Practical Privacy Practices

savedatemay
Save the Date!
Choose Privacy Week is held annually May 1-7. Start planning now for your library’s participation and programming. Choose Privacy Week materials are available now in the ALA Store.
Resources
Information and tools to help libraries protect the privacy of online users.
Programs
Events and activities to raise awareness and engage users on privacy issues.

Voices For Privacy Blog

The State Of HTTPS in Libraries

Posted by on December 15, 2017 in Uncategorized | 0 comments

By: T.J. Lamanna
Cross-posted from the OIF Blog

With the recent release of tools like Certbot and HTTPSEverywhere and organizations like Let’s Encrypt, it’s becoming easier and easier for non-enterprise web administrators to add SSL certificates to their websites, thus ensuring a more secure connection between the user and server. The question which needs to be answered is, why, with so many tools available are libraries lagging behind in implementing HTTPS on library web servers?

HTTPSAs Tim Willis, HTTPS Evangelist at Google, said in his interview with Wired Magazine: “It’s easy for sites to convince themselves that HTTPS is not worth the hassle. But if you stick with HTTP, you may find that the set of features available to your website will decline over time.” This might have been true 10 years ago, when implementing the certificate required a unique set of skills that most librarians didn’t have, and most public libraries couldn’t afford to outsource. This is no longer the case, yet the mindset hasn’t changed.

The library field is rife with the mindset of “we’ve always done it this way,” which is why we typically lag behind and become late adopters, rather than pioneers we like to pride ourselves as being. It would also require libraries to spend more time and energy on making sure their websites were current and safe  —  a challenge for understaffed and underfunded libraries. However, the benefits and good this will offer to the community should outweigh any additional labor involved, especially since there are people and organizations that are willing to do the work for the library, such as Let’s Encrypt, the Library Freedom Project or their state library, for either a nominal or no fee.

As of July 27, 2017, only 1,445 out of a total of 16,248 public libraries have HTTPS enabled on their websites, that’s just 8.89% (this excludes the 971 libraries we weren’t able to find valid websites for) [Fig 1]. As the graphs below show, as of July 2017 almost 60% of all web pages loaded over Firefox were able to use HTTPS [Fig 2]. As well as 229,845 of the top 1 million sites (almost 23%) enable HTTPS by default [Fig 3], and as of July 2, 2017, the site SSL Pulse, which surveys the top 140,000 websites, found that 59.1% were actively secured [Fig 4].

One of the most common complaints against HTTPS implementation in libraries has been: “we don’t serve any sensitive information,” but that’s not the only reason to implement HTTPS on your library’s domain. Beyond the security measures HTTPS offers libraries and their patrons, there are other practical reasons for implementing the certificate.

Standard load time for web pages is actually faster with HTTPS, more than 360 unique test loads HTTPS averaged 3.75 seconds while HTTP averaged 5.251 seconds, or 40% slower. HTTPS also increases SEO rankings, so libraries that are struggling to move up the ranks may find the implementation helpful. There is also the issue of updated browsers, as HTTPS becomes more common, web browsers are going to anticipate your domain having an SSL certificate, and will start throwing nasty messages and warnings if your site is unsecure. This becomes especially problematic for library patrons, as few are familiar enough with the topic to understand why their library’s website is giving them error messages. There are countless other reasons to enable HTTPS on your site, and for more information I’d recommend Scott Helme’s “Still think you don’t need HTTPS” report.

We’ve focused exclusively on libraries and the domains they hold, but a correlate to this discussion is advocating and demanding vendors also implement HTTPS for their services, especially those where patron information is relayed. Librarians and their advocates must push to have every ILS enable HTTPS as well as any other service that may potentially leak patron information. This is a paradigm shift in the current relationship between libraries and their vendors that needs to be resolved.

Our patrons expect a secure platform from their library, and libraries as privacy advocates have an obligation to provide their patrons with the tools they need to use library resources safely. So, what can you do to enable HTTPS on your libraries domain? Bring up the topic to your director, board or trustees and explain the need and method of implementation. Make sure you can explain why it’s important as well as how you’d pursue getting the certificate implemented.

 


T.J. LamannaT.J. Lamanna is the chair of the New Jersey Library Association Intellectual Freedom Committee and the emerging technologies librarian at the Cherry Hill Public Library. His time is spent discussing both practical and theoretical ways of protecting librarians and their patrons in a world of social engineering, hacking and malicious states. Whether it’s email, browsing history or texts, he educates the public on what they can do to keep their communications private.

Privacy News and Views for December 8

Posted by on December 8, 2017 in News and Updates | 0 comments

Featured

Libraries and the Fight for Privacy | Cor Lehane, Huffington Post

Government Surveillance

Lawmakers Tie FISA Data Disclosures to Section 702 Reauthorization |  The District Sentinel

The White House just bought four more months for NSA reauthorization | The Verge

Warrantless surveillance can continue even if law expires, officials say | The New York Times

These Are the Technology Firms Lining Up To Build Trump’s “Extreme Vetting” Program | The Intercept

Big Brother is Watching You: Feds Now Vetting Foreign Workers Via Social Media | Lexology

Trump’s voter fraud commission plans to create a massive voter database. Former national security officials say it could be hacked. | Washington Post

Corporate Surveillance

Your Geolocation Data Is Already For Sale | International Business Times

How identity data is turning toxic for big companies | The Conversation

Libraries and Privacy

Alameda County library still doesn’t know how many patrons were hacked | East Bay Times

Students’ and Minors’ Privacy

Democratic senators question privacy, security of Facebook’s ‘Messenger Kids’ | The Hill

Dummy Christmas CCTV camera for kids is a real lump of coal | IAPP Privacy Perspectives

Encryption

Intelligence Director Says Gov’t Can Demand Encryption Backdoors Without Having To Run It By The FISA Court | Techdirt

Cybersecurity

No boundaries: Exfiltration of personal data by session-replay scripts | Freedom to Tinker

Law and Regulation

Following Uber Breach, Senators Introduce Data Breach Notification Act | Digital Guardian

EU regulators threaten court challenge to EU-U.S. data transfer pact | Reuters

Transatlantic Data Privacy | Social Science Research Network

English High Court Finds Supermarket Liable for Data Breach by Employee in First Successful Privacy Class Action | National Law Journal

This Week in Data Breaches

Nearly 20,000 patients compromised by Henry Ford hospital data breach | Detroit Free Press

Former employee reportedly steals mental health data on 28,434 Bexar County patients | San Antonio Express News

PayPal’s TIO Networks reveals data breach impacted 1.6M users | WBNS 10TV

City Utilities discloses possible data breach | Fox5 Ozarks (Missouri)

Five Denton County schools impacted by state agency data breach | Denton Record-Chronicle

Exclusive: Uber paid 20-year-old Florida man to keep data breach secret – sources | Reuters

Privacy News and Views for December 1

Posted by on December 1, 2017 in News and Updates | 0 comments

Featured:

Brooklyn, Queens, and New York Public Libraries Launch a New Digital Privacy Initiative | Choose Privacy Week

ALA joins the ACLU and 35 other nonprofit and civil society groups to sign a letter urging Congress to reject the “FISA Amendments Reauthorization Act of 2017,” which would expand Section 702 of the Foreign Intelligence Surveillance Act, and other surveillance authorities.

Featured: Carpenter v. United States

This week the Supreme Court heard oral argument in Carpenter v. United States, a criminal case testing the scope of the Fourth Amendment’s right to privacy in the digital age.  At issue is a precedent decided long before the Internet, smartphones, GPS, and other electronic communications devices became an inescapable part of our daily lives: in Smith v. Maryland, the Supreme Court held that a person had no reasonable expectation of privacy in information voluntarily shared with a third party, and thus the police had no need of a probable cause warrant to obtain phone numbers and other metadata associated with phone calls.  It is anticipated that the Supreme Court will revisit that precedent when deciding Carpenter, and perhaps put the brakes on law enforcement’s ability to access without a warrant to a wide range and volume of citizens’ personal information that includes cellphone location data.  Here is a round-up of the news coverage:  

Government Surveillance

New Surveillance Bill Would Dramatically Expand NSA Powers | ACLU

Lawsuit aims to uncover how government surveils journalists | Columbia Journalism Review

Senate bill would impose new privacy limits on accessing NSA’s surveillance data |Washington Post

Extreme digital vetting of visitors to the U.S. moves forward under a new name | ProPublica

‘Revenge porn’ bill would criminalize posting nude photos without consent nationwide | Mashable

Corporate Surveillance

Facebook’s New Captcha Test: ‘Upload A Clear Photo Of Your Face’ | Wired

Facebook’s AI Scan Of Your Posts For Suicide Prevention Can’t Be Disabled | International Business Times

Staggering Variety of Clandestine Trackers Found in Popular Android Apps | The Intercept

How Smartphone Apps Are Selling Personal Data Without Our Consent—Legally | The Observer

No, you’re not being paranoid. Sites really are watching your every move | Ars Technica

Google collects Android users’ locations even when location services are disabled | Quartz

Proposed Bill Would Regulate Faceprints, Location Data, Other ‘Sensitive’ Information | MediaPost

Students’ and Minors’ Privacy

Germany bans children’s smartwatches over privacy concerns | Endgaget

Consumer Notice: Internet-Connected Toys Could Present Privacy And Contact Concerns For Children | FBI

Student Privacy and Ed Tech | Federal Trade Commission

Amid attacks, teachers weigh their safety against student privacy | Pew Charitable Trust Stateline

Biometric Privacy

What You’re Giving Away With Those Home DNA Tests | NBC News 41

Chuck Schumer Takes Aim At 23andMe And Other Home DNA Testing Services | Newburgh Gazette

Growing private sector use of facial scanners worries privacy advocates | The Hill

Law and Regulation

Parallel Universe or Coincidence: The CFPB’s New Data Consumer Protection Principles’ Relationship to GDPR | Lexology

Human subjects, third parties, and the law | Inside Higher Education

This Week in Data Breaches

Hackers stole the personal data of 57 million Uber passengers and drivers | Los Angeles Times

Oxford and Cambridge Club hit by data thieves | The Telegraph

UPMC Susquehanna notifies patients of data breach | The Daily Item

NC DHHS issues warning about data breach affecting thousands | CBS News North Carolina

Imgur Discloses Breach Affecting Email and Passwords of 1.7 Million Users | Data Privacy + Security