Privacy Frameworks & Tools

Adventures in Privacy Literacy — Kate Roberts & Erin Berman, San José Public Library

Big Picture Question: How might we empower people to make informed decisions about online privacy issues? This came out of a Knight Foundation challenge.

  • Lots of online data privacy issues and needs going on
  • Need for being privacy literate; patrons are asking about this issue
  • Shift from fear-based messaging to fun and education

Received Knight Prototype Fund support to rapidly iterate and create a prototype (Luma Institute training)

  • Their beginning research found that learning about online privacy can be scary, overwhelming (way too many results; where to get started?), and boring (dull, dry, no interactivity, no personalization, one-size-fits-all)
  • Yet people are thinking about their privacy
    • 93% of adults say that being in control of who can get information about them is important
    • 69% of adults say they are not confident that records of their activity maintained by online sites…
    • Pew reports on online privacy

Design Thinking: Statement Starters, Stakeholder Mapping, Thumbnail Sketches, Community Interviews

Wanted to create something fun & engaging for their community.

Talking with the community (all ages and backgrounds), they found that people:

  • use the Internet in different ways; usage changes day to day and hour to hour
  • have unique needs
  • have multiple identities
  • have different definitions of privacy
  • are hungry to learn

Whatever was developed, content mattered much more than platform.

Partnerships: International Computer Science Institute & San José State University Game Dev Club

Game Development Roles: manager; artist; level creator; coder

Gamification Principles: Why Games Work

  • Sequencing
  • Appropriate Challenge
  • Status
  • Achievements
  • Feedback Loops
  • Curiosity
  • Recognition over Recall

Paper Prototyping — 13 users tested; iterated along the way; learning happened; simplification needed; connecting dots to Privacy Path

Digital Prototype Tech: Construct 2 (HTML5 engine for 2D games) and JavaScript (inserting the text and building the logic for the privacy path) — text was loaded alongside the game

User Testing: a broad audience has different needs: teenagers; adults; English as a second language; different levels of gaming experience

Follow-up survey: 80% learned something new from their Privacy Path; 33% took action, following links or tips

What came next: How should we make this info available for our customers on all devices? The game was going to be challenging and expensive to continue to design. Instead, they developed a privacy area for the library website, based on the paths originally developed for the prototyped game

  • Used Quiz Module in Drupal to build toolkit & privacy paths
  • Getting Started Tools for quick resources
  • How the library is protecting patron privacy
  • Coming Soon: Spanish & Vietnamese versions of Virtual PrivacyLab
  • The game may never go live, but it is definitely playable in the version they created at the prototyping stage
  • Community response: page traffic phenomenal; library community reaction has been positive

NISO’s Initiative on Patron Privacy in Info Systems (#nisoprivacy) — Todd A. Carpenter @TAC_NISO, Executive Director, NISO

  • About NISO
  • ALA Code of Ethics Clause III – We protect each library user’s right to privacy & confidentiality…
  • Publishers, content providers & systems vendors are not libraries, nor are they staffed by librarians; they serve library patrons, but they also serve other communities in other ways
  • We often envision libraries as books — but much more often they are servers
  • Most library/info services take place in the cloud — not directly managed by the library
  • Outside of the library community, there are a lot of orgs that have a very different perspective on privacy: Google, Amazon, Facebook
  • Not all privacy issues are hacks; not all breaches are malicious; not all data sharing is inappropriate
    • Google Analytics — data goes back to Google
    • OverDrive + Amazon
    • Adobe Digital Editions — transferred reader data in plain text (unencrypted)
  • Weigh these risks against the real benefits that can be derived, or service improvements that are possible, through usage analysis
  • Can libraries & services providers develop valuable services that are based on user activity data or improve existing services…
  • Can we build a framework to protect patron privacy that is based on consensus that simultaneously recognizes the nuances with the privacy issue?
  • NISO Patron Privacy Initiative — Mellon Foundation support
  • Goal: Establish a consensus framework of principles that prescribe how info systems should respect the privacy of patron data
  • Discussions
    • Virtual Discussions: patron privacy in library systems, vendor systems, & publisher systems; AND legal frameworks
    • In-person/live-streamed, post-ALA conference
    • all meeting recordings available on project website
  • Meetings were to develop key elements of privacy, privacy principles, and outline what principles mean
    • Preamble: importance of privacy in community + value that can be provided by using patron data, using it in a responsible way, recognizing benefits, how to build privacy into process of using info
    • Principle 1: Shared Privacy Responsibilities: Responsibility over everyone serving library patrons to respect privacy
    • Principle 2: Transparency & Facilitating Privacy Awareness — policies should be not buried, not lengthy, and easy to understand.
    • Principle 3: Security — use best possible systems to protect patron identifiable info
    • Principle 4: Data Collection & Use — when appropriate to collect data, use, how long to hold/use
    • Principle 5: Anonymization — if activity data, strip out as much identifiable info as possible, keeping risk of privacy exposure in mind
    • Principle 6: Options & Informed Consent — educate patrons; provide Opt-Out; policies shouldn’t be retroactive
    • Principle 7: Sharing data with others — it is necessary to pass credentials in a digital environment; passing them on to advertising isn’t appropriate. Reflect on patron privacy expectations when sharing data with other orgs
    • Principle 8: Notification of Privacy Policies & Practices — not making changes retroactive.
    • Principle 9: Supporting Anonymous Use — opportunity for patron to use the service anonymously, as much as possible. Showing if an anonymous service is/isn’t available
    • Principle 10: Access to One’s Own User Data
    • Principle 11: Continuous Improvement — similar to preservation. Continually updating protocols & policies.
    • Principle 12: Accountability (between library and vendors) — third-party review; a vehicle for privacy audits needs to be developed
    • Glossary developed for terms used
  • What’s next? Draft of final report developed but not quite done. Out for final review.
  • A special ISQ issue and a Computers in Libraries article have been written about this process; trying to be open about the project
  • For more info, see the NISO website
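The principles above are stated as policy, but Principles 4 and 5 (data collection/retention and anonymization of activity data) translate into concrete processing steps. The following Python sketch is an added example, not code from NISO, the session, or any library system: it takes constructed usage events, drops directly identifying fields, replaces the patron ID with a keyed pseudonym (so the same patron is linkable for usage analysis within one key's lifetime, but a guessed ID cannot be turned into a token without the key), coarsens timestamps to ISO week, suppresses values seen too rarely to hide in a crowd, and enforces a retention window. The field names, the key, the thresholds and the retention period are all assumptions for illustration.

```python
import datetime as dt
import hashlib
import hmac
from collections import Counter

# Constructed sample of what a raw usage log might hold. The schema is an
# assumption for this example, not any vendor's or library's real format.
RAW_EVENTS = [
    {"patron_id": "P1001", "name": "A. Reader", "email": "a@example.org",
     "ip": "203.0.113.7", "ts": "2016-03-04T14:22:31",
     "action": "checkout", "item": "978-0-00-000001-1"},
    {"patron_id": "P1001", "name": "A. Reader", "email": "a@example.org",
     "ip": "203.0.113.7", "ts": "2016-03-04T18:05:00",
     "action": "renew", "item": "978-0-00-000001-1"},
    {"patron_id": "P1002", "name": "B. Reader", "email": "b@example.org",
     "ip": "198.51.100.9", "ts": "2016-03-05T09:10:00",
     "action": "checkout", "item": "978-0-00-000001-1"},
    {"patron_id": "P1003", "name": "C. Reader", "email": "c@example.org",
     "ip": "192.0.2.44", "ts": "2016-03-12T11:00:00",
     "action": "checkout", "item": "978-0-00-000002-8"},
]

# Fields that identify a person directly and serve no analytic purpose here.
IDENTIFYING_FIELDS = {"name", "email", "ip"}

# Demo key only. In practice the key lives in a secrets store, is never
# written next to the anonymized data, and is rotated on a schedule.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(patron_id: str, key: bytes) -> str:
    """Keyed hash of the patron ID: stable under one key, unrecoverable without it."""
    return hmac.new(key, patron_id.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_timestamp(ts: str) -> str:
    """Reduce a full timestamp to ISO year-week, dropping day and time of day."""
    return dt.datetime.fromisoformat(ts).strftime("%G-W%V")


def anonymize_event(event: dict, key: bytes) -> dict:
    """Apply Principle 5 to one record: strip identifiers, pseudonymize, coarsen."""
    out = {k: v for k, v in event.items() if k not in IDENTIFYING_FIELDS}
    out["patron"] = pseudonym(out.pop("patron_id"), key)
    out["week"] = coarsen_timestamp(out.pop("ts"))
    return out


def suppress_rare(events: list, field: str, k: int) -> list:
    """Generalize values of `field` that occur fewer than k times (k=2 here is a demo value)."""
    counts = Counter(e[field] for e in events)
    return [dict(e, **{field: e[field] if counts[e[field]] >= k else "OTHER"})
            for e in events]


def within_retention(events: list, today: dt.date, max_days: int) -> list:
    """Apply Principle 4: keep only raw events younger than the retention window."""
    cutoff = today - dt.timedelta(days=max_days)
    return [e for e in events if dt.datetime.fromisoformat(e["ts"]).date() >= cutoff]


def process(events: list, key: bytes, today: dt.date,
            max_days: int = 90, k: int = 2) -> list:
    """Retention filter, then per-record anonymization, then rare-value suppression."""
    kept = within_retention(events, today, max_days)
    anonymized = [anonymize_event(e, key) for e in kept]
    return suppress_rare(anonymized, "item", k)


if __name__ == "__main__":
    for row in process(RAW_EVENTS, DEMO_KEY, today=dt.date(2016, 3, 15)):
        print(row)
```

Two design points worth noting: rotating the key deliberately breaks linkage between old and new tokens, which is the trade-off between usage analysis and long-term exposure that the preamble describes; and suppression is applied after pseudonymization because a rare item paired with a stable token is itself a re-identification risk.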

Question on holding vendors accountable: the initiative is not there yet for implementation. Follow-up work is needed on what implementation of and adherence to the above principles would look like, and on how companies are doing. It is in vendors’ interest to have a better grasp of some of these issues.