This has been a great discussion. I have just talked to a few others who had Lean Library sign a security and privacy rider with the agreement, as I believe Becky is mentioning below. If those who did something like this would be able to share that contract addendum language, that would be great.
From: Code for Libraries <[log in to unmask]> On Behalf Of Becky Yoose
Sent: Wednesday, August 22, 2018 8:23 AM
To: [log in to unmask]
Subject: Re: [CODE4LIB] Lean Library Security Concerns
With regard to PII and IP addresses, the trend with privacy regulations has been to classify IP addresses as PII. For those who fall under the scope of GDPR, "personal data" includes IP address. For the States, some sector-based laws have IP address under personal identifier categories (HIPAA). IP addresses are considered "personal information" in the California Consumer Privacy Act [CaCPA]. While 99% of libraries are not under the scope of CaCPA, other states are looking at CaCPA to inform their own efforts to create and enact similar laws, some of which might have libraries within their scope of compliance. This is only one of the many reasons why we should not have IP addresses traced back to individuals if we can help it (which many of us have the ability and resources to do).
Would folks be willing to share the contract addendum language and changes that they successfully negotiated with the vendor to the list? Having the language would help others negotiate with Lean Library if the library's risk tolerance for potential patron privacy violations is lower than others who choose not to negotiate.
On Wed, Aug 22, 2018 at 7:58 AM Tim McGeary <[log in to unmask]> wrote:
> I think we need to be clear (and careful) in this discussion about what
> user data we are discussing. With authentication being done by the
> library / university, Lean Library doesn’t actually have personally
> identifiable information (PII). While IP addresses can be traced, is
> that any more a concern than a user's ISP tracking all of the user's
> traffic already, since Lean Library is only effective from off-campus IP addresses?
> On EZProxy, we do use a wildcard certificate, and we are in the
> process of moving the IP address of the service to a private IP address.
> Similar to a previous comment, this service will be an individual
> choice of a user to make. We can’t push this to our users; it will
> take their own initiative to install.
> Another context that I haven’t seen yet: what do others think of the cost?
> Have you found it to be reasonable or high? We are still considering
> that question internally.
> One more context is the licensing. The base license language has the
> jurisdiction in The Netherlands, which is something we (Duke) could
> never accept. We are suggesting other language changes, too, so I
> don’t know where all of this will land. It is possible we won’t come
> to a mutual agreement on contract terms.
> AUL for Digital Strategies and Technology Duke University Libraries
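The thread's point that IP addresses should not be traceable back to individuals "if we can help it" is usually put into practice at the log layer of the proxy (EZProxy or similar) rather than in the contract. The following is an added example, not code from this thread, from Lean Library or from EZProxy: it takes constructed Common Log Format lines, zeroes the host part of each client address (a /24 for IPv4, a /48 for IPv6), optionally replaces the address with a keyed HMAC pseudonym instead, and blanks the authenticated-user field, which is the direct PII the library itself adds when it does the authentication. The log lines, the `/24` and `/48` cut-offs and the key are all assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Optional

# Constructed sample lines in Common Log Format (not real traffic).
# Fields: client-ip ident authuser [timestamp] "request" status bytes
SAMPLE_LOG = """\
203.0.113.45 - alice [22/Aug/2018:08:23:11 -0400] "GET /login HTTP/1.1" 200 512
2001:db8:85a3::8a2e:370:7334 - - [22/Aug/2018:08:23:12 -0400] "GET /ezproxy/x HTTP/1.1" 302 0
198.51.100.7 - bob [22/Aug/2018:08:24:02 -0400] "GET /resource/1 HTTP/1.1" 200 2048
"""

# The three leading CLF fields; everything after them is left untouched.
CLF_PREFIX = re.compile(r"^(\S+) (\S+) (\S+) ")


def truncate_ip(ip: str, v4_keep_bits: int = 24, v6_keep_bits: int = 48) -> str:
    """Zero the host portion so the address identifies a network, not a person.

    The prefix lengths are assumptions; pick what your analytics still needs.
    """
    addr = ipaddress.ip_address(ip)
    keep = v4_keep_bits if addr.version == 4 else v6_keep_bits
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC token: the same address maps to the same token while the key lives.

    Anyone holding the key can re-identify, so the key must be protected and
    rotated; this is pseudonymization, not anonymization.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_line(line: str, key: Optional[bytes] = None, drop_user: bool = True) -> str:
    """Rewrite one CLF line: replace the client address and blank the authuser field."""
    m = CLF_PREFIX.match(line)
    if not m:
        return line  # not CLF-shaped; pass through unchanged
    ip, ident, user = m.groups()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return line  # first field is not an address (e.g. a hostname); leave it
    token = pseudonymize_ip(ip, key) if key else truncate_ip(ip)
    user_field = "-" if drop_user else user
    return f"{token} {ident} {user_field} " + line[m.end():]


def anonymize_log(text: str, key: Optional[bytes] = None, drop_user: bool = True) -> str:
    """Apply anonymize_line to every line of a log body."""
    return "\n".join(anonymize_line(ln, key, drop_user) for ln in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
    # Constructed key for the demo; in practice it comes from a secret store.
    print(anonymize_log(SAMPLE_LOG, key=b"demo-rotating-key"))
```

Truncation is the safer default because it is irreversible and needs no secret; the HMAC variant keeps per-client correlation for troubleshooting a session, but only for as long as the key exists, so rotate it on a short schedule and never store it beside the logs.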