Libraries hold the confidentiality of patron information as a fundamental value. Library automation systems are generally configured not to retain records that reveal the specific materials that a patron has borrowed, at least beyond the operational need. In the consumer arena, to the contrary, details regarding behavior have become a major currency of the economy.
One of the realities of the Internet lies in the ability for any third party to intercept the transmissions of information as it travels among devices and servers. Wireless networks are an especially easy target. Assume today that any information transmitted as clear text across a local network or the Internet will be intercepted and used, whether for targeted advertising or illegal intrusion into servers and systems.
Encryption provides the main line of defense against the unwanted capture of data. The absolute and most basic transaction that demands encryption is the sequence used to authenticate staff and users into a system. Any exposure of username and passwords without strong encryption is an invitation for unwanted access into that system. A further line of defense lies in encrypting sensitive data files, including data stores that hold the personal details such as search and reading behavior or financial transactions.
This issue of Smart Libraries Newsletter presents a brief study of the privacy and security characteristics of a sampling of the major automation and discovery products. While results offer a glimpse of the current state of privacy and security in our industry, I present them primarily to increase awareness and to open a broad-based conversation to effect needed improvements.
Conclusions: From Awareness to Action
The results of the survey follow inside, and here I'll present my observations. For many of the providers and products, the level of privacy and security is left to the discretion of their library customers. I would encourage opting for the highest level of security offered. All of the products targeted in this study indicated that they follow standard practices related to the security of passwords and sign-on sequences.
I commend Biblionix for its early move to delivering all transactions for its Apollo ILS via pages encrypted via HTTPS. BiblioCommons states that it will be following that approach beginning in 2015. Full encryption has seen increasing adoption on major destinations with both Google and Facebook moving to that level of security in 2013.
I believe that libraries should work toward comprehensive encryption as the minimal level of security performance expected from these products. No longer is it enough to secure only the transmission of sensitive details, but systems need to protect the general stream of transactions, such as patron searches, selections made, and materials read or downloaded.
Encryption addresses only one layer of the overall environment that relates to privacy and security. Even when patron and staff sessions are fully encrypted, they may expose patron details and reading behavior via cookies or other tokens that may be enabled. When libraries blend services from external social and e-commerce networks into their own environment, there is the strong possibility of the transmission of data elements to those external networks.
I'm not necessarily advocating that libraries follow a flat and sterile approach in their service delivery. As libraries enable these social features, they should be aware of what might be exposed and then carefully manage the process. Some libraries might choose to allow patrons to opt-in after warning them that some details may be provided to the partner site. While individual patrons have their own preferences on privacy, libraries have an additional set of concerns related to the profession's ethics regarding how systems that they provide manage privacy and security.