Produced in collaboration with Becky Yoose of LDH Consulting Services, SPARC’s Navigating Risk in Vendor Data Privacy Practices Series documents vendor data privacy practices that directly conflict with library privacy standards. There are currently two reports in the series, one focused on ScienceDirect and the other on SpringerLink.
While these reports raises serious cause for concern, libraries still have the power to shift the marketplace to once again reflect librarianship’s commitment to patron privacy. Concerted action can greatly impact the future, so each report closes with suggested actions that libraries can take over both the short and long term to address vendor privacy risks.
Elsevier’s Science Direct
Navigating Risk in Vendor Data Privacy Practices: An Analysis of Elsevier’s ScienceDirect raises important questions regarding the potential for personal data collected from academic products to be used in the data brokering and surveillance products of RELX’s LexisNexis subsidiary
By analyzing the privacy practices of the world’s largest publisher, the report describes how user tracking that would be unthinkable in a physical library setting now happens routinely through publisher platforms. The analysis underlines the concerns this tracking should raise, particularly when the same company is involved in surveillance and data brokering activities. Elsevier is a subsidiary of RELX, a leading data broker and provider of “risk” products that offer expansive databases of personal information to corporations, governments, and law enforcement agencies.
As much of the research lifecycle shifts to online platforms owned by a small number of companies, the report highlights why users and institutions should actively evaluate and address the potential privacy risks as this transition occurs rather than after it is complete.
Springer Nature’s SpringerLink
Navigating Risk in Vendor Data Privacy Practices: An Analysis of Springer Nature’s SpringerLink examines how SpringerLink provides a case study in the encroachment of the broader surveillance-based data brokering economy into academic systems.
Among other findings, the report documents risks related to the 200 named third parties that are allowed to collect information from users of the site (along with what appear to be additional unlisted companies found only in our public website analysis). While the specific privacy concerns posed by SpringerLink are different, our analysis reiterates the findings from our ScienceDirect report: that user tracking that would be unthinkable in a physical library setting now happens routinely through publisher platforms.
To fully understand how data may be used, librarians would need to read the 200 additional privacy policies from third parties that would likely stretch into the thousands of pages, a task complicated by numerous broken links to these policies at the time of publication. Significant expertise and capacity are required to understand these policies and the potential downstream uses of data that may be collected. Few libraries, if any, are likely to have such resources available to closely review even a single vendor and its associated third parties, further exacerbating the power asymmetry between vendors and libraries.
This page will be updated as additional analysis and resources are available.