Newsline June 2018

Letter from the Executive Director

Last week, it seemed as if the entire U.S. corporate world woke up to the fact that some people, notably Europeans, care about their privacy and that companies should do something about it.  What exactly corporations are doing, insofar as one can tell, seems to be modest. Now ubiquitous pop-up banners appear on websites to inform the visitor that the site is using cookies and tracking clicks, regardless of any user desire not to be tracked. Many companies have revised their privacy policies and are sending out confirmation notices to ensure that recipients opt-in to remain on mailing lists. Some companies have set up new privacy-setting pages or have made gestures in the direction of one’s ability to delete, correct or move one’s data.  As someone who cares deeply about privacy, I’m pleased about any movement toward greater privacy protections and am thankful for the E.U.’s GDPR rollout.

A few years ago, NISO led a project, with support from the Mellon Foundation, to develop a set of principles related to privacy of library patron data in third-party systems.  The resulting NISO Privacy Principles were meant to be a starting point for the community to drive forward conversations about privacy with the software-supplier and publisher communities.  The conversations did push several companies toward greater privacy engagement and controls, which, if followed, would make GDPR adoption less onerous. That project also led to subsequent conversations and an ongoing Interest Group within the Research Data Alliance on privacy concerns related to the sharing of research data sets.  That project is close to finalizing its recommendations in advance of the next RDA plenary this fall.

Concerns about privacy came up again during the in-person meeting NISO hosted last week on authentication and access control systems in libraries. This meeting was terrific (thanks to all who participated!), with some deep conversations taking place about these critical systems.  Of note was a robust conversation among the participants regarding the NISO-STM project on Resource Access in the 21st Century (RA21): the underlying technology that the RA21 project is built upon is the SAML attribute exchange and the supporting identity federation community.  This system is not privacy protecting by default, because of the variety of use cases that the system supports (e.g., course-system login). By nature, if a student is accessing one of these systems, the identity system must pass along an individual’s personal information to provide access to the appropriate student-specific information (courses, grades, homework, professor messages, etc.).  Since most academic institutions already have this structure in place, it made sense for RA21 to build upon it. However, that does not mean that the RA21 system will require (or even request) such personally-identifiable information. The RA21 project is trying to achieve a very simple goal: to store a patron’s preferred institutional identity provider, such that the login process through SAML services is simpler and less confusing.  It is not designed to store personally identifiable information such as user logins, nor is its goal to track individual patrons without their consent. A privacy and security review of the two pilot technologies being considered reported that there was minimal risk to either approach when it came to exposing user data via the RA21 system, basically because the proposed solutions do not store these data. Furthermore, the project’s leadership has agreed to use the GDPR as its guide, but also to incorporate the NISO Privacy Principles in its final framework as well.  The specifics still need to be worked out in the drafting of the recommendations. In addition, during her talk at the NISO meeting, Ann West, Associate VP for Trust and Identity at the InCommon Federation, discussed the identity federation badging process which could be used as part of the RA21 recommendation to further limit the practice of attribute sharing by federations when allowing access to library resources.

Since privacy protections are an ongoing process, there is work for NISO to do as well. NISO’s Board of Directors is now in the process of setting forward a new privacy policy to be released in the coming weeks.  In it, we will clarify details regarding processing of information, but, thankfully for us, our systems were already built with privacy in mind. For example, we do not gather nor track individual user data, except when logged in as a user of NISO’s working group and ballot management tool. We also do not share or trade data with third parties who are not providing NISO core services, such as accounting software.  Each of us who provides services needs to recognize that the privacy of our users and our patrons must be protected to maintain their trust and loyalty. Some of us were doing so before GDPR came into effect. I’m hoping more will do so now too.

With kindest regards,
Todd Carpenter
Executive Director
NISO