An attorney says she saw her library reading habits reflected in mobile ads. That's not supposed to happen

Follow us down this deep rabbit hole of privacy policy after privacy policy

Feature In April, attorney Christine Dudley was listening to a book on her iPhone while playing a game on her Android tablet when she started to see in-game ads that reflected the audiobooks she recently checked out of the San Francisco Public Library.

Her audiobook consumption, she explained, had been highly focused the previous month, focused on a specific subgenre that she doesn't believe would come up by chance.

"You don't coincidentally come across mobile ads [for that particular subgenre]," she told The Register. "Those ads made me extremely angry."

Concerns about the privacy of library reading material date back to the early 20th century, explained Dorothea Salo, academic librarian and library-school instructor at the University of Wisconsin-Madison, to The Register.

"There was a time when American libraries weren't sure what their stance on reader privacy should be," said Salo.

If we wanted people to feel safe, using libraries, then we needed not to surveil what they were reading and certainly not to rat them out

"Eventually – and I'm eliding a lot of history here – we came to the conclusion that if we wanted people to feel safe, using libraries, then we needed not to surveil what they were reading and certainly not to rat them out to authority figures. So this is actually codified in the American Library Association Code of Ethics, which was first made public in 1939."

But things became more complicated as libraries went online, media became increasingly digitized, and distribution shifted to the network.

"All of a sudden that means a lot of things that libraries don't control about what that experience is like," said Salo. "There's a new actor in the game, the content provider. And content providers do not have all the same ethical commitments that libraries do."

Guardians of our privacy

Library privacy became national news in 2005 when George Christian, then executive director of Library Connection, a Connecticut library consortium, received a National Security Letter (NSL) from the FBI. The Feds, under the US Patriot Act, demanded library patron information without a warrant and imposed a lifetime gag order that forbade disclosure of the NSL.

Christian and three colleagues, who became known as the Connecticut Four, refused to comply and a district court eventually found the gag order unconstitutional, prompting the government to drop its demand. In 2007, the Patriot Act's gag order provision was struck down in Doe v. Gonzales.

More recently, library privacy worries surfaced in North Carolina following the passage of state senate Bill 49, known as the Parents’ Bill of Rights. Aside from its politically motivated ban on school discussion of gender identity, sexual activity, or sexuality below fifth grade, it gives parents access to their child's library records.

The North Carolina School Library Media Association has objected to the law, which is being challenged in court, because it asks school libraries to violate the American Library Association Bill of Rights.

In December, 2023, University of Illinois Urbana-Champaign information sciences professor Masooda Bashir led a study titled "Patron Privacy Protections in Public Libraries" that was published in The Library Quarterly. The study found that while libraries generally have basic privacy protections, there are often gaps in staff training and in privacy disclosures made available to patrons.

It also found that some libraries rely exclusively on social media for their online presence. "That is very troubling," said Bashir in a statement. "Facebook collects a lot of data – everything that someone might be reading and looking at. That is not a good practice for public libraries."

If we think this stuff is confidential ... we should act like it and we're very frequently not

Salo said that the amount of visitor-tracking scripts on many library websites is just beyond the pale.

"I have been watching actually the situation with healthcare organizations getting absolutely nailed to the wall for Google pixels and Facebook pixels and what have you, as potential HIPAA violations," she said.

"And you know, it's the same kind of thing [with libraries]. If we think this stuff is confidential, we should act like it and we're very frequently not. So yes, I am absolutely on a one-librarian war against Google and Facebook pixels. That just has got to stop."

Back in the Bay Area

Dudley said she typically listens to 30 to 40 audiobooks a month, most of which are fiction. "I listen to the books on my iPhone and often search for and check out books there too," she said. "I play games on my Android tablet at night when I'm listening and since I don't pay for them, I get the full ad experience."

Typically, Dudley uses the Hoopla service for audiobooks, but she exceeded the checkout limit and had to switch to different services, including both OverDrive's Libby app and Baker & Taylor's Boundless app. All three apps allow readers who have a library card to borrow ebooks, audiobooks, and more for free.

She said she uses Google's Chrome browser on each device, but logged in under different account names. "I don't like being logged into the Android device and it spilling over to other devices," she explained.

"The only correlating factor between the two devices is the IP address, so I can only conclude that was how I was tracked," she said, referring to the ad she saw in-game on her tablet that was related to the audiobook on her iPhone.

As an attorney, Dudley is familiar with analyzing contractual agreements. "I did a deep dive into each of the services and only the OverDrive privacy policy showed the possibility of sharing data," she explained. (OverDrive denies selling user data.)

"There is a possibility that Boundless is violating its own agreement and selling my information, which is an entirely different issue," Dudley added.

However, she acknowledges that she isn't certain about how the ads she saw came to be.

"There are inferences I am making here," she said. "There is the inference that because I got those particular targeted ads, my data was sold. There is the inference that the organizations in question view my reading history correlated to my IP address as personal. There is the inference that the organizations are following their agreements. I do not believe any of these inferences are unreasonable."

The Register worked with Zach Edwards, a security researcher, to analyze the network traffic in these apps and on the San Francisco Public Library (SFPL) website. After several weeks of corresponding with representatives from OverDrive and the SFPL – Baker & Taylor did not respond to repeated requests for comment – we have a plausible but incomplete theory for how Dudley's listening habits showed up in mobile ads.

It looks like a case of remarketing, which is when ads get presented based on a prior online interaction. If a person visited, for example, Target.com, and looked at some shoes, then visited another website and saw an ad for those shoes, that's remarketing. The issue here is whether that's happening with data that should be protected, such as book and audiobook titles.

The fact that this is just a theory is what Dudley considers to be the problem – it is far too difficult to understand how ads have been targeted and whether privacy rights have been violated or corporate commitments have been breached.

The devil is in the details

OverDrive, Baker & Taylor, and SFPL all have privacy policies that allow for certain kinds of data usage.

The OverDrive's Libby app initially looked particularly porous for personal information based on an evaluation published by Internet Safety Labs' App Microscope ("Very High Risk") and a privacy rating of 63 percent from Common Sense Media.

But those ratings, which date back to July 12, 2022, and January 1, 2023, respectively, are no longer accurate.

Based on OverDrive's statement in its privacy policy that its Libby app collects information, among other reasons, to "personalize our services to better reflect particular interests and preferences and in certain instances for remarketing," it's plausible Libby could have leaked Dudley's audiobook interests.

However, David Burleigh, director of corporate outreach and development for OverDrive, told The Register that's not the case.

"OverDrive does not sell user information, including but not limited to checkout or borrowing history, to third parties, for any purpose," he said. "Furthermore, we do not display advertising in our apps."

Asked whether any of the SDK code in the Libby app might allow a business partner to determine book title information, Burleigh said no.

Asked whether remarketing might explain the ads seen by Dudley that reflected her audiobook interests, Burleigh said, "OverDrive does not sell its data for any purpose, including remarketing."

We inquired further, asking Burleigh whether he disputes ​​Common Sense Media's claim that in the Libby app, "personalized advertising is displayed" and data is "collected by third-parties for their own purposes."

"Yes, we disagree with Common Sense Media's claim that 'Personalized advertising is displayed' and 'Data are collected by third-parties for their own purposes,'" said Burleigh. "Yes, they are incorrect to make those claims."

Common Sense Media didn't respond to a request to say whether it stands by its assessment of Libby.

Libby may be in the clear

Edwards, the security researcher, looked at the Libby app's traffic flow and found it to be free of third-party endpoints and essentially free of third-party services. He also said the company's website was exceedingly clean, lacking ad tech calls and third-party services.

That assessment was echoed by Lisa LeVasseur, executive director of Internet Safety Labs, which revisited its Libby app rating at the request of The Register. "We did re-run the audit on the Libby apps and saw that they came up clean on both platforms," said LeVasseur. "We're working on updating the safety label to reflect the more recent testing, but it will be a little while."

The Boundless app, available on iOS and Android, hasn't been evaluated by App Microscope or Common Sense Media. And, as we said, representatives from Baker & Taylor did not respond to multiple requests to provide information about the app.

The app's privacy policy acknowledges that borrowing information is collected but insists that's not made public unless the user engages in "interactive content" (eg, viewing or posting reviews) which "may be indexed in third-party search engines like Google."

The policy allows for the possibility that information will be shared with ad partners.

"If and when you choose to use BOUNDLESS BY BAKER & TAYLOR, we may need to share your information described elsewhere in this Privacy Statement with these third parties, but only as necessary for them to provide those services," the app's privacy policy explains, adding that vendors are also expected to abide by the policy.

The Boundless app makes network requests to PressReader.com, a service for media subscriptions. Edwards said that while those requests don't initiate ad tech calls or data syncing, the body payload of their "services" endpoint mentions several third-parties (Branch.io, Matheranalytics.com, Piano.io, among others) that have advertising features and could support ad retargeting.

The PressReader privacy policy says the company shares personal information with partners and allows "third party advertiser partners to use cookies and other tracking technologies in connection with 'Tailored Advertising' which associates a user’s activity and interest information, demographic information, geographic information, and similar information with a browser cookie or other online identifier in order to provide more useful and relevant advertising on other sites and platforms)."

PressReader did not respond to requests for comment.

SFPL explains

The SFPL did respond to numerous inquiries from The Register and made a serious effort to address Dudley's claim about seeing ads based on her borrowing history.

Jaime Wong, deputy director of communications for the SFPL, told The Register, "Patron privacy and security are of the highest priority to us, so we are currently looking into this customer comment."

Initially, Wong pointed out passages in OverDrive's privacy policy that might explain the ad targeting, such as the line where the app maker says it may "personalize our services to better reflect particular interests and preferences and in certain instances for remarketing."

Patron privacy and security are of the highest priority to us, so we are currently looking into this customer comment

She subsequently said the SFPL had confirmed with its vendor "that OverDrive does not share data from Libby for advertising or that could result in third-party targeted advertising."

But based on OverDrive's insistence that it doesn't sell data for remarketing (despite mentioning remarketing in its privacy policy), The Register inquired further about whether the ad tracking scripts on SFPL's website might have come into play.

According to The Markup's website analysis tool Blacklight, the SFPL.org website has 11 ad trackers, 19 third-party cookies, and includes both a Facebook pixel and Google Analytics.

That, however, reflects the library's primary domain. The subdomain it uses for library member login and ebook checkout, sfpl.bibliocommons.com, has only a single tracker, from Alphabet, that communicates with the domains google-analytics.com and googletagmanager.com.

It is operated by BiblioCommons, which was acquired in 2020 by Canada-based Constellation Software. BiblioCommon has its own privacy policy that exists in conjunction with the SFPL privacy policy.

In response to questions about ad trackers on its main website, Wong acknowledged that SFPL does use third-party cookies and provides a popup that allows visitors to opt-out if they prefer.

With regard to Google Analytics, she said that it only helps the library understand broad demographic data, such as the gender and age range of visitors.

"We are also able to understand broad interests of our users, such as movie, travel, sports and fitness based on webpage clicks, but this information is not at all tied to individual users, only as aggregated information," said Wong.

"No PII (Personally Identifiable Information) is shared. Facebook, if installed on a device, does track activity. We direct concerns about Facebook-generated ad content to the company Meta."

We asked Meta to comment but we've not heard back.

Wong did say that the SFPL has participated in digital marketing campaigns that involve ad trackers and that these could possibly have been configured to deliver ads based on audiobook interests. But she said that didn't happen.

With tracking pixels, it would be possible to track the audiobooks that are being checked out and to track the pages that users visit and then target the user with an ad based on their actions

"In regards to the ad trackers, we ran several digital marketing campaigns over the past year or so featuring Library services with an outside vendor, and they gave us a tracking pixel for our site that allowed us to measure ROI," Wong explained.

"In the overall scheme of things, with tracking pixels, it would be possible to track the audiobooks that are being checked out and to track the pages that users visit and then target the user with an ad based on their actions (preferences)."

However, said Wong, that would take an additional layer of tracking to identify specific listening habits and that tracking pixels don't rely on PII. "None of our campaigns were this granular and our vendor has confirmed that we have never captured information during our campaigns," she said.

According to Google, it can't determine why Dudley saw the ads she reports seeing without seeing a screenshot or examples of the ads for itself. The ad biz does provide various tools like My Ad Center to control ad personalization settings for ads on Google and partner sites, as well as the About this Ad menu.

Google acknowledges that, given certain settings, it may deliver an interest-based ad on one device that's derived from a second device if both are signed into Chrome on the same Google Account. But that doesn't solve the conundrum about the ads seen by Dudley in which her Android and iOS devices are said to have been signed into different Google Accounts.

According to Google, there are several reasons why Dudley might have been served an interest-based ad, including campaign targeting parameters based on interest data or location, or if the app involved served a retargeted ad based on first party data.

Dudley acknowledges that the ad process is opaque. "It's that opacity that is the problem," she said. ®

More about

TIP US OFF

Send us news


Other stories you might like