The USA PATRIOT Act, and What You Can Do

by Mairi McFall and Karen G. Schneider, CLA Intellectual Freedom Committee

I. Overview: Knowledge is Power

In a nutshell, the USA PATRIOT Act is really scary stuff. But as librarians, we know that information is power. We need to inform ourselves, our staff, and our stakeholders about what the Act means and how we should respond to it.

The USA PATRIOT Act vastly increases the power of federal agencies to spy on routine public activities, primarily by relaxing the requirements for subpoenas and court orders, expanding the ability to search and seize, and making it easier for federal agents to gather information and compel the disclosure of sensitive records. The USA PATRIOT Act amends over 100 sections of 15 statutes. Only some of these amendments impact free speech. This is why most free speech activists call for amending the USA PATRIOT Act--not repealing it. The window of opportunity for amending the USA PATRIOT Act legislation will come in 2005 with many of the sunset provisions of this Act. It is very important that we as a profession start educating our stakeholders now so our legislators will support us then.

Know your rights. One common misconception is that all federal investigative queries are automatically "gagged" under the USA PATRIOT Act (meaning that the librarian may not reveal the existence of the court order to anyone not essential to retrieving the requested data). However, this gag rule only applies to certain court orders issued under the Foreign Intelligence Surveillance Act (FISA), not to questions, subpoenas, or similar activities. Furthermore, even under a gag order, a library continues to have rights to legal representation.

Finally, the USA PATRIOT Act affects everyone--but because libraries are frequently targeted by federal agencies, the Act particularly affects the users who rely on us for their information needs.

II. Before the Knock on the Door: Preparing For Law Enforcement Requests

Designate the person responsible for responding to requests, write a procedure, and finally, train, train, train library staff, volunteers, board members, library lawyers, and other key stakeholders. If you want a quick lesson in just how important it is to train all of your staff and provide a well-written, easily-accessible procedure, walk out of your library and walk in again. You may see a wide variety of library workers, including reference librarians, support staff, teenage clerks, and volunteers. These are the people federal agents will interact with first when they walk into your library. All library workers (and volunteers) need to be trained on appropriate procedures, particularly how to up-channel requests and how to respond to questions. Everyone should be able to recognize a subpoena or search warrant, and know how to respond to either document.

III. Guidelines for Library Technology and Privacy In a Scary Age

In a nutshell, here's our guidance about library data: assume nothing; make concrete decisions for all data; don't generate what you don't need; don't keep what you've already put into a report; document your decisions in a procedure; and train everyone. Periodically audit your own activities--use outside assistance, if at all possible.

As librarians, we often feel the need to retain information "just in case," but the USA PATRIOT Act and other legislation have put this practice in a new and forbidding light. While computers often need to gather information grain by grain, you frequently have the option to choose not to gather the information in the first place, to sample instead of continuously gathering data, or to quickly aggregate data into broad reports and destroy the highly detailed data files that can compromise patron privacy if they get into the wrong hands.

Below are some guidelines for evaluating how "privacy friendly" your library technology is. Talk these over with your "techies" and other staff. Be careful not to assume--always ask. Highly technical staff may not understand why you want log files routinely destroyed; other staff may think that saving computer sign-up sheets would be good information for other purposes; computer staff who have picked up their technical skills through serendipity may not be aware that library hardware is often by default enabled to gather information.

  1. Computer use sign-up sheets. How much information are you gathering and why? If you currently collect name and library card barcode number, could you simplify by collecting just the name? Routinely shred sign-up sheets--daily if possible.
  2. Patron computers. Clear information with every new user. Files to clear include: (a) Internet temporary files; (b) Internet cache files; (c) Internet History files; (d) the cookies file; (e) any certificates; and (f) temp files. Depending on your set-up and what programs you allow patrons to run, you may have other files that are saved. Consider using hard drive protection devices such as Centurion Guard or Deep Freeze that erase patron data on reboot, and establishing a procedure where computers are rebooted with every new user or on some other frequent interval.
  3. Web servers. Many Web servers have log files enabled by default (these files often, but not always, end in the .log file extension). Log files for Web servers can be very useful for seeing how your Web site is used; but log files are also rich with information that can be traced back to the computer user. There are many programs (including some freeware) that will read these log files and put them into a useful form. Use one of these programs monthly, and discard the log files.
  4. Routers may also keep log files. In some routers, these files can be limited in size so that older information drops off. If not, clear the logs on a regular basis. Router logs can be useful in the short term for tracking network traffic and intrusions, but their long-term utility is limited.
  5. Computer time management software such as Cybraryn has log files. These can be useful in the short term for identifying patrons who violate library rules concerning computer use. However, these log files should be cleared on a regular basis.
  6. Firewalls have logs that show network traffic and intrusion alerts. There is software available for most firewall systems that will routinely consolidate raw data into useful (and more privacy-friendly) aggregate reports.
  7. Proxy servers almost always have log files that are highly detailed histories of patron Internet behavior. The primary purpose of these log files is to improve Internet performance by caching frequently-accessed information.
  8. Mail servers create enormous amounts of history about staff communications. At the very least, caution staff that all e-mail traffic belongs to the library and by inference could be subpoenaed or seized in a search.
  9. Programs that allow authentication of remote patrons to licensed databases should not pass patron information to the vendor. Make sure either you are passing a generic login and password, or using a referring URL to validate patrons.
  10. Your library automation software is rich with patron behavior. Things for your checklist: (a) Does your system retain information that a patron just returned a book? How long is this information retained? (b) Overdue items: are these cleared after the book is returned? (c) Patron searches: if you save any of these data, routinely aggregate and destroy the detailed files. (d) Some systems have records that allow patrons to save searches and execute them again later. These could be used to compromise patron security. Patrons should have the ability to remove search records and should be made aware that search strategies are being saved.
  11. Interlibrary loan. How much information do you retain? And why?
  12. Think up-stream. ISPs and database vendors collect information about your patrons and should be able to provide you with a privacy policy. Although you may not be able to change the vendor's policies, you can inform your staff and patrons of privacy issues if they exist, and you can use this information the next time you negotiate a competitive purchase.

Because every system is different and saves patron information in different ways, the above list cannot be exhaustive. Technology changes too fast for it to be any other way. However, if we keep thinking about where information could be that is tied to the identity of our patrons, we can keep fighting the good fight.
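
An added example, not part of the original article: one way to carry out the aggregate-then-destroy practice from item 3 for a Web server access log. It assumes Common Log Format; the function names, the min_count threshold, and the sample lines are constructed for illustration.

```python
import os
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: host ident user [dd/Mon/yyyy:time zone] "METHOD target PROTO" status size
CLF = re.compile(r'^\S+ \S+ \S+ \[\d{2}/(\w{3})/(\d{4}):[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def aggregate(lines, min_count=2):
    """Reduce raw access-log lines to (month, path) hit counts.

    Dropped on purpose: client address, user name, exact time, query string
    (it may hold search terms), referrer and user agent. Paths seen fewer
    than min_count times are folded into "(other)" so that a rare request
    cannot single out one patron.
    """
    hits, skipped = Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1  # malformed line: count it, keep nothing from it
            continue
        mon, year, target = m.groups()
        hits[(f"{year}-{mon}", urlsplit(target).path)] += 1
    report = Counter()
    for (month, path), n in hits.items():
        report[(month, path if n >= min_count else "(other)")] += n
    return dict(report), skipped

def aggregate_and_discard(log_path, report_path, min_count=2):
    """Write the aggregate report, then delete the raw log once the report is closed."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        report, skipped = aggregate(fh, min_count)
    with open(report_path, "w", encoding="utf-8") as out:
        for (month, path), n in sorted(report.items()):
            out.write(f"{month}\t{path}\t{n}\n")
        out.write(f"# unparsed lines: {skipped}\n")
    os.remove(log_path)  # reached only if the report was written without error
    return report

# Constructed sample lines (documentation IP range, made-up paths), not real patron data.
SAMPLE = [
    '192.0.2.10 - - [03/Mar/2003:10:15:02 -0800] "GET /hours.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [03/Mar/2003:10:16:40 -0800] "GET /catalog/search?q=constructed+query HTTP/1.0" 200 5120',
    '192.0.2.10 - - [04/Mar/2003:09:01:13 -0800] "GET /hours.html HTTP/1.0" 200 2326',
    '192.0.2.12 - - [04/Mar/2003:09:05:55 -0800] "GET /catalog/search?q=another+query HTTP/1.0" 200 4410',
    '192.0.2.13 - - [05/Mar/2003:14:22:31 -0800] "GET /events/board-meeting.html HTTP/1.0" 200 1800',
    'garbled line',
]
```

Deleting a file with os.remove unlinks it but does not overwrite the disk blocks, and rotated or backed-up copies of the log are untouched, so the retention procedure needs to cover those as well.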

IV. Bless The Wonderful Web!

For more information on the USA PATRIOT Act, check out the American Library Association Web site at http://www.ala.org. In addition, the Librarians' Index to the Internet (http://lii.org) has an excellent collection of materials, including the ALA site, several key articles by California's own librarian-lawyer Mary Minow, and an indispensable tip sheet provided by the Colorado Association of Libraries. Find all of these resources through a keyword search in lii.org on "Patriot Act."