By: T.J. Lamanna
Cross-posted from the OIF Blog
With the recent release of tools like Certbot and HTTPS Everywhere and the arrival of organizations like Let’s Encrypt, it is becoming easier and easier for non-enterprise web administrators to add SSL certificates to their websites, ensuring a more secure connection between the user and the server. The question that needs answering is: why, with so many tools available, are libraries lagging behind in implementing HTTPS on their web servers?
As Tim Willis, HTTPS Evangelist at Google, said in his interview with Wired Magazine: “It’s easy for sites to convince themselves that HTTPS is not worth the hassle. But if you stick with HTTP, you may find that the set of features available to your website will decline over time.” That calculation might have been valid 10 years ago, when implementing a certificate required a set of skills most librarians didn’t have and most public libraries couldn’t afford to outsource. This is no longer the case, yet the mindset hasn’t changed.
The library field is rife with the mindset of “we’ve always done it this way,” which is why we typically lag behind and become late adopters rather than the pioneers we like to think we are. Enabling HTTPS would also require libraries to spend more time and energy keeping their websites current and safe — a challenge for understaffed and underfunded libraries. However, the benefit to the community should outweigh the additional labor, especially since there are people and organizations willing to do the work for the library, such as Let’s Encrypt, the Library Freedom Project or the state library, for a nominal fee or none at all.
As of July 27, 2017, only 1,445 of the 16,248 public libraries surveyed had HTTPS enabled on their websites, just 8.89% (this excludes the 971 libraries for which we could not find a valid website) [Fig 1]. As the graphs below show, as of July 2017 almost 60% of all web pages loaded in Firefox used HTTPS [Fig 2], 229,845 of the top 1 million sites (almost 23%) enabled HTTPS by default [Fig 3], and as of July 2, 2017, SSL Pulse, which surveys the top 140,000 websites, found that 59.1% were actively secured [Fig 4].
One of the most common complaints against HTTPS implementation in libraries has been: “we don’t serve any sensitive information,” but that’s not the only reason to implement HTTPS on your library’s domain. Beyond the security measures HTTPS offers libraries and their patrons, there are other practical reasons for implementing the certificate.
Page load time is actually faster with HTTPS: across more than 360 unique test loads, HTTPS averaged 3.75 seconds while HTTP averaged 5.251 seconds, 40% slower. HTTPS also improves search rankings, so libraries that are struggling to move up the results may find the implementation helpful. There is also the issue of browser updates: as HTTPS becomes more common, web browsers will expect your domain to have a certificate and will start showing prominent warnings if your site is not secure. This becomes especially problematic for library patrons, few of whom are familiar enough with the topic to understand why their library’s website is giving them error messages. There are countless other reasons to enable HTTPS on your site, and for more information I’d recommend Scott Helme’s “Still think you don’t need HTTPS” report.
We’ve focused exclusively on libraries and the domains they hold, but a corollary of this discussion is advocating for, and demanding, that vendors also implement HTTPS for their services, especially those through which patron information is relayed. Librarians and their advocates must push to have every ILS enable HTTPS, as well as any other service that could leak patron information. This requires a shift in the current relationship between libraries and their vendors.
Our patrons expect a secure platform from their library, and libraries, as privacy advocates, have an obligation to provide their patrons with the tools they need to use library resources safely. So, what can you do to enable HTTPS on your library’s domain? Bring the topic to your director, board or trustees and explain both the need and the method of implementation. Make sure you can explain why it’s important as well as how you would go about getting the certificate deployed.
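The survey above counted libraries with HTTPS enabled and set aside those without a findable website, and the browser-warning point depends on the certificate actually validating. As an added example (not the post's or the survey's own tooling), this Python script probes each hostname the way a browser would, buckets the results the same way, and computes the same kind of percentage; the hostnames, bucket labels and the sample results are constructed assumptions.

```python
import socket, ssl, sys, urllib.error, urllib.request
def check_https(host, timeout=5):
    """Probe one host: TLS on 443 with browser-style validation, then HTTP->HTTPS redirect and HSTS."""
    r = dict(host=host, reachable=False, https=False, valid_cert=False, redirects_http=False, hsts=False, error=None)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                pass  # handshake completed: chain and hostname verified, as a browser would
        r["reachable"] = r["https"] = r["valid_cert"] = True
    except ssl.SSLCertVerificationError as e:
        r["reachable"] = r["https"] = True  # TLS is offered, but a browser would show a warning
        r["error"] = "certificate: %s" % e.reason
    except (OSError, ssl.SSLError) as e:
        r["error"] = str(e)  # nothing listening on 443, timeout, or a failed handshake
    try:  # does plain HTTP redirect to HTTPS, and does the HTTPS answer set HSTS?
        req = urllib.request.Request("http://%s/" % host, method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            r["reachable"] = True
            if resp.geturl().startswith("https://"):
                r["redirects_http"] = True
                r["hsts"] = "Strict-Transport-Security" in resp.headers
    except urllib.error.HTTPError:
        r["reachable"] = True  # e.g. 405 on HEAD: a site exists but no redirect was seen
    except (urllib.error.URLError, OSError, ValueError):
        pass  # no site on port 80 either, or the redirect target failed validation
    return r

def classify(r):
    """Bucket one result; 'no-site' is left out of the survey, like the post's 971 libraries."""
    for key, label in (("reachable", "no-site"), ("https", "http-only"), ("valid_cert", "broken-cert"), ("redirects_http", "https-optional")):
        if not r[key]:
            return label
    return "https-enforced" if r["hsts"] else "https-default"

def summarize(results):
    """(enabled, surveyed, percent); any valid certificate counts as enabled (our assumption)."""
    buckets = [b for b in map(classify, results) if b != "no-site"]
    enabled = sum(b.startswith("https") for b in buckets)  # https-optional/default/enforced
    return enabled, len(buckets), round(100.0 * enabled / len(buckets), 2) if buckets else 0.0

# Constructed sample results (not real survey data) so the summary also runs offline.
SAMPLE = [dict(host="lib-a.example", reachable=True, https=True, valid_cert=True, redirects_http=True, hsts=True, error=None),
          dict(host="lib-b.example", reachable=True, https=True, valid_cert=False, redirects_http=False, hsts=False, error="certificate: CERTIFICATE_VERIFY_FAILED"),
          dict(host="lib-c.example", reachable=True, https=False, valid_cert=False, redirects_http=False, hsts=False, error="[Errno 111] Connection refused"),
          dict(host="lib-d.example", reachable=False, https=False, valid_cert=False, redirects_http=False, hsts=False, error="[Errno -2] Name or service not known")]

if __name__ == "__main__":  # usage: python https_survey.py host1 host2 ...  (no args: sample data)
    results = [check_https(h) for h in sys.argv[1:]] or SAMPLE
    for r in results:
        print("%-18s %-15s %s" % (r["host"], classify(r), r["error"] or ""))
    print("HTTPS enabled: %d of %d surveyed sites (%.2f%%)" % summarize(results))
```

Run it against your own library's hostname first; a "broken-cert" result means visitors already see the warning page the post describes.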
T.J. Lamanna is the chair of the New Jersey Library Association Intellectual Freedom Committee and the emerging technologies librarian at the Cherry Hill Public Library. His time is spent discussing both practical and theoretical ways of protecting librarians and their patrons in a world of social engineering, hacking and malicious states. Whether it’s email, browsing history or texts, he educates the public on what they can do to keep their communications private.
Libraries and the Fight for Privacy | Cor Lehane, Huffington Post
Lawmakers Tie FISA Data Disclosures to Section 702 Reauthorization | The District Sentinel
Warrantless surveillance can continue even if law expires, officials say | The New York Times
Your Geolocation Data Is Already For Sale | International Business Times
How identity data is turning toxic for big companies | The Conversation
Libraries and Privacy
Students’ and Minors’ Privacy
Dummy Christmas CCTV camera for kids is a real lump of coal | IAPP Privacy Perspectives
No boundaries: Exfiltration of personal data by session-replay scripts | Freedom to Tinker
Law and Regulation
Following Uber Breach, Senators Introduce Data Breach Notification Act | Digital Guardian
Transatlantic Data Privacy | Social Science Research Network
This Week in Data Breaches
Nearly 20,000 patients compromised by Henry Ford hospital data breach | Detroit Free Press
Former employee reportedly steals mental health data on 28,434 Bexar County patients | San Antonio Express News
City Utilities discloses possible data breach | Fox5 Ozarks (Missouri)
Five Denton County schools impacted by state agency data breach | Denton Record-Chronicle
Brooklyn, Queens, and New York Public Libraries Launch a New Digital Privacy Initiative | Choose Privacy Week
ALA joins the ACLU and 35 other nonprofit and civil society groups to sign a letter urging Congress to reject the “FISA Amendments Reauthorization Act of 2017,” which would expand Section 702 of the Foreign Intelligence Surveillance Act, and other surveillance authorities.
Featured: Carpenter v. United States
This week the Supreme Court heard oral argument in Carpenter v. United States, a criminal case testing the scope of the Fourth Amendment’s right to privacy in the digital age. At issue is a precedent decided long before the Internet, smartphones, GPS, and other electronic communications devices became an inescapable part of our daily lives: in Smith v. Maryland, the Supreme Court held that a person had no reasonable expectation of privacy in information voluntarily shared with a third party, and thus the police had no need of a probable cause warrant to obtain phone numbers and other metadata associated with phone calls. It is anticipated that the Supreme Court will revisit that precedent when deciding Carpenter, and perhaps put the brakes on law enforcement’s ability to access, without a warrant, a wide range and volume of citizens’ personal information, including cellphone location data. Here is a round-up of the news coverage:
- Justices Seem Ready to Boost Protection of Digital Privacy | New York Times
- Big Brother looms as U.S. top court tackles cellphone dispute | Reuters
- Can You Track Me Now? | Slate
- Your Secrets Are Not Safe With Anyone | Reason
- A Liberal-Conservative Alliance on the Supreme Court Against Digital Surveillance | The Atlantic
- The Supreme Court’s justices want to enhance privacy protections for a digital age | The Economist
- Why The Supreme Court Should Say Privacy Rights Include People’s Data | The Federalist
- At stake at US Supreme Court: privacy in the digital age | Christian Science Monitor
- A Privacy Case Before the Supreme Court Is About Press Freedom, Too | ACLU
- The Supreme Court’s privacy precedent is outdated | The Washington Post
- Should Law Enforcement Need a Warrant to Track Your Cell Phone? | Scientific American
- How a Radio Shack Robbery Could Spur a New Era in Digital Privacy | The New York Times
Lawsuit aims to uncover how government surveils journalists | Columbia Journalism Review
Facebook’s AI Scan Of Your Posts For Suicide Prevention Can’t Be Disabled | International Business Times
Students’ and Minors’ Privacy
Student Privacy and Ed Tech | Federal Trade Commission
Amid attacks, teachers weigh their safety against student privacy | Pew Charitable Trust Stateline
What You’re Giving Away With Those Home DNA Tests | NBC News 41
Chuck Schumer Takes Aim At 23andMe And Other Home DNA Testing Services | Newburgh Gazette
Law and Regulation
Human subjects, third parties, and the law | Inside Higher Education
This Week in Data Breaches
Hackers stole the personal data of 57 million Uber passengers and drivers | Los Angeles Times
Oxford and Cambridge Club hit by data thieves | The Telegraph
UPMC Susquehanna notifies patients of data breach | The Daily Item
NC DHHS issues warning about data breach affecting thousands | CBS News North Carolina
Imgur Discloses Breach Affecting Email and Passwords of 1.7 Million Users | Data Privacy + Security