Academic Libraries

This is a great question! I cannot wait to dive into the various sections of the Copyright Act that address this.

Before that, however, it is important to define the scope of what is being done (and what is NOT being done).

Of relevance:

• This is being done by an academic library;
• This is being done in a closed environment (not the open web);
• This is being done for access to materials in academic classes.

Also of relevance: the question is limited to published material that the institution does not subscribe to or own. We will assume that this “old” content is not so old as to be out of copyright.

I am sure there are many names in the archives/library biz for this type of asset (“old scanned article” being one of them). But for purposes of this answer, let’s call them Useful But Unacquired Proprietary Electronic Academic Artifacts, or UBUPEAA’s.[1]

And now it is time to dive.

There are not many ways an academic library can justify re-homing and providing a UBUPEAA[2] via a permalink in the library’s digital collections for purposes of classroom use.

Let’s talk about what doesn’t allow this:

Section 108 of the Copyright Act, which does allow libraries to make copies under certain circumstances, specifically doesn’t apply when the library “is aware… that it is engaging in the related or concerted reproduction or distribution of multiple copies… intended… for separate use by the individual members of a group.”[3] So, expressly creating the link for a class (“a group”) is not allowed by Section 108.

Section 107 (“fair use”), which allows anybody to make copies under certain circumstances, cannot reliably enable internal posting of UBUPEAA’s, because each article would have to be analyzed separately (and the analysis could change, based on a particular use).[4]

Section 110, sub-sections (1) and (2), could allow the URL if it is enabling the “performance or display” of the PDF during a synchronous or asynchronous teaching session,[5] but only to the extent that the materials are displayed and shared during the class (not for homework outside class time).

BUT!

Let’s go back to Section 108.

It is important to remember that the decision of the library to make one copy under Section 108 is different than a decision by an instructor or student regarding how to use the copy.

Under Section 108, an academic library can:

(a)… reproduce no more than one copy… if—

(1) the reproduction or distribution is made without any purpose of direct or indirect commercial advantage;

(2) the collections of the library or archives are (i) open to the public… ; and

(3) the reproduction or distribution of the work includes a notice of copyright…

Although the law and the guidance on it largely pre-date scanning and the internet,[6] Section 108 does NOT state how this 108(a) “reproduction” must be made.

So, a regular practice of putting a UBUPEAA on its own URL as part of that academic library’s collection might—unless the library is doing so to gain a “commercial advantage”—be allowed, if the other requirements of Section 108 are followed.[7]

After that, “distribution” of the copy in the collection to others must fall into one of the uses allowed by Section 108.

In this case, after making the article part of the collection, Section 108(d) allows a user (not the library!) to make a copy if:

(1) the copy… becomes the property of the user, and the library or archives has had no notice that the copy or phonorecord would be used for any purpose other than private study, scholarship, or research; and

(2) the library or archives displays prominently, at the place where orders are accepted, and includes on its order form, a warning of copyright in accordance with requirements that the Register of Copyrights shall prescribe by regulation.

This approach turns on TWO VERY IMPORTANT things: 1) no awareness that the original PDF is creating a “commercial advantage” (like saving a licensing fee) and 2) no awareness by the library that there is a plan for “concerted reproduction” (like creating a course pack).

This is where defining the role of the academic library in creating the link is critical.

Unlike when assembling a course packet or ensuring articles available via subscription are accessible prior to listing them on the syllabus,[8] UBUPEAA should only be listed in the collection as available—not prepared for organized dissemination.

And now, I have to set out a very clear disclaimer.

This is NOT a work-around for making articles available without purchase or a license! Remember that the library must be confident that the PDF was not created in a way that creates a “commercial advantage”; if a copy or a subscription is available, this is NOT the solution!

How does this play out in the real world? If a library happens upon a scan of an article published in 2020 with a clear copyright notice published by a readily discernible source that will license it, further use of it will very likely create a “commercial advantage.” But, if a library happens upon a scan of an article it can’t locate via a subscription service, and the copyright owner cannot be discerned, the “108(a) and(d) solution” may be a good approach.

The other approach alluded to in the question—which is to make the copies available but ensure they are behind logins and thus not easily detectable by owners who might be trying to ferret out infringement—is not an allowable use but rather a type of risk management.[9]

For a state institution that is arguably newly immune from copyright liability,[10] this risk might be one the institution wants to take.[11]

For a private institution that is unquestionably subject to the jurisdiction of the federal courts for copyright infringement claims, this risk is much higher and should simply not be taken.

So where does this leave us?

The member asked: If we publicly offer to remediate (as best we can) published content that we do not subscribe to or own so that faculty can place an accessible version of them in their course shells, are we violating copyright?

The answer is “very likely yes.”

But if the question is:

If we publicly offer to remediate (as best we can) published content that we cannot otherwise subscribe to or own and place it in our collection, are we violating copyright?

The answer is, “with proper care, no.”

A heuristic for deciding to add UBUPEAA to a library’s collection would be:

1. Are we aware that or are there clear signs that the PDF was made/obtained illegally?
2. Is there a readily discernable copyright owner or licensing agent we can ask for permission to make/access the copy?
3. Is there an easily determined, reasonable cost to otherwise obtaining the content of the PDF?

If the answer to any of these questions is “yes,” the PDF might not just be UBUPEAA; it could also be an IFALS.[12] But if the answers document that there is no “commercial advantage” to using the PDF, making and hosting a copy as allowed by Section 108(a) and adding it to the collection, for use as any other library item under Section 108(d), is feasible.

Thank you for a great question!

Before we dive into this question, there are few fundamentals to review.

FIRST: Any institution publishing content like a student newspaper should have a “DMCA Agent” where notice of alleged infringement can be sent.[1] This allows a publisher of online content to enjoy “safe harbor” (meaning safety from certain claims of infringement).

If you would like to see if your institution has this, you can check it out at: https://www.copyright.gov/dmca-directory/

SECOND: Okay, that’s great, but of course, the publisher of a college/university student newspaper is usually the school, which is also the owner of the website. Can a publisher have “safe harbor” from itself? Not really, but the third party contracted to host the content can.

THIRD: While the “legacy media” landscape—including the horizon where student newspapers sit—is rapidly evolving, all student publications should still be teaching student journalists and editors how to used appropriately licensed images, or to document when an image is used under a claim of “Fair Use.”

The record of the license or the Fair Use analysis should be retained for at least seven years after publication.

Of course, none of that is helpful to the present situation, but it is important background context!

And with that, let’s answer the question: is it advisable to leave the collection in NYS Historic Newspapers and continue adding to it, or should we plan to take it down and only digitize future copies for in-house preservation purposes?

To answer this, the library (which is part of the college, too) can work with the advisor and student leaders of the paper to ensure the proper documentation regarding licensing and Fair Use is being generated and retained.

The goal of the collaboration should be to educate the student journalists about proper permissions and Fair Use as well as to ensure that the library can continue to properly archive the paper as it has done for almost a century.

This achieves two things: first, the students will learn about this evolving and ever-critical consideration in journalism and creative work. Second, it will position the college and any third-party provider to easily resolve (as in, tell to go away) copyright claimants in the future.

When the college knows that the licensing and Fair Use documentation is being routinely put in place, it can proceed with both the internal archiving and the external archiving.

This sounds a bit arduous, but it boils down to:

1. Set up a meeting with the student newspaper.
2. Discuss the importance of the archives.
3. Discuss how important licensing and fair use is for archiving and day-to-day operations of the paper.
4. Make sure the newspaper has and is following policies for Fair Use and licensing.
5. If you feel like going the extra mile, ask for how much insurance coverage there is for copyright infringement! The insurance policy’s requirements will support adherence to Fair Use and licensing policies.

If things can’t happen that way (because major meetings and policy development don’t always magically happen in a given semester), the fallback is the library’s selective redaction of the content online, with a note on how the content can be obtained in hard copy. “Due to a DMCA claim, this image is not available via our online archive. To obtain access to the originally published content, which has been retained by the publisher in hard copy to ensure archival integrity, contact EMAIL, and it will be evaluated under 17 U.S.C. 108.”

Thank you for a great question!

This is a great question. Before we jump into it, let’s summarize the three types of faxing set out in the referenced article:

1. “Walk-up Faxing” (on a copper line)
2. “Virtual Fax” (it’s really email![1])
3. “Real-Time T.38 Fax Lines” (still e-mail, but with a better connection)

The “T.38” as a “best practice” intrigued me, so I dug in to see if there was any case law featuring it.

There is! And it digs into the capability of the T.38: [2]

Defendant further attacks Richard’s credibility by claiming that his testimony reveals his failure to understand the intricacies of fax technology. These critiques are frivolous. For example, defendant claims Richard’s credibility is undermined by his allegedly inaccurate testimony that: (1) MessageVision used only the T.30 protocol; and (2) a device such as MessageVision’s that uses the T.38 protocol cannot use the T.30 protocol. Even if defendant is correct that Richard’s testimony reflects his limited comprehension of fax technology—a proposition that appears to be dubious at best—defendant’s argument is contradicted by the fact that his own expert admits that T.38 converts to T.30 when a fax is sent using APX 1000.

Well then.[3]

So, with “the intricacies of fax technology” now established as a legal niche, let’s take the questions about faxing and regulatory compliance acronym-by-acronym.

• FERPA
• HIPAA
• SOX[4]

1. Libraries, Fax Lines, and FERPA

FERPA does not apply to public libraries, so we’ll discuss it in the context of school libraries.

Academic libraries at institutions that receive federal assistance have to follow the “Family Education Rights Privacy Act,” which (among many other things) restricts third-party access to education records.[5]

As an example: if I am a student at ABC College, I need to borrow something via an inter-library loan, and (for some odd, steampunky reason) the lending library will only receive loan requests by fax, FERPA could restrict third-party access to the request, if the request lists me (the student) by name as the borrower.[6]

In this case, the manner in which the fax is sent (copper, email, fancy T.38) does not matter. What matters is that either a) I consented for my FERPA-protected education record to be shared with a third party or b) inter-library lending is set up in a way that makes lending libraries (sorta) part of the institution under 34 CFR § 99.31.[7]

After that, the fax simply has to be sufficiently secure to get it from point A (the library) to point B (the other library) without disclosure to a third party.[8]

So that’s FERPA.

2. Libraries, Fax Lines, and HIPAA

HIPAA and other laws related to medical privacy are important and high-stakes; the fine for a HIPAA violation is $50,000 dollars.

Before we delve into this, aside from a hospital librarian or librarian serving a program providing health services, there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.[9]

What do I mean by “HIPAA-governed communication?” Here’s the type of information governed by HIPAA:[10]

Individually identifiable health information

The term “individually identifiable health information” means any information, including demographic information collected from an individual, that—

(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

(i) identifies the individual; or

(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

If your library is not transmitting this type of information,[11] you can stop sweating about HIPAA, even if patrons are using your fax to send it, or (at an academic library) the health center on campus has to abide by it.

Now, if you are a library in a teaching hospital, etc., here is the deal: your institution needs to step up and provide you with 100% assurance that you have the right policies, technology, and practices to be compliant.[12] This includes assurance of a fax line that is secure, which can be any of the three solutions, so long as it is set up right and maintained properly.[13]

So that’s HIPAA.

3. Libraries, Fax Lines, and SOX

While the accountants who audit your library or larger institution may (rightly) hold themselves to the standard set by “Sarbanes-Oxley” (SOX), which was passed in 2002 to protect investors in publicly traded companies, SOX does not govern the data transmission practices of a public or academic library.

But the mention of SOX in the Forbes article referenced in the question intrigued me—it says, “Virtual fax... can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).”

So, I took a look to see if there has been a SOX case involving an insecure fax... and there is!

Here is what happened as told by Judge Denise Cote in Seybold v. Groenink:[14]

In October 2004, while the chairman of ABN’s Managing Board, defendant Rijkman Groenink, met with Federal Reserve Bank regulators in New York over the Eastern European transactions, he received a fax at the Ritz-Carlton Hotel concerning the results of an internal ABN investigation regarding Iran-Libya transactions. Groenink allegedly ordered his aides to destroy the report and to stop sending sensitive documents to the United States.

So, if you are at a library near a business school prepping students for stellar careers in international business... it may be helpful to show that we must all fax wisely.

Does this mean your library needs a T.38? No, but it does mean that asking questions and developing secure systems is important.

You may even want to do the research and see if you can fight to keep at least one copper line.[15] There is strength in having a diversity of technology.[16]

Thank you for an excellent question!

Update 7/23/2025: We received a followup question on this topic; read our answer here.

Not quite.

What this means is that so long as the information is being transmitted as a library service, and not as library business, it is not subject to HIPAA.

This means that when helping a patron send a fax to their doctors, library workers can handle the documents and even push the buttons on the fax machine without violating HIPAA.[1]

That said, may libraries put guardrails around workers’ handling of sensitive documents (banking and health being two of the major categories), regardless of whether such handling is “legal.” This is to protect workers from accusations of identity theft and invasion of privacy, as well as from the distressing by-products of reading patrons’ confidential information.[2]

Fax machines are not the most intuitive of technology, so there is a strong chance some patrons may ask for help.[3] In addition, the small buttons and other operational aspects of a fax machine can be a challenge for people with certain disabilities.

To enable assistance but protect workers, if a library wants to be able to help patrons with physical actions related to handling sensitive documents (faxing, copying, scanning[4]) there should be a clear reason, and protocol.

There are all sorts of options for this, but here is any example to post near a fax machine:

If you need physical assistance faxing a document:

1. Please let a library worker know.
2. The library worker will give you a folder.
3. Put your documents to be faxed in the folder.

NOTE: If your documents don’t fit in the folder, are stapled, or the pages are too creased to be faxed, the Library cannot assist. Please return when the document is in a condition to be faxed. To protect our workers, we cannot prepare your documents.

4. Keep the fax number handy!
5. Let us know when you are ready, and as time allows, a library worker will: load the pages, enter the fax number, stay with you as the pages are transmitted, and return the pages to the folder for you to take back.
6. Library workers are instructed to not review what is on the pages, and please do not ask them to. This is for everyone’s protection.
7. The library worker will hand you the fax transmission report.
8. If the fax fails, and we have time, we’ll help figure things out!
9. For your privacy, our fax machines do not retain a copy of what was sent after [#] hours.

This type of protocol can be modified as needed,[5] but the important things are: please don’t ask us to review your documents, and please don’t ask us to manipulate your documents.

But to be clear, the reason for a library to adopt these protections is to protect workers and to respect patron privacy, not to comply with HIPAA. And because of the labor involved, a library can simply say: due to privacy concerns, we cannot assist with faxing.

Thank you for seeking this clarification!

“Academic integrity” is the broad concept governing honesty and honor in academic work. Definitions[1] vary from institution from institution, but “AI”[2] violations can include:

• Simple cheating (such as copying test answers from a neighbor);
• Sabotage (such as tinkering with another’s chemistry lab experiment);
• Plagiarism (submitting another’s work as your own);
• Falsifying research (such as faking data).

Punishment for violations can range from a reprimand to expulsion and/or degree revocation.[3]

Examples of AI (the robot kind) being implicated in AI (the cheating kind) include:

• Simple cheating (such as using an AI tool[4] to find the answers to a test);
• Sabotage (such as using an AI tool to submit skewing answers to another student’s online survey);
• Plagiarism (submitting an AI tool’s work as your own);
• Falsifying research (AI tools can be really good at faking data, if you tell it to be).

The process also varies from institution to institution,[5] but generally follows this pattern: informal accusation and informal resolution, formal accusation, formal adjudication, decision/sanction, appeal, final decision. Very often, it is required that faculty report all violations (this is to flush out serial offenders).

For more serious matters, and in more advanced academic programs, the “informal” part is often dropped, and the institutions generally have a policy of zero tolerance. Expulsion or dismissal from a program follows quickly.

The member’s concerns are often a part of this process: because academic integrity policies usually require an adjudicative process to determine responsibility and sanctions, it can feel “legal” from the get-go. And because a student can bring legal action if an institution doesn’t follow its own policies—and can attribute an expulsion to other motives such as discrimination or corruption—things can get very litigious, very quickly.[6]

Academic integrity and plagiarism concerns have been rampant since the rise of the Internet, so the addition of AI tools is only making a fraught arena[7] more fraught.

For this reason, prior to answering the question (which I will), I am going to step up onto one of my favorite soapboxes: when designing a syllabus, faculty should explore how to assign work that is “plagiarism resistant.”

For example:

• Instead of an essay, a student must be prepared to speak on a topic in class;
• If the assignment is writing, have the writing happen in a workshop session;
• If the students are to write code, use a submission system such as Autolab;
• In group work, have a session on academic integrity and collaboration in group work;[8]
• Assign physical scrapbooking on any topic. Bust out the scissors and glue, MBA candidate!

More importantly, students should be learning to make positive and appropriate use of AI (the internet overlord kind). For example:

• Students who must manipulate a dataset should learn how to set parameters for an AI tool to look at the data in new ways;
• Students studying music should learn that some compositions and recordings using AI (the Terminator kind) can be copyright protected, and others cannot;
• Students studying architecture should learn that while AI can assist with building code compliance in plans, it is up to the architect to ensure the AI is working off the right code;
• Students in fields AI will transform (law, medicine, social work, education) should learn how to identify and use trustworthy AI to perform rote functions (research, analysis, reports), and use the extra time honing their ability to interact and listen to the humans they will serve in their practice.

This can be a struggle for teachers who might be learning the applications of AI to their fields right along with their students. But not using these tools—and not modeling for students how they can be used responsibly—is not the path forward.

In addition, all syllabi should have clear guidance on how students can arrange ADA accommodations, which may include use of AI (the helping kind). Whenever a student gives a disability justification for an otherwise prohibited practice, the student should be referred to the school’s disability services office[9] to formally document the accommodations. Sometimes, the request is reasonable, sometimes it is not, and that is not up to a faculty member.

[STEPS OFF SOAPBOX]

So, with all that:

Under what circumstances could faculty face personal liability if they wrongly accuse a student of breaching academic integrity through AI use?

Personal liability (meaning, the faculty member is to blame, and the institution won’t/can’t protect them) would only be incurred if the faculty member failed to follow institutional policies and/or committed a separate harm when making the accusation.

For example: if a faculty member accused a student of plagiarism and followed the policy, but also, while the charge was pending, called the student’s employer and said, “I know I recommended them last year, but they plagiarized and are a huge risk to your company, so you should fire them right now,” and THEN it was found that plagiarism did not occur, but the student still lost the job and can’t get it back, there could be a claim.

NOTE: For this reason, if a faculty member is ever in that type of moral quandary, they should work with the school’s lawyer, or their own, before taking such action.

Would liability primarily arise under defamation, negligence, or contract/tort law (e.g., duty of care to students)?

The personal liability for the claim could be defamation[10] but could also be “tortious interference with contract.” I doubt it could be a negligence claim by the student, but for certain types of AI (the integrity kind) violations, it could be negligent for a faculty member to know that the violation was committed and NOT say something.

For example, if a grad student is working on funded research and wrongly uses AI (the Star Trek kind) to create a data set that was supposed to have been drawn from a community under the review of an IRB,[11] and the faculty member suspects this but says nothing, then they might face a claim, including one of negligence (as well as possible fraud and debarment from future funding[12]).

Would the institution’s liability insurance typically cover individual faculty in these cases?

If a faculty member follows their institution’s AI (the no-cheating kind) policy and does not engage in any conduct that otherwise punishes or negatively impacts the student while the charges are being adjudicated, then the institution will owe the faculty member a defense if they are individually named as a defendant in a legal case (this is true whether or not the institution has insurance that covers the specific claim).

Faculty members who are concerned that their institution will leave them twisting in the wind if such an event occurs should confer with a private attorney to have a game plan to insist on being defended. While it is unfair that a faculty member may have to use their own time and resources to ensure they are treated properly, it can be worth it (also, the issue of fees can be raised with the school at the right time). Vigilance for this type of concern is also the role of a good faculty union.

I will add one other risk management tool here: clarity in a syllabus. As the examples above show, students in many fields will need to start making responsible use of trustworthy AI. Clear parameters for assignments are a key element of this; what may be an appropriate use of AI in a pre-law class (using it to summarize state laws on a particular topic) might not be appropriate for a creative writing class (using it to... write creatively). Spell it out for them![13]

Thank you for an important question.

The concerns raised by the member are valid: absolutely, Artificial Intelligence (AI) OR real people can use published documents, including policies, to exploit a target.

What’s interesting is that this issue actually pre-dates AI; it emerged early in the Internet era, when (often nefarious) people would use information published on websites—along with other techniques—to exploit targets.

Here is a fictional example:

A business’s website includes its protocol for visitors, photos of the interior of its office, and its fiscal policy. A would-be thief we’ll call “Cooper” reviews the protocol, assesses the office interior, and uses the information to gain access to a manager’s office, where Cooper acquires the serial number of a computer. Coopers then calls that office, pretending to be IT (the serial number aids this impersonation) and gets a username and password for the business’s online banking system, which Cooper uses to access accounts described in the fiscal policy.

Poof! Money gone.

To guard against this, many businesses take a careful risk management approach to what they publish (and hopefully admonish people who put their passwords on Post-its).

However, anyone who reads the news knows that financial fraud based on social engineering and computer intrusion is only going up and artificial intelligence is helping with those attacks.

So, is it time to stop publishing public library policies and other documents?

No.

Published policies—even fiscal controls that set out the process for validating checks and the maximum amount of cash to keep in a safe—are not a skeleton key for hackers (AI or otherwise).

Of course, public institutions have always had to be careful about what information they make available. Staging areas and other resources for responding to terrorism and active shooters must be restricted to avoid exploitation by would-be attackers. Bank account numbers and other account-specific information should not be published. Computer passwords, the location of servers, and other sensitive information should be restricted. These considerations should be made in the drafting phase, not when the policy is ready for publication.

That said, because many of their records are FOILable,[1] public libraries should not rely on restricting access to them for security.

Rather, all public library workers and trustees with any part to play in data, financial, and physical security should be trained in the following:[2]

• Never to provide their password to anyone;
• Follow fiscal controls at all times;
• Follow all IT security rules at all times;
• Notify the IT provider in the event of a suspected data breach, virus, or attack;
• Never allow unauthorized people into restricted areas;
• Report lost keys immediately;
• Secure password lists;
• Never access sensitive information on personally owned devices (like the bank accounts username and password on a director’s cell phone);
• Immediately report and document all outside requests for system and/or fiscal information (passwords, location of servers, banking information);
• Remember that big hacks/ransomware attacks usually start with human failure (giving a password, leaving things logged in, loss of device).

So, are the member’s concerns valid? YES. Exploitive people can use AI to find, copy, and use your library’s policies in attempt to gain access to critical systems.

BUT, if the policies are not published, such people can look up public grant information, building records, or meeting minutes to make themselves sound legitimate for a different social engineering scheme. And if your policies are not available to your community, your library runs the risk of being accused of a lack of transparency.

Instead of restricting access to policies, libraries should develop policies that help prevent the library’s financial exploitation.

For example, a public library’s financial policies should prescribe appropriate internal controls and appropriate use of technology to verify transactions prior to them being irrevocable. For this, the newly released (2025) local government guidance from the New York State Comptroller is excellent.[3] This is mandatory reading for all public library treasurers, controllers, CFOs, accountants, bookkeepers, and directors.

In the same vein, IT policy should include either adequate internal resources to routinely update security and train employees, or a contract with a provider that provides the same assurance (for many public libraries, this is the role of the library system, and it is an increasingly complex and costly role).

While care in drafting policy is important, the essential elements of avoiding ransomware and other attacks are routine updates to security measures and routinely training of people to NOT BE FOOLED.

With the right training and adequate security, AI-powered or good ol’-fashioned hackers will have a tough time getting through, even if they try to use your own policy against you.[4] Train your people, and you don’t have to worry (too much) about training AI.

Now, if we want to talk about putting things behind a log-in to avoid misappropriation of content for the general good of society, that’s another story…

… for another “Ask the Lawyer.”[5]

Thanks for a great question!

[This answer is not being written by AI].

The short answer to the first question (can use of AI risk intellectual property rights in a way that can affect future publication?) is “Yes.”

The short answer to the second question (can there be legal consequences for failing to disclose use of AI?) is “Yes.”

Unfortunately, after those initial easy answers, the range of risks runs the gamut from “life-shattering” to “none at all.”

To illustrate, let’s take this ridiculously compound hypothetical situation:

A grad student is working on a grant-funded project to study social media use by third graders. The primary investigator[1] has developed a tool to counteract the addictive effects of social media on children; part of the project is testing it.

Because the study involves human subjects and minors, it is governed by a protocol that includes strict safety and confidentiality requirements.

The funder of the research has insisted that the copyright to the research and the final work will be owned by the funder. The PI is hoping to patent the tool being tested.

The grad student is supervising three work-study undergrad students who are working with the test subjects (the third graders). The grad student is getting a stipend of $500 whole dollars for over 500 hours of work and is hoping to be named as a co-author. The undergrad students are paid by the hour.

One day, the grad student assigns the undergrads the task of completing summaries of all of the test subject results. To do this, the 3 undergrads (who are also trying to get through finals) tell a free AI resource: “Create a summary of this information that lists the goal of the study, the methods, the controls, and the results for each subject, removing any identifying information about the subject except age. Also provide a summary of the individual reports, noting when the method applied led to reduction in use of social media, and contrasting that result with control subjects.” They then put the raw data through the AI resource and get 20 hours of work done in less than 1. They don’t tell the grad student, disclose the use of the free AI, or retain any information about the AI product used.

In a “worst-case scenario world” some of the results of this could be:

• Information sufficient to deduce the identity of the test subjects (who are minors) is freely available, creating a risk to their safety and identities;
• The human subject safety and confidentiality requirements of the project are found to have been violated;
• Violation of the protocols limits the number of reputable peer-reviewed journals that will consider publishing the work and jeopardizes future funding for the PI and the institution;
• Years later, the PI’s patent is denied because the submission of the new method to the AI resource counted as publication;
• The copyright requirements of the funder are violated, as substantial portions of the research were provided to the AI without permission, so the funder demands a return of funds;
• The undergrad students are found responsible for academic integrity violations years after graduation and their degrees are revoked;
• As the supervisor, the grad student is also accused of an academic integrity violation but is found responsible only for inadequate supervision of the undergrads.

Of course, this is a worst-case scenario. It is important to remember that for every “worst case” there can be a “best case” where trustworthy AI[2] is used responsibly to enhance research, increase efficiency, and maintain appropriate confidentiality. Such use should be disclosed in the final product and assessed as part of the research methodology.

Responsible use of AI is all about details and planning.

To alert students and others to this potential impact, it is helpful to raise their awareness of how posting to social media[3] and using certain AI products can impact them.

Below this answer is a sample “raising awareness” posting for study areas.[4]

I imagine the academic librarians out there can come up with a snappier version, but this one outlines the above-discussed things to consider before posting research on social media or putting it through AI.

Thank you for some great questions on important topics!

Yes, I will do that.

But while I do that, let's also play a game.

Readers, please use your favorite AI and give it this prompt:

"Please suggest a reasonable policy statement that libraries could publicize to their patrons regarding this issue to help ensure that patrons respect author and publisher rights and that libraries will not end up in legal trouble down the road."

Let's see what your favorite AI says! Send your answers to nathan@losapllc.com and we'll post them in a coda to this Ask the Lawyer if we get at least three by April 1, 2026. Please let us know what tool you used and confirm we have your permission to use the output. 

Unassisted by AI[1], here is my version:

[Start of model statement]

WAIT!

Take a breath before you upload someone else's work into AI. 

Here is why: 

• Submitting someone else's work into a site owned by someone else without permission is similar to making copies and distributing it (copyright infringement).
• Depending on the AI you use, the summary or data you get may be unreliable.
• Using the output could have an impact on ethics and academic integrity.

This posting is not to trash AI; it can be a very helpful tool. Here in the Library, our professional librarians are trained to help you find the right research tool for your work. See a librarian for input on what AI products are trustworthy for a particular purpose. 

We'll help you breathe easier. 

[End of model statement]

The legal bases for the bulleted items in the model statement are further discussed in Can Use of AI Impact Ownership and Citations in Academic Work? 

Now let's consider the other aspect of this question; the concept of the "walled garden."

As the member says, a "walled garden" is a "closed" environment. For licensed AI, it often means the user can "switch off" the AI's use of the user-supplied content to train the AI, or limit the training to a specific purpose (such as improving the user's experience).

Because this assurance is part of the legal terms of using a product, the phrase is also making its way into case law. Here in New York, it is part of the infamous "lawyer citing fake precedent and then citing fake precedent to defend himself from citing fake precedent" case:[2]

"In this letter, Mr. Feldman flagged for the Court the "significant challenge" he and many other practitioners face accessing unreported citations. (Dkt. #183 at 1-2; see also id. at 3 ("[I]t should not be assumed that everyone has access to the walled garden[s] of Westlaw or Lexis." [emphasis added]

The phrase is also used in terms of online advertising.[3]

Speaking as both a lawyer and a gardener, I find the easy assurance of a "walled garden" in a commercial product somewhat… iffy.[4] While I appreciate that the "Terms of Use" can provide contractual assurance that "what happens in YourAI stays in YourAI",[5] as any gardener knows, unwanted plants creep in (or out) no matter what. 

For example, even if your institution selects a paid subscription and enables the highest "do not use" settings, it just takes one person with admin privileges to toggle the switches, and soon the rhizomes are putting up new shoots outside the garden wall. On a more nefarious note, it just takes a few errors for the product to not work as promised.[6] This requires users to be vigilant.[7]

For this reason, academic librarians being ready to assist students and faculty in assessing the right AI product to use (and when not to use one) is one of the many reasons why academic libraries are essential in today's higher-ed environment.

Academic librarians who train their teams to help students, faculty, and administrators assess the trustworthiness[8] and suitability of AI products will be ready to meet this challenge. Posting a short policy to inspire library users to connect and ask for help will hopefully get them access to that resource at the right time.

Thank you for a great question.

We'll see if we get that coda.

[1]^ But admittedly slightly assisted by caffeine.

[2]^ The citation for that case is Flycatcher Corp. v. Affable Ave. LLC, 2026 U.S. Dist. LEXIS 23980, 2026 LX 49318, 2026 WL 306683. I found this in the "walled garden" of LEXIS, which is one of the major expenses of running a law firm.

[3]^ See United States v. Google LLC, 778 F. Supp. 3d 797, 2025 U.S. Dist. LEXIS 74956, 2025 LX 206807

[4]^ I was going to go with "suspicious", but that was too strong. It's just… iffy.

[5]^ "YourAI" is a fake product I invented for this answer. I don't want to pick on a real product or it will write me a bad review (check out the Wall Street Journal article from 2/13/2026 describing the experience of developer Scott Shambaugh after he rejected a few lines of his AI project's code).

[6]^ Just to be clear: I am not a luddite. I am "risk-focused."

[7]^ Not "up all night worrying" vigilant, but "checking regularly to confirm all is as it should be" vigilant.

[8]^ For more on assessing "trustworthiness," see the Ultimate AI Policy materials on the  “Ask the Lawyer Webinar Recordings” page.

The answer to this question shows the power of libraries working together.

Over the winter of ‘24 – ‘25, WNLYRC gathered a group of librarians from academic and research institutions to talk about pricing transparency and other priorities for database subscriptions. I was invited to the meeting to discuss possible legal solutions.

The result is the first edition of “A Research Librarian’s Guide to Negotiating E-Resource Contracts in New York State,” posted on the Ask the Lawyer Resources page.

The Guide includes contract assessment guidance, RFP language, a model contract addendum, and guidance for working with in-house legal counsel and purchasing specialists.

Informed by the real-world experience of academic libraries, the goals of this new resource are to: 

• Help libraries avoid the negative impacts of non-disclosure agreements (“NDAs”);
• Limit redundant purchasing;
• Assure the ability of making adaptive copies under the Americans with Disabilities Act of 1990 (the “ADA”);
• Protect rights created by Copyright Act Sections 107, 108, and 110;
• Protect library user privacy;
• Emphasize data security; and
• Respect the intellectual property of content creators.

The resource may be used together with ESLN’s upcoming template for evaluating purchase and use of AI products and services.

The Guide may be found here. Just as important, your experience using the Guide, and suggestions for improvement, can be sent through the form here. The Guide is a collaboratively developed resource, and with your help, the next version will draw from even more real-world experiences.

If you use it, please provide feedback to make it better.

This is a timely and important question.

Regarding the ability of law enforcement (including ICE, FBI, ATF, etc.) to enter a college or university campus: the administration will make that determination, and it will be based on many factors.

That said, by both state and federal law (Education Law 6434, and the Clery Act [20 U.S.C. 1092]), college and university campuses are supposed to have a relationship with local law enforcement, so some degree of cooperation with local police, a county sheriff, and the state troopers should already be in place. Many institutions, especially those close to borders or with particular security priorities, have established working relationships with the FBI.

Against that variable background, what happens within an academic library on campus (and in virtual spaces) is subject to further control.

To describe that and provide guidance, I have developed the below “GUIDE” that can be posted in academic libraries in New York State. The sections in yellow can be modified to fit your institution’s unique information. Feel free to use your own font (I am into Century Schoolbook these days, but Avenir Next has a quiet authority). You can also add additional protections and procedures; I have put in the bare minimum required by law and ethics.

NOTE: As will ALL templates, have your higher-ed institution’s lawyer review it first, whenever possible. They may have a few more considerations to add.

In addition to having clarity about the steps needed to demand student-related information, I want to encourage all academic librarians to stay calm. In the event you are asked for information about a student or colleague, follow policy and guidance (including what is below, if your institution decides to use it) and refer all inquiries to senior administration.

In the event of an enforcement action, one of the best things you can do is provide witness, and help that person get to a good lawyer. So, if you have extra adrenaline on this right now, using your librarian skills to assemble lists of legal aid and private attorneys with the right experience to help can be vital.

In summary: librarians at higher-ed institutions can’t control what campus policy is overall, but they can have clarity about the policy in the library. In addition, by attesting to what you see, and providing timely information to those who could be impacted, you are using your profession to ensure accurate information is timely applied. As of this writing (January 29th, 2025), helping your colleagues track accurate information about funded research and programs will help, too.

Thank you for thinking of your students and your ethical obligations as an academic librarian.

The Higher Ed Librarians’ of New York

GUIDE

To Responding to Law Enforcement & Others’

Requests for Library User Information

[INSERT YOUR LIBRARY LOGO HERE!]

FACT 1: “Library Records” in New York, including those held by higher education libraries, may not be disclosed to third parties without a duly executed subpoena, court order, or waiver signed by the library user, unless such disclosure is required for library operations (for example, reporting destruction of library property). [NY CPLR 4509]

FACT 2: “Library Records” in New York, including those held by higher education libraries, may not be shared with law enforcement (local, state, or federal) without a warrant, unless the library is the party filing the report (for example, reporting theft of library property).

FACT 3: At this library, a student’s Library Records are also confidential “Education Records” per the Family Education Rights Privacy Act (FERPA). While some records can be shared under FERPA, Library Records have an added layer of restriction (see FACT 1 and FACT 2).

FACT 4: The American Library Association’s Code of Ethics requires librarians to “protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”

BECAUSE OF THESE LEGAL AND ETHICAL OBLIGATIONS:

1. Law Enforcement (local, state and federal): All requests for library user information will be referred to Campus [Safety/Security] or the [University/College’s] lawyer. Search warrants, subpoenas and court orders should be submitted directly to [position] for assessment, so prompt responses can be issued. Library workers are, by law and policy, barred from providing such information.

2. Attorneys: All requests for library user information will be referred to Campus [Safety/Security] or the [University/College’s] lawyer. Subpoenas and discovery demands should be submitted directly to [position] for assessment, so prompt responses can be issued. Library workers are, by law and policy, barred from providing such information.

3. Private Investigators: All requests for library user information will be referred to Campus [Safety/Security]. Library workers are, by law and policy, barred from providing such information.

4. Faculty, Staff, Coaches, Advisors: All requests for library user information will be referred to the Library Director, who will assess the degree to which such information may be shared under FERPA and CPLR 4509. If a student has signed a FERPA waiver that includes disclosure of Library Records, please alert the Library Director, so the information that the student has agreed can be shared can be promptly provided. Library workers are, by policy, barred from providing such information.

5. Information Technology (“IT”): All requests for library user information should be referred to the Library Director, including requests that could be fulfilled by IT. IT workers are, by law, barred from providing access to Education Records and Library Records without a FERPA waiver authorizing such access.

IN THE EVENT LIBRARY RECORDS OR INFORMATION RELATED TO LIBRARY USE IS DEMANDED DUE TO AN IMMEDIATE RISK TO HUMAN HEALTH (student or other), THE DIRECTOR OR LIBRARIAN IN CHARGE WILL WORK WITH OTHER [COLLEGE/UNIVERSITY] PERSONNEL TO MAKE A TIMELY DECISION BASED ON APPLICABLE LAW.

This Guide is posted and promulgated in the [NAME] Library to protect important privacy rights while promoting the orderly and safe operation of the campus.