Study shows challenges to protecting privacy of library users

Librarians have historically taken a strong stand on protecting the privacy of their patrons. But how well they accomplish this varies widely with the size of a library, and technology has made it more difficult, according to the first study of privacy practices and challenges in public libraries.

University of Illinois Urbana-Champaign information sciences professor and cybersecurity expert Masooda Bashir led the study, which was published in The Library Quarterly.

Because no study on this topic had been done before, Bashir and her research group wanted to find out what the current practices and challenges were for public libraries, she said. The team conducted an online survey of public library employees across the country, asking questions about employee training, whether the library published information relating to privacy protections, the processing of law enforcement requests, the use of secure storage methods and responses to data breaches.

The survey was followed by virtual sessions with library information technology employees.

"Technology has really changed the landscape and libraries are becoming much more digitally focused," Bashir said.

During the COVID-19 pandemic, libraries added online services and offered additional apps to patrons. But it is hard to know how well the patrons' privacy is being protected when a library uses digital services offered through a vendor. "Data is shared without our knowledge and processed in ways we can't comprehend sometimes," Bashir said.

The library employees who participated in the survey said their biggest challenge in protecting patron privacy was lack of training and technical knowledge to identify privacy vulnerabilities and take steps to minimize them.

"They all valued privacy and they all wanted to protect patrons' privacy. But sometimes with advances in technology, they're not able to have that control over the kinds of data collected or shared or what happens when it leaves the library. Once someone leaves a library website and is on a vendor website, the protections might not carry over," Bashir said.

More than 800 library employees completed the survey, and most of the respondents worked at small libraries. The size of the library, as measured by its number of cardholders, was the main factor in the level of privacy protections it provided. Larger libraries were more likely to have an information technology employee or someone dedicated to privacy protection. Rural libraries lacked those resources and often had to share such services with other small libraries.

Nearly all the libraries offered basic protections such as the secure disposal of sensitive data. While two-thirds of the respondents said their libraries provide privacy training to employees, 21% of those said the training was not mandatory and less than one-third had received training in the past year. Two-thirds of the participating libraries did not publish any information for patrons on how to protect their privacy, and more than two-thirds had no documented plan for handling data breaches.

Even more alarming to Bashir: For some libraries, particularly smaller ones, their only online presence is through social media rather than their own website.

"That is very troubling. Facebook collects a lot of data—everything that someone might be reading and looking at. That is not a good practice for public libraries," she said.

Additionally, the U.S. doesn't have a comprehensive law or set of privacy protections such as the European Union has, Bashir said.

Another challenge for libraries is that many patrons using a library computer often need help submitting a form or doing some other work online, so they are freely providing personal information, Bashir said.

"Public libraries are used by a lot of people in lower socio-economic groups. Privacy protections for these groups are even more important because they are vulnerable populations," she said.

The American Library Association has guidelines available for helping libraries preserve privacy, but many librarians didn't know about them, she said.

Bashir said a future project for her research group is to develop tools for librarians to be able to detect vulnerabilities in their libraries' technology and to help develop privacy policies and best practices for libraries that don't have the resources to do so themselves.

"Technology caused some of these challenges, and we can also use technology to solve some of them," she said.