Privacy vs. patrons; or, “but I want my circ records!”

I lean hard on my students to recognize that patrons are not librarians and do not think like librarians, so I owe it to them to tell a story on myself on that score. I was volunteering at the local Ride the Drive event last year (yes, it was held mid-pandemic, with due precautions) when I got to chatting with another volunteer about my library-circ-data FOIA project and why I was so dismayed at finding the library had twenty years of my library checkouts on file.

The guy looked honestly nonplussed. “But I like being able to look at what books I checked out,” he said. I had to downshift the conversation by a lot—honestly, my mental bike chain seized up in spectacular fashion and fell right off its derailleur—to get it back in gear. I’m not proud of myself; I assumed vastly too much of a non-librarian and should have known better.

Y’all, as I said to IMLS (and this experience was partly why I said what I did), library privacy ethics and librarian practices in service to those ethics are extremely non-obvious to most library patrons. One of the commonest ways circulation and reference folks run into this knowledge gap is precisely with the patron curious about what they checked out last year, something a properly data-minimized ILS will not know, at least not by default.

(If you are a fully-credentialed librarian in the US or Canada—yes, I do mean the MLS—and you do not know why a properly data-minimized ILS will not know by default what a patron checked out last year: first, be ashamed of your ignorance; second, check out this Texas school district marrying censorship with parental snooping for one reason of many that retaining identified circ records is an exquisitely bad idea; third, go read Steve Witt’s article on the history of privacy in the ALA Code of Ethics. As an LIS educator myself I almost never say “every librarian should know,” but here’s my exception to that self-imposed rule: everyone with an ALA-accredited MLS should know why retaining identified records of patron information use past what is absolutely necessary to run a library or archives is dangerous as hell, and why ALA and CFLA/FCAB consider it unethical. Zero exceptions. Zero.)

I’m the last person who would claim that recalling one’s own prior information use is pointless. Have you seen my Pinboard and/or Raindrop?! My whole thing as a knowledge worker is “bookmark it; you might need it later.” I also share the raised hackles of some librarians who have written that blanket circulation-history deletion is inappropriately paternalistic; “you can’t have this useful thing because I The Librarian know better than you!” is kind of obnoxious as a service stance even when it’s true, and it often is true—patrons’ information-use threat models tend to be, erm, underdeveloped.

But here’s the thing: a patron recording and retaining their own information use is a very different thing with a very different threat model from the library recording and retaining use for all patrons, especially by default. There are reasons I keep lists of fics I’ve enjoyed in Archive of our Own’s internal bookmarking feature (and log in there under a pseudonym) rather than in my public and identified Raindrop or Pinboard accounts, just as a relatively-harmless example (though watching would-be censors and revisionists try to get me for involvement with critical race theory based on my Goblin Emperor fic habit would be amusing in a gallows-humor sort of way).

Part of the difference is Big Red Targetness: if you as an individual are a Big Red Target for some person or group that’s out to get you, you likely know about it and modulate your behavior (including information behavior) accordingly as best you can… but how many people, emphatically including those who know they themselves are Big Red Targets, know that both historically and presently libraries have been a Big Red Target for people looking to micromanage, surveil, threaten, blackmail, attack, arrest, and/or imprison other people? It’s perverse to think that libraries should ignore that just because some patrons aren’t Big Red Targets and feel safe (or defiant) enough to keep records of what they read.

Part of it is chosenness and defaults. One thing I need to write some new slides about for human-factors infosec (formerly intro-infosec) is a rule I wish developers would consider ironclad: software defaults should be the securest possible, such that end users have to make affirmative choices to adopt a less-secure posture. This is crucially important because most people neither think about nor change software defaults! This is known! And it’s no less true in libraries than in software! The thought of a patron getting picked up by the local purity police (who may or may not be the actual police, of course) because they simply didn’t think about the library keeping records of the LGBTQ+-themed book they checked out is just odious.

It may surprise you, then, to learn that I do actually think there is an ethical road to keeping circ-history-interested patrons happy without endangering other patrons and without trashing library privacy ethics—possibly more than one road, even. It comes back to choice: at bare minimum, patrons must affirmatively choose to retain their circulation records. Retention past return (save perhaps in the special-collections edge case) must never be the ILS default for any patron. (“But analytics! But assessment!” someone is yelping. I’ll be blunt: fuck analytics and fuck assessment; neither is sufficient reason to put any patron at risk. “But history!” someone else is yelping. I’ll be blunt again: the safety of living, breathing people is vastly more important than the convenience of future historians. By all means quote me on that, especially to historians.)

So. What are some ways to let people—even help them—keep tabs on their reading without trashing everyone’s privacy or increasing the library’s Big Red Targetness?

  • Outsource it. Show patrons LibraryThing, StoryGraph, (ugh, if you must) Goodreads, Zotero, Pinboard, Raindrop. If your ILS has bookmarkable URLs, that’s it; that’s all patrons (and you) need. Bonus: they’re not limited to tracking just their library checkouts!
  • Have a bag/cart/list feature, as many ILSes do. This is, believe it or not, different from retaining circulation records! For one thing, it’s active, not passive; a patron must make an affirmative choice to put something on a list, and the default (for times when a patron wants to keep their reading to themself) is not to do so. For another, it doesn’t assert “this patron read this thing” the way a circulation record does, which may seem like a distinction without a difference, but I would trust most lawyers and governance types to be sneaky enough to point it out in a court case.
  • Build a separate bag/cart/list application leveraging the ILS’s APIs or RESTful URLs. Give it a panic button, even, that deletes (or at least deidentifies) all its data when The Man comes calling; that’s vastly less damage and tsuris than trying to figure out how to delete stuff in an ILS (though I do also think ILSes should have panic buttons). Of course use of this app should be an opt-in decision by patrons, who should not otherwise even appear in it.
  • Build or borrow a bookmarking API. Does anyone besides me remember unAPI? Something like that, or perhaps a setup. Get it implemented in ILSes (start with the open-source ones; the proprietary ones will never listen) and bookmarking tools like the ones I mentioned above. Makes it easier to nudge patrons to memory tools that don’t live in the library.
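
A sketch of the two rules argued for above (no patron-item link kept past return, and an opt-in list app with a panic button), written as an added example; it is not code from this post or from any ILS. The class, method, and table names are hypothetical, the `loans` table stands in for the ILS side, and storage is an in-memory SQLite database.

```python
import sqlite3

class ReadingListStore:
    """Hypothetical opt-in list app beside a data-minimized loan table."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE loans (item TEXT PRIMARY KEY, patron TEXT);
            CREATE TABLE optin (patron TEXT PRIMARY KEY);
            CREATE TABLE saved (patron TEXT, item TEXT);
        """)

    def opt_in(self, patron):
        # Retention is off until the patron makes an affirmative choice.
        self.db.execute("INSERT OR IGNORE INTO optin VALUES (?)", (patron,))

    def check_out(self, patron, item):
        # The patron-item link exists only while the item is out.
        self.db.execute("INSERT INTO loans VALUES (?, ?)", (item, patron))

    def check_in(self, item):
        # Default on return: the link is deleted and no history row is written.
        self.db.execute("DELETE FROM loans WHERE item = ?", (item,))

    def on_loan(self, patron):
        rows = self.db.execute("SELECT item FROM loans WHERE patron = ?", (patron,))
        return [r[0] for r in rows]

    def save(self, patron, item):
        # Active, not passive: patrons who never opted in do not appear here.
        if not self.db.execute("SELECT 1 FROM optin WHERE patron = ?", (patron,)).fetchone():
            return False
        self.db.execute("INSERT INTO saved VALUES (?, ?)", (patron, item))
        return True

    def history(self, patron):
        rows = self.db.execute("SELECT item FROM saved WHERE patron = ?", (patron,))
        return [r[0] for r in rows]

    def panic(self):
        # Panic button: drop every saved list and the opt-in roster itself.
        n = self.db.execute("SELECT COUNT(*) FROM saved").fetchone()[0]
        self.db.execute("DELETE FROM saved")
        self.db.execute("DELETE FROM optin")
        return n
```

Because the saved lists live in their own tables, the panic path touches nothing the library needs to keep circulating items.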

I don’t claim that these options are comprehensive; there may well be something I haven’t thought of. It may even exist and I just don’t know about it! I hope that this post reassures librarians that there can be a happy medium between protecting patron privacy and providing good service to patrons in this specific situation.