8 Association of Research Libraries Research Library Issues 297 — 2019 The second threat is disclosure of information that the library is holding about what a patron is reading, perhaps through legal mechanisms (subpoenas or national security letters, for example), or because the library is hacked it might even be due to accidental misconfiguration of a library system. Aspects of this threat have been a concern since long before libraries computerized their operations—and that was a long time before digital content became dominant. The third category of threat, which is new to the age of digital content, involves data that is collected by external vendors who provide licensed content to libraries (and indeed, also external suppliers of content that is “freely” available, subject to click-though terms and conditions). This is, in my view, the least understood and most dangerous threat to reader privacy today. Disclosure by the Library Libraries have addressed this threat on several levels. The first is a recognition that they can’t disclose information that they don’t have, so they have typically collected as little as possible, and retained it for as short a period as possible (for example, only while a book is out on loan is the loan tracked)—notably, often, with the exception of special collections. The second is to be as rigorous as possible in defending disclosure of information that they do hold, particularly legally. I am less confident that library systems are subjected to the same kind of periodic and rigorous security requirements and audits that are now commonplace for various kinds of enterprise administrative systems these are expensive and time-consuming, and also tend to increase the overhead costs of running systems. This is an area where at least an exploratory conversation with your IT leadership may be informative. It can be very challenging to be confident that you are collecting as little information as possible and retaining it for as short a time as possible. There are backups, and there are logs at various levels. Even if you are anonymizing logs it may be possible to re-identify them in various ways, so one should be very cautious about relying on anonymization.