librarypunk - 113 - Privacy Policies at RELX feat. Becky Yoose

Episode Date: November 22, 2023

We’re joined by Becky to talk about the SPARC report on ScienceDirect! Data privacy, contracts, the big companies that have us over a barrel! Media mentioned: https://zenodo.org/records/10078610 https://www.politico.eu/article/data-at-risk-amazon-security-threat/ https://librarytechnology.org/mergers/ https://journal.code4lib.org/articles/15122

Transcript
Starting point is 00:00:00 Let's way down there. How did I put that PDF? Whoa, there they all went. Okay. Hello, I'm Justin. I'm a scholarly communications librarian, and my pronouns are he and they. I am Sadie. I work IT at a public library, and my pronouns are they, them.
Starting point is 00:00:41 I'm Jay. I'm a music library director, and my pronouns are he, him. And we have a guest. Would you like to introduce yourself? Sure. I'm Becky. I am a library data privacy consultant, and my pronouns are she, they. Welcome back.
Starting point is 00:01:00 Thank you for having me back. Yay. I'm not kicked out. Yay. Yeah, we have a blacklist that we put former guests on. You're allowed one chance and one chance only. You know, fuck it up. We got a podcast guillotine in the back.
Starting point is 00:01:17 Oh, no. Well, I'm going to get guillotined anyway because I was a manager. So I have already accepted my fate. Yeah, I've got director in my title now. Do you want to go before or after me? Yeah. Hmm.
Starting point is 00:01:35 I don't know. It's the Tony Hawk meme. Class traitors. Yeah. It's the, when the race war happens, me when I have to shoot Tony Hawk. I appreciate the hesitation. Yeah.
Starting point is 00:01:47 What an odd life it must be to be Tony Hawk. I love how he never gets recognized. It's like my favorite thing about him. He's such, he's cool. It's like the best privacy outcome of being, a celebrity is that you can be out in public and no one will be stalking you or taking pictures or doing some really creepy shit. They're just going to look at them and it's just a dude. Yeah, just a dude. He did a really cool like fundraiser like contest recently where like people
Starting point is 00:02:18 could enter to like get to do a trick and skate with like Tony Hawk and this one like trans like porn actress that I follow. entered in it, even though she can't skate. But she stapled her mouth shut and got a finger skateboard and did the trick across her lips. Oh, wow. I was like, this is the best thing I've ever seen in my life. But she did not end up winning, and we were all really sad. Because we were like, Carter's got to win.
Starting point is 00:02:52 My Twitter's way different than y'all. Yeah, probably. But I was just thinking, is that one of those, like, is she, like, one of those piercings people that does, like, body art piercing? And that's why she put her lip shut. She's just a masochist. Yeah. Okay. Yeah.
Starting point is 00:03:14 And I forget there's a certain kind of, like, skateboard trick called, like, a lip something or something. And so that's what she said she was doing. She said that Tony Hawk inspired her a lot as a masochist because of how he just, like, fucking got hurt all the time and still, like, did his shit. It was cool. She's, she's really cool. It's that joke from, uh, Vegas Vacation. I don't know what that was like to those, uh, he has a bunch of lip piercings and they go, does it, doesn't it hurt? He goes, hmm. I know, it's, it's one of the best gags in the whole movie because it comes out of nowhere. All right, anyway, back. Yeah, yeah. Yesterday, every day was SPARC Report Day.
Starting point is 00:04:05 I had a little inside knowledge that this was coming out, and everyone was like, it's coming out, it's coming out, it's coming out. Today, Breda, it's Labor Day. Yeah, but it was yesterday Borday. When this comes out, I'll be last week, week per day. Yeah. I've been watching Homestar, by the way. I never watched it when I was a kid.
Starting point is 00:04:24 I like the two. I don't know. Yeah, those are probably the best. I'm in love with every boy. Yeah, a lot of them don't, don't really hit outside of, like, a school media lab, I think. Yeah. Also Trogdor.
Starting point is 00:04:39 Trogdor so wins. Yeah, so this, the SPARC thing. So SPARC has a couple of working groups, one on contracts and one on privacy, and both of them have been doing work. And so I knew this was coming out and I was looking forward to it. And it is Navigating Risk in Vendor Data Privacy Practices: An Analysis of Elsevier's ScienceDirect. Very...
Starting point is 00:05:06 It's fucked Elsevier. Now, legally, we cannot say that, but... We can't. It's not illegal. We're not affiliated with this shit. You are. Not compared to the other stuff I'm going to tweet. Oh, God.
Starting point is 00:05:27 We've just been full, like, like, talking shit about Israeli propaganda. on the library on Twitter. Yeah. It's been good. I also, anyway, it's been a whole month.
Starting point is 00:05:40 It's like, yeah, that was a month ago already. Yeah. Time magazine did this whole thing about, oh, like, no one cares about Zelensky anymore,
Starting point is 00:05:47 and he's really sad. And there was a picture of him shaking hands with Pete Buttigieg. And it's like, I didn't know I'd feel bad for Zelensky, kind of. Being like, come on,
Starting point is 00:05:57 guys. Please don't, don't just do nothing all winter. And, uh, Maybe they should do a revolution, a winter revolution in Russia. I went two years without bringing up Ukraine because I didn't want to talk about it on the podcast. But there it was.
Starting point is 00:06:15 We need to do the cultural heritage thing that they did for Ukraine, but for Palestine. Right. Someone did ask about that, if someone was doing that. I mean, like, I know one of the librarians at Tufts who was really big in the Ukraine one. So maybe she's on some. I know they're, like, unrelated. My ADHD meds are wearing off, folks. We can't do another last week
Starting point is 00:06:40 where we just let the ADHD take over for an hour and a half. Yeah. That's probably the worst. That's gonna be the worst episode when it comes out. I'm starting to start editing it at all. I mean, it's as much my fault as it is anybody else's in this room. So we just need a chance every now
Starting point is 00:06:58 and then to get our ya-yas out in public, you know. Yeah. Right, right, right. So, Becky, I am interested, though, kind of as a first question, about how did you get working with this? Because you worked with SPARC in your capacity as a consultant. I mean, obviously you know a lot of people in the space, but, like, how did that kind of formally work out, for people who are interested in the consulting world? Oh, goodness.
Starting point is 00:07:24 The white hairs of my head seem to exponentially grow each year I'm in consulting, each subsequent year I'm in consulting. But as you mentioned, I do know a lot of people in the space, in the privacy space, but also in the academic library space, open access space, scholarly communication space. And SPARC has been taking some interest, some increasing interest, in the type of surveillance that they are seeing in content publisher platforms, as you would see in Elsevier, Springer Nature, Wiley, et cetera, et cetera. For those of you who have not read Sarah Lamdan's Data Cartels,
Starting point is 00:08:12 that's a very, very good book to get you oriented as to why you should be very concerned about all these academic publishing platform vendors. We might have some connections that aren't worrisome, you know. you know, you got some sharing with some lovely, you know, very, very good and honest government agencies such as ICE, you know, ICE wouldn't have used that information at all, no. Instruction librarians, if you aren't already including this information in your instruction sessions, you should start doing so yesterday. So I should clarify that the ICE contracts is through LexisNexis, which is sharing the same
Starting point is 00:08:57 parent company as Elsevier. So you get Reed Elsevier, Lexus, Nexus, that is Relix, that is the parent organization. So you have these big conglomerate businesses that are shifting a lot in terms of their focus of their main business models, where you would have businesses that would just solely focus on providing a platform for academic journals and providing database access for all these articles to having an academic arm of their parent business, which has a major product in every stage of the research life cycle. And Elsevier is a very good example of that where you would get products such as Mendele, Scopus.
Starting point is 00:09:49 I think it's Inter, oh, brain fart. The one they just bought. Interfolio. I don't remember. I think it's Interfolio. And so you find yourself having one particular business that is collecting data or has a capacity to collect data throughout your entire scholarly career. And oh, by the way, they just happen to be attached to a larger business that does data brokering and risk management products and all these other contracts with third parties like government agencies and other things, and other third parties, business associates, affiliates,
Starting point is 00:10:30 landlords, whoever they want to do business with. We do not have definitive proof that the academic part of the parent businesses are funneling the data that they get from there into the larger or other parts of the parent company. So we don't have definitive proof that they're funneling stuff. the data brokering arms, the risk management arms. But I know well enough that if there's a off chance, that that chance is, there's a chance. There's a chance. There's, there's a really good article that just talked about, I believe was the chief officer for security for Amazon just coming into the job a few years ago.
Starting point is 00:11:25 And the reality that he came into was he was basically told, we don't know where people's data are because we have such a huge business that we lost track. We have no capacity to track where this data is flowing. And I, and there are, you know, relevant and not relevant, but there are, there are chances that the same could be said with these parent companies, with all these different, all these different smaller businesses within the parent company, do you have strict separation of data within the parent companies?
Starting point is 00:12:04 So the academic publishing side data just stays within that environment. Is it contained fully? Is there an air gap between different business areas within a parent company? And my time in tech leaves me very, very pessimistic that this is, that, that, that there is a 100% full-proof air gap or catanurization with this data. Yeah. I mean, there's so much to talk about. I think one thing I really want to make sure people understand when they come away from this is why do people talk about Elsevier so much? Like, if you're just not in this world, like, who's Elsevier?
Starting point is 00:12:45 Who cares? Who gives a shit? But to understand, like, how big and menacing this company is, like, it's really, like, it can out, it's huge, it's very profitable. It can have the upper hand in negotiations against pretty much anyone it negotiates with. And it creates these, these risks, it owns this company side of Lexus, of Lexus, that is creating, like, all of these very large amounts of data products that are very, very profitable. And so it's a mixture of it's everywhere. It can acquire almost anything it wants to. And it seems like even just imagining Elsevier by itself doesn't send information in relics, which I don't believe.
Starting point is 00:13:28 But leaving any data on the table would just be leaving money there because like Elsevier sells back data to academics like in its Chris system or anything else that could create new metrics to evaluate faculty or evaluate research. or evaluate research grant applications or evaluate, you know, do any of the functions that, like, are pseudo-government in nature, like assessing your employees and faculty, doing grants, all that stuff. It takes a lot of work off of your plate, and the only way to do that is to hoover up all that data. And so it's got all this data, like, sort of combined. And then to imagine that there's just, like, no way that once it's combined it in this, in Elsevier, it's not going to, like, jump over to Alexis Nexus. This is the part where that no one really believes, but... They might themselves might not know. Yeah.
Starting point is 00:14:21 I always just think of, I think, is it Marshall Breeding who has that giant chart of library software mergers that is just like practically all the way down to, like, Clarivate and Elsevier and something else? Like, it's a timeline so you can see all these different companies just get bought up until there's just, like, we're headed towards, like, a library. I don't know about the academic space as much, but like the Big Five publishing kind of scope, but with library software, it seems. Yeah. We're almost, we're pretty much heading that direction for academic publishing, scholarly communications, the folks who control the entire process in terms of the tech, in terms of, the tech, in terms of, of hosting, in terms of providing access to scholarly products. And then you, as Justin mentioned, you then aggregate this data with grant information, managing grants, managing funding,
Starting point is 00:15:32 managing performance, managing hiring. You got a pretty detailed user profile of a lot of academics at that point. A lot of valuable data. And again, Elsevere is the most mature example that we are working with in the academic publishing and scholarly communications field. But you also have Springer Nature, Wiley, whatnot, who are also shifting towards a business model that is more driven towards dealing with data, data analytics, and it's ilk. I'm just looking through the big list of mergers on library technology.org, which I'm going to link to. I don't know if this is one you were looking at, say, the book. Yeah, yeah, that's the one that I was thinking of.
Starting point is 00:16:23 Yeah, these are really good. I'm going to post that in the notes. But yeah, I mean, Elsevier has done, like, the most of this. So it makes sense to focus on them, which kind of, like, answers, like, why do just one company? Because, like, Elsevier has done the most acquisitions. It owns one product in basically every part of the conceivable research life cycle, including the parts that we're supposed to control, like the institutional repositories. Yeah.
Starting point is 00:16:51 Even that part was supposed to, you know, remain outside of the publishing cycle, and yet it didn't. Where there's money to be made, there's a product to be had. Yes. I'm hoping people will keep being interested in open source alternatives for all of these things, but we've talked about all the IT difficulties and things like that before with hosting your own options. But some consortial options are always available. Texas Digital Library is a good example I always point to of consortial options
Starting point is 00:17:22 to host your own open source stuff and keep it kind of academically controlled. And all the staff there are basically UT Austin employees. So it's nice to have that option. Anyway, so Becky, can you kind of run us through like the kind of data that you found they were aggregating, or do you want to start somewhere else, if it's easier to explain from a different starting point? It would probably be easier if I explained how we did this report and then the stuff that we found through our analysis.
Starting point is 00:17:59 So we've decided to do a two-pronged approach using information that is publicly available. The first prong is public documentation and contracts. So we had contracts in the SPARC Contract Library that we had available to look at. We have the Elsevier privacy policy. And then we have a whole slew of different documents that have some relation to data privacy and or data security. The second prong approach is to basically throw a bunch of tools and test the front-end ScienceDirect website. So we had, how many tools did we use? We ended up using
Starting point is 00:18:47 one, two, three, four, five, six different tools. And the report goes into a little bit more detail as to which tool does what. So we had a tool set spanning from standalone products, which were like the markups blacklight site. So when I say black light, I do not mean the library project black light. I mean the black light developed by the markup, which detect several standard surveillance methods, such as ad tracking, key logging, tracking by Google and Facebook. And then we get into the browser plugins such as you block origin, no script. And then we get into the native, the built-in web developer tools in Firefox and Chrome.
Starting point is 00:19:37 And that's with just looking at four pages at ScienceDirect just to see what data is being stored and sent over. So basically what is being collected. What can I tell in terms of how Elsevier and other third parties are tracking someone who might be wanting to read an open access article on ScienceDirect or searching something in ScienceDirect and whatnot. And this two-prong approach is to strengthen the analysis so we can see if what they're saying in the public documentation is actually happening on the site itself. It strengthens what we have found at the same time. We're only able to test the front end site. So I couldn't get into the back end, as well as I couldn't get into internal documentation that might be on Elsevier's side. So there is that
Starting point is 00:20:35 limitation. But at the same time, we've got a pretty good sense as to what is being collected. And it's a lot. So the fun parts about what's being collected, actually, the thing that with the documentation, and I love the, the, what I got from the front end tools that I use for the front end testing where it was talking about, oh, here's all these Adobe trackers and here's all these metrics trackers that's tracking your browser, that's tracking your browser size, that's tracking your IP, that's tracking giving you a ID for your session that may or may not be persistent throughout, you know, multiple sessions. So Elsevier decided to create a supplement to the privacy policy. So before then, they had a CCPA notice, which is specifically for California
Starting point is 00:21:41 residents, CCPA being the California Consumer Privacy Act. And in 2023, they decided to update that CCP notice to the U.S. Consumer Privacy Notice. And it's linked from the privacy policy, but you have to be, you know, aware enough to click on a link that is near the top of the privacy policy. That policy gives you really good information about what they're collecting. So, yes, they are collecting geolocation data. They're basically collecting what you're doing in terms of search history. I found that even if I'm not logged in, search history is being logged in one of the trackers that I found through the, through the front end testing part of the analysis.
Starting point is 00:22:33 Also finding stuff that's being tracked in terms of how you're navigating the site, how things are being tracked with different third parties. So, yes, you do have, you do have New Relic, you have Google, you have, apparently the cookie notice says that there are Facebook trackers on there, but I couldn't find any Facebook trackers. So that's one part of the documentation you were doing that doesn't really have the evidence supported from the front end testing. What was the Mouseflow?
Starting point is 00:23:11 Oh, yes, the Mouseflow. So we tested the, we tested the, we did the analysis twice, essentially. We did a round of the analysis in 2022, and we did analysis in 2023. Now, the analysis in 2023, we found that there was a page that we originally tested, the search results page, which was tracking your search history, even though I was not logged in. And then I found that it was redirecting, if I was using one of the automated tools, to the login page, id.elsevier.com. And then I found this little beacon from Mouseflow.
Starting point is 00:23:57 So Mouseflow is a company that specializes in tracking mouse movements and keystrokes on websites. Yes. And in addition, um, in 2023 I also found with one of our browser plugins a little, a little cookie from ThreatMetrix on the login site as well. So you might have remembered back in 2020, a technologist and researcher found ThreatMetrix being used on ScienceDirect articles. Now, ThreatMetrix is supposed to be used for fraud detection and security, but it's also a part of the RELX risk management portfolio. So who knows what data is being collected there and how it is being used after the collection. So ThreatMetrix seems to be still kicking alive, being alive and kicking, on at least a login page for ScienceDirect. Yeah, and the Elsevier login page, which is shared with Mendeley and.
Starting point is 00:25:04 Yes, Mendley is Scopus. And the fun part about all the research products for Elsevier, you create one account. The information is, if you create an account for Science Direct, that information is also being shared. with Mendele or Scopus. You have one account for all these products. So that means all the data that is being collected from all these products are probably being combined. Or at least there is a connection, a connection via your login. And so you can get a pretty good user profile, what you're doing in Mendele,
Starting point is 00:25:40 what you're doing in Elsevier databases and whatnot. And do you have control over that? It's iffy. That's one of the things where I think you mentioned in the report itself that this, if you're on basically any else of your website, you can assume it's doing the same thing as any sort of social media site. I think this isn't the conclusions. So it's grabbing basically as much information as possible. And I keep wondering, I've wondered this since 2020, if they just used threat matrix simply because someone was like, yeah, we used it in my last job. So I'm going to, let's use it.
Starting point is 00:26:16 Like, it wasn't even that they're owned by the same parent company, but someone was just like, yeah, let's put this in as anti-fraud. Yeah, I mean, this isn't the only anti-fraud thing that they have there on the website. Let me get into the appendix. So we got stuff from Cloudflare and Urelic. Both are used in some sort of capacity to help with bots and security and fraud. those two tend to get used because I could see the argument of, well, it's being used elsewhere or I used it before, so we might as well use it. Same thing with, oh goodness, pendio, same thing with the Adobe audience product.
Starting point is 00:27:03 You look at people in putting these on their website and not thinking about the ramifications of putting this on their website. We don't know why Elsevier has all these on their website. Again, I don't have internal documentation, but for other businesses and other websites, there are fairly popular products, but they have problematic data privacy practices. And also, you know, we have the 800 pound elephant in the room, which is the data broker industry. and how much of that data being collected by these third-party vendors is getting fed into that ecosystem. Back to the level of analysis you were talking about, the policy things. I also thought it was interesting that the Science Direct and Elsevier, when you were doing it in the same year, you noticed that the privacy policies were different between them.
Starting point is 00:28:04 And I think it was the Elsevier one gave you more information than the Science Direct one. but still you were using the U.S. privacy addendum to get the most information. Yeah, that was the cookie notices. Oh, cookie notices. So a fun thing when you're trying to figure out. So let's say, let's do a little bit of hypothetical here. You are a library worker at an academic institution. You have been told that you need to look through science direct to figure out,
Starting point is 00:28:39 what what is the data privacy policy like? What are the red flags do we need to watch out for when we're doing the negotiation? Or what are the red flags that we need to let our users know when we're teaching users how to use these products? And then you're presented with two different cookie notices. And I could be, I know if with other vendors they have two different privacy notices for their parent company and for the product that you're using. And you get to play which policy is actually in place here. Because Elsevier, so you got the Elsevier cookie notice and the Science Direct cookie notice. You would, logic would say that the Science Direct cookie notice should be the one that you should be paying attention to. But again, I have been
Starting point is 00:29:39 in the tech industry long enough to know that that sometimes is not the case. So you would have to keep in mind that some of the stuff that's being said in the parent company's policies might also apply to the product that you're looking at if you got more than one particular policy for that product. I just wanted to give an example of kind of this thing. My previous job, we were evaluating. we were going to buy, oh God, what's it called? The layer that makes the catalog pretty discovery layer. That's basically what it does, right? We were planning on implementing a discovery layer over our catalog,
Starting point is 00:30:23 and as we were evaluating vendors, I was on the team for that, and I asked all of them, you know, give me your privacy policy for the specific discovery layer product, right? and of course there's other products at the same companies create and they actually ended up winning the bid but one of them I said hey can you submit your privacy policy I can't find it online and the representative that was helping us sent me the privacy policy for their website and not for the discovery layer product and I had to insist three or four times because it was confusing other people on the committee too they were like oh I thought that that was in there and I'm like
Starting point is 00:31:06 This is for their like corporate website. This is nothing to do with their discovery layer product. It doesn't go into, you know, anything there. And I had to insist three or four times before one of them finally found the link and sent it to all of us. And I was like, I couldn't find, I couldn't find this looking at your product. You apparently didn't even know where this was. And so I'm supposed to believe you when I say, hey, what data are you collecting off of users? I'm supposed to believe that you actually know what that is and trust that when you don't even know where your own privacy policy is.
Starting point is 00:31:39 So, yeah, I totally see where, yeah, I see what you mean, Becky. And I am not surprised that you had so much trouble with the vendor because I guarantee you that there was a lot of confusion on the vendors end, especially on the front end customer service, sales engineers, sales folks, the devs, because, privacy, especially privacy policy, is not embedded in many of these businesses. And so people tack, it's like accessibility, it's like security. It gets tacked on at the very end, if that. And there's a lot of confusion around privacy in terms of, oh, we can keep the data. We just encrypted and it's private, secure. Well, there's some confusion about the fact that you have the key to that encrypted data. And what happens if the company gets subpoenaed for that key to decrypt
Starting point is 00:32:46 the data and whatnot? So there's, that's a whole other can of worms. But again, yeah, I am not surprised that you got so much hassle because there's a lot of confusion all around that I've experience working with companies in terms of which privacy policy are we talking about again? Oh, you just mean on website? No, this product. Oh, we just use the website privacy policy, which does not have anything to do with the product. You're telling me you have no privacy policy for your product. Oh, no, we just use the privacy policy that's on our website. And this is when you die inside and smile on the outside. This is when I got really into reading the terms and conditions on, like, crypto websites because I was like, or NFT websites,
Starting point is 00:33:36 because I was like, there's no way that they understand what copyright is, or exclusive rights or anything. And, yeah, they were usually, like, copy and pasted, like, from other, like, clearly copy and paste jobs from, like, other digital services that were, like, minimum viable policies. So, yeah, I don't think anyone gives a shit about making good policies. No, and the maddening part, the part that is just infuriating on my end is that you have a document that businesses have a document that can make privacy practices and responsibilities very clear. And that is the license. That is the contract. Now, when I reviewed L-Severar contracts within the Spark Private, Spark contract library, they only have.
Starting point is 00:34:27 had a paragraph if that for most of the contracts I've read. And it's essentially, we will process the information, the user data based on the privacy policy that is on the website. That's problematic because a contract is legally enforceable. So if something is not done according to the contract, you have a legal basis to fight, to get that rectified, saying, oh, we're just going to do something based on a policy and then link to a privacy policy. That's not in the legal document. And the U.S. courts, as far as I know, have a tendency to few privacy policies that are posted online as not legal contracts in terms of the various court cases that have been reviewed. And if a privacy notice is changed mid-contract, you have no legal recourse to object or to say, hey, this is not right.
Starting point is 00:35:38 This is going to violate our users' privacy. We want this changed or we are going to be walking away. And so one of the things I've seen with vendors, a lot of vendors, is that they'll just link to the privacy website, and a lot of library folks just saying, okay, not realizing the legal ramifications of doing that, which leaves them in a very weak position to fight back or have legal recourse once that privacy policy is either changed or just not followed at all. Sadie, you put a question in here, I think, the tie-in to privacy is EDI practice? Yeah, yeah, because you already said secure and accessible, which were my two keywords for this. Like, I see a lot of connections.
Starting point is 00:36:30 You know, there's security and privacy and accessibility. And like you said, these are all the things that tend to get shoehorned at the last second into contracts or software or whatever. Like, is there, do you see the possibility of like a similar momentum happening around privacy? also happening for vendor security or vendor accessibility. Because I would also like to see sort of the minimum viable product for both security and accessibility built into contracts for vendors because it varies so wildly. Yeah. And it varies wildly because different libraries are asking for different things in their
Starting point is 00:37:08 request for proposals, request for quotes. So that is one way that you can sort of come at it consistently is look at what you're asking for in your request for proposals. And this is some of those training that I, some of the work I've done with other libraries in terms of review what they have. Do you have a set of privacy questions for your functional requirements? Do you have a set of requirements or just minimum requirements for how data is collected, maintained, I mean, retained, processed, whatnot, because especially with academic libraries, you also have FERPA into the mix. And so you got to make sure that your vendor is also doing right by FERPA.
Starting point is 00:37:59 So looking at what you're asking for at the point of soliciting, quotes and just looking at different options. I think that's one good way of having, getting that momentum in terms of not only privacy, but having accessibility baselines, having security baselines. I know that some, and this is also one thing that I do push for, you know, getting, getting privacy audits when you're reviewing vendors. Now, I have to asterisk that because we already have been to security and accessibility sites. We got VPATs and then we got different security questionnaires that get thrown about here, there, and everywhere. But most of them are self-reported by the vendor. And as we have learned, there is a really nice article in the
Starting point is 00:38:55 Code4Lib Journal that talks about VPATs, how, you know, VPATs that are filled out by vendors, they tend not to show the entire picture of that product's accessibility. So when we're talking about audits, we need to make sure that there's some sort of accountability if there is a self-reported audit out there or you get a third-party auditor to do the audit. That's another way where you get there. Because it seems expensive. Yeah, and this is one of the things, this is one of the evergreen things with privacy work and to an extent accessibility work and security work. It's expensive to do things right.
Starting point is 00:39:41 It takes time to do things right. It takes resources to do things right. There have been, you know, in my work outside of SPARC, there have been talks about creating a clearinghouse for audits. Just to give, just to loop back to the report, the report uses the vendor contract privacy rubric. That's from the Licensing Privacy project. And so some people were interested in creating a clearinghouse that had completed rubrics from various different institutions. Now, that then gets into some maintenance issues, who's going to keep up those rubrics, because, Paul, contracts change, policies change, practices change.
Starting point is 00:40:29 But it might be something, you know, if you're doing larger, if you're in a consortium or in a position where you have more resources that can benefit a lot of institutions, that might be something to look into. Do it for the smaller libraries. Yeah, this is, yeah, this is where, again, I keep coming back to OhioLINK because I used to work for Miami University way back when I was a baby librarian. Oh dear, I don't want to think how long that's been. But the, the, the, the, the power of a consortia cannot be understated, cannot be overstated because I, you know, I, again, this is, this is a very
Starting point is 00:41:12 simplified, an overly simplified statement. OhioLINK made Millennium, Triple I's Millennium. That was one of the first major customers that Triple I had in terms of creating that integrated library system at that time. OhioLINK had the resources. Triple I was more than happy to take those resources and create a product that was then used throughout the country and then across the world. And so when you get to a point where you have a group of libraries that are well-resourced, push for certain things that generally benefits the greater library community.
Starting point is 00:41:55 But I hate to say but so many times, working at a small library, sometimes the larger library groups tend to forget that we have unique issues. Let's say, for example, you're doing open source and you're trying to do an open source repository that was developed by institutions that had more resources, had specific knowledge and very specific programming languages that are very expensive to pay for if you want to get a dev onto your library staff. And that just leaves smaller libraries out in the cold still. But if you get to a point where you have larger institutions also taking to being more inclusive, in their approach, if they're going to be doing this type of work,
Starting point is 00:42:49 you lessen the chance of some particular smaller library issues being overlooked. Yeah, I was just doing some user testing for I.O.I. And one of the things I tried to mention to them was, if you have open infrastructure, one of the things is going to have to be, how resource intensive is this to spin up? And how difficult is it, like, how big is it going to be? because, like, my IT won't listen if it's going to be, like, a massive thing with multiple databases or if it's going to be, I said the difference between, like, a Samvera install and a Mecca install. One you can do, like, on the smallest little cloud server, and another one is, like, $100 to just, like, get up and running.
Starting point is 00:43:33 And that $100 can pay for, you know, basic maintenance that needs to be done. That could pay for a ream of paper, a box of paper for your printers. Just getting the money. I mean, like, just getting an account number that, like, you know, you can run this to or get, I mean, God, running Amazon Web Services, getting our own Amazon Web Services account was a nightmare. Yeah. So I can't just spin stuff up, even if I had the money for it.
Starting point is 00:44:03 IT won't give me permissions to do it. Or, you know, like, what happened to me when I was working at, Rennell College, your IT department doesn't do Linux. Yeah, we get that too. So, yeah, we were the, we and the computer science departments were the only departments on campus that had Linux servers. Let me just put one in there. Yeah, I had a production server in office once. I don't recommend that.
Starting point is 00:44:35 Things happen. So we were plotting to use the coffee maker that was sitting in the corner, putting a hard drive in it, getting it up and going to be a test server that also does coffee. I learned that the first webcam was invented to check if there was coffee in the break room. Yes. It was the first use of a webcam. Yep. And probably the most practical still to this day. Yeah, probably.
Starting point is 00:45:02 So we're almost out of time. On contracts, I know this is, it isn't too specific in sort of like actions. But I've been thinking about them since we talked with Cory Doctorow about how we can force things on vendors with contracts. And I was thinking, because I was just reading through a contract the other day because I had to do a software assessment for a vendor. So I was putting that through IT and everything. And I was thinking, you know, we have all these clauses that allow us to just back out if they don't do something. It's usually like, you know, if you don't ban TikTok or whatever, because Texas has these rules, right?
Starting point is 00:45:42 It's like if you don't have the prohibited technologies list, we can just like leave the contract and you have to pay us all the money back. And so, I mean, is that a strategy that people have talked about of just saying like, look, if you don't keep these privacy standards that we want, we get to walk away and you have to pay all the money back or anything similar in the contract language? Oh, goodness. I haven't run into that particular language in terms of you have to pay us back. I do know that there is contract language being worked on as part of the Navigating Risk and Vendor Data Privacy Practices project that could be used to strengthen privacy protections within the contract itself. And so when things start going sideways with vendors doing wonky stuff with data, you can point towards the contract and say, hey, you know this thing right here? We signed a legal document about it. Would you please stop doing the problematic thing? Or we will need to have a little
Starting point is 00:46:49 chat with lawyers. And the strongest contract language that you can get is going to be, one, the contract language that your lawyers will go to bat for. So we can talk about contract language all we want, but we also have to talk about how we get our institutions on board with protecting user privacy through contracts and other ways. Because if we put all this language in the contract, if we talk a big game and then the vendor pushes back, and then we look at, again, going back to academic libraries, we look at our general counsel,
Starting point is 00:47:36 we looked at our administration, and they're just shrugging their shoulders. And you probably have like one or two people on campus who are stands for the vendor. You don't have much leverage there. And so I would say not only getting the language saying do not use user data for X, Y, or here are the limited uses of what you can do with our user data, you have to ensure that your campus or your institution, your administration, folks on campus, have your back when you start going into that battle when those problematic practices do show up or the vendor will not budge when you include that language in that contract. And that's another thing that's
Starting point is 00:48:26 going to be with the SPARC working groups is creating those talking points that you can go across campus to say, hey, this is what we're working on. And you should care about privacy with students, with research, on, you know, institutional data. Here are the reasons why you should care. And this is how you can help protect user privacy, protect data privacy, and how you can work with the library to do that. And I think just having this all ready for when the opportunity presents itself is also really useful. Plan now and then when you get the right political climate.
Starting point is 00:49:05 I mean, I imagine, you know, if the big one happens, you know, the big privacy breach, you know, you might be able to get all kinds of stuff through legislatures that you didn't think. I was just thinking, yeah, Texas specific. Because, you know, election day was yesterday. So I'm just thinking about like, you know, how hard would it be to get something through the Texas legislature? But if something really bad happened, you go,
Starting point is 00:49:28 oh, we've got all these privacy rules that we've been wanting to put in place, you know, with the right political climate and the right reaction to the right event, you can, stranger things have happened. Yeah. Unfortunately, it's a reactionary approach, unfortunately. And one of the things that I'm hoping that SPARC is hoping, I'm hoping as an individual, is that we get more proactive. And this is only the first step.
Starting point is 00:49:52 Because when you're reactive, you're always on losing ground. You've already lost. Yeah. Okay. Well, thank you so much, Becky. I don't want to keep you any longer. Hey, no problem. Thanks for having me back again.
Starting point is 00:50:06 And, uh... Yay. Yay. Good night.
