Anne Klinefelter, the beloved law library director at UNC-Chapel Hill (you should hear her dean introduce her; really!), is hosting a Data Privacy Day event on reader privacy. She makes the case in her opening panel remarks that, if we wish to translate library practices with respect to privacy into a digital world, we need to figure out how to translate not just law but also ethics. Anne argues that the law needs updating to keep up with new research practices of today’s library users, especially as we shift from a world (primarily) of checking out books to a world (primarily) of accessing databases. Her analysis of the 48 state laws with respect to user data privacy shows that the statutes vary in substance, in coverage, and in enforcement. Anne’s closing point is a great one: if we’re in the business of translating these rules of library protection of user data, we need to bring the ethical code and norms along as well.
Jane Horvath (Google) and Andrew McDiarmid (CDT) take up the Google Books Search Settlement and its privacy implications. Jane emphasized the protections for user privacy built into book search. She also emphasized ECPA and the need to update it to protect reader privacy. Google, she says, is “calling for ECPA reform. It really is necessary now.”
Andrew described, diplomatically and clearly, the privacy concerns that CDT has with respect to the Google Books Search Settlement (which CDT thinks should be approved; EFF, the Samuelson Clinic, and the ACLU of Northern California have similar concerns, but oppose approval of the settlement). The critiques that Andrew described are not limited to Google’s activities, he noted; Amazon and others need to address the same issues. Andrew worries about the potential development of (too?) rich user profiles that may be the target of information requests for law enforcement and civil litigants. Rather than regulate Google as a library, Andrew argues, we should focus on the kinds of safeguards that CDT would like to see apply. The best recent restatement of Fair Information Practices is by the DHS, says Andrew. Eight principles should apply: Transparency, individual participation (including the right to correct it), purpose specification, minimization, use limitation, data quality and integrity, security, accountability and auditing. CDT would like to see Google commit to specific protections in alignment with these eight principles.