96% of libraries provide reference service via email. 61% by chat. 29% via texting. 26% via Facebook. Some offer reference services over Zoom or Skype. These services are provided almost exclusively by third party vendors rather than by the library or patron. Most of the vendors do not allow audits of their technology or business practices, and the legalese in the contracts and terms of service obfuscates exactly what happens to the conversations. Does a patron retain exclusive ownership of the conversation? Does the library? What rights does the vendor have to the data that moves through its computer systems, and how do they exercise those rights?
The generation of the context of the conversation clearly lies with the patron. Without initiating the reference consultation, there would be no communication. As a profession, librarianship takes the privacy of patron consultation information very seriously, as it underpins the essential rights of freedom of information access and freedom of speech. Librarians have an ethical obligation to protect the privacy of patrons, including the nature of their inquires.
But the ethical and legal obligations of third party vendors are less clear. If a chat system allows a librarian to reference previous conversations with the patron to gain additional context, that information is still bound within the professional ethics of the librarian. But if the vendor uses previous conversations to generate suggestions for the current conversation, they begin taking an active role in the exchange. Accomplishing such suggestions requires analysis of the content of previous conversations. Is it ethical for the vendor to store previous conversations and use them for that purpose?
Continuous quality improvement is a common standard for all customer-facing professions. Individual patron interactions can be analyzed by a library manager so they can provide feedback to reference librarians to improve service. That sharing of information is bound by professional ethics. Can the vendor also pick individual conversations to be reviewed by humans within its organization? Are the people who conduct such quality assurance measures bound by the same level of professional ethics?
Librarians have a long history of protecting patrons from invasive privacy violations conducted by the state, with the Connecticut Four being a prominent example. Libraries have strong legal protections and precedents to protect them in the face of government surveillance. We know how libraries will respond to overbroad information requests from the government for patron data. But how will the vendors we entrust with these reference conversations view their obligations, and what legal protections do they have to resist such requests?
Libraries have policies in place to limit the disclosure of patron information to their relatives, friends, and others. An abused spouse researching divorce options deserves privacy from their abuser. Transgender teens must be allowed to access information about their identity and experience without the threat of disclosure to unsupportive parents. What policies exist for vendors who have access to reference consultations that protect these vulnerable people?
Libraries have no need to disclose the contents of reference consultations for marketing purposes, but the contents of these conversations are a treasure trove of information about the patron asking the questions. Vendors have a financial interest in selling that data to advertisers and data brokers, and many have already been caught doing so.
Recently there has been a lot of public focus on derivative language generation such as ChatGPT. We have already seen that the purveyors of such technology have violated copyright law by training their models on copyrighted works such as books, journal articles and websites. Reference consultation conversations would be a very attractive data source for such technology. What would restrain a vendor from disclosing conversations to AI companies?
There are significant privacy concerns present when using any external vendor to handle sensitive communications like reference consultations. A library cannot rely on patrons to fully understand the implications to their privacy by engaging with such technology. It is our responsibility to provide a safe, secure communication channel for reference consultations. When using third party vendors, all privacy protections and content right retainment must be explicit within the contract with the vendor, along with auditing guarantees that are regularly exercised to ensure that those contractual obligations are being met. Every concern listed here and more must be explicitly enumerated and protected against. Anything less is a failure to meet our ethical obligations to our patrons.