The Library Digital Privacy Pledge

A New Year's resolution to protect your patrons

December 29, 2015

Librarians aren’t the only ones worried about privacy in our world. But we’re in a position to do something about it.

Gluejar’s Eric Hellman has been doing some volunteer work for the Library Freedom Project, which has launched a most worthy initiative called the Library Digital Privacy Pledge. The idea is this: If we’re serious about the values expressed in the third article of the American Library Association Code of Ethics (“We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted”), we should at least stop using the internet protocol that lets people eavesdrop on library patrons.

Specifically, instead of using “http” at the beginning of our web addresses, we should adopt the more secure, encrypted “https” protocol, long used by banks and e-commerce sites. If you have control over a website, pledge to make the change within six months. If you contract with a library vendor using the outdated http approach, require the vendor to upgrade its connection by the end of 2016.

Libraries typically have a host of fairly routine technology plans. This one has real importance to the many library patrons who often conduct sensitive inquiries or transactions online. They send not only library card information but Social Security numbers, credit cards, government forms, and health information. While moving to https won’t make such information completely safe, it’s better than the default. It establishes a secure channel across networks that are often very insecure.

It’s time for us to consider secure websites a necessary feature of our infrastructure, library and vendor alike. To get started, check out Let’s Encrypt, a project of the Internet Security Research Group (ISRG). To use https, you have to obtain a certificate for your website. But thanks to the good work of ISRG, that’s a lot easier than it used to be. We’ll be in good company: The ALA itself, Mozilla, Facebook, and others are part of this effort. Did I mention that it’s free? (And as Hellman pointed out to me, even more significant is the fact that renewals can be automated.)

Put this one on your New Year’s resolution list. And get it done.