We talked in class a few weeks ago about what libraries owe to children when it comes to pornography on library computers. The crux of that issue is how libraries balance their foundational beliefs in the right to information and privacy for everyone with their roles and responsibilities as community spaces that welcome of children and (ideally) foster in them a love of books and reading. An issue packed with a similar tension and that I think is just as important, though less controversial than the pornography situation, is the issue of collecting the information of children online.
This issue prompts the question: how do libraries balance the right of children to access library materials (and their own desire to get them to access library materials!) with their duty to ensure that information about children remain private – or at least is only disclosed with parental consent?
Danah Boyd posted recently on her blog about discovering the unsettling policy of the Boston Public Library that does not allow children under age 13 to sign up for library cards online. Children under 13 can still get a library card in person with parental consent, but are not allowed to do so online under any circumstance. In the post Boyd is very compelling and speaks to the deeply held belief of librarians (at least, this future librarian) that our profession be “committed to making sure that children have access to information, even information that might upset their parents.”
When I first read the post it really fired me up. I was livid that one of the biggest libraries in the country wasn’t letting kids get library cards online. How archaic of them! How censorial! As I continued to think about it, however, and to read the comments made by some librarians on the various sites this piece was posted on, I realized it wasn’t quite so black and white.
The crux of Boyd’s argument is that the library is limiting children’s access to library materials by limiting their ability to sign up for library cards online. And that the reason the library doesn’t allow children to sign up online is because of their conservative (as in, overly safe, not conservative politically) decision to comply with COPPA, the Children’s Online Privacy Protection Act, when really they don’t have to comply with this law because they are a non-profit entity.
The problem, as I see it, with this argument is what she perceives to be the library’s motivation in deciding to comply with COPPA even though they don’t have to. Is it really overly safe on the part of the library to do so?
Although it is the technically the case that libraries, as non-profits, are not required to comply with the law (see Section 1302, Part 2b), that line gets a bit fuzzier when you consider the fact that most libraries these days use 3rd party, for-profit vendors to provide the infrastructure for their Online Public Access Catalogs (OPACs) and websites.
They use the programs and databases of these for-profit companies (instead of, say, a homemade OPAC and website) because for-profit companies make the coolest, most social, most “like Google” tools. And that is what people want. These are companies like Bibliocommons, the company used by BPL, NYPL, and SPL to name a few, as well as EBSCO, Encore, WorldCat, etc.
It’s not that these are bad companies; they are probably good companies, as companies go. But they are still for-profit companies. Meaning that a) they are supposed to comply with COPPA, and b) perhaps more saliently, that they have privacy policies that give them the rights to the data people store with them (i.e. the data people give to their local library when they sign up for a library card).
Bibliocommons’ privacy policy, as an example, specifies that it may turn over your information to law enforcement or the government if required, that it may make some commercial use of some of your data, and that it does its best to keep your data secure (but doesn’t make any promises) – typical of the Privacy Policies and Terms of Service we have looked at so far in class:
- BiblioCommons may disclose your personal information and any content associated with your account if required to do so by law or in a good faith belief that such disclosure is reasonably necessary to: (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, or (b) enforce the Terms of Use, including investigation of potential violations hereof.
- BiblioCommons will not sell, rent or trade your personal information (e.g., your email address or date of birth). But we may display Shared Content (defined below) in the BiblioCommons Service, or make other commercial uses of Shared Content.
- Information in your BiblioCommons account that personally identifies you is encrypted and stored in a secured facility.
With our history and fierce sense of responsibility for protecting the privacy of our users, how can we as librarians not be wary of this arrangement? Especially when it comes to the information gathered from children?
Having not spoken to the BPL myself I can’t say for sure, but even so I feel pretty confident saying that the reason behind their policy is not to keep library materials out of the hands of children. What they do want to keep from happening, I would posit, is a for-profit 3rd party vendor with a privacy policy that gives them permission to use individual data in non-explicit ways getting a hold of a child’s personal information without their parent’s consent.
So then, the argument could go, why not just put a checkbox on the site saying that the under-13 child has parental consent. That’s basically the model that lots of other sites follow by requiring users to check a box saying they are 13, right?
On the first day of this class, I think we all agreed (if I’m not remembering correctly, feel free to correct me in the comments) that security theater that deceives was wrong. Or, in the words of Bruce Schneier, “too much security theater and our feeling of security becomes greater than the reality, which is…bad.” In my view, that’s exactly what a policy that requires a user to just check an online box that says either a) that they are over 13 or b) that they have parental consent, does.
It covers the company or organization’s backside, but does nothing, in reality, to keep children under 13 from joining the site and disclosing their information without parental consent. Just as merely having a privacy policy, according to James Nehf, gives the “impression that Web sites safeguard personal information that they collect,” when in fact, “there is often very little privacy protection being promised.” This all being the case, I actually applaud the Boston Public Library (among other libraries) for refusing to participate in this charade.
To me, it shows that they take this issue seriously. They want to know, really know, that the parent has given consent for their child to have a library card (and therefore to have their information entered into a 3rd party vendor’s system and used in all the ways their privacy policy allows). The only way for the library to really know that is for a staff member to see it with their own two eyes.
Therefore, while I agree with some of the more impassioned points that Boyd makes in her post about the obligation of the library to give children unfettered access to library materials, especially in those situation in which parents are restricting their children’s access to certain types of information, ultimately I have to disagree with the argument in her post overall. It’s not because I don’t think that there are certain unfortunate cases when seeking parental consent could be harmful to a child, but rather because overall, I think that libraries have a responsibility to make sure parents know that giving data to them means giving data to a 3rd party vendor as well. Boyd’s blog post neglects to address this key reality that libraries are dealing with.
In a perfect world of perfectly protected online privacy, would libraries allow children to sign up for access to library materials online with or without parental consent? I have to think they would – at least some of them. Right now, however, we don’t live in a perfect world – far from it. Right now, we live in a world where companies, even well meaning ones, get to shroud themselves in opaque, often meaningless “privacy” policies that generally don’t offer us any privacy at all, but rather assure us that any data we give them can and will be used by them however they see fit. So, let’s focus on changing this, instead of making libraries the bad guy.
What an interesting issue! I was just thinking back to when I got my first library card. I was about 8 and the library didn’t require parental consent at all. As long as I knew my address and could sign my name, they were satisfied. I can understand the Boston Public Library not wanting children’s information floating across the Internet, but children need parental consent to even get a card in person? I’m having flashes of Matilda right now (just in case you haven’t seen it, it’s a movie where the parents hate reading, so the little girl has to go to the library by herself and check out books secretly). Their wariness and protective desires are applaudable, but it’s a little sad to know libraries are creating one more hurdle for obtaining a library card.
I was also wondering about school libraries. Do they have the same issues with using these for-profit programs that don’t necessarily protect children’s information? I can just imagine many similar issues arising with school library cards potentially. Thoughts?
This very blog post by Boyd has been on my mind since she posted it. Thanks for further discussing it, E. Initially I did fall for her impassioned What About The Children spiel. Yes, it is ideal that every child has access to information they need. But, I agree with you; a library is smart to inform parents of the privacy policies of and potential harm from any third-party companies involved in the borrowing system.
Sarah, I’m also trying to think of my first library card. I think my older sister checked out books for me, until I was old enough for my own card. Anyway, according to COPPA FAQs from the FTC website , schools can act as parents in allowing the collection of student info online. Third party sites are not required to follow COPPA if the info is just used for the school’s needs and not for another commercial use. (Scroll to the very very very bottom of the link to read the details.) That may or may not be sketchy based on the third-party company.
Also, as much as I love the idea of library cards and books for all, I think the requirement of parent/guardian consent, even when applying for a card in person, might have to do a lot with just needing someone to be financially responsible for lost/damaged materials. Oh, money.
Thanks both of you for your comments! You basically hit on it, Alyssa, but just to respond to your questions, Sarah, from my perspective as I was writing this…
I agree with you on an emotional level, about wanting kids to be able to get library cards without their parents’ consent. That’s why Boyd’s post got me going in the first place. I have seen Matilda (and read the book, which is of course far superior!) The main point of my post, though, is that things have really changed since we got our first library cards (well, I had to have my parent’s consent to get mine) and now all the information for people who sign up for library cards (including children) goes into online systems owned by these for-profit companies. This is the case even if kids go to the library in person and fill out a paper application – this information is then entered into the electronic system so that they can actually check out books. The only function that doing it in person serves is for the library to verify the parental consent.
Now, the question of whether libraries should require parental consent at all is actually a broader issue than just this issue of the data being stored electronically, since libraries often make that decision for other reasons, including because parents are responsible for the fines and fees, as Alyssa notes.
In any case, as much as I want to be say that every child should get a library card whenever and however they want it, I really just don’t think libraries can ignore this reality. Especially since, if anything were to happen with the children’s data, they would certainly be held responsible by the public! I don’t think – as I said in my post – that we can really say for sure what libraries would do in a perfect world where the privacy and protection of the electronic data is a non-issue. Until we/unless we get to a world where that is the case though, I don’t think we can blame them for trying to be safe.
While I didn’t have quite the visceral reaction to the news about the BPL’s consent policy that I think you had, Elizabeth, I’m glad you broke apart this issue and delved deeper into some of the potential issues that may have influenced the existence of such a policy. I’m definitely with Alyssa in thinking that being able to hold someone accountable for a borrower’s activity was probably the originating factor in the policy’s establishment. It’s interesting to hear how it has further evolved into a way to enable public libraries to cover their backs in the privacy- non-profit vs. for-profit gray area.
I was curious as to why the focus of the original post by Boyd was restricted to BPL (other than the fact that she resides in Cambridge, MA). A quick Google search will show that many other public libraries actually require parental consent for those under 18 years of age. Long Beach Public library is just one of many that popped up in this search. But it seems even with that policy LBPL at least is trying to ensure access for the under 18 crowd, instituting different types of cards based on factors including consent.
I wish Boyd had done her homework a little bit more to flesh out how BPL’s stance fits into the activities of other public libraries (and if those libraries cite COPPA as a factor in their decisions). This would help us (or maybe just me) determine what a new potential path forward would be to better strike the access limitation vs. youth privacy balance. And, to take a step back, maybe even help determine (by weighing the actions of the majority to understand the perceived norm) the “wrongness” of BPL’s policy.
In any case, her blog got us thinking about this. Thank you, Elizabeth, for taking the analysis to a new depth.
I showed this blog post to my youth services teacher, and she brushed off the blogger as someone who was overreacting. My teacher, currently a children’s librarian at a public library, admitted that she doesn’t know much about ‘e-card’ programs specifically for online content or about COPPA and CIPA. However, she did say that the 13 and under kids needing parental consent is largely because parents are fiscally responsible for them. And once a young child gets their hands on a card, they can check out whatever they want from the physical library, even materials from the ‘adult’ sections. Librarians won’t hold kids back, although they encourage parents to be active in children’s borrowing and reading behavior.
In the case of a runaway child/teen, they can sign up for a card once they are 13, but at that point the hindering factor might be a lack of mailing address, which is needed for a card. Again, probably for a place of contact for any late/lost book fees.
The overreacting blogger being Boyd. Not you, Elizabeth.
I knew what you meant, Alyssa, don’t worry!
That is very interesting, to know what an actual practicing librarian thinks about this issue. It did seem like pretty standard practice to me too that libraries would have the 13 and under cut-off. Thanks for this follow-up!
I found this post while looking for criticism of bibliocommons.
Recently our public library switched its primary catalogue to bibliocommons.
The problem I have with this is that I must sign up to terms of service of a Canadian company with jurisdiction in Ontario in order to make full use of my local (Christchurch, New Zealand) library’s catalogue.
If the library wants to use bibliocommons then they should subcontract to them, and any terms that I have to agree to should be with my own library.