Libraries are trust all the way down

28 February 2017

Everything about the modern public library involves calculations of risk, and decisions about trust. We lend things to people, and we keep records of what ideas citizens are reading, watching, and listening to. We like to tell good stories about ourselves but - if they’re not managed well - libraries can really ruin your day.

The Trust Economy

The darling of the business press is still the “sharing economy”, with new “Uber for X” or “Airbnb for Y” services still appearing. This is sometimes referred to as the “Trust Economy”, with Rachel Botsman declaring as early as 2012 that the “currency of the new economy is trust”. Adriana Stan had the same message four years later, talking about the “codification of reputation” as the key to making this possible. What Stan and Botsman are talking about here is the ‘star ratings’ and reviews that people can use to guide them when deciding whether to use a particular agent on a platform.

Reputation is now carried by a new system, which takes rather elusive notions of credibility, influence and status and turns them into measurable scores. It’s “digitizing” relationships and social connections, extracting value and insights from our associations and both codifying and commodifying trust — signifying it and selling it.[1]

Taking this a little further, Piscini, Hyman and Henry write in an article for Deloitte University Press[2],

[The Trust Economy] ... relies on each transacting party’s reputation and digital identity—the elements of which may soon be stored and managed in a blockchain. For individuals, these elements may include financial or professional histories, tax information, medical information, or consumer preferences, among many others.[3]

But what these people are talking about isn’t really trust at all. It’s the opposite. The codification of reputation is designed to eliminate trust. Whilst Deloitte talks about a “trust based economy” built on the blockchain, Satoshi Nakamoto himself said of Bitcoin and the Blockchain that “What is needed is an electronic payment system based on cryptographic proof instead of trust” (my emphasis)[4]. One also doesn’t have to think very far to remember the 2008 financial meltdown across the United States and Europe. The primary cause was “the codification of reputation” in the form of “credit default swaps” that turned out to be a complete sham. So much for the ‘Trust Economy’.

The economics of trust

Falk and Kosfeld showed in 2004 that behaviour is at least partially shaped by how much trust one is given. That is, if you show that you trust people, they are more likely to act in a trustworthy manner.

Brunton & Nissenbaum go further in Obfuscation, A User’s Guide, pointing out the other side of the risk analysis equation:

credit reporting reduces risk, yes, but it also exports risk...In the process of decreasing risk for a lender, an insurance company, or a business opening a line of credit for a customer, risks are increased for the individual.

Brunton and Nissenbaum identify risks such as identity theft and violations of context (the data being shared or transferred to a third party and used for purposes different to the original reason). Either can happen at a time and place far removed from the original transaction: “These are cases in which increasing the volume and the detail of information collected reduces risk for some while increasing it for others.”

In other words, replacing trust with algorithmic reputation calculations not only makes people less likely to be trustworthy - it also introduces new risks for the person whose trustworthiness is (allegedly) being analysed.

Trusting users, trusting libraries

Over the last year there has been increasing discussion in the library Anglosphere about the effectiveness of fines for overdue library books, and in my home state of Victoria, increasing discussion amongst public libraries about ID requirements for membership, and guardianship requirements for older teens. These are all really questions of both trust and risk, and from my perspective the conversation seems to be going in the right direction - towards trusting users more.

But what about the other side of the coin? The lesson from Brunton & Nissenbaum is that everything we do to reduce risk for our libraries (and therefore our community as a whole) potentially increases risks for individual library users. How much personal information do we store? Is it more than we really need? Are we keeping loans history for individual library users? Why? Can they choose for it to be deleted? Are internet sessions logged? To what end, and is it reasonable?

For libraries to function properly, users have to trust the library, and the library as a whole needs to function in such a way that it assumes users can be trusted. That means not only that library staff need to assume good faith, but also that the systems and procedures we use need to be set up this way. It’s not always the case, but this is vital not just for smooth administration but also because it’s the only way to safeguard the intellectual inquiry and freedom of imagination that libraries exist to support.

Trusting vendors and other third parties

The modern library, however, no longer controls all access to user data. We now tie our reputation to that of ‘our’ vendors - vendors who increasingly attempt to build a direct relationship with library members (or more specifically, with their data) whilst trading off our good names. Vendors who both charge libraries money for their services and collect and sell data about our users are taking two bites of the cherry - and users may well not be aware of what is happening. It’s past time for libraries to look at how we can improve our stewardship of library user data. When libraries enter into a relationship with vendors, we are ‘exporting risk’ twice - firstly we export the risk to our users that their personal data may be compromised, and secondly we export our own reputational risk to the third party. When user data is leaked via a cloud LMS product, it diminishes trust in the library as much as, if not more than, trust in the vendor.

In my sights at the moment are PressReader’s recent new ‘features’ - added with no apparent thought for what this might mean for people at risk of harassment or with a simple need to just read the news - and another vendor’s app that will, according to one of the developers, store library credentials sent over SIP2 for future use in silent SIP2 calls in the background. In other words, user IDs and passwords allowing access to a user’s library account will be stored in plain text in a third party’s database.[5] Most libraries, let alone library users, won’t be aware of this until the inevitable data breach.

As custodians of library users’ data we need to always be looking out for this sort of thing. Not because we want to maintain our reputation, but because it’s our responsibility to our community members. If we spent more time trusting library users, and less time trusting library vendors, we might find that everyone becomes a little more trustworthy.

References & Further Reading

Brunton & Nissenbaum; MIT Press; Obfuscation, A User’s Guide.

Falk & Kosfeld; IZA Institute of Labor Economics; Distrust - The Hidden Cost of Control; IZA Discussion Paper Series.

Nakamoto; bitcoin.org; Bitcoin: A Peer-to-Peer Electronic Cash System.

Piscini, Hyman & Henry; Deloitte University Press; Blockchain: Trust economy; Tech Trends 2017.


[2] Set aside, for the moment, the absurdity of a “Deloitte University” and “Deloitte University Press”.

[5] Just to be clear - this has nothing to do with PressReader and is an entirely different vendor.