, that licensing privacy rubric that Becky developed, what are your thoughts about how the rubric could be used and what some of the challenges might be? Hi, I'm Athena hubner. I am the discovery services librarian at the University of Central Florida. And as such, I am the person who maintains and tries to improve the user experience for our authentication systems and discovery layer.
I'm also in charge of coordinating the license process, even though I don't have signatory authority. So I will start off by saying I am glad to be here on this panel, but I'm replacing someone who would have been much more knowledgeable. And the first time I looked at the rubric was yesterday. So I find it very interesting. And I do have thoughts. Good OK.
I knew you would. I do. So I looked at the categories and the ones that stood out to me, as were the I would really like us to be aspirational are the data user data rights and the data disclosure, because I think our users have no idea what information might be out there about them. They have no way of finding out and we don't know really whether are would be happy about it and say, yes, please use this data to make this product a better experience for me.
Or if they'd say, I really don't want anyone to know this information about me, please stop sharing it. And until we get it in front of our users, it's really a big unknown for me. Um, but the. All of these aspects are things that I think are very important the minimizing, the sharing of the data. Unless it's going to be functionally improving, the experience for the user is very important to me.
And keeping that data private and secure. Encrypted is important to the University. We have some very strict policies about what data can be shared and what it needs to have to secure it. And we frequently do end up having to send a writer, along with our contract negotiations, to incorporate more privacy language. So those are my initial thoughts.
Great Thank you, Athena. Yes Thank you as well for the last minute fill in for someone who is unable to be here at the last minute. So Cody, Athena just talked about how the platforms themselves might be capturing data, but there's also this intervening layer of like, how do you get authenticated and authorized? And that is another sort of platform sometimes and who owns that platform and the like.
And as I mentioned, you were kind enough to co-author the authentication authorization primer for this project, but I you think about these things all the time. So can we hear a little bit about you and then your thoughts about how these authentication layers handle user data and some of the concerns librarians have? Sure Thank you, Lisa. Yeah all right.
I'll first say Thank you to all of you who stuck around for our panel this afternoon. It's my first time at this meeting and I've really enjoyed it. Thank you also for saving me a little bit of time in quoting back to the audience the code of ethics, which leads knows I'm very fond of. I I'm not in a librarian role at the University of Minnesota libraries.
I'm the director there, but I am a librarian by training. And I, I identify very strongly with the code of ethics and the professional aspects of librarianship. And so the idea of keeping private and confidential information that our users are seeking is very important to me. Likewise, there are. For new reasons every day. Why?
I'm glad I live in Minnesota and but not least of which is that Minnesota has an excellent government data Practices Act that likewise identifies the connection between a user's identity and the information they're seeking as private data. So that in Minnesota, this is not just a matter of professional ethics, but it's a matter of law about how we treat library user data. The challenge, of course, ethically, legally, is that for us to be able to provide the resources that our users need.
To be able to demonstrate to our partners that a user is authorized, that a use is authorized. We need to know who a user is and what they're trying to get at. We need to put together those very two pieces of information that are a little bit radioactive for us professionally and legally. As Lisa put it earlier, to do the work we need to do, we need this information.
and. So we. Myself included. We do think about this a lot, about how to best manage this information. And on behalf of our users, of course, we feel a profound sense of duty to our users, first and foremost. And so when looking at authentication and authorization systems, really, what we see is that.
The user's identity and the information that they're seeking or the destination that they're hoping to get to, they need to be connected. But that connection does not need to travel throughout the whole chain. What really differs between different authentication and authorization mechanisms via IP authentication, proxy authentication. So Shibboleth type authentication is who knows what along the way.
The library in my case, the higher Ed institution, perhaps a third party. Knowledge base or link resolver, and then the ultimate destination that the user visits. And there is a significant difference in different authentication authorization methods. Who knows what along the way? that's particularly important because I believe and I'll editorialize here a little bit that our notions of what constitutes personally identifiable information are antiquated.
We live in a world of easily inferred identity. Just mentioned at one of the lightning talks earlier about the information that a consultancy was gleaning about users just based on their names inferring gender and ethnic identity. In Minnesota. And I think generally speaking, an IP address alone is not considered identifying information. But if that IP address is shared with some sort of identity broker through a CRM system or something like that, there's a great deal of inferred identity that can be provided.
So we're not even necessarily talking about a specific user details in your email address and name demographic information, because most of that can be pulled. Most of that can be harvested. And so because of that, it makes us and it makes me even more protective of the kind of information that you share, who we share it with and what systems covering that information. So I will say that for me and for the University of Minnesota, we prefer to use authentication authorization systems that keep as much of that information as possible in our custody because we feel responsible for the relationship that we have with our users.
We feel that our relationship with our third party information resource providers, their relationship with the library, our relationship with the users and that we need to be the broker there, not just for our purchasing power and things like that, but because we feel that in order to execute our professional and our legal responsibility, that we need to ensure that that information is. Is taken care of as best they can, and we trust ourselves better than anyone else.
I will say not all libraries are similarly and not all libraries are similarly equipped to take the care that we prefer to do. It's a luxury that we have, but that's my initial thoughts about it. Great thanks, Cody. Amanda, if you'd introduce yourself. But on the vendor side, what kind of privacy questions are you hearing from librarians?
Because you're interacting with librarians at all types of institutions, not just the Cody's of the world and very small publics and academics. So how do you work with them to address the concerns that they have around privacy? From your side of the table, if you will. Oh, hi, everyone. My name is Amanda Ferrante and I work with ebsco information services.
I'm a principal product manager for identity and access management at ebsco. So somehow we ended up with a full panel of authentication fanatics, which is great. I love it. My role there is to make sure that the needs and requirements of our customers many, many different types of libraries, including libraries in higher Ed, but also in corporate institutions, medical institutions, hospitals, k-12, public libraries, and across the globe.
That those needs of our community are met by our roadmap. So I focus primarily on access to our platform, but of course authentication and authorization, as Cody already mentioned, is extremely coupled to privacy concerns and privacy implications. So as part of my role over the last three years, I have taken on some of that work to make sure that ebsco is bringing in the voice of our customer as it relates to privacy, which is actually a very hard thing to do, which I'll get into in just a moment.
So, Lisa, you asked what kind of privacy questions we get and then also how we address them. So there's so much to unpack there. So I'll try to take it piece by piece. As far as the types of questions we get related to privacy, I can pretty much boil it down to two different buckets. The first one is compliance and certification. So really, you know, we get a lot of questions on a daily basis of does ebsco's platform comply with this law or this certification or this regulation that impacts my institution or my type of patron or my geographic region because we require you to comply with that thing in order to use your product.
So it's a very sort of a hard line. It's a very easy question to ask. Certainly complying with the law, you know, the language of that law will give you essentially a checklist in many ways. So there's no real need to bring the voice of our customers, to our roadmap to comply with privacy legislation, because we know we have to do it. And we know what's required of us.
It's very clearly documented. So that's bucket number one. Bucket number two, if the risk of sounding extremely reductive is literally everything else. So we have and we want to have we endeavor to have conversations with libraries about privacy all the time to better understand their concerns better, understand the most urgent and pervasive problems that we need to solve with technology.
So a lot of times everything else will include what information is collected and who is it shared with? Is it shared? Do you sell data is a question we get all the time. By the way. We don't. What value does collecting that data add for the researcher? That's a really, really important question that we need to be able to articulate about our products.
Who has control over the data and who, when and using what mechanisms can they exercise that control. So it's really interesting to hear you talk about your relationship to third party license providers or vendors is, you know, siloed and separate from your relationship to your patrons. Because oftentimes and this is frequently a legal requirement, we need to also give the patrons the ability to control their data and exercise their right to be forgotten.
Right so there tends to be a lot of gray area between what is expected of a vendor from libraries and what is actually required under the law. And the way that I often refer to it is we need to comply with the law. That goes without saying, but we work with the community who values privacy so highly. We need to honor those values. We value it too, right?
So we need to do what needs to be done to honor privacy above and beyond the letter of the law is how we often refer to it. So that's what we get asked. But how do we address it? Because like I said, the law gives you a checklist. Everything else doesn't come with a guide, which is why we're here talking about this rubric. Um, so we talk with libraries that mean it's really that simple.
And it may be somewhat taboo to mention this out loud in a room full of people, but it's very difficult for vendors and libraries to come together and have a conversation about privacy because a lack of transparency in how vendors handle data and how they honor the ability to control data for the user or the library has led to, in some cases, mistrust between these two groups of stakeholders. But really, if nothing else, we are on the same side.
Or at least I could speak for ebsco, that we want to honor the same values that we hear from our customers. So we have. You know, been actively seeking out forums, to have conversations and to get the checklist to better understand what are the urgent, pervasive problems. So that will include working groups, but also meetings like this where we get to have conversations with people we haven't yet talked to about it.
So that's the summary. Great Yeah. All these things can probably be their own four hour talk, so. Yeah so, Athena, you mentioned that you're on the negotiating side looking at these things. So in your experience, is it typical that you have an Amanda on the other side of things that you can talk with in a given vendor relationship about these issues?
And do you also internally to your University have resources you can draw upon as you're negotiating the library side of it, if you will? Like, what's this look like from your perspective? Amanda is the first Amanda I've met, so I usually do not have someone on the vendor side that I to contact to talk to about privacy issues. It's usually the our usual customer service representative is who I am talking to and they may be talking to their legal team and I'm talking to my legal team and there's usually not a particular person I to talk to about privacy and how it usually goes down is there will be something in the contract that mentions user emails or names or something like that, and that triggers an extra review by our data privacy team at UCF.
And then Dan lopresto comes along and says, oh, well, we need to do a review. And he'll ask me, you know, what are they doing with this data? And I often really don't have the information to answer those questions. So I will have to reach out and get more information from the vendor at that time. And quite often, as I mentioned, it turns into a Writer that's attached, that has ucf's preferred terms about privacy.
And I was not consulted in developing any of those terms. They don't really deal with privacy the way that librarians think about privacy. It's much more about conforming with UCF policies, about sensitive user data and identifiable personal information, which we include email addresses, one of the things that are personally identifiable information. So it's kind of a mess and it could use some more structure and something that we could refer to as a way of starting this conversation.
So I don't know if you want me to go on, but. Well, we will. Yeah, we can. We'll I'm sure we can come back to you if people want to hear more about that experience. But I do think I mean, think it's not surprising that the folks I have on a panel like this are, you know, maybe in settings that have sort of are past the beginning stages.
Right? so a company that has somebody who is focused on this issue means that clients of ebsco have somebody to talk to. But then that also points out to you where you don't have anyone in other places. And so the but it's infrastructure on both sides to because do we have someone on the library side that we can talk to? And Cody, I want to ask you to make it just a little more complicated for us because it infrastructures that libraries rely on May not actually be run by the library either.
I mean, lots of them aren't right. You mentioned of those sorts of things. So can you talk about how campus it needs to come in here and how is a librarian or also brokering that relationship? Yeah so. In my experience here informed primarily by. So we're very fortunate to have really thoughtful partners on campus. We're able to work with.
And you really do understand where the library is coming from. But we are entirely reliant on them for our identity. Are probably an outlier at this point. You run a proxy server at a library in a lot of cases if there is a proxy server being run. Um, but we still rely on them for our identity.
And so it is very important that conversations about the actual connections, the actual integrations that are happening, whether. Or those require collaboration between libraries campus and. Service providers. And and so I will I'll seize this opportunity to. If you find yourself on the other side of the table discussing.
About your product. If you are talking to central to make sure the libraries are also centralized. Because not everywhere has the same relationship that we do. And I will say, just as an example of the necessary coordination there, if you you're selling a product to the University of Minnesota libraries and you just pick up our standard in common. Saml metadata, that's very generous of you.
You will be opening up your product to Tens of thousands of former students and staff and faculty, retirees, alumni, et cetera. We appreciate that, but it's probably not what you signing up for. And so if you want to make sure that your implementation is actually contains devices, you're going to need to talk to a library and centralized together and.
so I will say again, you know, we are privileged to be able to care about some of this because we have centralized resources that. Abigail and I were talking before the panel here about how we are in sort of similar positions, similar inverted positions, where at University of Minnesota libraries. Our collection is large enough that.
Try to. Databases and work with large largest publishers and also very small and very unsophisticated publishers. And so we have to be able to support a wide range of authentication. Materials provided by the large and small. Likewise, Amanda. Maybe speak to this, but have to support large and more sophisticated libraries like ours as well as very small and under-resourced.
Um, and have to be able to scale down too. So it's the way that we do authentication and authorization for us is always going to be all of the above, or at least for the foreseeable future. We will need to support everything from authentication through. See more content style. Sailauf but every one of those cases.
So before I ask Amanda my last question, I want to give the audience a heads up. Heads up that as soon as she finishes answering, it'll be your time to ask them questions. I guess you can ask me too, but ask them. So, Amanda, you and I have been part of the library vendor privacy community of practice for the past few years, and I'm wondering if I could ask you to go ahead on our behalf to share a bit about that group.
That is our one sort of common group we've got right now about what it's been working on and what might be possible if people want to engage with that. Sure so right now, you know, in its current state, it's called the library vendor privacy community of practice. But when Lisa and I first joined, it really was a working group. It was the library vendor resolution working group, and it was tasked by the intellectual freedom committee to do a review of vendor vendor privacy policies and practices, identify key issues and develop a shared set of privacy guidelines that were bought into and blessed, if you will, by both the library and the vendor community.
So when we first came together and started meeting, there were a handful of librarians from a couple of different types of libraries. I think academic and public were both represented and also a handful of different vendors. And so what we first set out to do was just what we were tasked with to start by reviewing vendor privacy practices and policies and to the best of our ability in a very non-political non-contentious way, begin to come to an alignment on what types of practices we agree as a community because we are all a part of the community.
We no longer want to see and document those requirements. So that they could be observed by vendors. But what actually happened over the years that followed was somewhat odd in my experience, but kind of magical, which was we all started to just really talk about privacy in general. And concerns in general, not so much as an us versus them mentality of libraries and vendors on different sides of the field, but more so talking about it as a community.
And so that really grew into a community of practice where we at the end of a year plus of meeting and sharing concerns, building trust, which was really an integral part of this entire process between the groups of stakeholders, we decided that we weren't quite ready to document a shared set of expectations, but rather we needed further involvement from a community. So we received buy in to sort of kick it up a notch to a community of practice, and we were able to launch that with an in-person kickoff at ala annual 2022.
And so, you know, for me, this was a really unique experience just because of that trust building process, but also because, as I alluded to earlier, as a product manager, my job, my role is to make sure that we are using technology to solve problems that affect our community. But unfortunately, it's very difficult to get clear, consistent guidance and feedback about what we should be investing, you know, our costs, our development time and resources into.
And so as a product manager, you know, when I hear some things from certain libraries, but the complete opposite from other libraries, it can be very difficult to make informed decisions about what serves my community. So right now, we are sort of brainstorming programming with the community of practice, looking for topics of interest that would benefit both libraries and vendors and help us continue communicating.
So most recently we underwent a peer review with the community of the ebsco privacy policy, which was very brave. It was a little terrifying, but really, you know, our compliance and privacy officer said we're undertaking a review and revision of our privacy policy. And I said, well, don't we want the library community to tell us what they want to see in it?
So that felt like a great opportunity and it was very positive. And I think one of the things that we really want to do, you know, not just mentioning it here, to mention that there is a forum where we can now have these conversations and share feedback in both directions. But we are very, very eager to get more vendors involved because it cannot be a one sided conversation.
And I think quite frankly, the licensing privacy rubric is a great example of an artifact to your point earlier benefits us all. Vendors are somewhat desperate to have those clear, documented guidelines and to begin building on that as a foundation, ask questions, you know, refine the rubric if that's, you know, in the future and, you know, build it out, expand it. That's all something that could happen in this community of practice.
So I would be remiss if I didn't plug some in-person meetups that we have scheduled at ala annual. We are meeting up with the community of practice on Friday, the 23rd June 23rd, and then the day following, the core committee for Federated authentication will have a session related to access and privacy. So that would be Sunday the 25th, two days after actually. So if you are attending, we would love to have you. Thank you, Amanda, Athena and Cody.
I'd like to go ahead and open it up to people attending the session. Now, if there's questions that we haven't addressed or things you've heard that you'd like to hear a little bit more about, and we have somebody moderating online. There's an online question, maybe there. Yeah, there are two great online questions so far. The first one is what happens when the purpose of the use. When the purpose of use of the user's info or data is for security purposes.
What should the library do in order not to breach the user's privacy? So the so secure use of a product is to me would be so if the reason we can have library user data and use user data is either to provide or improve a service. Um, if you're not going to have privacy, if you don't have security.
So I would include I'm not totally sure what this question is, but to me, um, providing security is, is part of providing access to the service. So the question though would be is how much data is that data then retained or used for other purposes or the like. But I'm wondering, Cody, if you've negotiated this because I'm sure you're concerned about security.
Yes, absolutely. So if what we're talking about here is, Uh, let's say misuse of electronic resources, which is an issue that we take very seriously. And I know that our partners do too. Um, we understand as, as a library that it is our obligation to monitor and secure use of our resources. And so just as an example, um, Lisa alluded to this earlier that we have to collect data about users and their habits in order to do our business.
And this is part of it. So we retain information about user accounts and the resources that they access, but we retain it for a fixed period of time, after which we strip it of identification. And it is we keep it for that 30 days or whatever it is, some rolling period precisely so that we can do the sort of forensic work that needs to happen to root out what is a compromised account or something like that, which, to be clear, a compromised account for the University.
The misuse of electronic library resources is the least of our concerns. If if we have a compromised University account, because, of course, what people typically go after is direct deposits, not library resources. So we take that very seriously, as do our campus partners. We also sometimes have incidents like this. And, you know, our process is perfectly aligned with what you explained, Cody, which is, you know, depending on what type of authentication is being used to access the ebsco platform, if and when our systems do detect malicious use or some sort of breach misuse of the product, there is, you know, action that needs to be taken.
And typically, if the University or the library is using a user based authentication method like single sign on, it is much easier to sort of narrow the focus, identify exactly which account has been breached. So if using user based authentication, we would say the minimal data to respond to a security event would be a unique identifier, which we would prefer, be pseudonymous and not necessarily something like email address.
If you are sending an ID number to ebsco. The user has personalized experiences and then if we detect that their account is being used for misuse of the product, what we can report is that pseudonymous identifier to you, which you can then use to look up the user and take action using your own policies. So I think the entire ecosystem sort of follows that model of there is a minimal piece of data. You need to respond to security incidents, but it does not necessarily need to be transparently identifiable.
I will just very quickly add for this room actual instances of malicious or breached accounts compared to what I would characterize as enthusiastic use of our resources. It's like 1 in 10. Maybe the false alarms are far outnumber the actual instances of abuse. I like that term. Enthusiastic use.
Yes Yeah. Sometimes when people are like they're overusing it, I'm like, we actually paid for that. So I think there was another question. There is there's time for probably one more question. So do we have one in the room? Before we go to this digital. I was like, I cannot see anyone. There could be 400 people out there.
There could be three. There are definitely 400 people out there. Definitely 400. OK first of all, Thank you so much. I'm a certified privacy professional. It's so exciting to have this here from her voice. I know. So thank you, Lisa. And Thank you, everyone, for sharing this.
The question I was curious about is if any of this work has gone back and informed the privacy offices in your organization, because that rubric is a really nice example of how you could take what a lot of folks call privacy impact assessments and translate it for a specific audience. So I'm curious if your work has actually gone back up to those who just focus about privacy to perhaps inform them about here's a better way to engage our customers downstream.
So are you asking the privacy officers within libraries or within vendors? Both, actually. OK so what I can say is the educause, the National it organization in higher education, which has a chief privacy officers community of practice, they through knowing some of them and seeing them seeing some of this work, they invited me to present to the chief privacy officers.
And if you're familiar with educause, they have a privacy and security rubric that they have developed and they were in the process of literally redeveloping it as we issued our rubric. And so this rubric was part of what then was reviewed by them. We didn't get a report back of like, you know, we took 3.6 and whatever, but it was part of their review process because one of the things I'm cognizant of is that if you already have to fill out this security and privacy form for the IT department on campus, maybe you don't need to also have to fill out a library.
One if we can get the library one, the library concerns into the it framework. So I think educause is working more and more on privacy. They actually renamed their security conference privacy and security. So I think that the idea like if I could say like the ultimate vision would be that this gets into industry documents so that we don't have to do this campus by campus and vendor by vendor, because it's going to take us a long, long time.
So somehow we need to get this into the way the industry operates rather than, you know, you happen to talk to Cody or Lisa kind of things. So if I could just I might be turned off. If I could just add, I guess, two ideas to that to folks to think about. First of all, I don't know if everyone's familiar with the fips, but if you're not, you can Google it. Fair information practices and principles.
If you look at those, the FTC has done a really good job about making them very approachable. There's icons. It's a lot like what C has done, and that's something where anyone who's working with the federal government, any vendor that is already in that space, has to work with those and it could be a nice place to go next. But the other thing I would also suggest is to have folks who are interested in privacy also go to the privacy conferences and those associations, because that's where a lot of these connections can also be made.
So thank you so much. Great thanks, Christina. And you should all follow Christina's work on this area too. So we are out of time, but I'm sure any of us would be happy to talk with you one on one or collectively if you get up here fast enough. Thank you so much for coming to this session today and look forward to being partners with you moving forward in this work.