Libraries value patron privacy. Yet a scan of current practices reveals uneven adoption of the basic technology needed to secure web-based library systems. Encrypting the traffic of online catalogs, discovery services, and other resources is essential to protect privacy: without encryption, what patrons search for, view, or download can be read by anyone on the network path. These online streams of communication deserve the same protection granted to circulation records, but few libraries are taking even minimal steps to encrypt this data.
Secure communication on the web provides two important benefits:
- identifying the website authoritatively
- enabling encrypted communications between the user's browser and the server that provides the resource
Encryption algorithms transform the data into a seemingly garbled form that, if intercepted, cannot be deciphered by anyone who does not hold the session key negotiated between the browser and the server.
The use of a secure communication protocol (HTTPS, that is, HTTP carried over TLS) is the best approach available today for protecting patron privacy in transit. With HTTPS, a page is encrypted when it leaves the web server and stays encrypted until the user's browser decrypts it for display, so the content is protected against eavesdropping along the whole route, including unsecured wireless networks and other points of vulnerability. An observer on the path can still see which hosts a patron connects to, but not the pages requested, the search terms entered, or the content returned. The use of HTTPS has expanded from securing passwords and credit cards to all types of online services, and it is now the default for major commercial services, including Facebook, Twitter, and all Google services.
Enabling encryption on web-based resources has never been easier. HTTPS requires minimal computing resources on current hardware and is not difficult to implement. The user's browser indicates when the connection is secure. Chrome, for example (at the time of writing), marks a site whose certificate is valid and whose content is loaded entirely over HTTPS with a green padlock and shows https:// in the address bar; clicking on the padlock displays the details of the certificate. A page that pulls scripts, style sheets, or images over plain HTTP ("mixed content") does not earn the padlock even though the page itself was served over HTTPS, so a site must be checked as a whole, not just by its address.
My Library Technology Report, Privacy and Security for Library Systems (vol. 52, no. 4), aims to assess the extent to which libraries use encryption to secure their patron-facing interfaces. In December 2015, I inspected the websites of representative groups of libraries, including members of the Association of Research Libraries (ARL) and the largest 25 public libraries in the US. These libraries are the most likely to have the technical capability and financial resources to implement secure systems. The data represent a snapshot of practice at that date and a baseline against which to measure the changes that are taking place. Here are some of the key observations:
- Out of 124 ARL member libraries, only 16 (13%) use HTTPS on their main websites.
- Out of the 95 ARL member libraries that feature an online catalog search on their websites, only 12 (14%) default to HTTPS for search activity.
- Out of the 100 ARL member libraries that feature a discovery service on their websites, only 17 (17%) default to HTTPS for search activity.
- Out of the 25 large public libraries, only two (8%) use HTTPS on their main websites, and only seven (28%) default to HTTPS for catalog search activity.
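The inspection described above (does the main site use HTTPS, and does the catalog or discovery search default to HTTPS?) can be scripted. The following Python audit is an added example, not code from the report and not the tool used in the study. It assumes the page body has already been fetched (for instance with curl -L) and that the caller knows the final URL after any redirects; it resolves each search form's action against that URL, and, going one step beyond the text, also flags mixed content, the case in which an HTTPS page loads sub-resources over plain HTTP and so loses the browser's padlock. The sample pages and hostnames are constructed for illustration.

```python
"""Audit a fetched library web page for HTTPS defaults and mixed content.

Hypothetical example: the page body is assumed to have been fetched already
(e.g. with curl -L) and page_url is the final URL after any redirects.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAndAssetCollector(HTMLParser):
    """Collect <form action> targets and the URLs of embedded sub-resources."""

    def __init__(self):
        super().__init__()
        self.form_actions = []   # raw action attribute of every <form>
        self.asset_urls = []     # src/href of scripts, stylesheets, images, iframes

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.asset_urls.append(a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.asset_urls.append(a["href"])


def audit_page(page_url, html):
    """Return a dict describing the HTTPS posture of one fetched page.

    page_url: the final URL the page was served from (after redirects)
    html:     the page body as text
    """
    parser = _FormAndAssetCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme

    # An empty or relative form action submits to the page's own origin, so
    # urljoin resolves it against page_url and it inherits the page's scheme.
    # An absolute http:// action sends the search terms in the clear even
    # when the page that hosts the form was served over HTTPS.
    form_targets = [urljoin(page_url, act) for act in parser.form_actions]
    insecure_forms = [u for u in form_targets if urlsplit(u).scheme != "https"]

    # Mixed content: an https page pulling sub-resources over plain http.
    # Protocol-relative URLs (//cdn.example.net/x.css) inherit https here.
    asset_targets = [urljoin(page_url, src) for src in parser.asset_urls]
    mixed = [u for u in asset_targets if urlsplit(u).scheme == "http"]

    return {
        "page_https": page_scheme == "https",
        "form_targets": form_targets,
        "search_defaults_to_https": bool(form_targets) and not insecure_forms,
        "mixed_content": mixed if page_scheme == "https" else [],
    }


def findings(report):
    """Turn an audit report into the list of problems a reviewer would record."""
    problems = []
    if not report["page_https"]:
        problems.append("page served over plain HTTP")
    if report["form_targets"] and not report["search_defaults_to_https"]:
        problems.append("search form submits over plain HTTP")
    if report["mixed_content"]:
        problems.append("mixed content: %d sub-resource(s) loaded over HTTP"
                        % len(report["mixed_content"]))
    return problems


# Constructed sample pages (not real library sites).
SAMPLE_HOME_PAGE = """<html><body>
<form action="http://catalog.example.edu/search" method="get">
<input name="q"><input type="submit" value="Search"></form>
</body></html>"""

SAMPLE_DISCOVERY_PAGE = """<html><head>
<link rel="stylesheet" href="//cdn.example.net/style.css">
<script src="http://analytics.example.net/track.js"></script>
</head><body>
<form action="/discovery/search" method="get"><input name="q"></form>
</body></html>"""


if __name__ == "__main__":
    for url, body in [("https://www.example.edu/", SAMPLE_HOME_PAGE),
                      ("https://search.example.edu/", SAMPLE_DISCOVERY_PAGE),
                      ("http://www.example.edu/", SAMPLE_HOME_PAGE)]:
        report = audit_page(url, body)
        print(url, "->", findings(report) or ["OK"])
```

Run against a real site, the script is only as good as the page you feed it: fetch with redirects followed so that page_url reflects an HTTP-to-HTTPS redirect, and audit the discovery interface's own page, not just the library home page, since the two are often served from different hosts.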
The results of this study are alarming. My survey of library automation vendors shows that every system surveyed has the technical capacity for encrypted, secure communication, yet only a small percentage of libraries have enabled it for their online catalogs or discovery services. Similarly, few serve their main websites over HTTPS, even though TLS support is a standard capability of commercial and open-source web servers and content management systems alike.
We could attribute this lapse to gaps in awareness or to a lack of the expertise needed to reconfigure existing implementations. Vendors and libraries can partner to reshape the security landscape quickly if this is identified as a priority.