This week’s Privacy News is a special double edition, due to travel schedules and ALA’s Midwinter Meeting.
The Future of Data Privacy: How two new European laws will help US libraries | American Libraries
CLOUD Act Promotes Surveillance-Data Access Framework | Multichannel News
The CLOUD Act: A Dangerous Expansion of Police Snooping on Cross-Border Data | Electronic Frontier Foundation
Skydiving Without a Parachute: A Close Look at the CLOUD Act Shows It Lacks Essential Protections | Open Technology Institute
Amazon Go store offers quicker checkout for greater data collection | Brookings Institute
Connected Cars Will Run on Your Personal Data | Motherboard
Facebook’s tracking of non-users ruled illegal again | TechCrunch
What Do We Call a Data Breach That Isn’t a Breach? | Slate – Future Tense
Right to be Forgotten
GDPR: A third of Brits say they will exercise right to be forgotten | smallbusiness.co.uk
Students’ and Minors’ Privacy
Law and Regulation
Bill would regulate use of your data | Daily Democrat (CA)
This Week in Data Breaches
Data breach exposes thousands of California state employees | KSBY.com (Santa Barbara, CA)
Here is the current list of privacy-related meetings and programs scheduled for Denver, Colorado:
Saturday, February 10
7:00 AM – 8:15 AM
Shore to Shore: How Europe’s New Data Privacy Laws Help U.S. Libraries
Sheraton Denver Downtown, Grand Ballroom I
Change is coming. On May 25, 2018, the European Union will activate the next evolution of privacy laws, known as the General Data Privacy Regulation (GDPR).
GDPR will introduce new requirements to ensure transparency of data collection, use and sharing by companies – as well as the right to obtain and control your own data and timely reporting of data breaches. Because of the global nature of information technologies and services, many aspects of GDPR will likely make their way into services within North America, bringing benefits to patrons on this shore as well.
Join Daniel Ayala, one of the information industry’s leading experts on data privacy, for an overview of GDPR, its implementation timeline, and how it can help change the privacy landscape in America. Daniel will also suggest some practical ways for libraries to educate their patrons on privacy and teach them how they can help keep their personal data safe and secure.
Requires registration at: https://alamidwinterproquestdataprivacy.eventbrite.com
Sunday, February 11
8:30 AM – 10:00 AM
Intellectual Freedom Committee (IFC) Privacy Subcommittee
Colorado Convention Center, Rm 206
Business and planning meeting for the Intellectual Freedom Committee’s Privacy Subcommittee. On the agenda: planning for Choose Privacy Week 2018, redesign of the Choose Privacy Week website, and developing privacy guidelines for vendors, data analytics, and assistive technologies. All are welcome.
1:00 PM – 2:30 PM
LITA Patron Privacy and Open Source Systems Interest Groups Joint Meeting
Colorado Convention Center, Rm 712
A joint meeting with the LITA Patron Privacy Interest Group and the LITA Open Source Systems Interest Group.
4:00 PM – 6:30 PM
Library Values & Privacy: Creating Frameworks for Practice
Colorado Convention Center, Rm 710
This session invites Midwinter attendees to explore the meaning of the library value of privacy in the digital world and help produce a series of field guides for librarians that clearly lay out important privacy and security issues. In this interactive session that builds on the “Privacy & Pizza” gathering held during ALA Annual 2017 in Chicago, participants will hear from a panel of privacy experts and then work to identify privacy issues in libraries and what is needed to address them. Panelists will include Bonnie Tijerina, librarian and researcher at Data & Society; William Marden, Chief Privacy Officer of the New York Public Library; and Erin Berman of the San Jose Public Library, one of the creators of San Jose’s Virtual Privacy Lab. Michael Zimmer, Director of the Center for Information Policy Research at the University of Wisconsin-Milwaukee, will moderate. Participants will be asked to give feedback on draft privacy field guides for libraries and on plans for the Spring 2018 Library Values & Privacy Summit in New York City.
Other meetings and programs of interest in privacy, technology, and libraries: Intellectual Freedom Committee (multiple times); Intellectual Freedom Roundtable (2/11, 3:00 pm); OITP Advisory Committee (2/12, 8:30 am); Committee on Professional Ethics (2/12, 1:30); ACRL Professional Values Committee (Sunday, 1:00 p.m.); NISO Update (2/10, 1:00 pm); Road Signs to the Future: What Trends Will Affect Your Library? (Symposium on the Future of Libraries) (2/11, 1:30 pm); LITA Top Technology Trends (2/11, 1:00 pm).
By: T.J. Lamanna
Cross-posted from the OIF Blog
With the recent release of tools like Certbot and HTTPS Everywhere and organizations like Let’s Encrypt, it’s becoming easier and easier for non-enterprise web administrators to add SSL certificates to their websites, thus ensuring a more secure connection between the user and server. The question that needs to be answered is: why, with so many tools available, are libraries lagging behind in implementing HTTPS on library web servers?
As Tim Willis, HTTPS Evangelist at Google, said in his interview with Wired Magazine: “It’s easy for sites to convince themselves that HTTPS is not worth the hassle. But if you stick with HTTP, you may find that the set of features available to your website will decline over time.” This might have been true 10 years ago, when implementing the certificate required a unique set of skills that most librarians didn’t have, and most public libraries couldn’t afford to outsource. This is no longer the case, yet the mindset hasn’t changed.
The library field is rife with the mindset of “we’ve always done it this way,” which is why we typically lag behind and become late adopters, rather than the pioneers we like to pride ourselves on being. Implementing HTTPS would also require libraries to spend more time and energy on making sure their websites were current and safe — a challenge for understaffed and underfunded libraries. However, the benefits and good this will offer to the community should outweigh any additional labor involved, especially since there are people and organizations that are willing to do the work for the library, such as Let’s Encrypt, the Library Freedom Project or their state library, for either a nominal or no fee.
As of July 27, 2017, only 1,445 out of a total of 16,248 public libraries have HTTPS enabled on their websites. That’s just 8.89% (this excludes the 971 libraries we weren’t able to find valid websites for) [Fig 1]. As the graphs below show, as of July 2017 almost 60% of all web pages loaded over Firefox were able to use HTTPS [Fig 2]. In addition, 229,845 of the top 1 million sites (almost 23%) enable HTTPS by default [Fig 3], and as of July 2, 2017, the site SSL Pulse, which surveys the top 140,000 websites, found that 59.1% were actively secured [Fig 4].
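An added example, not part of the original post or the survey's own tooling: one way to sort library sites into the categories the figures above distinguish (HTTPS by default, HTTPS available on request, HTTP only, no valid website) and compute the share over reachable sites. The host names and sample observations are constructed, and counting both HTTPS categories as "enabled" is an assumption about how such a survey would count.

```python
import ssl
import urllib.error
import urllib.request
from collections import Counter
from urllib.parse import urlsplit

def probe(host, timeout=10):
    """Live observation for one host (needs network; the sample below does not call it)."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    try:
        urllib.request.urlopen(f"https://{host}/", timeout=timeout, context=ctx).close()
        https_ok = True
    except urllib.error.HTTPError:
        https_ok = True    # TLS succeeded; only the page returned 4xx/5xx
    except OSError:
        https_ok = False   # no listener, timeout, or certificate rejected
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            final_url = resp.geturl()  # URL after redirects were followed
    except urllib.error.HTTPError as err:
        final_url = err.geturl()
    except OSError:
        final_url = None
    return final_url, https_ok

def classify(final_url, https_ok):
    """Map one observation to a survey category."""
    if final_url and urlsplit(final_url).scheme == "https":
        return "https-default"    # plain-HTTP visitors get redirected to HTTPS
    if https_ok:
        return "https-available"  # works when asked for, but HTTP is still served
    return "http-only" if final_url else "unreachable"

def summarize(observations):
    """Count categories; the HTTPS share is taken over reachable sites only."""
    counts = Counter(classify(url, ok) for url, ok in observations.values())
    reachable = sum(counts.values()) - counts["unreachable"]
    enabled = counts["https-default"] + counts["https-available"]
    return counts, (round(100 * enabled / reachable, 2) if reachable else 0.0)

# Constructed sample observations for hypothetical hosts, shaped like probe() output.
SAMPLE = {
    "library-a.example": ("https://library-a.example/", True),
    "library-b.example": ("http://library-b.example/", True),
    "library-c.example": ("http://library-c.example/", False),
    "library-d.example": (None, False),
}
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To survey real sites, build the observations with `{host: probe(host) for host in hosts}` and pass them to `summarize()`.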
One of the most common complaints against HTTPS implementation in libraries has been: “we don’t serve any sensitive information,” but that’s not the only reason to implement HTTPS on your library’s domain. Beyond the security measures HTTPS offers libraries and their patrons, there are other practical reasons for implementing the certificate.
Standard load time for web pages is actually faster with HTTPS: across more than 360 unique test loads, HTTPS averaged 3.75 seconds while HTTP averaged 5.251 seconds, or 40% slower. HTTPS also increases SEO rankings, so libraries that are struggling to move up the ranks may find the implementation helpful. There is also the issue of updated browsers: as HTTPS becomes more common, web browsers are going to anticipate your domain having an SSL certificate, and will start throwing nasty messages and warnings if your site is unsecure. This becomes especially problematic for library patrons, as few are familiar enough with the topic to understand why their library’s website is giving them error messages. There are countless other reasons to enable HTTPS on your site, and for more information I’d recommend Scott Helme’s “Still think you don’t need HTTPS” report.
We’ve focused exclusively on libraries and the domains they hold, but a correlate to this discussion is advocating and demanding vendors also implement HTTPS for their services, especially those where patron information is relayed. Librarians and their advocates must push to have every ILS enable HTTPS as well as any other service that may potentially leak patron information. This is a paradigm shift in the current relationship between libraries and their vendors that needs to be resolved.
Our patrons expect a secure platform from their library, and libraries as privacy advocates have an obligation to provide their patrons with the tools they need to use library resources safely. So, what can you do to enable HTTPS on your library’s domain? Bring up the topic to your director, board or trustees and explain the need and method of implementation. Make sure you can explain why it’s important as well as how you’d pursue getting the certificate implemented.
T.J. Lamanna is the chair of the New Jersey Library Association Intellectual Freedom Committee and the emerging technologies librarian at the Cherry Hill Public Library. His time is spent discussing both practical and theoretical ways of protecting librarians and their patrons in a world of social engineering, hacking and malicious states. Whether it’s email, browsing history or texts, he educates the public on what they can do to keep their communications private.