
This article was downloaded by: [Stony Brook University]

On: 22 October 2014, At: 01:48


Publisher: Routledge
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,
37-41 Mortimer Street, London W1T 3JH, UK

Journal of Library Administration


Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/wjla20

Ethical Issues Implicit in Library Authentication and Access Management: Risks and Best Practices

Pam Dixon
The World Privacy Forum, CA

Published online: 12 Oct 2008.

To cite this article: Pam Dixon (2008) Ethical Issues Implicit in Library Authentication and Access Management: Risks and Best
Practices, Journal of Library Administration, 47:3-4, 141-162, DOI: 10.1080/01930820802186480

To link to this article: http://dx.doi.org/10.1080/01930820802186480


ABSTRACT. As authentication and access management systems and procedures in libraries have transitioned from paper to digital and have become more ubiquitous, new considerations regarding the ethical implications of these systems have arisen. Digital authentication and access management raises concerns about privacy, identifiability, and disclosure of patron-related data.

Library patron confidentiality is protected by law in a number of states. But privacy considerations have often been missing from technical and other authentication discussions, possibly due to a general lack of best practice guidelines addressing these challenging issues. This article analyzes the privacy and ethics issues that authentication and access management in libraries raise, reviews applicability of the canon of Fair Information Practices for ethical guidance in library policies, and discusses best practices for libraries.

KEYWORDS. Authentication, access management, authorization, privacy, Fair Information Practices, libraries, biometrics, personally identifiable information (PII), DRM, ethics, best practices

Pam Dixon is author, researcher, and founder of The World Privacy Forum, CA
(E-mail: pdixon@worldprivacyforum.org).
Available online at http://jla.haworthpress.com
© 2008 by The Haworth Press. All rights reserved.
doi:10.1080/01930820802186480 141
INTRODUCTION

The overarching purpose of authentication–to identify patrons–and the ideals of libraries–to allow anonymous research–conflict directly with each other in challenging and unresolved ways.

Authentication–or determining that individuals are who they say they are–used to be accomplished by a library patron filling out a slip of paper with information such as name, home address, and phone number, and in return receiving a library card with a number, bar code, or possibly their name on the face of the card. Access management–tracking which patron was using which library materials through a record keeping system–used to involve a paper-based process tied to a stand-alone database in a library or network of libraries. These systems have largely been replaced by more sophisticated digital models that have changed many things about the authentication and access management processes in libraries.1

Authentication and digital access management are now more ubiquitous, have become significantly more complex, and may be tied to granular content management and services extending in some cases beyond the library. Both authentication and access management often rely directly or indirectly on personally identifiable information.2 It is not unusual to find that libraries have merged or tied authentication and access management into other library systems.

Digital authentication techniques can pose privacy issues in their own right. But more problems arise when digital authentication is used in concert with other activities in libraries. For example, the greatly increased use of computers, networks, and virtual libraries typically results in the creation of multiple patron clickstreams and data trails. Authentication and access management technologies facilitate the capture, retention, analysis and eventual disclosure of the copious amounts of transactional and other information that are captured in the variety of library technologies.

When this stored information is linked or is capable of being linked to patron authentication, entire library patron clickstreams and digital activities over the course of time may be tied to a unique individual. The maintenance of these kinds of patron records represents a profound shift in library practice and policy, changes with significant ethical implications. Librarians, who have been well-trained in matters relating to patron confidentiality, tend to care deeply about such matters. However, the difficulty with today’s authentication and access management schemes lies in their complexity and in their implementation. The data may not be under the control of the library, and a library may not even be aware how new technology affects library values. Many of the ethical challenges for privacy are subtle and buried deep within systems, so they are much more difficult to perceive.

OPERATIONAL AND OTHER CHANGES IN AUTHENTICATION

New authentication and access controls have become increasingly ubiquitous in library settings. An Association of Research Libraries (ARL) survey from 2001 found that 98 percent of responding institutions authenticated users in some manner.3 Of these institutions, 82 percent authenticated using Internet Protocol (IP) address, and 78 percent authenticated using user password and user identification number (user ID).

Additionally, there is increased tension surrounding user authentication. Currently, if a library is not authenticating patrons or providing access control to content, then it is likely that the library may be pressured to do so by either an IT department, or in some cases a city government.4 Fully 35 percent of libraries surveyed by ARL in 2003 noted that they were required to authenticate at library public access workstations by their parent institution. One library was mandated by its state to authenticate patrons.5 It is probable that at some near point in the future, all or almost all libraries will employ authentication techniques and access management for at least some of their systems. These systems may be implemented and managed by non-library departments and personnel, and may even be managed remotely.

Another change lies in the increased complexity of authentication and access control. Authentication and access management techniques can involve quite complex computing architectures and data flows; content vendors may require one form of authentication, while a networked information resource may require another. The National Information Standards Organization’s (NISO) analysis of authentication and access methods in the library metasearch environment discussed a variety of access and authentication technologies such as Internet Protocol or IP filtering, cookies, proxy servers, and digital certificates, among others. It is not unusual for libraries to use a finely-tuned and nuanced combination of these and other practices and technologies for authentication and access control for in-domain and out-of-domain users. According to NISO, “[t]he Access Management Process in a metasearch environment can require multiple steps and be quite complex . . . The process involves multiple “actors” (end user-authenticator, authentication release authority, authorizer, metasearch engine, data source) and any actor can play many roles.”6

Despite the complexity of the systems, most library authentication techniques in use today share some commonalities. A patron’s authentication is often tied to a name, a government-issued identification such as a driver’s license, an Internet Protocol or IP address,7 an educational or institutional identification number, an email address, or some other form of personally identifiable information. Most authentications do not require an in-person transaction after the initial set-up, and can typically be accomplished via a laptop, smart card, or a library terminal. Authentication is often available ephemerally throughout the library using a wireless system that allows real-time authentication as needed.8

Today’s library authentication mechanisms may also manage both the green-lighting of the patron identity and the details of access to databases and to other services. In some UK libraries, patrons can use a single authentication to check out books and request bookings for sports facilities.9 In numerous public and academic libraries, users can access robust databases in the physical library (as an in-domain user), or they can authenticate from home using their own computers and access the same databases (as an out-of-domain user). Some libraries allow users to access their circulation records or to use photocopying services through the authentication, and it is not unusual for an academic library to also authenticate for course registration information.

A number of highly granular access management systems have emerged, many of which incorporate additional layers of authentication and may also allow financial transactions. Some of these systems are proprietary, and may also include Digital Rights Management (DRM) tied to authentication. The eMeta “eRights” software, for example, manages digital rights, authentication, and subscription information.10 ASM International made its volumes available to academic libraries through this particular platform, as did Standard & Poors.11

Large reference database services such as WilsonWeb have made efforts to make their digital system compatible with a variety of widely used access and authentication management systems.12 But generally speaking, most libraries will have to accommodate multiple systems and chart out a complex variety of authentication layers to meet all of the external vendor requirements. These layers may be invisible to most patrons, and the patrons may be wholly unaware that they are authenticating to one or more off-site databases or content distributors.

In some libraries, authentication processes have become more reliant on increasingly personal information. For example, patrons may be asked to give a second form of ID as part of the access procedure. In some rare cases, patrons may be offered a biometric-based13 library system instead of a plain-face card. A biometric may be as simple as a photo, or it can be more complex. Fingerprinting, once exclusively associated with the criminal justice system, is also being used in some libraries for authentication.14

However, one of the most challenging privacy issues libraries may face in the area of authentication and access control is not biometrics, but the subtle erosion of patron privacy through automated processes largely invisible to most librarians and patrons. These issues can be ameliorated, but to do so takes knowledge and detailed library policies that address the ethical aspects of authentication and access management.

CORE PRINCIPLES AVAILABLE FOR ETHICAL ANALYSIS OF AUTHENTICATION AND ACCESS MANAGEMENT SYSTEMS IN LIBRARIES

Librarians are not without guidance in ethical areas that touch on authentication and access control issues, such as privacy and confidentiality. The American Library Association makes available copious guidance on privacy and confidentiality.15 Beyond this, forty-eight states have passed laws protecting library patron confidentiality.16 Some critical guidance, however, that exists regarding other aspects of ethics touching the issues authentication and access management raises is not generally well-known, and the guidance that is better-known is more technical in nature.

Although it is little-known in the U.S. outside of the realm of lawmakers and privacy experts, there exists an entire canon of Fair Information Practices that touches deeply on authentication ethics and practices. A set of library best practices for ethics, and a set of technical best practices for authentication and access management are also helpful. These sets of principles are the core guidance available to librarians and others who are interested in examining authentication issues in a systematic and consistent manner.
Fair Information Practices

Fair Information Practices–or FIPs–are an internationally recognized and influential set of principles and practices that describe how an information-based society should approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security. The practices were adopted in 1980 by the Organization for Economic Cooperation and Development (OECD),17 a body that has historically created internationally-agreed upon codes and policy instruments. The eight principles were agreed upon by member countries–including the United States, which ratified the principles twice–through a formal consensus and country-level ratification process. The OECD guidelines form the basis of many key modern international privacy agreements and national laws.18

These eight Fair Information Practices are referred to by the U.S. Government Accountability Office and other Federal agencies as the key principles for privacy protection.19 Beyond their uses in lawmaking and regulation, Fair Information Practices are widely used in the U.S., Europe, Canada, Australia, and other countries as the primary standard by which to analyze informational practices of companies and other entities for ethics and other matters. In Europe, the European Union Directive on the Protection of Personal Data (1995) and in Canada The Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996) are based expressly on Fair Information Practices. Most American privacy laws incorporate at least some Fair Information Practice policies.
The principles of Fair Information Practices are as follows:

1. Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject; or (b) by the authority of law.
5. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual Participation Principle. An individual should have the right:
   a. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
   b. to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
   c. to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
   d. to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.20

These standards have significant applicability to authentication practices.

Other Standards That May Be Applied

Additional guidance in this area is found in the American Library Association (ALA) policy on confidentiality of library records. The policy urges libraries to “Formally adopt a policy that specifically recognizes its circulation records and other records identifying the names of library users to be confidential.”21

Further, the ALA’s Code of Ethics expressly recognizes privacy protection:

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.22

Questions regarding patron access are addressed in ALA Code of Ethics as well.23 An important technical set of best practices for libraries may be found in the National Information Standards Organization’s Best Practices for Designing Web Services in the Library Context.24 While these best practices do not touch directly on all the ethical implications of authentication or access management, they do have high applicability to the Fair Information Practice security principle. As such, they should form the cornerstone, along with ALA’s Code of Ethics and Fair Information Practices, of discussions about authentication.

THE INCREASED ETHICAL CHALLENGES MODERN AUTHENTICATION AND ACCESS MANAGEMENT BRINGS: THE RISKS FOR LIBRARIES AND PATRONS, AND BEST PRACTICES THAT CAN MITIGATE RISKS

While newer authentication schemas may add utility for library staffs and patrons, new authentication technologies and techniques may also add new layers of difficulties and data challenges to patrons. Some issues with ethical impacts can be obvious to both staff and patrons. For example, user authentication hassles can create interruptions in service.25 Authentication can also create barriers to public access of data, something which has been discussed eloquently by librarians.26 But the myriad privacy issues authentication raises are far more subtle and are typically unseen. The National Academies of Science, in its landmark 2003 study of authentication and privacy, Who Goes There?, wrote:

Authentication’s implications for privacy do not necessarily equate to violations of privacy, but understanding the distinctions requires being aware of how privacy can be affected by the process of authentication. Such awareness is usually absent, however, because authentication tends to be thought about more narrowly, in connection with security.27

The study authors go on to assert that core authentication technologies are “generally more neutral with respect to privacy than is usually believed. How these technologies are designed, developed, and deployed in systems is what most critically determines their privacy implications.”28 This is a fair analysis, and it directly applies to authentication in libraries.

Because the potential harms to patrons are not always immediately visible to library staff or to the patrons themselves, some of the more challenging privacy issues may lie hidden until there is a data crisis of some sort. At that point, if ethical considerations in authentication have not been thoroughly analyzed and mitigated beforehand, problems will arise unexpectedly for both library staff and patrons. The authentication system that looked simple and did not appear to pose significant privacy concerns may be found to have in fact posed multiple difficulties with substantial ethical impacts in the area of privacy.

The challenges in authentication systems tend to fall along a consistent matrix: identifiability (direct and indirect), the resulting increased potential ability to track patron research and other activities, and secondary disclosures, both inadvertent and by request. There is a growing set of best practices in libraries that have mitigated such risks; the best practices implement Fair Information Practices such as notice, collection limitation, and others.

Increased Identifiability and the Ability to Track Patron Activity

Newer authentication systems have the potential to allow increased identifiability of patrons. Patron identification may be accomplished directly, for example, through the collection of a patron name or home address. Librarians are generally trained to look for these overt kinds of identifiers and mitigate confidentiality issues related to their use. But authentication systems may also identify patrons indirectly. Examples of indirect forms of identification would include collecting user IP address, patron web browser states,29 patron identification through web browser cookies, through partial names, and through passwords that are tied in some way to an official identification number or other identifying factor.

The potential for the indirect identification of patrons through authentication systems is likely a bigger problem in libraries than is currently realized. Much of the risk is based on how a library has implemented its authentication technologies. For example, cookie-based authentication techniques can be implemented in such a way as to transmit cookies with email addresses, names and other authentication information in the clear, that is, unencrypted.30 IP addresses pose an entire category of risk: Peter Murray in the Association of Research Libraries (ARL) Library Patron Privacy survey wrote: “Since IP addresses can be tied to specific machines, particularly in some campus network situations, and consequently individuals, this can be a source of concern. A number of transactions log this data, and it should be treated as if it was a piece of patron-identifying information.”31 Authentication transactions that include email, IP address, or patron ID number fall into the realm of indirectly identifiable personal information. The problem with indirect identification is that although it may appear to be non-identifiable, it is just one step or two away from becoming fully identifiable. A Michigan-based librarian described a situation in which, after a death threat was issued to a professor from a public workstation at a university library, university officials requested that the library begin authenticating each user, requiring static IP addresses, and maximizing library computer caching and history files. The librarian was able to cite Michigan’s state-level law requiring patron confidentiality to refute the requests, but in another situation or state, a library may end up with a new set of invasive authentication and data retention procedures based on a security incident.32 It only takes an aggressive investigator, prosecutor, or even private litigant to obtain a subpoena or court order to attach an authentication sign-in to a particular patron. Tying a static IP address to an ID is not difficult, and it is just a few extra steps to link a dynamic IP address to an authenticated patron.
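The warning above that cookie-based authentication can carry names and e-mail addresses in the clear has a concrete shape in code. What follows is an added example, not code from this article or from any library system it describes: a hypothetical `build_weak_cookie` reproduces the pattern the article objects to, and `issue_opaque_session` shows the usual mitigation, a random token that identifies the patron only through a server-side table and is sent with the Secure, HttpOnly and SameSite attributes so it cannot travel over plain HTTP or be read by page scripts. The two review helpers check a Set-Cookie line the way a library could check its own or a vendor's. The function names, the sample patron and the session lifetime are all constructed for the illustration.

```python
"""Cookie-based authentication: identifying data in the clear versus an
opaque session token.

Added illustration, not code from the article or the systems it discusses.
The 'weak' builder reproduces the practice the article warns about (name and
e-mail address carried in the cookie value); the 'hardened' one issues a random
token that maps to the patron record only on the server and sets the
Secure/HttpOnly/SameSite attributes. All names and values are constructed.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

SESSION_TTL_SECONDS = 3600  # constructed lifetime for the example


def build_weak_cookie(name: str, email: str) -> str:
    """Weak pattern: the patron's name and e-mail travel inside the cookie.
    Anyone who can observe the request, or read the browser's cookie jar,
    learns who the patron is; with no Secure attribute the cookie may also be
    sent over unencrypted HTTP."""
    cookie = SimpleCookie()
    cookie["patron"] = f"{name}|{email}"
    return cookie.output(header="Set-Cookie:")


def issue_opaque_session(patron_id: str, store: dict) -> Tuple[str, str]:
    """Hardened pattern: the cookie carries only a random token; the patron id
    stays in a server-side store keyed by that token (a dict stands in for
    the session database here)."""
    token = secrets.token_urlsafe(32)
    store[token] = patron_id
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True      # only over TLS
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["samesite"] = "Lax"   # not sent on cross-site requests
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = SESSION_TTL_SECONDS
    return cookie.output(header="Set-Cookie:"), token


def resolve_session(cookie_header: str, store: dict) -> Optional[str]:
    """Server side: parse an incoming Cookie header value and look the token
    up; an unknown or missing token yields no patron."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None:
        return None
    return store.get(morsel.value)


def cookie_exposes_pii(set_cookie_line: str, identifiers) -> bool:
    """Review check: does a Set-Cookie line carry any of the given
    identifiers (name, e-mail, patron number) in the clear?"""
    return any(ident in set_cookie_line for ident in identifiers)


def missing_protections(set_cookie_line: str) -> list:
    """Review check: which of the expected attributes are absent from a
    Set-Cookie line?"""
    lowered = set_cookie_line.lower()
    return [attr for attr in ("secure", "httponly", "samesite") if attr not in lowered]


if __name__ == "__main__":
    weak = build_weak_cookie("Ada Lovelace", "ada@example.org")   # constructed patron
    print(weak, "-> missing:", missing_protections(weak))
    sessions = {}
    hardened, tok = issue_opaque_session("patron-0042", sessions)
    print(hardened)
    print("resolves to:", resolve_session(f"session={tok}", sessions))
```

Run as a script it prints both Set-Cookie lines side by side; the review helpers are the part a library could reuse against captured headers from its own login flow or a vendor's, which is the kind of invisible-layer check the article says patrons and most librarians never get to make.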
Increased direct or indirect identifiability leads to increased ability to track patrons’ digital library activities. For example, it is not unusual for patrons accessing a library remotely or via a library wireless network to receive tracking cookies33 from the library or from multiple vendors tied to an IP address and to other web browser states. Cookies may be tied to patron name or ID and can be used to record the research activities of a patron through a site by the library, or by an external vendor, depending on how the system is set up.

If a library authorizes a specific patron, an off-site content provider may want to track that patron’s access to that data for its own purposes. The library world is not yet accustomed to homing in on the potential of secondary use issues in this kind of scenario. Currently, libraries are aware of vendor data stores in that libraries use aggregated use data from vendors to refine their program strategies.34 However, in some instances the kind of data being passed to vendors is the same kind of data that fuels the multi-billion dollar online behavioral advertising industry.35 There are well-documented processes by which a combination of cookies and referred information (such as user log ins, terms searched for, and IP address) are used to create detailed profiles of individuals’ activities.36 Unless it is prohibited through language in its library contract, database vendors and other content providers and distributors can also take the next step and use patron information however they wish.

This is not a hypothetical concern. Some e-book providers currently state directly in their privacy policies that they track and profile their users. For example, eReader states in its privacy policy that: “We tie your personally identifiable information, and your activity history, to information in the profile, in order to provide tailored promotions and marketing offers and to improve the content of the site for you.”37 Librarians may not be aware of this activity. It is also unlikely that library patrons would be aware of this, as few will go in search of the privacy policies that would disclose this practice to them.

Library systems may also capture patron activities that include entire research clickstreams and search queries. The 2003 ARL Patron Privacy survey found that only 38 percent of surveyed libraries purge a variety of logs immediately. But 33 percent of surveyed libraries store search and retrieval logs of public access catalogs and other research databases “indefinitely,” and the remaining 29 percent store the records an average of 3.8 months. Some systems may capture information beyond research activities. For example, library systems that authenticate in real-time for activities ranging from photocopying to purchasing snacks may inadvertently capture and store additional information about patrons that patrons are unaware is being captured and stored.

There is great temptation to capture patron clickstreams in logs and to subsequently analyze those logs for various library purposes. For example, an ARL workstation survey found that of libraries that keep workstation authentication logs, the primary data they analyze includes search patterns, system usage, workstation usage, and unauthorized login attempts.38 It is not uncommon for libraries to experiment in this area. For example, a Digital Library Federation conference presentation explained the analysis of patron web logs in the library setting and noted its benefits and drawbacks.39 The benefits of these kinds of activities should be counterbalanced by analysis for privacy and ethical considerations. For example, highly aggregated statistics are more privacy-friendly than granular analysis of individual patrons’ actual search queries. Stripping of individual identifiers from client-level data may also enhance privacy.
Libraries also need to think about what information vendors are receiving, and determine how or if the library, their vendors, or their partners are using patron information. This includes the use of web analysis and statistics software, which can pose privacy risks, depending on configuration.40

These tasks are easier discussed than accomplished, and the implementation may require intricate systems analysis. One of the underlying issues is that most library authentication and research systems, by their nature, tend to store information as opposed to shed it. In a pre-9/11, pre-Internet world, this has entirely different implications than it does now. The more information a library system captures and ties to a discrete patron identity, the greater the risk of exposure and disclosure.41 Librarian Karen Coombs at SUNY noted that “ . . . as most librarians know, 9/11 and the passage of the USA PATRIOT Act changed the prominence of privacy issues in libraries everywhere.” Coombs conducted a rigorous privacy analysis of the SUNY library systems with an eye to preparing for authentication requirements at her library.42 Coombs determined what needed to be kept, and then devised a system to purge or scrub the rest of the data.

In the SUNY system, which was quite complex, Coombs’ routine allowed the library to collect and retain aggregate demographic information while not linking patron identity to the records that were accessed. Coombs found patron information tucked away in unexpected places, such as the log files of an OpenURL resolver. In the end, Coombs was able to tighten controls on systems the library controlled and provide authentication–meeting her security department’s needs–but she kept most records confidential, meeting her requirements under the ALA code of ethics. She also implemented collection limitation by scrubbing certain data (such as parts of IP addresses) and deciding to no longer collect patron Social Security Numbers or dates of birth.

The SUNY implementation is an example of how the Fair Information Practices of collection limitation and purpose specification can work in practice in a library authentication system. Another example of collection limitation would be to limit the actual sign-up information retained on a patron. For example, if the system only requires name and address, then extra fields such as email or phone number are not needed. Some library systems exist, such as Shibboleth, for the precise purpose of allowing for collection limitation. While this discussion does not focus on specific technologies, it is important to note that some privacy-enhancing technologies do exist for library use.43
Certainly an area of best practices libraries will need to examine is their collection and retention of public access catalog and research database search query logs. There is a strong argument under Fair Information Practices that this material, if collected at all, should be purged immediately. Additionally, contracts should be reviewed for language that prevents external data vendors and sources from retaining or reusing information gleaned from authentication or research.
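The scrubbing routine described above (truncating IP addresses, dropping fields such as Social Security Numbers, keeping aggregate usage without a link to patron identity) and the point about purging search query text can be illustrated with an added Python example. This is not Coombs’ SUNY code, nor any library’s or vendor’s tool. The log lines, addresses, patron IDs and the SSN-shaped value are constructed for the example; the query parameter names (patron, sid, q, ssn) and the per-period pseudonymization key are assumptions. The example goes a little beyond the text in also handling IPv6 prefixes and in flagging where identifying data hides before it is scrubbed.

```python
"""Log scrubbing in the spirit of the SUNY routine: keep the aggregate,
shed the identity.  Added example; sample lines and field names are
constructed, not taken from any library system."""

import hashlib
import hmac
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Apache common log format.  The addresses,
# patron IDs and the SSN-shaped value are invented for this example.
SAMPLE_LOG = [
    '10.1.42.17 - - [03/Mar/2008:10:15:02 -0500] "GET /resolver?sid=ebsco&id=doi:10.1000/xyz&patron=P0012345&ssn=123-45-6789 HTTP/1.1" 200 512',
    '10.1.42.99 - - [03/Mar/2008:10:16:45 -0500] "GET /catalog/search?q=abortion+law&patron=P0099887 HTTP/1.1" 200 2048',
    '192.0.2.55 - - [03/Mar/2008:10:17:03 -0500] "GET /resolver?sid=jstor&id=pmid:12345678 HTTP/1.1" 200 256',
]

# Collection limitation: parameters the library decides never to retain
# (search text, SSN, date of birth, email) and identifiers replaced by a
# keyed, non-reversible pseudonym.  The names are assumptions.
DROP_PARAMS = {"q", "query", "ssn", "dob", "email"}
PSEUDONYMIZE_PARAMS = {"patron", "user", "uid"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<rest>\S+ \S+ \[[^\]]+\]) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<tail>.*)$'
)


def truncate_ip(ip):
    """Keep only the network part of an address (/24 for IPv4, /48 for IPv6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize(value, key):
    """Keyed hash: the same patron counts once within a reporting period, but
    nobody without the key can map the token back.  Destroying the key when
    the period closes makes the retained records unlinkable."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_url(url, key):
    """Drop forbidden query parameters and pseudonymize identifiers."""
    parts = urlsplit(url)
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in DROP_PARAMS:
            continue
        if name in PSEUDONYMIZE_PARAMS:
            value = pseudonymize(value, key)
        kept.append((name, value))
    # safe=":/" keeps identifiers such as doi:... readable after re-encoding
    return urlunsplit(parts._replace(query=urlencode(kept, safe=":/")))


def scrub_line(line, key):
    """Truncate the client address, scrub the query, then redact any
    SSN-shaped token that still appears anywhere in the line."""
    m = LOG_RE.match(line)
    if m is None:
        return SSN_RE.sub("[REDACTED]", line)
    rebuilt = (f'{truncate_ip(m["ip"])} {m["rest"]} '
               f'"{m["method"]} {scrub_url(m["url"], key)} {m["proto"]}" {m["tail"]}')
    return SSN_RE.sub("[REDACTED]", rebuilt)


def audit_line(line):
    """Privacy audit before scrubbing: report where identifying data hides."""
    findings = []
    if SSN_RE.search(line):
        findings.append("ssn-pattern")
    m = LOG_RE.match(line)
    if m is not None:
        names = {n for n, _ in parse_qsl(urlsplit(m["url"]).query)}
        findings.extend(sorted(f"param:{n}" for n in names & (DROP_PARAMS | PSEUDONYMIZE_PARAMS)))
    return findings


def scrub_log(lines, key):
    """Scrub every line; return (scrubbed_lines, requests_per_path), the
    aggregate the library keeps with nothing tying it to a patron."""
    scrubbed, usage = [], Counter()
    for line in lines:
        out = scrub_line(line, key)
        scrubbed.append(out)
        m = LOG_RE.match(out)
        if m is not None:
            usage[urlsplit(m["url"]).path] += 1
    return scrubbed, usage


if __name__ == "__main__":
    period_key = b"constructed-period-key"   # rotate and destroy per period
    for line in SAMPLE_LOG:
        print("audit:", audit_line(line))
    lines, usage = scrub_log(SAMPLE_LOG, period_key)
    print("\n".join(lines))
    print(dict(usage))
```

The design point is that the retained record answers the statistical questions the library has (requests per resolver source or catalog path, distinct patrons per period) without a table that maps tokens back to people: the pseudonym key lives only as long as the reporting period, and search text and SSN-shaped values never reach disk at all, which is the “purge immediately” position above applied at write time rather than by a later cleanup job.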
Ostrowsky and Halls advocate the idea of protecting patrons and libraries with anonymous library cards modeled on the gift cards structure. The authors note that: “With an anonymous library card, the library is willing to loan materials to anyone because it knows it can’t really lose anything. Since the library would never loan more than it could recoup from a cash deposit, it would be able to loan controversial items without storing personally sensitive information.”44 The idea has much to recommend it, and strikes a balance between the needs of libraries to secure expensive materials and the need to limit collection of personally identifying information tied to library resources.

Inadvertent or Unintentional Secondary Disclosure Risks

Secondary disclosure and use risks are greatly increased with some forms of authentication and access controls. Patrons are most likely to be unaware of how authentication data requests and access control mechanisms may impact privacy. Users who have as their password their name and Social Security Number inadvertently give external vendors and library partners information tied to their real identity, and they are at increased risk in any data breach situation. As discussed earlier, lengthy research queries and reference transcript trails over the course of months or years may be stored by a vendor. Depending on the vendor’s contract with the library, patron data from authentication may be tied to other user information such as a persistent cookie on the user’s hard drive. Even if the library purges its clickstreams, the library’s vendor may not. If the vendor or network authenticates through username plus password tied to tracking cookies, even a library proxy server will not be likely to rescue patron privacy.
In the California State University system, until 2005/2006, students accessing the library from off-campus computers logged in to the library’s premium databases with their full name plus a full Social Security Number (SSN). This authentication information, as it left the library and went to the databases, became subject to these external databases’ privacy policies.45 Beyond that, the authentication information, depending on the set-up of the library system, could be captured in library log files, caches, and backup tapes.
As of 2007, all universities in California now use numbers other than the SSN for student ID. However, the authentication data that is transmitted to external parties contains a name plus the student ID. This is not an unusual set-up, and it still can pose a privacy risk as the external party may be able to link fuller information about the student from the authentication transaction. Additionally, depending on the contract with the particular external vendor, research information may be stored under that patron’s ID. In the case of many academic institutions, that ID is tied to directory information from the school regarding a student’s date of birth, home address, and course of study.
Coombs’ practices at SUNY in reducing identifiability are at the core of what can be done to mitigate the risk of patron tracking. Beyond these practices, vendor and content distributor contracts should be examined closely. Language that limits the vendor’s data collection, retention, and use should be instituted. For example, vendors should not be able to retain patron-generated data for longer than a period of time the library determines, and vendors should be prohibited from using that data for any secondary purposes other than to report statistics back to the library.

The Crucial Role of Notice

Libraries have an ethical responsibility to disclose to patrons how authentication and access management information is used, kept, and disclosed. This is a core Fair Information Practice. The more personally identifiable the authentication is and the more back-end information that the authentication links to, the more important the disclosure becomes. One logical place to provide this information to patrons is in the privacy policy.
A privacy policy is an opportunity for the library staff to think through all of the privacy and security implications of its systems and procedures. It also represents an excellent opportunity for library staff to disclose and address authentication practices, procedures, and principles. A library with a clear privacy policy will also be in a better position to analyze services offered by third party vendors and to match library privacy standards with vendor practices.
Library web sites often post a privacy policy. In common practice, the policy often refers to web use issues, such as the presence of cookies, and so forth. However, it is rare to find a library privacy policy that fully addresses all of the ethical and privacy issues related to authentication and access management. For example, 86 percent of libraries in the ARL Patron Privacy study did not create a public statement about their policy regarding public access and research database search logs and log retrieval.46
The Ottawa Public Library is an example of the risks of access management technologies, and an example of a best practice regarding notice. In 2007, the Canadian Internet Policy and Public Interest Clinic conducted technical tests to determine if the Ottawa Public Library’s privacy notice matched the information some of its access control systems were collecting and disclosing to third parties. The research found that the library had not disclosed all of its communications.

The Ottawa Public Library’s use of the OverDrive media console for implementation of digital audio book loans results in the disclosure of information to DoubleClick, a provider of ad servicing technologies.47

When approached with this fact, the library rewrote its privacy policy to disclose that patron data was flowing to a previously undisclosed third party. The library now uses Google Analytics for its web site, which it also discloses in its new privacy policy. It is a best practice for libraries to reveal all such information, including the use of third-party analytics.
Many libraries have modeled their privacy policy after the ALA model privacy policy.48 The ALA model policy does a good job of discussing Patriot Act and associated issues of importance to libraries. The ALA model policy is a way of approaching privacy policies, but it does not fully reference all aspects of the internationally accepted OECD Fair Information Practices. For this reason, it is important to supplement the ALA model policy with the broader Fair Information Practices.
The OECD has a tool available, the Privacy Statement Generator, that is a detailed guide to constructing a thorough privacy statement in line with Fair Information Practices. The OECD tool should be used as a supplement to the ALA guide, and will act to fill in the gaps in the ALA policy model as it relates to Fair Information Practices concepts.49 Although not specifically developed for library use, the OECD tool, if used thoughtfully, can assist libraries in improving current policies. The tool will assist those writing policies to consider the many aspects of technology and systems impacting privacy.

User Access to Data

Providing a patron with access to data held on the patron is a core part of Fair Information Practices and an integral aspect of data transparency. Libraries have widely varying procedures on how many and how long patron records are kept. Unless patron data is not retained whatsoever, libraries should have a data access procedure that also includes correction and possible deletion rights. Libraries also need to consider not just directly identifiable data, but indirectly identifiable data like IP addresses.
These are not simple policies to write or to put in place. They can have far-reaching implications, and it is best if a teamwork approach is taken to resolving the issues such policies may raise. For example, if a library reviews its access procedure, and finds that it either has none or does not allow a patron to see a copy of their access history, the challenge will be to amend the policy. However difficult amending such a policy may be, it is worthwhile. If a subpoena or warrant can unearth the information, then the patron should be able to review that information upon request. It is a positive ethical information practice to create a procedure for addressing record errors, as well.
Another challenge is to address the issue of records that may be compiled at third parties and vendors, and records that may be archived. How may–or can–a patron access vendor logs and information that may be stored under the user name and password? If libraries only chose vendors who had good privacy policies, the industry would have to change its standards in order to obtain library business.

Security Risks and Mitigations

Providing good security to data in transit and at rest is a Fair Information Practice. In the area of security and authentication, a great deal of material exists that has described the specific technical risks regarding data protection. Existing technical best practices for libraries have done a good job of addressing these risks.50 Generally, though, librarians should, in addition to implementing these best practices, also think through implications of privacy implicit in the systems and be present for any discussions of security measures. Even if a library is being secured by an external IT department, librarians familiar with the ethical questions implicit in authentication and access control need to be involved in those discussions.
Some issues librarians in particular can address include authentication and ethical considerations. Librarians should also address wireless security, RFID “smart cards,” web access, and encryption. Technical changes and upgrades can be an opportunity for librarians. In Finland, the Helsinki City Library is the central library for all of Finland public libraries, with 500,000 customers in the Helsinki area and 40 branch libraries. When the library wanted to replace one of its existing file transfer tools, it took the opportunity to install a further security solution that would “ensure the confidentiality, integrity, and authenticity of both file transfers and terminal connections . . . ”51
The ALA has a robust selection of materials relating to the use of RFID in libraries; of particular importance are the ALA RFID in Libraries Privacy and Confidentiality Guidelines.52 The principles that apply here are to limit and secure the information on the cards, and to secure the transmission of that information by encrypting it.53

CONCLUSION

Authentication is a sharp data sword. While authentication assists libraries in proving patron identity and managing records and digital content, that same authentication information may be used in ways libraries did not imagine or prepare for. Data factors that seem innocuous in person at a library–a research trail for example–can be misused when linked to patron authentication and stored indefinitely.
Meanwhile, users often do not understand how their authentication information is being used, nor do they always understand the risks authentication information–if inappropriately disclosed–can pose to them. It is the responsibility of libraries to carefully investigate the ethical aspects of authentication systems that are planned, and that are already in place. Fair Information Practices provide a solid basis upon which to begin an analysis of such systems.
Crucially important will be to build on existing best practice guidelines and documents on library authentication. Historically, these documents have focused on the security of the information. This is appropriate, and information security is an important aspect of Fair Information Practices. However, the other aspects of authentication systems need to be considered as well. Good security may not always equal a completely ethical authentication system.
Librarians, who have historically shown themselves to be concerned and careful about patron records, should also exercise care in adopting authentication systems, because these systems may undermine long-standing library confidentiality policies and provide the basis for mischief of various kinds.

NOTES
1. Authentication and access control, or authorization, are two separate activities. Authentication is a test of identity. Access control or authorization involves a complex set of permissions that allow an authenticated individual to use–or not–library resources. A discussion of the differences between these two terms may be found in: Terry Plum and Richard Bleiler, “SPEC Kit 267, User Authentication,” standards paper (Association of Research Libraries, December 2001), http://www.arl.org/bm~doc/spec267web.pdf.
2. Personally identifiable information, or PII, is a term of art in the privacy and security field. Definitions of the specifics that constitute PII may vary, but generally speaking PII is defined as information that may directly or indirectly identify a being. Name, home address, email address, and biometrics are PII. Internet Protocol (IP) addresses are also considered PII by many privacy experts, and including the IP address as part of the definition of PII is law in some countries such as Finland. See the definition of PII recently published by a consensus of U.S. privacy groups: “Consumer Rights and Protections in the Behavioral Advertising Sector,” joint filing, Federal Trade Commission eHavioral Advertising Town Hall Meeting, Federal Trade Commission, November 2, 2007, http://www.ftc.gov/os/comments/behavioraladvertising/index/071115jointconsensus.pdf. See also the European Union definition of PII, which expressly includes IP address: Article 29 Data Protection Working Group, “Opinion 02/2002 on the use of unique identifiers in telecommunication terminal equipments: the example of IPV6,” May 30, 2002, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp58_en.pdf at 3. Canada’s PIPEDA interpretation also includes IP address as PII. See: PIPEDA Case Summary No. 315, “Web-centered company’s safeguards and handling of access request and privacy complaint questioned,” Aug. 9, 2005, http://www.privcom.gc.ca/cf-dc/2005/315_20050809_03_e.asp.
3. Plum and Bleiler, “SPEC Kit 267, User Authentication.”
4. See for example the discussion of authentication regarding academic libraries: Scott Carlson, “To use that library computer, please identify yourself,” The Chronicle of Higher Education, June 25, 2004, http://chronicle.com/weekly/v50/142/42a03901.htm.
5. Lori Driscoll, “SPEC Kit 277, Library Public Access Workstation Authentication,” standards paper (Association of Research Libraries, October 2003), http://www.arl.org/bm~doc/spec277webbook.pdf.
6. NISO Metasearch Initiative, National Information Standards, “Ranking of Authentication and Access Methods Available to the Metasearch environment,” Standards Committee BA (Task Group 1) Access Management, Sept. 13, 2005, 1, http://www.niso.org/committees/MS_initiative.html.
7. When a computer connects to the Internet, it is assigned an IP address during the time it is connected. The IP address is composed of a series of four numbers separated by periods. Each of the four numbers may fall in a range from zero to 255, for example, 60.0.41.142. IP addresses may be dynamic–assigned anew each time a user connects–or they may be static–remain the same each time a user connects. Users with cable connections to the Internet typically have static IP addresses. See: E. Gerich, “Guidelines for Management of IP Address Space,” (Internet Engineering Task Force, Network Working Group, May 1993), http://tools.ietf.org/htm/rfc1466.
8. See for example: “Library provides free wireless Net for laptop,” Deseret Morning News, August 7, 2003.
9. Laurence Lockton, “Students Beat the Queue and Produce Their Own Library Cards,” Computers in Libraries 26, no. 6 (2006): 10-16.
10. “ASM Handbooks now online using eMeta Corp.’s software,” Information Today, September 1, 2002.
11. “Standard & Poors; Business & Finance; contract with eMeta,” Online, November 1, 2002. Note: The ASM Handbooks are a good example of an off-site resource that would be challenging and expensive for a library to acquire in paper format. In digital format, the volumes are more accessible, but do require specific authentication.
12. “WilsonWeb compatible with the U.K.’s Athens Access Management,” Information Today, November 1, 2003. For example, WilsonWeb specifically made their system compatible with Athens Access Management, available in the UK. Numerous other systems exist; see also: Michael Rogers, “VTLS Adding WebFeat to Virtua,” Infotech, March 1, 2007.
13. Numerous forms of biometric identification systems exist. Many of these biometric systems have been analyzed for their privacy, security, and accuracy. See Stephen T. Kent and Lynette I. Millet, Ed., Who Goes There? Authentication Through the Lens of Privacy. National Research Council of the National Academies of Science, Washington, D.C.: National Academies Press, 2003. See also: ALA Biometrics Issues Page, http://www.ala.org/ala/oif/ifissues/biometrics.htm; “Biometrics, Who’s Watching You?,” (whitepaper), Electronic Frontier Foundation, http://www.eff.org/wp/biometrics-whos-watching-you.
14. Very few libraries have moved to a biometric authentication system. The Buffalo and Erie County (N.Y.) Public Library have used a fingerprint system, as have some UK libraries. See, “Naperville to Launch Fingerprint ID System for Internet Access,” American Libraries Online, http://www.lita.org/al_onlineTemplate.cfm?Section=alonline&template=/ContentManagement/ContentDisplay.cfm&ContentID=94750.
15. ALA, “Privacy and Confidentiality,” American Library Association, http://www.ala.org/Template.cfm?Section=ifissues&Template=/ContentManagement/ContentDisplay.cfm&ContentID=49156#statements.
16. ALA, “State Privacy Laws Regarding Library Records,” American Library Association, http://www.ala.org/Template.cfm?Section=stateifcinaction&Template=/ContentManagement/ContentDisplay.cfm&ContentID=14773.
17. Organisation for Economic Co-operation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” September 23, 1980, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html. Fair Information Practices were initially proposed and named by a U.S. government advisory committee in a 1973 report. The report, “Records, Computers and the Rights of Citizens,” was issued by the Secretary’s Advisory Committee on Automated Personal Data Systems at the Department of Health, Education and Welfare. The OECD’s adoption of FIPs restated the original version and turned it into an influential international standard.
18. In the U.S., the Federal health privacy rule HIPAA is based expressly on FIPs. In Europe, the “European Union Directive on the Protection of Personal Data” (1995) and in Canada, The Canadian Standards Association, “Model Code for the Protection of Personal Information: A National Standard of Canada” (1996) are also based expressly on FIPs.
19. Linda D. Koontz, “Personal Information: Agencies and Resellers Vary in Providing Privacy Protections,” U.S. Government Accountability Office, GAO-06609T, pp. 9-10 (April 4, 2006).
20. To read the entire document in which these principles are contained, see the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”
21. American Library Association Policy on Confidentiality of Library Records, http://www.ala.org/Template.cfm?Section=otherpolicies&Template=/ContentManagement/ContentDisplay.cfm&ContentID=13084.
22. ALA Code of Ethics, Adopted June 28, 1995, http://www.ala.org/ala/oif/statementspols/codeofethics/codeethics.htm.
23. Ibid at I, “We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests.”
24. NISO Web Services and Practices Working Group, “Best Practices for Designing Web Services in the Library Context,” A Recommended Practice paper, NISO, July 2006, http://www.niso.org/standards/resources/rp-2006-0101.pdf.
25. Jennifer Pinkowski, “Recorded Books, NetLibrary in Suit; Dispute over issues of exclusivity, contract breach, customer service,” Library Journal, August 15, 2007.
26. Lynn Sutton, “Advocacy for Intellectual Freedom in an Academic Library,” ACRL Tenth National Conference (March 2001), http://www.ala.org/ala/acrl/acrlevents/sutton.pdf.
27. Kent and Millet, Who Goes There?, p. 1.
28. Ibid, 3.
29. For a discussion of web browser state and user identifiability, see Collin Jackson et al., “Protecting Browser State from Web Privacy Attacks,” WWW 2006, May 23-26, 2006, Edinburgh, Scotland. ACM 1-59593-323-9/06/0005.
30. NISO Metasearch Initiative, p. 13.
31. Peter E. Murray, “SPEC Kit 278, Library Patron Privacy,” (Association of Research Libraries) November, 2003, http://www.arl.org/bm~doc/spec278webbook.pdf.
32. Sutton, Advocacy for Intellectual Freedom in an Academic Library.
33. For a discussion of tracking cookies and profiling using technological techniques, see Federal Trade Commission, “Online Profiling: A Report to Congress,” June 2000, http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf. For an update on these techniques, see also: Pam Dixon, “The NAI: Failing at Consumer Protection and Self-Regulation,” Testimony to the Federal Trade Commission, November 2, 2007, pages 19-28, http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf and http://www.ftc.gov/os/comments/behavioraladvertising/index/071102worldprivacyforum.pdf.
34. Karen A. Coombs, “Lessons learned from analyzing library database usage data,” Library Hi Tech 23, no. 4 (2005).
35. See the FTC Workshop: “eHavioral Advertising: Tracking, Targeting, and Technology,” Nov. 1-2, 2007, http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml. See in particular public comments for the workshop and the FTC reports to Congress, all of which are linked from the FTC workshop page.
36. See the FTC Workshop: “eHavioral Advertising: Tracking, Targeting, and Technology,” Nov. 1-2, 2007, http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml. See in particular public comments for the workshop and the FTC reports to Congress, all of which are linked from the FTC workshop page.
37. EReader Privacy Policy, http://www.ereader.com/privacy (accessed November 17, 2007). See also NISO Metasearch Initiative, p. 22: “some content providers (such as e-book providers) who need or wish to track usage or access to specific patrons or users will find NCIP provides a viable authentication solution.”
38. Driscoll, SPEC Kit 277.
39. Sarah Chandler, “The Evolution of an Interface from the User Perspective: From End User Testing to a Usage Log Analysis.” DLF Fall Forum 2003, Albuquerque, NM, http://www.diglib.org/forums/fall2003/chanlder/schanderldlf_files/frame.htm.
40. Karen A. Coombs, “Using web server logs to track users through the electronic forest,” Computers in Libraries 25, no. 1 (2005); and Coombs, “Protecting user privacy in an age of digital libraries,” Computers in Libraries 26, no. 6 (June 2005).
41. For more on the impact on libraries of turning over patron data, see Mary Minow, “Could you be sued for turning over an Internet user’s sign-up information to law enforcement?” LLRX.com, April 25, 2004, http://www.llrx.com/features/internetsignup.htm.
42. Karen A. Coombs, “Protecting user privacy in an age of digital libraries,” Computers in Libraries 26, no. 6 (June 2005), pp. 16-20.
43. Shibboleth is a “standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.” See http://shibboleth.internet2.edu/.
44. Ben Ostrowsky and Jolynn Halls, “Anonymous library cards allow you to wonder, ‘who was that masked patron?’” Computers in Libraries 25, no. 6 (June 2005), pp. 21-23.
45. Jstor for example has a thoughtful privacy policy at “Jstor Privacy Policy,” http://www.jstor.org/about/privacy.html. Jstor is clear about its analysis of web logs in its privacy policy and its use of patron data.
46. Murray, “SPEC Kit 278.”
47. David Fewer et al., “Digital Rights Management Technologies and Consumer Privacy,” Canadian Internet Policy and Public Interest Clinic, Sept. 2007, p. 38, http://www.cippic.ca.
48. ALA Privacy Toolkit, http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/guidelinesfordevelopingalibraryprivacypolicy/guidelinesprivacypolicy.htm.
49. OECD Privacy Statement Generator, http://www.oecd.org/document/39/0,3343,en_2649_34255_28863271_1_1_1_1,00.html. The OECD tool has been endorsed by the OECD’s 30 member countries.
50. An excellent and thorough discussion of authentication, privacy, and security may be found in Kent and Millet, Who Goes There? Authentication Through the Lens of Privacy, National Research Council of the National Academies of Science, 2003. See esp. Chapters 5 and 7. See also Miyata, Teruku et al., “A Survey on Identity Management Protocols and Standards,” IEICE E89-D, no. 1 (January 2006).
51. DMEUROPE, “Finnish library contracts SSH to deploy security solution,” September 27, 2006, http://www.dmeurope.com.
52. ALA, “RFID in Libraries: Privacy and Confidentiality Guidelines,” http://www.ala.org/Template.cfm?Section=otherpolicies&Template=/ContentManagement/ContentDisplay.cfm&ContentID=130851.
53. Detailed information about RFID and security may generally be found in works by Ari Juels, in particular see Ari Juels, “RFID Security and Privacy: A Research Survey,” RSA Laboratories, Sept. 28, 2005, http://www.rsa.com/rsalabs/sraff/bios/ajuels/publications/pdfs/rfid_survey_28_09_05.pdf.