Digital privacy is important too

Citation metadata

Author: Jessamyn West
Date: Mar. 2016
From: Computers in Libraries(Vol. 36, Issue 2)
Publisher: Information Today, Inc.
Document Type: Article
Length: 1,082 words
Lexile Measure: 1190L

Document controls

Main content

Full Text: 

This month's column is amplifying the signal on a movement that has been brewing in the library world: getting libraries to make patron's digital activities as secure as their own lending records. There are a few ways to do this, but I'm going to focus on using HTTPS.

You're probably familiar with the http:// prefix in web addresses. You may not know that it stands for Hypertext Transfer Protocol, but you don't really need to. HTTP is a method of exchanging information--mainly webpages--online. The information goes over the internet in plain text, unencrypted. This is fine if you are just trying to look at a website about caves or bats, but less fine if you are sending passwords, banking information, or other things that you'd prefer to be more secure.

How

Privacy-conscious individuals can use browser plug-ins for Firefox, Chrome, or Opera such as HTTPS Everywhere on their own computers, which lets them use an encrypted channel for sending information when possible. However, if libraries are in the privacy business, shouldn't we be offering HTTPS to our users as much as possible?

Eric Heilman, who runs the popular library blog Go to Heilman, has been working with the Library Freedom Project to get libraries to commit to digital privacy by signing the Library Digital Privacy Pledge. Simply put, it asks libraries to commit to using HTTPS to "deliver library services and the information resources offered by libraries" in 2016.

Historically, this has been an endeavor that came with associated costs, since purchase of a digital certificate was required to verify the security of the connection. Recently, the Electronic Frontier Foundation (EFF) started the Let's Encrypt project with sponsors such as Mozilla and Cisco in order to lower the costs and the technical hurdles involved in getting set up with HTTPS.

This is the year for HTTPS. The White House made a statement in June 2015 directing "that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection" by the end of 2016. It also created a web-friendly version of its memo along with an extended explanation about how and why it created this mandate. On its page, Why HTTPS for Everything? the White House explains:

Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.

When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.

Why

The reasoning for pushing for this in libraries is twofold. The first reason is that privacy is our business. It's in our professional bill of rights, and it's certainly in all of our marketing materials. The American Library Association's (ALA) Code of Ethics is very clear: "We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted." That "transmitted" part is the key.

If we say we keep your reading list private, shouldn't we be able to say the same about your internet browsing habits? Our users are getting their information not just from print materials, but also from databases that we provide as well as internet connections, and possibly computers, that we offer. If we're in the privacy business, it's our responsibility to make these channels as secure as possible. This means managing these systems in our own libraries and urging, if not requiring, our vendors to do the same.

Major companies such as Google, Twitter, and Facebook--as well as my employer, the Internet Archive--have made the switch recently, and if you haven't really noticed, that's good news. All major browsers should be able to handle this transition seamlessly. Users have a browsing experience that feels the same, but is much more secure. Libraries can offer their patrons public Wi-Fi access and also assure them that the data they send over that Wi-Fi isn't "sniffable" by third parties. This is good PR for libraries.

And this brings us to the second reason: clarity. There are many different ways that internet content tries to make itself look reputable and authoritative. As librarians, we've seen them all. However, telling a user, "Look for the lock icon on the browser" or "Look for HTTPS in the web address" is a straightforward and simple way to make this additional security clear to users. This can help users resist phishing attempts and give them more confidence when interacting with sites that require their personal information.

Where and When

There are a few steps involved in making this change, and some of it is dependent on the IT system the library is using. A very simple first step is contacting the vendors your library does business with and asking them if they use HTTPS. Then, if not, ask if they would consider implementing it. OverDrive, EBSCO, and Elsevier have already made this change.

The next step is doing an assessment of the web services you offer; then, look into making the transition. This can be as simple as updating your website and inspecting your internet connection. However, it can also be as complicated as rebuilding some of the code you have been using or looking at your CMS's tools for implementing HTTPS. Sometimes, this is as simple as using a plug-in.

The good news is that the last few years have seen a surge of companies and websites that have been moving to HTTPS, so many of the starting points are Google-able. There are also people from the Library Freedom Project willing to help a library get set up with HTTPS if you simply lack the resources to undertake this project on your own.

This pledge is also a chance for us to model good behavior for other users who may not understand how packets move across the internet. By showing that we care about their privacy and presenting privacy as a thing to be valued, we can help other people make good decisions about their own web content and internet habits. Join us.

RESOURCES

Wikipedia: HTTP

wikipedia.org/wiki/HTTP

Wikipedia: HTTPS

wikipedia.org/wiki/HTTPS

HTTPS Everywhere

eff.org/https-everywhere

Go to Heilman

go-to-hellman. blogspot.com

Library Freedom Project

libraryfreedomproject.org

Digital Privacy Pledge

libraryfreedomproject.org/ourwork/digital

privacypledge

EFF's Let's Encrypt

letsencrypt.org

HTTPS From the U.S.' CIO

https.cio.gov

American Library Association's Code of Ethics

j.mp/alacode

Library Privacy Pledge FAQ

j.mp/lbprvcy

Library Journal Article on Privacy Pledge

j.mp/1PfOFC3

Jessamyn West works at Open Library and is Hopefully Talking To People Securely. Her blog is librarian.net.

Source Citation

Source Citation   

Gale Document Number: GALE|A446412206