This article is from our guest blog contributor, Graeme Williams, Online Catalog Analyst.
It’s not just your parents that think you’re unique. The companies that collect your personal data think so, too.
There are 55,000 people in my zip code. The browser I use is Vivaldi, which has a popularity of 0.04% (!) so there are 21 other people in my zip code that also use Vivaldi. About half the people in Las Vegas have an active library card, so 11 people share those three attributes with me. Of those 11 people, 2 or 3 share my interest in science fiction.
Those four pieces of information are just about enough to uniquely identify me among the 8 billion or so people in the world. And they’re also what a vendor means when they talk about anonymous or “non-PII” (or non-personally-identifiable information).
The Las Vegas library uses Bibliocommons. Their privacy statement says, in part: “BiblioCommons also records anonymous information and activity … Activity such as borrowing and reading may be aggregated anonymously to guide the development of the library’s collections or to allow publishers to understand how their titles are being used.”
I’m using Bibliocommons just as an example. I have no idea whether they are any different than your hosted ILS or app — but you don’t know either. And a privacy statement isn’t enough to tell.
My browser, zip code and borrowing history are separately “anonymous”, but in combination they identify me. What does it mean that Bibliocommons only sells “aggregated” data? We don’t know. It could mean that borrowing numbers are aggregated into a single data set across the hundreds of libraries that run Bibliocommons, or it could mean that the data is separately aggregated for each library, zip code, browser type, group of readers, etc.
So what? The problem is that gaps in privacy don’t add, they multiply. Unless you’re using a VPN, your Internet Provider knows the web sites you visit, your address, and your credit card number. Your credit card company will sell your data as well. All this data from different sources, perhaps including library service providers, will be correlated by data brokers who will sell the combined data.
To protect your patron’s privacy, you might ask to see the exact data that your service providers disclose to third parties. That’s bound to be more informative than a privacy statement.
You can connect with Graeme Williams on Twitter, @lagbolt
Do you have thoughts or ideas about core library work that you’d like to share with the community? Submit your article to become featured as a blog contributor for CoreNews.
