Friday, April 9, 2021 News

Addressing the Alarming Systems of Surveillance Built By Library Vendors


On April 2nd, news broke that RELX subsidiary LexisNexis signed a multimillion-dollar contract with U.S. Immigration and Customs Enforcement (ICE). According to reporting on the ICE contract by The Intercept, LexisNexis’ databases “offer an oceanic computerized view of a person’s existence” and will provide the agency with “the data it needs to locate people with little if any oversight.”

While this contract may be new, it is just the latest development in an alarming trend that SPARC is following. Two major library vendors—RELX and Thomson Reuters—have been building sophisticated, global systems of surveillance that include online tracking technologies, massive aggregation of user data, and the sale of services based on this tracking, including to governments and law enforcement.

Dollars from library subscriptions, directly or indirectly, now support these systems of surveillance. This should be deeply concerning to the library community and to the millions of faculty and students who use their products each day, and it further underscores the urgency of privacy protections as library services—and research and education more generally—are now delivered primarily online.

The erosion of privacy protections and growth of surveillance has become increasingly evident throughout SPARC’s work. Through our Journal Negotiation Community of Practice, we’ve seen large vendors reject libraries’ suggested contract language related to privacy and insist on their own more permissive clauses. In our work to advance open education, the increasing intrusions into student privacy from invasive proctoring software and data collected by courseware platforms are central threats. Our market analysis work has directly documented the evolution of publishers into information analytics businesses that have strong incentives to surveil users to monetize granular user data. 

As we’ve better understood the surveillance capabilities that RELX and Thomson Reuters have been building, these various threads have come together—raising SPARC’s concern and highlighting the importance of understanding these companies’ evolution and what it means for libraries and their patrons.

Mixing Scholarship with Surveillance

LexisNexis’ own marketing materials highlight the extent of the database of personal data they have assembled. Its ThreatMetrix for Government product touts its ability to provide governments “a holistic, singular view of your citizens,” drawing on a database of “1.4 billion unique online digital identities from 4.5 billion devices.” LexisNexis—which shares RELX as a corporate parent with Elsevier, the world’s largest academic publisher—also offers a “Special Services” division that specializes in the areas of counterintelligence and investigative solutions.

Thomson Reuters, parent company of legal research service Westlaw, also holds government and law enforcement contracts for its CLEAR database providing similar capabilities. The CLEAR database was recently singled out by the Washington Post as an example of how government agencies have “exploited commercial sources to access information they are not authorized to compile on their own.” In February, lawmakers in the U.S. Congress launched an investigation based on the concern that ICE’s use of the database constitutes “an abuse of power.”

Both library vendors now face boycotts over these contracts, and Thomson Reuters faces a lawsuit accusing the company of illegally selling data belonging to California residents without their consent.

As alarming as these surveillance technologies are in their own right, they may already be crossing into academic products. Surveillance researcher Wolfie Christl has reported ThreatMetrix tracking code is now embedded in the ScienceDirect website, raising serious questions about what patron information is being collected and toward what purposes.

Urgent Questions Facing Libraries

The transition to online platforms for education and research—even open ones—has created new, complex, and unprecedented threats to libraries’ commitment to protecting user privacy. Some of these threats are already well known, like the weakening of privacy protections in the move to SAML/Shibboleth-based authentication. Others are much more opaque, like the ubiquitous online use of browser fingerprinting and user tracking that publishers and other vendors serving libraries and academic institutions are increasingly adopting. The Library Freedom Project’s Vendor Privacy Scorecard highlights the many privacy concerns across a wide selection of library vendors.

Vendors’ involvement in surveillance, even in areas that extend beyond the scope of their scholarly products, stands in direct contradiction to libraries’ core values and all but ensures that more surveillance will make its way into products used throughout the academic enterprise.

What data may ethically be collected and what should never be, how that data should be secured and kept confidential, when it may be used, and when it should be destroyed are decisions that must be made transparently—and not governed by post-hoc privacy policies that are subject to change. 

Working Together to Address Privacy Threats

Privacy can and should be a competitive advantage for open infrastructure, which avoids the need to gather personal information in order to defend paywalls, meter access, or process payments. But this privacy advantage for open systems must be pursued intentionally in the initiatives we choose to support and in the terms of the contracts we sign. Profit-driven open platforms have an undeniable tendency to monetize user data at the expense of user privacy. We must insist that strong privacy protections be built into the foundation of all academic infrastructure at the technical and contractual levels.

In the coming week, SPARC members will receive invitations for follow-up discussions on these developments. We will host a briefing to provide members a better understanding of vendors’ surveillance businesses and their implications for libraries and for the public. Through our Journal Negotiation Community of Practice, we will also host a discussion for libraries to share their experiences in negotiating privacy clauses in vendor contracts. Our next LibOER call will also focus on the negative impacts of proctoring software.

In our initial conversations, we’ve already seen that libraries may want to begin planning now to recalibrate relationships with vendors that actively contribute to broader systems of surveillance—and that this recalibration will take different forms for different institutions. Some may be able to walk away from a vendor or significantly reduce their spend. For many others, it may not be possible to walk away for now, and recalibration may start with a renewed focus on contractual terms (particularly privacy clauses) and with taking steps to educate faculty and students about vendors’ surveillance activities. In the long term, recalibration may require building alternatives that do not currently exist.

SPARC plans to work collaboratively with the wider community to address these challenges and to support the individuals and organizations which have already been leading privacy discussions. We will keep the SPARC community updated as our privacy work continues to develop.

If you have information or have had an experience with a vendor that you believe might help inform SPARC’s privacy work, please email Nick Shockey directly at [email protected].  

We’re grateful for the time, expertise, and writing of many who have already been doing important work in this area. In particular, we would like to thank Dorothea Salo, Sarah Lamdan, Wolfie Christl, Alison Macrina and the Library Freedom Project, Shea Swauger, Rory Mir and the Electronic Frontier Foundation, Lisa Hinchliffe, Sarah Shreeves, Cody Hanson, Cliff Lynch, Leslie Chan, Amy Buckland, Meg Wacha, and Becky Yoose.
