It’s not really overdue books and late fees that keep librarians up at night – it’s the battle over users’ online privacy.

The fact our local library – that old repository of the printed word on paper – is at the forefront of protecting our digital rights may surprise some, but members of the Canadian Federation of Library Associations (CFLA/FCAB) are actively involved in defending people’s access to information, and showing the important interconnections among privacy, social responsibility, and a healthy democracy.

In fact, many librarians have taken the Digital Library Pledge as part of their participation in the Library Freedom Project, a privacy-centric partnership among librarians, technologists, attorneys, and privacy advocates. Activities include informing participants about surveillance threats, educating users about privacy rights and responsibilities, and reviewing the digital tools available to stop surveillance.

As endorsers of the Digital Library Pledge, the Ottawa Public Library (OPL) system, for example, agrees that privacy includes the right to read, consider and develop ideas and beliefs without unwanted observation or surveillance. Privacy, pledge-takers agree, is essential to free speech, free thought, and free association in a democratic society, so libraries are committed to preserving citizens’ right to privacy and protecting the confidentiality of data associated with the use of a library’s digital resources, including Web-connected computers available to the public, online search tools and databases used by patrons as well as staff, and more.

“Ransomware – that’s one keeping me up at night: it’s more about data security than privacy,” Craig Ginther, the Manager of Technology Services at the OPL, told WhatsYourTech.ca in an email exchange. “There’s need to better understand all places where user data is stored, so we can ensure we’re not inadvertently hanging on to data. Our reliance on third-party content providers…[remains] a black box in most cases.

“Certainly, I agree that libraries need to have conversations with our users about the potential risks to privacy when using online systems. There’s a lack of understanding among front-line employees, and their ability to create a better understanding among our customers (is affected).”

But even as education and awareness can help the efficacy of any privacy policy, new techniques and technologies present new challenges for librarians (or anyone seeking to protect online data privacy): the digital advertising ecosystem and a growing commercial interest in user demographics reaches into library environments, too, so advertising trackers or cookies can introduce privacy breaches into the library environment.

Another technological challenge: encryption and secure transmission of user data. The Digital Library Pledge encourages the use of the secure https communications standard, recognizing that too many library websites and third-party vendor products are vulnerable to surveillance.

Ginther noted how the Ottawa system, in partnership with Toronto Public Library and the Southern Ontario Library Services (SOLS), surveyed all its digital content vendors to gauge their commitment to providing https across their products as well, and he said they are continuing to press a few remaining vendors who still don’t follow the recommendations.

“Guidelines are a good place to start, but it clearly can’t end there,” Ginther said. “Libraries are headed in the right direction on this, but there’s lots more to be done – and this is one of the reasons we signed on to the LFP pledge – to put our money where our mouth is when it comes to renewal of third-party systems that aren’t willing to move the chains when it comes to protecting user privacy.”

He noted how the OPL’s cardholder authentication system, for example, is managed through a third-party system that is under https. Called EZProxy, the platform can be used by libraries to give access from outside the library’s computer network to restricted-access websites that otherwise authenticate users by IP address. OPL’s primary catalog vendor has recently shifted to site-wide SSL encryption (SSL, or Secure Sockets Layer, is being succeeded by TLS, or Transport Layer Security, which the OPL uses for secure encrypted data transport to outside vendors).

Still, there’s “lots of work to be done at OPL,” Ginther acknowledged, “in terms of our own understanding of the third-party systems that we make available, and our ability to share that understanding with our customers.”

[Data privacy and online security] are “never a done deal. For our part, we need to ensure that we’re vigilant and keeping up with changes. We consider this to be a journey without a destination.”

So if you’re heading to the library, be sure and check out the privacy policies along with your reading material: the librarian is likely among those who believe understanding and following the best online privacy and data security practices is a moral if not legal responsibility these days.

Even as some individuals, private organizations and public institutions disregard their responsibilities, others take it as their solemn duty to inform people about online privacy, to educate customers about the best data security practices, and to state clearly and openly what their own privacy policy entails.

And to collect late fees!

-30-