Gerry Bayne: The following interview was recorded at the Coalition for Networked Information, Fall 2018 meeting. I'm Gerry Bayne from EDUCAUSE. The library profession has a long history of safeguarding user privacy, but how well do academic libraries protect privacy in the digital age? A recent study funded by IMLS and conducted by Montana State University and the University of New Mexico audited the websites of 279 academic libraries. They tested websites for the presence and effective use of secure hypertext transfer protocol, the presence of Google analytics tracking protocol, and whether libraries have implemented the privacy features that are available in Google analytics. The results of the study demonstrate conclusively that academic libraries must do more to ensure user privacy. I spoke with Kenning Arlitsch, dean of the library, and Scott Young, user experience and assessment librarian, both from Montana State University.
Gerry Bayne: Could you start by telling us a little about the landscape of privacy that prompted a study by Montana State University and the University of New Mexico?
Ken Arlitsch: Yes. This was a study that we conducted as part of a larger grant that was funded by the Institute of Museum and Library Services. We conducted this study with our colleagues, Patrick O'Brien, of Montana state university, and Carl Benedict, who is the Director Of Research Data Services at the University of New Mexico. And the landscape is really, we had a sense that while Librarians espouse privacy values, very strong privacy values, that they perhaps were not able to or had not implemented, technologically speaking, the functionality that would enforce privacy for their users.
Bayne: Gotcha. What was the nature of the study and what processes did you use to gain knowledge about current privacy practices of libraries?
Arlitsch: We conducted an audit of 279 academic library homepages. We looked for academic libraries that had membership in one or more of the following professional organizations: either the Association of Research Libraries, the Digital Library Federation, and/or the OCLC Research Libraries Partnership. We conducted an audit on their homepages to try to determine whether libraries had put into place secure http on their websites and whether they had implemented https correctly. Then we also check to see how many of those libraries were using Google Analytics and whether they had put into place privacy features that are available in Google Analytics.
Bayne: What were the outcomes of the study? What did you guys discover?
Arlitsch: We discovered that of the 279 academic libraries, about 62% had implemented https. So that's good. However, only about 32% of them had deployed a redirect, meaning that if an insecure request came into the library website, that it was appropriately redirected to a secure fulfillment. Only 32% of libraries had implemented that feature.
Bayne: What kind of risk does that pose? In the end game, what does that mean?
Arlitsch: When you don't use secure hypertext transfer protocol, you're basically passing user information from the user's computer to the library web server in an unencrypted form. It's just plain text that's being passed back and forth. It could conceivably be-
Arlitsch: Tracked or intercepted or snuffed.
Bayne: Gotcha. Okay. Are there any of the outcomes you wanted to discuss?
Arlitsch: Yes. About Google analytics, of the 279 libraries, we found that 88% were using Google analytics. We looked for either the Google analytics tracking code or the Google tag manager tracking code in those websites, and 88% of our libraries had those.
Then we determined that about 85% of those, so it turned out that 173 libraries did not ... I'm sorry, I'm going to take this back.
Bayne: That's okay. No problem.
Arlitsch: Or walk this back. So 245 libraries of the 279, 88% were using Google analytics. But 85% of those, 208, had not deployed any of the available Google privacy protection features that are built into Google analytics. So they had not enabled library to Google https and they had not enabled Google IP anonymization. Those are both features available in Google analytics.
Bayne: Do you have any, maybe, ideas on why that is? Do you think that people put these tools in place and assume there's a security already embedded in it? Do you have any conjecture of why this is overlooked?
Arlitsch: Yeah. Let me back up a little bit and go back to your landscape question. Most of the professional organizations associated with libraries, whether it's the American Library Association, or NISO, or CNI, they all espouse the principles of privacy. They all say it's important for librarians to protect the privacy of their users. But our study clearly shows that most libraries are not using the privacy features that are available to them. And as to why that is, some of that may be awareness, some of it may be technological skill, expertise, that's required to implement these features. There may just be gaps in knowledge and maybe not even any pressure coming from university administrators or library administrators for staff to implement these features.
Bayne: That's good to know. What are some recommendations you would give other institutional libraries that can help them enhance their web privacy and maybe maintain trust with their users?
Young: So the research was motivated in some ways with this sort of philosophical analysis of sites of tension between library principles and library practices. We're trying to put some empirical data on this, within the scope of Google analytics. But we don't want to leave people without practical recommendations. We do have five next steps that we're recommending. The first is to implement https. On your campus, you may have a central IT unit that you can work with or in your library systems team. There are other tools like open SSL that can help you get there. But if you're not already there, that's a really easy way to ensure incursion. It's the leading protocol for that.
Then leveraging other library expertise like outreach, user education and outreach. That's our third recommendation. Libraries are really great at this. We have lots of outreach mechanisms and systems in place. So helping our users understand what this means, matters of privacy and web tracking. But then in addition to outreach, there's an in-reach component to that as well, educating inside the library so that staff understand privacy. Then another outreach focused one is something specific: obtaining informed consent from users. This could come in the form of like a cookie notice, which you've probably seen all across the web, dozens and dozens or.
Bayne: Lately, especially.
Young: It's becoming common practice.
Bayne: Is it GDPR that made all those cookie things pop up lately? Is that GDPR?
Young: That's part of it. Yeah. They require that there be transparency and notification of data practices. That really did push those cookie notices forward, but not for library websites. We see it a lot on websites all across the web, but not really on library website. That's something to look at as well, just to inform users that are visiting your site, what's the tracking that's going on, connecting them with policies and contact so they can follow up.
Then lastly, conducting a risk benefit analysis when using third party vendors and services. So just taking the time and the thoughtfulness to look through what we're getting in return for what we're giving. So in our context, Google analytics, we're looking at the insights that we're getting in exchange for the user data that we're passing. Within that context, what's the most we can do? For Google analytics, there are these basic privacy configurations that we're asking people to do.
Bayne: Great. Is there anything else you guys want to add? If you want to talk, just pass the mic along. Anything else you guys want to add about this that we haven't talked about?
Arlitsch: After we gave our presentation, Howard Besser asked the question. Well, he made made a statement-
Bayne: Good old Howard Besser.
Arlitsch: Actually, that a few years ago, someone else did a similar study about the presence of https in library websites. They found only 15% of library websites had enabled https. Of course we found that 62% had enabled it, although not necessarily appropriately. So the situation is improving, to Howard's point. Hopefully this study will help librarians continue to improve on those.
Bayne: That's great. Great advice. We'll pass this along to our listeners. Thank you so much.
Arlitsch: Thanks Gerry.
Gerry Bayne: Kenning Arlitsch is Dean of the Library and Scott Young is User Experience and Assessment Librarian, both from Montana State University. I'm Gerry Bayne. Thanks for listening.