ECF Raises Privacy Hackles
Patron data retention and reporting requirements for the FCC’s $7.17 billion Emergency Connectivity Fund could lead otherwise eligible libraries to opt out of the program (see 2105260048), stakeholders said in recent interviews. With the first application filing window scheduled to open June 29, groups are asking the FCC to clarify whether libraries can maintain alternate records. The agency largely followed E-rate rules requiring participants to keep records for 10 years. In addition to the type of services or devices provided, schools and libraries would need to maintain records of the names and addresses served.
The American Library Association and others raise state privacy laws and standard library administrative practices as potential obstacles. Forty-eight states and Washington, D.C., have privacy laws making library records confidential, and Kentucky and Hawaii have attorneys general opinions protecting user privacy, ALA says. It's negotiating with the commission about whether reporting requirements can be changed to ensure all eligible libraries can participate, a spokesperson told us: “We're still pursuing that question” with the Universal Service Administrative Co. and the FCC.
The Schools, Health & Libraries Broadband Coalition sought clarification about the 10-year requirement. SHLB said the requirement is “onerous” and “fundamentally at odds with a core principle of library service.” SHLB hasn’t received a response and has been talking with the FCC about the data retention requirement. “We are hopeful that this will not be a major problem,” a spokesperson told us. “Holding onto the personally identifiable information of patrons who check out an ECF-funded device for so long after the device's return goes against the very creed of library services,” the spokesperson said.
The commission and USAC are “committed to protecting the privacy of students and library patrons,” said an FCC spokesperson. Requests for information from schools and libraries will be designed to “minimize the need to produce information that might reveal personally identifiable information, in addition to complying with all applicable federal and state privacy laws,” the representative said.
Any requirement to collect patron-specific data is a “violation of privacy laws and unenforceable,” Chief Officers of State Library Agencies told the FCC in April when the agency sought comment: “Burdensome processes will deter adoption and slow implementation.” COSLA didn’t comment now.
The 10-year retention requirement is “in opposition to the cybersecurity best practice” that data “should be kept only as long as absolutely necessary to avoid potential misuse, data breaches, or other unauthorized access,” emailed Library Freedom Project Executive Director Alison Macrina. The requirement “creates a barrier to access for those libraries who don't have a 10-year data backup plan,” Macrina said: Instead, the FCC could ask libraries for a yearly report as typical grantors require.
Concerns about student privacy for ECF are “similar to those faced by libraries and their patrons,” emailed Cody Venzke, Center for Democracy & Technology policy counsel-equity in civic technology. It's “critical to get students connected and to provide them with services that they need, but those efforts must protect student privacy,” he said: Disclosing personal information “can diminish students’ and families’ trust in schools and other governmental agencies and dissuade them from participating in the program.”