I know what you read last night

Recently I discovered a number of privacy issues with the Oakville Public Library (OPL) web site:

  1. Your book borrowing history is publicly available on the OPL web site.
  2. Your book borrowing history is publicly available on many other North American Library web sites. 
  3. OPL patrons could be “following” my book borrowing history.  I cannot stop this, opt out, or determine who is following me or prevent them from messaging me.
  4. A posted book review is cross-posted on other library sites without informing me.
  5. Viewing any particular title via OPL website allows me to see who else has borrowed that title.  The “who else” could be me.
  6. While viewing a title from seemingly any North American on-line Library (which uses the same library book-lending software as OPL), you can see who from any other library branch (including OPL) has borrowed that title.

In today’s heightened awareness of personal privacy, it was surprising to discover that my beloved and well-regarded local public institution has slammed the book on privacy.

Let’s start by declaring that Libraries are great institutions that played a significant role in educating the nation in the early 20th century by making a hugely diverse plethora of books freely available to the masses.  Our society is now reaping the benefits.  While that early mandate has been accomplished, the library’s primary role in removing barriers to printed material is still very valuable to Canada.  In a world of 7×24 access to information and Google Books, Libraries still freely provide a huge inventory of books at your disposal.  However, in our “instant access to everything” world, do you want your potential or current employer, your parents, or the government, to have open access to your borrowing history?  Isn’t your book borrowing history private?

1st Recently a Google Alert uncovered that some of my book borrowing history from my local library, the Oakville Public Library (OPL), is freely available on the OPL web site.  Of the 58 books in my private Recently Returned page, only a portion of that list is publicly listed.  It’s possible that my whole book borrowing history is openly available online and that I simply haven’t uncovered it.  For example, I easily found fellow OPL patron and Oakvillian ttomasino’s borrowing history of 208 books, Randalljay’s 123 items or Kmancuso’s 245 items (note you can also see when they checked out the item).

You can uncover your book borrowing history by Googling
     “<username> site:bibliocommons.com” or
     “<Name> site:bibliocommons.com”.
You can determine your username or Name from your OPL Account Settings page.
After digging deeper, I discovered numerous other incidents of privacy concerns… 

2nd I found my borrowing history is also freely available on many other library sites in Canada and USA, library web sites where I don’t have a library card and have never visited.  For example, Googling “kmancuso site:bibliocommons.com” uncovered 5,410 hits from across many different libraries of books OPL patron kmancuso has borrowed.

Examples of non-OPL library sites openly exposing my book borrowing history.

Evidently, these libraries are using the same software vendor’s back-end social discovery library software.

3rd I can “follow” fellow library patrons, presumably to follow their book borrowing history, or conversely, for them to follow my book borrowing history.  Do I want others following my book borrowing history? Do I know who is following me?  Can I opt out? No. The library’s policy states “…who you choose to follow is private to you. They won’t know, unless you send them a message to tell them what you think!”  Similarly, I can send a message to other OPL patrons simply because I found which book they borrowed.  “Hi, I see you checked out Sex, Sex, and more Sex.  Did you like it?”

4th While I expected a posted book review to be public, I was surprised to learn that my book review posts are not confined to the Oakville Library public site on which they were posted, but are cross-posted on other Canadian & USA library sites, for example California’s Santa Clara County library here or Ottawa’s Library there.  I assumed (yes, I know what that means) the book reviews I was reading were from trusted resources, my fellow Oakvillians.  With the advent of social library tools, our community library has lost its “community” aspect.

5th While viewing any particular title, you can see who else has borrowed that title.  That “who else” could be you.

6th Patrons of other libraries viewing any particular title on their library site can see if you in Oakville borrowed that book.  For example, while searching Outliers on the Santa Clara Community Library in California, I found I’ve read this book.

The Smoking Gun
The most probable source of the privacy holes is OPL’s software vendor, which provides social discovery software for libraries such as OPL and many others.  The default privacy setting for the book borrowing history may be enabled (no privacy), or exposing a user’s borrowing history may be a configuration item available to OPL IT staff, and therefore a training issue.  Lastly, the library patron has some or complete control over this by disabling the “Enable Recently Returned” setting found in a user’s Privacy Settings.  I haven’t yet experimented with disabling this to determine if all the privacy violations are rectified.

The back-end system hosting the library’s book reservation on-line web application is used by approximately 35 other libraries in Canada, USA and Australia.   For a list of libraries where your book borrowing history is potentially exposed see here, then select the library from the drop-down list.
