Discussion Paper For a CDL Privacy Statement

Steps in Developing a CDL User Privacy Statement to be Posted on CDL Web Sites

  1. Determine our desired policy for each CDL function
  2. Make sure our practices follow our policy
  3. Create a privacy statement for users of our services and post it prominently on our web pages.

Background on Internet Privacy

Over the last 2-3 years the Federal Trade Commission has led a campaign to protect consumer privacy on the Internet. The cornerstone of this campaign is that each web site that gathers any information about its visitors must have a clearly posted privacy policy. A recently formed industry coalition, working with the privacy seal organization Truste, will soon launch an advertising campaign aimed at informing the public about Internet privacy and urging Internet users to avoid sites that do not make their privacy policies clear.

Unfortunately, few libraries post a privacy policy on their web sites. This is ironic because libraries do protect the privacy of their users and are the only place where people can access information with a guarantee of confidentiality. As Internet users become accustomed to checking the privacy policy of sites that they visit, they will expect to find them on library sites as well. Unless they find privacy policies on library sites, they may assume that there is no privacy protection provided by our institutions. A report on technology and privacy presented to ALA council at the July, 2000 annual meeting advises ALA to initiate a campaign to encourage libraries to post privacy policies and to educate users about the privacy risks of Internet use. (See: http://staffweb.library.vanderbilt.edu/ala_tf/Report.htm)

Background on Library Privacy Issues

Laws and Policies

Before developing our own policy, we can look at laws and policies that are already in place.

California State Law

Section 6267 (Title 1, Division 7, Chapter 3.5, Article1) of the State code sets the basis for the confidentiality of library records:

All registration and circulation records of any library which is in whole or in part supported by public funds shall remain confidential an shall not be disclosed to any person, local agency, or state agency except as follows:
  1. By a person acting within the scope of his or her duties within the administration of the library.
  2. By a person authorized, in writing, by the individual to whom the records pertain, to inspect the records.
  3. By order of the appropriate superior court.

As used in this section, the term “registration records” includes any information which a library requires a patron to provide in order to become eligible to borrow books and other materials, and the term “circulation records” includes any information which identifies the patrons borrowing particular books and other material.

This section shall not apply to statistical reports of registration and circulation nor to records of fines collected by the library.

The phrase “borrowing particular books and other material” should cover access to online materials, although this undoubtedly has not been tested in court. We should assume that it does cover those materials unless proven otherwise.

ALA Policy

The ALA Policy on Confidentiality of Library Records, created in 1971 and last updated in 1986, states:

The Council of the American Library Association strongly recommends that the responsible officers of each library, cooperative system, and consortium in the United States:
  1. Formally adopt a policy which specifically recognizes its circulation records and other records identifying the name of library users to be confidential in nature.*
  2. Advise all librarians and library employees that such records shall not be made available to any agency of state, federal, or local government except pursuant to such process, order, or subpoena as may be authorized under the authority of, and pursuant to, federal, state, or local law relating to civil, criminal, or administrative discovery procedures or legislative investigative power.
  3. Resist the issuance or enforcement of any such process, order, or subpoena until such time as a proper showing of good cause has been made in a court of competent jurisdiction.**

*Note: See also ALA Code of Ethics, point III: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received, and materials consulted, borrowed, acquired or transmitted.”

**Note: Point 3, above, means that upon receipt of such process, order, or subpoena, the library’s officers will consult with their legal counsel to determine if such process, order, or subpoena is in proper form and if there is a showing of good cause for its issuance; if the process, order, or subpoena is not in proper form or if good cause has not been shown, they will insist that such defects be cured.

Adopted January 20, 1971; revised July 4, 1975, July 2, 1986, by the ALA Council.

University of California Policy

UC policies, as they relate to libraries, essentially echo the California state law and do not seem to add to it:

6254 (j) 8. Library circulation records kept for the purpose of identifying the borrower of items available in libraries, and library and museum materials made or acquired and presented solely for reference or exhibition purposes. This exemption does not apply to records of fines imposed on the borrowers.

From: UC Business and Finance Bulletin RMP-8, Legal Requirements on Privacy of and Access to Information Education Rights and Code, Public Records Act

Current CDL Policy

Support for privacy is one of the requirements of the CDL Technical Architecture:

From: http://www.ucop.edu/irc/cdl/tasw/Current/CDL-Arch-090199/CDL-Arch-090199.doc

  • Privacy – the architecture must be sensitive to privacy issues and support both anonymous and customized access to resources.

Privacy considerations are included in the work done on authentication and certificates.


There are no privacy statements related to use of other CDL services.

Elements for a CDL Privacy Policy

There are a number of areas of CDL activity that need to be included in a privacy policy. I divide these into two areas: server and activity logging, and personalization

Server and Activity Logging

Server Logging

All web servers log a base level of information. The common ones are:

  • Incoming IP address
  • Pages requested
  • Referring page

These often do not identify the individual making the request, but they may identify a person who is using a UC computer with a fixed IP address. Note that while server logs do not carry personal information, they have been used successfully in many instances to track people suspected of launching viruses or engaging in illegal activity on the Internet.

Policy needed:

How are server logs used (if they are used)
How long are server logs retained
Who has access to the logs

Activity Logging

Telnet Melvyl and Melweb log each command sent to the system with some identification of the session and computer of origin. [Add Directory] Information that would identify the user is encrypted, but we may need to review our procedures to determine if users could be identified from these logs.

Policy needed:

What information is stored in our logs.
How long are the logs retained.
Who has access to the logging information.


The greatest danger to privacy occurs where users are able to personalize options and services. Not all of this personalization actually identifies the user, but the risk exists that the use of names, library user numbers, or e-mail accounts can be linked back to an individual. Here are the areas where users are vulnerable to identification while using the CDL systems:

The email system associates an email address and a set of retrieved records. The email system stores the email request for a period of time so that the user can track the mail and re-send it if necessary.

Users assign their own profile names and passwords, so profiles are not revealing unless combined with email or other information such as the Request delivery information. Once any piece of identifying information is including in the profile, however, information like update queries, stored lists and items requested potentially can be linked to an individual user.

Updates link to profile and often use e-mail addresses.

Request uses the patron ID and delivery information that identifies the user and the user’s affiliation.

MyLibrary links to the Profile function and can include e-mail addresses. It also makes use of cookies. Because users may have set cookie controls in their browsers, the use of cookies at this site needs to be explained.

For each of these functions we need to create policies for:

July 27, 2000
Prepared by Karen Coyle

How any user data that is stored on our system is protected from unauthorized use.
Who has access to the data.
How long the data is retained.