Mary Minnow has written several posts on Library Elf and potential privacy issues. Since my library uses Voyager, I haven’t tried Library Elf out yet, but it’s supposed to create an RSS feed for you to keep track of what you have out, what’s coming due, and where you are on your holds. You can also get an e-mail notice, but those among us who already use aggregators have likely chosen to get their feeds that way. I love the idea of keeping people up-to-date that way, and there are already two libraries I know of (Seattle Public Library and Hennepin County PL) that are offering RSS feeds for this purpose. However, I don’t know if these libraries have adequately explored the privacy issues of putting these feeds into web-based aggregators. The Seattle Public Library has a notice about privacy:
IMPORTANT PRIVACY NOTICE: The Seattle Public Library cares about the privacy of your personal information. Patrons who use public RSS aggregator Web sites, such as Bloglines, Rojo or Feedster, are cautioned that some of these services allow other users of the service to read your RSS feeds. This means that other people can view information regarding items you have checked out or have placed on hold.
Usually you can control this by using an option in your profile or in the setup of the feed to mark it “private” or “public.”
They write “Usually you can control this by using an option in your profile or in the setup of the feed to mark it “private” or “public,” but have they actually tested that in those feed readers they recommend? Apparently not.
Mary discovered something very interesting yesterday about putting in your Library Elf feed into Bloglines… we can all see it. When she did a search for “Library Elf” in bloglines under “all blogs,” she found over 200 people’s personal feeds where you could see their e-mail address, what they have out, what they have on hold, and what library they use. YIKES! I tried it out and was easily able to see what a number of my friends subscribed to Library Elf were reading. Creepy. According to Kelli Staley, even making the feed private doesn’t matter, because it still will show up in the search. All making your feed private will do means it won’t show up in your blogroll. It will still be listed in Blogline’s database of feeds. All the “private” thing is for is if you subscribe to a blog that you don’t want people to know you subscribe to. If you really want information like this to be private, put it in a desktop aggregator or go for the e-mail alert option. Frankly, I feel uncomfortable giving my library log-in info to a third party, even for the sake of saving time. Since Mary’s post, Library Elf has warned its users (in the FAQ) about Bloglines, but how many people really read an FAQ unless they are having real problems? They really should have a warning smack dab on the front page if they are concerned about privacy. I’m no feed expert, but is there any way Library Elf could generate these feeds where so much personal info isn’t showing? Like don’t tie a person’s name and e-mail address to the feed, but give it a unique number. It still sucks the people can see what other people are reading, but it’s less meaningful to see what #593832 is reading as opposed to seeing what Bob Jones is reading.
We put a lot of information out there on the Websites of third parties and give a lot out to different Web sites. We need to read terms of service and carefully test the privacy claims companies make. We need to find out what rights the company has to our info and what would happen if they went belly-up or were bought by another company. We can’t afford to take our privacy for granted.
The Ann Arbor District Library inserts warnings in a patron’s RSS feed periodically about how the information in the feed might be made public if they use an aggregator. I think that’s a good approach to the problem in that it puts the news right where people can see it.
As a patron who would love to get book recommendations from the library and from other patrons, I’m in favor of sharing as much as I can manage to do (knowing that there might be the occasional title I’d want to keep private). Libraries are doing themselves a disservice by not looking at the flip side of the privacy question and asking themselves “how can patrons share news about really great books”? I should be able to share a reading list of good materials right out of the catalog and not have to resort to Amazon or hand-copying them into my blog to get that word out.
I agree, the library should try to make it as easy as possible for people to share if they want to. I love what Seattle, AADL, and Hennepin County have done. However, libraries really have a responsibility to educate patrons about information security issues, and not just those three I mentioned. We can’t just say, “well, it’s Library Elf, not us who is offering these feeds” and leave it at that. Education is an important part of our mission and we are doing a terrible disservice to our patrons if we don’t give them all the facts about the services they may be using — even those outside of the library.
The SPL RSS FAQ (which, yeah, people don’t read) says, “RSS is a standard format, so SPL’s RSS feeds should work with any RSS reader. However, the Seattle Public Library does not support or endorse any one in particular.”
Sounds like SPL doesn’t endorse any feed reader. Now, I agree that libraries do need to take patron privacy very seriously and not place the onus on the patron, but I wonder how long it would take them to get sued if they came out and said DON’T USE MY YAHOO! (or whatever site(s) are leaking personal info)?
Oh, and Ed, it’s pretty primitive but SPL has the ability to share lists of stuff from the catalog. For example: