Appendix - Privacy and Confidentiality in the Electronic Environment

ALA Task Force on Privacy and Confidentialityin the Electronic Environment

Committee Study and Deliberations

The Task Force focused initially on identifying the technologies, describing these to some extent, and assessing their possible impacts in areas related to libraries. This Appendix addresses the new technologies by reviewing the following areas:

  • Confidentiality of Library Records
  • Usage Tracking
  • Security Issues
  • Institutional Concerns and Developments
  • Library Practices
  • Commercial Applications

The information gathered here informed the report of the Task Force to ALA Council.

Confidentiality of Library Records

Information on state laws related to the confidentiality of library records is nearly impossible to tease out online. However, there are a number of good print resources. Two books in particular have good summaries and discussions of privacy, open records laws, and related issues for libraries:

Library Patrons and the Law by Arlene Bielefield and Lawrence Cheeseman. Neal-Schuman, 1995.

Maintaining the Privacy of Library Records by Arlene Bielefield and Lawrence Cheeseman. Neal-Schuman, 1994.

The second title has a chart with a summary of applicable state laws. There seems to have been a rash of library record confidentiality legislation in the mid-1980s. Most of these laws were written with the public library in mind but some also cover any publicly funded institution.

The confidentiality of library records is specifically protected to some degree in all states except Hawaii, Kentucky, Ohio, and Texas. (The four exception states may have other protections. Texas, for example, has a state constitutional privacy provision.)

Records Protected

In general, these laws protect circulation and registration records. Many of them also protect information on the "use of library materials" and any other personally identifiable information kept by libraries. A few go so far as to mandate confidentiality of records that do not contain personal information but could be used with other records to link personal data with library use. (Perhaps a browser log combined with a computer sign-up sheet?)

Releasing Information

Typically, library information can be released to the individual at his or her own request (often in writing) or released upon presentation of a court order or subpoena. A number of libraries have successfully challenged subpoenas they viewed as overly broad or serving narrow interests. The lesson here is that not every court order should be complied with automatically.

Interestingly, only a handful of states (Alabama, Georgia, Louisiana, New Mexico, South Dakota, and Wyoming) specifically mandate release of a juvenile's library records to a parent or guardian.

Record Format

Most of the laws do not address format and can be assumed to cover all library records, electronic or otherwise. They do concern "library" records with no consideration of records generated, kept or used by a third party (vendor, network service, etc.). It appears that there is an assumption that the library is in complete control of patron personal data. This is clearly changing and we may want to address this potential problem.

Two Related Concerns

Most federal and state legislation on the privacy of electronic records and personal data deal exclusively with medical information. There is pending legislation (federal) on the privacy of commercial transactions over the Internet, but it's not clear how this will turn out. The e-commerce folks have gotten a reprieve while they settle on industry rules for "self-regulation". It is difficult to predict if there will be a move to update privacy legislation to specifically cover electronic records, or automatically generated data. It is even more difficult to know if that would be a "good thing".

Open record laws in some, but not all, states specifically exempt library records from freedom of information (FOIA) inquiries. The federal law leaves it to the states to set such exemptions. In a few states it appears that the open records law and the law on library record confidentiality may be in conflict.

Usage Tracking

Automatic Usage Tracking

Web servers, by necessity, know some very basic information about the visits to the site and the requests for information the site receives. The most basic of this information is the Internet address of the computer requesting a Web page for viewing, the date and time of the request, and the page that was requested. Each such transaction is generally logged by the remote Web server and logs are often analyzed to generate statistics on numbers of visits the site has received, the relative popularity of files on the site, and a general view of what networks and countries the viewers are coming from.

All of this information relates to the address of the requesting computer and does not directly identify the person at the computer. In some cases, where the computer is a personal computer and has a fixed Internet address, it may be possible to trace online activity with a particular computer and computer operator. In the more common case, where Internet addresses are reassigned as computers are turned on or dialed up, connecting the Internet address with a particular person is not impossible but it is difficult and costly.

The next most popular type of usage tracking is done through the use of "cookies." Cookies are small files that are written by the visited web site to the visitor's computer's hard drive. The cookie generally is used to uniquely identify the computer and track repeat visits. It may also carry an identification number that can be linked to a record of online activity that is stored by the remote web site's owner. This record can be relatively innocent, such as the number of visits and time of day of visits, but it can also record personally identifying information if the visitor has signed up for services or made purchases through the site.

In addition to these two types of tracking, visited web sites can also gather information on the type of browser used by visitors, the operating system of the visiting computer, and the previous site visited. Depending on the browser settings it may be possible to obtain the visitor's email address if the browser is also used as the email program.

Other Usage Tracking

Because the information revealed in automatic usage tracking is limited, many sites encourage users to register for member services. Registration and sign-in then gives the site additional information about the individual user. Because many users knowingly give false information sites may require a valid email address before opening a user's "account." Users may be required to reveal demographic information such as age, educational level, or income as part of registration. User activity on the site will then be linked to the user's account.

Web sites also use "services" to gather information on users even if they do not sign up with the site. For example, some sites offer weather information services that require the user to input their zip code; others offer horoscopes based on date of birth. Contests and sweepstakes are employed on the web to gather contact information from individuals, just as they are in the offline world.

Usage tracking by the library

The library's own web server probably has all of the usage tracking capability of those used by commercial web sites although it is likely that the library makes only minimal use of the information gathered. However, the fact that the data exist and may not be secured is to some extent a privacy issue.

Server Statistics

All servers today gather activity logs of some type and usually as part of their default settings. Some libraries may not be making use of the logs, while others may be incorporating log data into their regular management statistics as well as server maintenance and enhancement activities. The specific privacy issues for libraries are similar to the ones relating to user circulation records:

  • The library must be aware that these logs do have the potential to identify users although it is unlikely that they would be utilized for that purpose. One possible scenario is in the tracing of hackers who may have used the library's computer or other activities involving law enforcement.
  • Logs should be kept secure and available only to authorized users.
  • Log files should be deleted at appropriate intervals determined by the library.
  • If the library does not run its own server it should determine that the logs are treated properly and securely

Cookies

The library's own web site may use cookies, either to track user activity or to allow functions to span page views, such as keeping the user's library card number while the user checks out or renews multiple items. This could affect users in the library as well as those logging in from home. Cookies used for this purpose do not need to leave a permanent record, and those relating to circulation of items should be given a very limited expiration date so that they are removed from the user's computer as quickly as possible after the transaction has completed.

Signup Sheets

Although not a part of the technology itself, many libraries have users sign up for their online time slot. These signup sheets then become a record of who was using the computer at a given time. In unusual cases, such as criminal investigations, these hard copy logs may be combined with server logs to identify the person operating the machine at the time that some suspicious activity took place. Libraries need to consider how long such signup sheets should be saved given their potential for use (and for abuse).

Usage Tracking by External Websites

Remote web sites visited by users of library Internet connections will almost certainly do more user tracking than libraries do themselves. The commercial nature of the Internet and its advertising revenue model mean that sites are very interested in who is visiting, their interests and demographics. In general, libraries have no control over what data are gathered by remote sites although they can mitigate some of this through local browser settings.

Server Statistics

Remote sites will gather statistics of visits to their site. Because the library's Internet access computers are used by many different people, there is less likelihood that usage statistics could be linked to actual individuals. Libraries also usually disable the use of the browser for email, so there will be no capture of individual email accounts.

Browser Information

Remote sites will gather information about browser types and versions in order to tailor the data that they send back to the library machine. There is little privacy risk in this activity.

Cookies

Commercial web sites make frequent use of cookies, most of which is aimed at marketing and usage tracking. These cookies have no practical utility for the user and therefore could be eliminated by setting the browser to automatically reject cookies. Cookies are, however, sometimes required:

  • Some sites will not let a user view any documents unless their system accepts a cookie.
  • Some features, like online purchasing or Web email accounts, only work through cookies.

Cookies pose a real dilemma for libraries because they can carry or link to the activities of an individual user, which is inappropriate for a shared, public machine. Some cookies are set with the email address and password of the user. Even those that are "anonymous" may alter the content of the screen based on past activity which is not related to the current user seated at the Internet station. Yet by disabling cookies, users may be prevented from accessing some sites and from using some features of the Web.

In response to a query posted to PUBLIB, most replies indicated that although the libraries may have disabled cookies in their browsers at one point they found that without cookies patrons could not make use of essential services such as online databases that the library subscribed to. One respondent had developed a clever solution for his library by creating a cookie file for the library's online databases then making the file read-only so that no other cookies could be set. Clearly, a discrete cookie acceptance program would be a valuable addition to the library's workstation security suite.

Security Issues

Computer system and network security issues are extremely important in these days of broad-based internet access to business processes. Increasing incidents of computer viruses and other computer crimes have alerted many to the need for much tighter security. Restricting access to services to only those for whom the services are intended and provided is also a significant concern. These issues are addressed in a number of different ways, by adopting methods in which an individual identifies himself to the system he seeks to use.

Authentication

Authentication mechanisms generally attempt to assure that the person is who they purport to be and/or that they are entitled to the services for which they are applying.

Perhaps the simplest form of authentication in use, in part because it requires little on the part of the user, is authentication accomplished by filtering the IP address of the user's machine. With this technology, a table of allowable IP addresses is maintained between the user and the target resource. Only machines whose IP addresses reside in this table are granted permission to access the target resource. This is the most common authorization method used for licensed, web-based services because of its relative ease of implementation. And when a whole IP range is authorized, usage statistics are no longer traceable to individual passwords/people.

The disadvantages of using IP address authentication are its relative lack of security, the relatively high maintenance required for keeping the addresses on all services up-to-date, and the difficulty of handling services to users not part of the IP address network, such as those who use other ISP's, those off-campus and/or public library patrons.

Restricting access to a service can also be accomplished by filtering packets at the router or firewall where these are used in institutional networks; firewall technologies are relatively secure.

A common form of authentication, the userid/password pair can be used to grant access to a machine or service. This is a familiar technology to most computer users, not very sophisticated in nature. It is easy for a vendor to implement.. The userid and/or the password may be assigned by the system administrator or self-assigned by the user. Such authentication is often used to grant access to email services and to file shares on local area networks. In this form it is often used to grant the library user access to her/his own library circulation record. In many implementations, however, passwords might not be encrypted as they pass over the network, thus making it possible for passwords to be compromised with relative ease. Maintenance, too, can become troublesome as multiple systems require the maintenance of multiple password files for the same user. Userid/password authentication concerns in the library center around the user's account on the online catalog system -- the account where private address and circulation data are held. Concerns also center around the use of userid/password to authenticate against a proxy server or firewall for access to restricted research databases. In each of these areas there are concerns about:

  • How secure is the password? How easily could it be compromised?
  • Are passwords encrypted in storage? Encrypted when transmitted?
  • How much staff access is there to the password file?
  • What is the library or agency's policy on giving away the information that is secured by this userid/password?

Development trends within the userid/password arena tend towards the wider use of encryption for the storage and transmission of passwords. Also, administrators more than ever tend to provide their users with more and better advice on how to design and maintain an effective USERID and password. The use of hashed or protected passwords imparts a much higher degree of security to the userid/password authentication event. A hashed password is encrypted and details of the encryption method are sent along. The target system recreates the password according to the encryption method and matches the output to the original password, thus providing a much higher degree of authentication.

In some applications the use of a one-time password proves effective. Such a password might be given a very limited lifespan by the administrator. Such passwords might also be used in combination with smart card technologies. This type of password is not known to be in use in library automation systems.

Encryption

Encryption is the process of transforming information so it can't be decrypted or read by anyone but the intended recipient. This disguised information is called ciphertext. It is the ciphertext that you send across the Internet. A cryptosystem is designed so that decryption can be accomplished only under certain conditions, which generally means only by persons in possession of both a decryption engine (these days, generally a computer program) and a particular piece of information, called the decryption key, which is supplied to the decryption engine in the process of decryption. Plain text is converted into ciphertext by means of an encryption engine (again, generally a computer program) whose operation is fixed and determinate (the encryption method) but which functions in practice in a way dependent on a piece of information (the encryption key) which has a major effect on the output of the encryption process.

Libraries transmit many sensitive data over the Internet. These transmissions are open to:

  • Eavesdropping, where your information remains intact, but its privacy is compromised. For example, someone could learn your library borrower ID, spy on a private conversation, or intercept confidential search results.
  • Modification, where your original information is changed or replaced and then sent to the recipient, who is none the wiser. For example, someone could alter a request for materials, or change a person's resume.
  • Impersonation, where your information passes to a person who poses as the intended recipient.

Where encryption is employed, sensitive data can be protected during transmission.

Many issues surround the practice of developing and using encryption. Standards exist, but they are not universally adopted. There is continuing debate related to the government's interest and participation in the use of encryption techniques and products. Export controls exist on commercial products. Legal challenges are likely to arise as well.

Institutional Concerns and Developments

In order to make electronic services available to the public, libraries are rarely alone in providing the support for the underlying technology. Libraries are most often a part of a larger institutional framework which may dictate or influence the actual implementations of certain technologies and which may affect the privacy of library staff (as employees) and the library's patrons through decisions about any number of issues related to directory information, e-mail packages, network operations and authentication, and supported software such as browsers and filters. It may even be the case that the library is unaware of some of these decisions that would have such an impact, and the decision-makers may be unaware of the library's concerns and interests in this issue.

An example of the sort of administrative decision that may affect the library's support of technologies is the decision to install filters on all PC's within a governmental or school environment without notifying the users of this. Noted in the January 2000 Newsletter on Intellectual Freedom (p. 23) and in the October 1999 American Libraries, "because of a customer access problem reported to them, library staff at the Anchorage Municipal Libraries discovered that filters had been installed on all municipal Internet connections, apparently on orders of Mayor Rick Mystrom. Subsequent communication with the city administration revealed that filters had recently been placed on all municipal computers in response to productivity concerns. Neither the Anchorage Assembly (city council) nor the library had been consulted."

The institutions with which libraries are affiliated are likely to have policies and practices that dictate inclusion of names, phone number, and work e-mail addresses in directory databases, that determine how employee e-mail and privacy are to be handled, and that specify policies relating to use of technologies in the work place. Monitoring of employees may occur and in fact be quite appropriate and legitimate, but it seems highly desirable that notification be given to employees concerning all policies and practices that may impact them. To the extent that monitoring may occur for customer service purposes, library patrons, who may also be monitored in the process, should be notified.

Library Practices

Because of libraries' historical commitment to patron privacy and confidentiality, many efforts exist already to focus on library practices as they relate to the issues under consideration. It is good library practice to prepare and disseminate policies on access to electronic resources, workstation use and Internet policies which address privacy and confidentiality issues. Policies that govern the use of electronic resources in libraries impact on many facets of library operations. They are used to educate and inform library boards, employees, and users; to support mission statements; to drive collection development decisions; to frame censorship challenges and the accompanying process; to align other related service policies and to cross-check staff practice. Well-written policies empower users. Development of policy statements forces librarians to examine and articulate the role of electronic resources within the context of the library's mission. Policies provide a safeguard for libraries when actions are challenged. A stated commitment to privacy is aligned with the Library Bill of Rights. The development and dissemination of policies reflect good management practice in libraries. Consideration of privacy issues in the electronic environment is an extension of this "best practice."

Borrowing, Tracking through Online Circulation

An old issue for libraries, not new with the electronic environment, is the commitment to confidential treatment of borrowing and usage records for library materials. With automated systems, it may be easier than ever to capture this information and to answer such questions as

  • Who has what items charged or requested right now?
  • Who was the last user to have an item charged?
  • Who had what charged in the past?
  • Who owes money; who has ever lost a book (even if title no longer associated with patron record); who has asked for waived fines or threshold overrides?.
  • When was someone at circ desk; when did she drop her books into the return slot?

Information needed for communicating with patrons and for capturing demographic information is often stored in patron records. Additional information that may be found in patron records can include associations (parent-child links; professor-assistant links), SSN or drivers license numbers (may be key to other databases), addresses and phone numbers; dates of valid addresses (suggesting when a house might stand empty for summer vacation).

Such information, usually central to the library's mission and activities, is routinely protected by access policies, and, in electronic form, transmissions are encrypted; however, back-ups and logs may not be so closely protected. Many staff and individuals associated with system operations have access to the data stored, and thus it is very important that all staff have a clear understanding of the issues associated with borrower/patron privacy.

New library service developments enable greater end-user convenience through online requests, self-checkout, renewal, etc. These also offer the potential for loss of confidentiality as users can page back through web screens or check the status of a misappropriated ID number.

Electronic Resource Usage

Electronic resources include: 1) Paid subscriptions to services, databases, or purchased CD-ROMS, 2) Online Public Access Catalogs (OPACs), and 3) Remote or on-site access, which may or may not require authorization. (Web Access is covered in a separate topic.) All of these services or products are used like any other library resource--for research, entertainment, homework, etc. Continuing developments and refinements in many integrated library systems offer users the capability to download or email information to themselves, which may link information to a specific user. Depending on the policy of the library, access to some or all of these resources may be limited by location (in the library vs. off-site) or by status (resident, employee, student, etc.) Remote access often requires authorization and/or authentication to use e-resources. For purposes of justifying continued support of and/or subscriptions to these resources, the library may wish to compile relatively detailed statistical usage information from activity logs and other tracking mechanisms. It is easy for the library to strip out and customize what information it wishes to capture. Libraries may employ proxy servers to collect statistics on the number of hits to e-resources. While these data may be used for budget planning, simultaneous user licensing, addition of passwords, etc., it is feasible that private information could be gathered. The key, as in any situation where tracking occurs at an individual level, is to not retain or capture the information that would compromise that privacy.

Contract negotiations with service providers or product vendors must specify levels and types of access. Informing users of privacy policies and limitations of contractual agreements is critical. Depending on the library policies, contracts and agreements, statistics may be gathered by IP address or linked directly to the user via network ID and password.

Web Access

One of the most difficult and contentious areas of new technology for libraries is in providing public access to the web and the issues surrounding how to manage that access. These run from filtering in order to 'protect' children from inappropriate websites to workstation configuration and placement in order to provide privacy. A variety of hardware and software (Fortress, SpectorSoft) solutions may be available, as well as less technical policy and practice solutions.

Libraries may adopt a number of strategies to help manage web access: no public internet access; access to selected sites only; filtered access; no cookies; cookies from selected sites only, then write-protect disk; educate users about what to reveal. Libraries can set cache to zero and can encourage users to kill browser when done. Public workstations may get filled up with cookies, each describing a different user's preferences/contact info at a different web site. Many sites request personal information. Users need to be informed about what they should and should not reveal. The Children's Online Privacy Protection Act of 1998, effective April 21, 2000, requires commercial website operators to follow fair information practices in connection with the collection and use of personal information from children. This raises important concerns for libraries as Web access providers, particularly in educating children and their parents or guardians.

Policies on Web access vary greatly from library to library and may address such topics as age (adult vs children), status (member of the library community), location (on site vs remote access) and timed usage (sign-up vs unlimited access). With authorization, a user has access to the web sites the library is offering to its clientele. At some libraries authorization simply equates to being physically present in the library when using a workstation. Any tracking of information is linked to the IP address, not a user name. Authentication requires a specific user signon and password that links a user by name to a workstation for a given period of time. In order to receive this signon and password, some personal identification may be required. With authentication a user usually has a broader access to web resources than with authorization.

The ability to count users, study use patterns, collect aggregate data, and logout web access on a timed inactivity standard are some of the features of monitoring web software that assists in library planning.

All manner of data may be gathered with surveillance software. Authorization will gather information linked to the IP address and authentication can link all Web activity to a specific individual. The amount of information gathered varies.

Control of Web access in large research, academic and public libraries may be determined at the administrative level of the library. However, it is not unusual for academic computing centers or university administration to provide a broader authority in the academic library environment. Similarly, public libraries may offer Internet access as one user of a larger government network. School libraries may be limited by controls imposed at the school district level. In general, Internet Service Providers (ISPs) may also have policies on data gathering and dissemination. Whenever possible, licensing and contracts should reflect the library's policies on privacy and confidentiality.

Filtering

Filters, which are offered in a variety of formats, are designed to block Internet content that someone has defined as unwanted or objectionable. Filters are available in the form of software, remote proxy servers or through search engines or Internet Service Providers (ISPs). The blocking of information is based on human review and/or machine-programmed analysis. The automated approach can focus on keywords, phrases, and sites. In addition, time of use, category of user and type of Internet activity (ftp, chat, etc.) can be blocked. Sample products include

In those libraries that use filters, one can find an array of filtering deployment. Filtered Internet access may be the only option, as one extreme, or one workstation in the Children's Collection may contain filter client software, with no limitation to workstation access throughout the library by children. Some of the problems that arise with the use of filters are

  • Use of filters in libraries is contrary to the Library Bill of Rights
  • Filters block legally-protected speech
  • Filters prevent a user from exercising free access and enquiry
  • Filter companies make arbitrary decisions regarding what to block
  • Filters block controversial speech
  • Filters do not work
  • Server-based filters can log activity that could be linked to users

In libraries where users have a choice of filtered or non-filtered access, it is possible that activity could be linked to the user. In those libraries where a filter can be disabled on site by a library employee, such intervention may well create a privacy issue for the user who must seek assistance to retrieve blocked information. Use of a filter in a library will create an environment where the speech that was intended to be blocked will be available and speech that was not intended to be blocked, will be inaccessible. Librarians will have to deal with both scenarios.

Of national interest to the library community was the Mainstream Loudon case wherein the court struck down a library's mandatory filtering policy. Many states face legislation requiring the implementation of filtering in schools. Publicity challenges are numerous, including education the user about their 1st Amendment rights, how filters affect those rights, the rights of parents/guardians to guide their own children and privacy issues related to filters.

Customization/Personalization of Websites and Preference Profiling

Users have increasing oportunities to customize or personalize their interactions with web-based services. Examples include bookmark keepers ( www.murl.com); personal profiles (saved search profiles under an account the user supplies or past shopping history under an ID stored in a cookie); personalized web spaces (myhomepage.html); and personalized profiles to public resources ( http://hegel.lib.ncsu.edu/development/mylibrary/). Information collected to enable personalization includes users' preferences settings, identified by name or id and password or PIN; users' search strategies; email addresses; or shopping histories. My.Yahoo, for example, requires birthdate (including year), gender, and ZIP code. A user could falsify responses for pseudonumity, but then the services aren't necessarily tailored appropriately.

For the most part, these services are add-on in nature and user invoked. The user has more control over interface with such services, and trades for it control over personal data/preferences. It may be desirable for libraries to communicate some of these issues, as users begin to act on new opportunities to personalize web environments.

Email of Search Results

Many online search engines and catalogs support emailed output. In some cases the user can annotate search results or modify subject line of email. Size limits on output (resource usage, also prevents denial of service attacks/spam) and routines for dealing with bounced mail (if redelivered to user, how is confidentiality protected?) can help an institution manage such a service. The potential for violation of privacy within this type of service relates to how the library may manage the logs of activity, not unlike the issues that would surround other types of email. Addresses, searches and strategies may also be at risk if safeguards are not in place.

Email

As much of our written communication now takes place by e-mail, the libraries services are also affected by this development. Mail sent/received by library staff, mail sent by users to library staff (requests for help), mail sent by users to others using library-supported software (browsers), and mail sent by users to themselves (database output; annotations), mail sent on library-supported listservs are all relevant as libraries consider their policies with respect to privacy and confidentiality. Logs of mail and activity, and backups of network and email traffic must be considered for their confidentiality. It is important for staff to understand the work policies with respect to private correspondence using work account/mail server. And it is important for users to understand that they may be less able to be anonymous than over phone or even in person.

Workstation Configuration and Privacy

When planning the arrangement of cluster or individual workstations in public areas, libraries can either provide or prevent privacy in searching and viewing electronic and Internet resources. In addition to systematically addressing workstation hardware and furniture configuration, libraries can install privacy screens on monitors, such as the 3M Privacy Computer Filter. While some privacy screens slide over the monitor face, others are attached with loop-and-fastener tape. Deliberate workstation arrangement and use of a privacy screen offer increased confidentiality to a user regarding information searched and retrieved AND protect the passer-by who does not choose to view the online activities of another. Privacy in workstation arrangement may result in improper user behavior. Workstation arrangements may result in the loss of eye-contact with users for library staff.

Patron Information to Vendors for Electronic Use

There are several ways for a commercial vendor to obtain user information in the electronic environment. Many involve the voluntary submission of personal data over the Internet. The distinction lies in how the information gathered is used and if the person who supplied it is aware of all of the potential uses. The simplest search on the Web may be used to collect aggregate data on products, services, etc. that can be tied to a location or user group from the IP address, what browser was used and from which domain. When a user provides a name when completing a survey, the user provides an identifying link to the user from the vendor. A customized profile of that potential "customer " could be developed and shared with other vendors. Some libraries are also authorizing bookstores to have hotlinks on library Web sites. Individual data are only secured by the vendor/bookstore when the user purchases an item via that site. Personal information solicited by vendors from children has recently been regulated by the implementation of the Children's Online Privacy Protection Act of 1998.

In most of these situations, the privacy policy of the vendor, not the library, will determine if or how a user's personal data and activity profile will be shared or sold. Privacy policies of vendors are not always clearly stated. Library users may assume that access to the Web through the library site is governed by library policy. The commercialization of a library's Web site makes the library a partner in the potential violation of user privacy.

The confidentiality of users that has long been a hallmark of the library profession becomes a commodity in the free market when library users supply personal information on the Internet via the library. The link of commercial vendors on library sites is a recent development. Some libraries also use banner advertisements that lure the user with instructions to "click here and ask for information." A publicity challenge is how to educate users on the blurring of profit versus non-profit in the Web environment. How can libraries effectively inform users regarding the potential and real security risks on the Internet when private information is divulged? Libraries must also be prepared to educate children, parents and guardians on the impact of The Children's Online Privacy Protection Act of 1998.

Commercial Applications

Those industries that view libraries as major customers have shown that they will build in privacy protections (and other technologies) to products aimed at libraries. The primary industries that are in this relationship to libraries today where privacy is important are:

Library Automation Systems

Library automation systems have already put in place numerous controls to protect patron records. Today, library systems are increasingly interacting with other systems via protocols like HTTP (the World Wide Web protocol) and Z39.50 (for database searching). As these systems evolve, libraries must exercise oversight in assuring that the patron protections are carried forward into new versions of these systems.

Database Vendor Systems

Increasingly, vendors of database systems are making those systems available over network connections and providing access to library patrons on a subscription basis. As the primary customers for these databases, libraries and their related institutions have an opportunity to influence the treatment of user privacy through the negotiation of contract terms. Larger institutions and consortia obviously have more influence, but their negotiations can benefit smaller institutions by setting a precedent.

Content Vendor Systems

Until recently, most online access was to bibliographic databases only. Producers of content are now beginning to make their content available online, although there is still much fear of piracy that keeps vendors from offering some works. To protect works that are distributed digitally, vendors are developing access control mechanisms that may intend to track the use of works in a way that was neither possible nor required in the hard copy environment. These access controls can be a danger to the privacy users have normally experienced in using library resources. Libraries, in their subscription to and licenses for access to this content can focus on these issues of privacy and confidentiality.

Other Commercial Developments

As the web and the internet become ubiquitous for the conduct of business and commerce, developments that may impact libraries and their patrons' use of information and libraries will likely unfold almost entirely outside of our control. Even in areas where we may have strong interest, we may not have the necessary participation, such as with the Platform for Privacy Preferences (P3P) being developed by W3C. Committed individuals working to participate, and strong association support voiced frequently and regularly, may provide the best possibility for moving the issues forward in a way that we feel might benefit our organizations and our library users.