By: T.J. Lamanna
Cross-posted from the OIF Blog
With the recent release of tools like Certbot and HTTPS Everywhere and organizations like Let’s Encrypt, it’s becoming easier and easier for non-enterprise web administrators to add SSL certificates to their websites, thus ensuring a more secure connection between the user and server. The question that needs to be answered is: why, with so many tools available, are libraries lagging behind in implementing HTTPS on library web servers?
As Tim Willis, HTTPS Evangelist at Google, said in his interview with Wired Magazine: “It’s easy for sites to convince themselves that HTTPS is not worth the hassle. But if you stick with HTTP, you may find that the set of features available to your website will decline over time.” This might have been true 10 years ago, when implementing the certificate required a unique set of skills that most librarians didn’t have, and most public libraries couldn’t afford to outsource. This is no longer the case, yet the mindset hasn’t changed.
The library field is rife with the mindset of “we’ve always done it this way,” which is why we typically lag behind and become late adopters, rather than the pioneers we like to pride ourselves on being. Implementing HTTPS would also require libraries to spend more time and energy on making sure their websites were current and safe, a challenge for understaffed and underfunded libraries. However, the benefits and good this will offer to the community should outweigh any additional labor involved, especially since there are people and organizations that are willing to do the work for the library, such as Let’s Encrypt, the Library Freedom Project or their state library, for either a nominal or no fee.
As of July 27, 2017, only 1,445 out of a total of 16,248 public libraries have HTTPS enabled on their websites; that’s just 8.89% (this excludes the 971 libraries we weren’t able to find valid websites for) [Fig 1]. As the graphs below show, as of July 2017 almost 60% of all web pages loaded over Firefox were able to use HTTPS [Fig 2]. In addition, 229,845 of the top 1 million sites (almost 23%) enable HTTPS by default [Fig 3], and as of July 2, 2017, the site SSL Pulse, which surveys the top 140,000 websites, found that 59.1% were actively secured [Fig 4].
One of the most common complaints against HTTPS implementation in libraries has been: “we don’t serve any sensitive information,” but that’s not the only reason to implement HTTPS on your library’s domain. Beyond the security measures HTTPS offers libraries and their patrons, there are other practical reasons for implementing the certificate.
Standard load time for web pages is actually faster with HTTPS: in more than 360 unique test loads, HTTPS averaged 3.75 seconds while HTTP averaged 5.251 seconds, or 40% slower. HTTPS also increases SEO rankings, so libraries that are struggling to move up the ranks may find the implementation helpful. There is also the issue of updated browsers: as HTTPS becomes more common, web browsers are going to anticipate your domain having an SSL certificate, and will start throwing nasty messages and warnings if your site is not secure. This becomes especially problematic for library patrons, as few are familiar enough with the topic to understand why their library’s website is giving them error messages. There are countless other reasons to enable HTTPS on your site, and for more information I’d recommend Scott Helme’s “Still think you don’t need HTTPS” report.
We’ve focused exclusively on libraries and the domains they hold, but a corollary to this discussion is advocating for, and demanding, that vendors also implement HTTPS for their services, especially those where patron information is relayed. Librarians and their advocates must push to have every ILS enable HTTPS, as well as any other service that may potentially leak patron information. This is a paradigm shift in the current relationship between libraries and their vendors that needs to be resolved.
Our patrons expect a secure platform from their library, and libraries as privacy advocates have an obligation to provide their patrons with the tools they need to use library resources safely. So, what can you do to enable HTTPS on your library’s domain? Bring up the topic with your director, board or trustees and explain the need and method of implementation. Make sure you can explain why it’s important as well as how you’d pursue getting the certificate implemented.
T.J. Lamanna is the chair of the New Jersey Library Association Intellectual Freedom Committee and the emerging technologies librarian at the Cherry Hill Public Library. His time is spent discussing both practical and theoretical ways of protecting librarians and their patrons in a world of social engineering, hacking and malicious states. Whether it’s email, browsing history or texts, he educates the public on what they can do to keep their communications private.
by William Marden
Chair, ALA-IFC Privacy Subcommittee
The New York Public Library, Brooklyn Public Library, and Queens Library are teaming up with the Metropolitan New York Library Council to bring digital privacy and data-security information to New York City’s 8.5 million residents.
With support from the NYC Mayor’s Office, the project will train the city’s front-line librarians to be able to answer questions about internet privacy and data security, ensuring that NYC residents can rely on public libraries for trusted and current information in this increasingly important area.
“New Yorkers need resources to protect themselves as they access the Internet,” said Miguel Gamiño, Jr., NYC’s Chief Technology Officer, whose agency is providing financial support. “This initiative is a critical component of the City’s mission to safeguard privacy and security as we continue to expand internet access to all New Yorkers,” he added.
NYC Digital Safety: Privacy & Security will employ both online-learning modules and in-person workshops to train more than 1,000 library staff members throughout the city’s three main library systems. The specialized training is scheduled to be rolled out in the spring and summer of 2018. An advisory committee with representatives from the NYPL, Brooklyn and Queens library systems is building on curricula already created through the Data Privacy Project. The committee will further leverage resources previously developed by the Mozilla Foundation, Data & Society, the New America Foundation, the Library Freedom Project, Tactical Tech, and others.
Plans are also in the works to make the final curricula, toolkits, and facilitation guides available at the conclusion of the project for use by a broader community of librarians, educators, and technologists.
The senior leaders of all three library systems have already weighed in with their unanimous support. “Threats to digital privacy are rampant,” said Brooklyn Public Library President and CEO Linda E. Johnson. “It is essential our librarians have the tools and knowledge to help our patrons use computers and other devices safely.”
“Libraries are universally trusted resources that provide a safe harbor during difficult times,” said Tony Marx, President of NYPL, who praised the project’s goal of ensuring that “all New Yorkers have the knowledge they need to confidently navigate the World Wide Web safely and securely.”
Queens Library President and CEO Dennis M. Walcott noted, “This initiative will help library staff deliver a higher level of service by showing our customers how to stay safe online,” further citing “the power of libraries to promote digital literacy to anyone who seeks it.”
At the New York Metropolitan Library Council (METRO), which is providing administrative support for this effort, director Nate Hill commented, “As recent events have shown, privacy and security online are incredibly important issues. We know libraries are incredibly well positioned to act as a resource to help the public protect their data.”
Bill Marden became NYPL’s first Director of Data Privacy and Compliance in November 2015. He comes to NYPL with almost 20 years of policy, regulatory, and compliance experience at some of the world’s leading financial institutions including Citigroup, JPMorgan Chase, and UBS. Previous to his time in the financial world, Bill was a librarian in both the public and private sectors, including six years as books and manuscripts curator for the Frederick R. Koch Foundation, now housed at Yale’s Beinecke Library. He also interned at the Pierpont Morgan Library while studying for his MLS, which he received from Columbia University in 1988.
He is the author of two award-winning books about New York City bookstores, and is also a contributor to “Protecting Patron Privacy in the 21st-century Library,” published by Rowman & Littlefield.
The NSA should delete its trove of data on Americans | The Atlantic
It’s time to tax companies for using our personal data | New York Times
Law and Regulation
GDPR: Crackdowns and conflict on personal privacy | Financial Times
Florida court: Dead or not, privacy right remains alive | U.S. News and World Report
Right to Be Forgotten
Freedom of expression: Paper looks at ‘right to be forgotten’ in Latin American context | Intellectual Property Watch