Affronts to Library Liberty
legal, ethical, and practical responses
Rutland Free Library
CIPA & USAPA [& HIPAA]
These 3 pieces of legislation on the surface don't have a whole lot in common except...
- they curtail free access to information, for good and bad reasons
- they annoy librarians
- they require an organized response, doing nothing is not an option
USA PATRIOT Act - stands for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- passed nearly unanimously by the Senate 98-1, and 357-66 in the House
- end of October 2001. Remember where you were October 2001?
- one small part -- section 215 -- is about libraries though it doesn't say libraries
- is currently in full effect, though sunsetting in parts as we speak
- potential legal penalties for librarians
- potential conflicts with local and state policies
CIPA stands for the Children's Internet Protection Act, a very small part of a larger appropriations bill which passed Congress December 2000.
- a three judge panel in PA ruled it unconstitutional in 2002
- in 2003 the US Supreme Court held that the law is constitutional [I was at ALA in Toronto at the time]
- libraries have until this July to be in full compliance with the law [what is compliance?]
- no legal penalties [just loss of E-rate or LSTA funds]
- FCC is in charge of regulating CIPA
"the federal government funds 1 to 2 percent of money in libraries" - Judith Krug
HIPAA stands for Health Insurance Portability and Accountability Act. Written as a health insurance reform measure & signed into law in August 1996.
- Created by Health and Human Svcs., enforced by their Office of Civil Rights
- amends the Internal Revenue Service Code of 1986
- "administrative simplification" - two major parts I'll discuss
- Privacy Rule - privacy and confidentiality for PHI including all past, present, and future information [compliance required last year]
- Security Rule - PHI stays safe even when you move it or store it [compliance required April 21, 2005]
- most non-medical people say "oh, that big form..."
These three sets of laws are government-sponsored legislation that force librarians to be more conscious about privacy, security and watching their asses, legally.
Most of them have not gotten to the point of sustaining legal challenge. CIPA passed one set of challenges but is likely to face a second.
In short: Section 215 gives the government new powers to ask for and receive records in your library.
BUT, the DOJ
disagrees with organizations such the ACLU
on the extent of the new laws and how invasive they are, or can be. Previously subpoenas for information came from a federal grand jury. Now they come from the [secret] FISA
court. FISA orders could only be used previously if the primary purpose of the order was to gather foreign intelligence information. USAPA changed the "primary purpose" criteria to one of "significant purpose." Potential uses include....
- request for records or patron information
- requests for hard drives & potential use of keytrapping or other surveillance software on public computers
- gag order regarding requests
- DOJ says it has never used the act in libraries in two years.
In short: if you get government money for net access, you must install filters on all computers
- A library must have some type of filter or blocking technology on all of its computers with Internet access. The filters must protect against access to certain visual depictions...
["protect" is not prevent, "visual" is not text, "all" includes staff]
- "Certain depictions" are: obscenity, child pornography, material "harmful to minors"
- Filtering other content leaves libraries open to potential legal challenges based on the blocking of constitutionally protected content
- Enforcement is complaint driven.
Note: even without CIPA there is no constitutional protection for anyone to view obscene images or child pornography
In short, codifies many practices that were in use already. Strengthens many requirements for privacy and security, especially when transferring data.
- Supercedes state laws with lower privacy requirements, provides a floor for states with higher requirements
- Severe non-compliance penalties [fines up to $250K and/or imprisonment up to 10 years for knowing misuse of PHI]
- Some requirements are vague enough to be concerning to librarians
- PHI covers past, present and future health and payment data transmission [incl. spoken] and storage.
- Enforcement is complaint driven.
CIPA & HIPAA require complaints [or possibly audits] in order for there to be legal trouble. Think ADA. A happy & informed patron and user base can be your best defense against CIPA/HIPAA.
The USA PATRIOT Act appears to be on eroding legal footing, seemingly waiting for a challenge to be filed against it
While librarians may or may not
be split as to how much of the USAPA is vital for National Security there are generally conficts with USAPA and patron privacy policies, and librarians' and library staff's rights.
- Most states implemented library patron privacy laws after the FBI Library Awareness Program
- Four states [AK, HI, ME & VT] and 317 cities, towns and counties have passed resolutions against USAPA as well most state library associations.
- The gag order seems to conflict with the First Amendment. There is "no prescribed sentence" for people who violate the gag order. [technically it's a contempt of court citation]
- Treats citizens and non-citizens diferently as far as what's required to justify an investigation.
- Patrons may ideologically fall on both sides of this issue.
- Governance of library will also affect how this issue is treated.
- There is a lot of room to move with regards to what can be done.
The American Library Association was one of the organizations fighting to overturn this law, but it is now the law of the land, with most appeals exhausted. Official responses need to be tactical, not reactionary.
- Staff, board members and patrons all may have varying opinions on this law and may not even know the law exists.
- There is a not-at-all-fine line between sticking up for the right to read and free access for minors, and the conservatives' cry that librarians are all pornmongers and pedophiles.
- Money is real and needs to be dealt with accordingly.
- Overkill is easy and in fact encouraged by funding agencies.
- Less wiggle room in terms of responses, but fewer people know about CIPA compared with USAPA.
The librarian's usual privacy concerns become amplified and attenuated with HIPAA. "Minimum necessary" becomes a mantra.
- Smaller providers are not expected to go bankrupt [do not change business practice "dramatically"]
- Until lawsuits begin to happen, it's unclear what dramatic means
- Erring on the side of the law and minimum disclosure benefits you and the patron UNLESS it affects quality of care, which is primary [example]
- level of detail that might have been tittilating is now illegal to share
Core values of librarianship
- intellectual freedom
- fighting censorship
- open communication with patrons and staff
- free speech in general
Involve staff, the public, the media and the board in your work on these issues. Designate point people for discussion and training. Learn the tech you need to know.
Practically Speaking: Discussions
USAPA: Legally, you can't do as much after an FBI visit as you can before.... Discuss options with board, publicize the USAPA and the library's reaction to it, to patrons, media and other staff. Remember your discussion options are limited once you've had a visit by officials
CIPA: Do we need to filter? If you don't get e-rate or LSTA funds, you're set... for now. Watch your purchases and keep apprised of regulations and funding streams for Internet access. If you're opposed to CIPA on ethical grounds, start looking for sources of funding to compensate for e-rate and LSTA funds. Think cost-benefit analysis
HIPAA: Realistically assess funding, staffing and current policies and procedures. Play devil's advocate with your systems. Do they work? Do people understand them? Use "the form" as a way of educating staff and patrons about HIPAA not just mystifying them.
Practically Speaking: Systems
- review the policy of record keeping to determine which, if any, records are necessary
- ditto for history/cache on computers
- determine how and when to alert patrons; consider library records, computer sign-up sheets, Internet access etc.
- Know the decision: CIPA requires protection against visuals, all computers filtered, staff must unblock according to Kennedy's concurring opinion [or possibly face an "as applied" lawsuit]
- Know your filters: there is no such thing as a "CIPA compliant" filter. Most commercial filters filter much more than the minimum required by CIPA.
- See what other libraries are doing, read their policies and check their signage.
- Make sure you have policies outlining your Internet access policy and filtering policy, if you have one.
- Learn the terms: PHI, ePHI, CE, TPO, HHSOCR, etc.
- Learn the information pathways, all of them [talk, fax, email, voicemail, scribbling, hard drives]
- Add 1 + 2 and find ways to secure them
- review and implement clear policies, make sure "go to" people really know their stuff.
Practically speaking: Staff & Community & Patrons
- make sure all library staff from director to shelver understand appropriate responses to requests for information from police and FBI to media people
- make sure the library has written policies that back up the decisions your library has made
- connect with regional, state and national library and civil rights organizations for sample policies, legal implications and camraderie
- focus less on "us vs them" and more on "your library is protecting your privacy" messages
- remember it's an acronym, not patriotic, always spell it in all caps: USA PATRIOT Act
- Patrons should know if their terminals are being filtered, and why. Adult patrons should know they have the right to unfiltered access.
- Libraries without filters may still want to offer filtering as an option without restricting underage patrons to only filtered terminals.
- It's not a one way street. Libraries may decide that filtering is not a viable or cost-effective solution and forego future federal funds, forever [or for a few fortnights]
- HIPAA determines minimum patron/client communication ["oh, that form..."]
- Extra communication can empower patrons and help staff grapple with the extra work and expectations involved in HIPAA.
- Patrons get additional rights as a result of the privacy rule that should be part of the HIPAA chat.
The choices are yours to a large degree. While certain degrees of compliance are required legally, other levels of patron interaction are up to you. Be proactive, be positive and above all be informed so you can be an advocate for your patrons and staff and the community at large.
Links & Sources
"To those who scare peace-loving people with phantoms of lost liberty, my message is this: Your tactics only aid terrorists, for they erode our national unity and diminish our resolve."
Jessamyn West is the new outreach librarian at Rutland Free Library
the editor of the weblog librarian.net
and the co-editor of Revolting Librarians Redux
. She has written extensively about the USA PATRIOT Act on her blog and for online and print sources.
Her "The FBI Has not Been Here
" and "Make Mine Unfiltered
" signs have received the odd media mention here and there.
This presentation was created in HTML using CSS. There was no PowerPoint involved in this presentation except as a nagging bad example.