Securing the actions performed on a web-based service via HTTPS has become well established and may soon become the expected norm. Organizations dealing with financial data, medical records, or other confidential information routinely implement security via HTTPS. Social networks such as Facebook and Twitter, all the services offered by Google, and most news sites now operate entirely over HTTPS. Consistent with this growing expectation for security and privacy, many web browsers, such as Chrome, now display information or warning indicators for any site not using HTTPS.
As a follow-up to the May/June 2016 issue of Library Technology Reports on “Privacy and Security for Library Systems,” which included data gathered in the last quarter of 2015, we have surveyed the websites of several libraries noting whether selected services use HTTP or HTTPS. The sites reviewed included the members of the Association of Research Libraries (ARL) and a selection of large public libraries. These organizations would more likely have the technical and financial resources to manage their webbased services according to current expectations for privacy and security. As some of the largest libraries in North America, they are also most likely to have adopted privacy policies and the technical expertise to implement them.
For each of the organizations selected, we tabulated the status of the library's main website, the primary online catalog, and discovery service. These services remain within the control of the library and can be considered key indicators of the level of privacy possible as patrons make use of the library's online services. Especially for academic libraries, some may offer a link to the online catalog of their ILS as well as an index-based discovery service. The concept of the online catalog does not apply to those using products such as Alma or WorldShare Management Services. The discovery interface provides access to both local holdings and article-level content. There are a small number of academic libraries among those reviewed that offer an online catalog but not a discovery service.
Our review of the web-based resources of these libraries (shown in Tables 1 and 2 on the following page) reveals improvements beyond what was observed in 2015, but shows that the majority continues not to enforce encryption to protect patron privacy. Out of the 124 ARL member libraries considered, only 42 percent present their website using HTTPS. Out of the 25 major public libraries considered, only 36 percent deploy their website using HTTPS. Table 3 breaks down Table 2, revealing the 25 major public libraries in the United States and looking at the security of each library's catalog and website. The following two charts on page 6 shows the percentage of ARL member libraries employing each of the different catalog and discovery services available.
In the context of the prevailing expectation that reputable websites are deployed using HTTPS, libraries lag behind other types of organizations in a wholesale shift toward providing this level of privacy and security for their web-based services. This observation is surprising given the concern libraries state regarding patron confidentiality and privacy. As libraries work to improve their technical infrastructure, those that value the privacy of their patron's use of the online services will want to give high priority to the implementation of HTTPS for the systems under their control.
Beyond the values of the library profession to protect patron privacy, the urgency of this change is also driven by upcoming changes in the way that browsers flag page security. Google's Chrome browser already displays an informational message for sites presented through HTTPS: “your connection to this site is not secure.” Although no specific date has been set, Google states that future versions of its browser will elevate the warning with a conspicuous red “Not secure” indicator. I would urge libraries to move rapidly toward comprehensive use of HTTPS for their web-based resources in advance of this change if they want their resources to be perceived as trusted and reliable.
| ARL Member Libraries | ||||||
|---|---|---|---|---|---|---|
| 2015 | 2017 | |||||
| Website | Catalog | Discovery | Website | Catalog | Discovery | |
| Total | 124 | 95 | 100 | 124 | 107 | 107 |
| https | 16 | 12 | 17 | 52 | 31 | 26 |
| Percent https | 13% | 13% | 17% | 42% | 29% | 24% |
| Largest 25 Public Libraries in North America | ||||||
|---|---|---|---|---|---|---|
| 2015 | 2017 | |||||
| Website | Catalog | Website | Catalog | |||
| Total | 25 | 25 | 25 | 25 | ||
| https | 2 | 7 | 9 | 12 | ||
| Percent https | 8% | 28% | 36% | 48% | ||
| ARL Member Libraries | ||||||
|---|---|---|---|---|---|---|
| Website | Catalog | Secure? | Discovery Interface | Discovery Secure? | ||
| Arizona State University | y | WebPac Pro | n | Summon | y | |
| Auburn University Libraries | n | VuFind | n | none | ||
| Boston College | n | Primo | n | |||
| Boston University | n | Primo | n | |||
| Boston Public Library | n | BiblioCommons | y | |||
| Brigham Young University | y | eLibrary | n | Local | y | |
| Brown University | y | Blacklight | y | Summon | n | |
| Case Western Reserve University | n | WebPac Pro | n | Summon | n | |
| Center for Research Libraries | n | WebPac Pro | n | |||
| Colorado State University | n | Primo | y | |||
| Columbia University | n | Blacklight | y | |||
| Cornell University | y | Blacklight | y | |||
| Dartmouth College | y | WebPac Pro | n | Summon | y | |
| Duke University | y | Local/Endeca | y | Drupal/Summon | n | |
| Emory University | n | Primo | n | |||
| Florida State University | y | Mango | y | Summon | n | |
| George Washington University | n | Drupal | n | Drupal/Summon | n | |
| Georgetown University | n | WebPac Pro | n | Summon | n | |
| Georgia Institute of Technology | n | Primo | n | |||
| Harvard University | n | Aleph | n | Primo | n | |
| Howard University | n | WebVoyage | n | Summon | n | |
| Indiana University | y | Blacklight | y | Drupal EDS API | y | |
| Iowa State University | n | Primo | n | |||
| Johns Hopkins University | n | Blacklight | y | Blacklight | y | |
| Kent State University | n | WebPac Pro | y | EDS | n | |
| Louisiana State University | n | eLibrary | y | EDS | n | |
| Massachusetts Institute of Technology | y | EDS | y | EDS | y | |
| McGill University | n | aleph | y | WorldCat | n | |
| McMaster University | y | VuFind | n | |||
| Michigan State University | y | WebPac Pro | y | Summon | y | |
| National Archives and Records Administration | y | |||||
| National Research Council Canada | n | WebPac Pro | n | Summon | n | |
| New York State Library | n | |||||
| New York University | n | Primo | n | Xerxes / EDS | y | |
| New York Public Library | y | Encore | n | |||
| North Carolina State University | y | Local | y | Local/Summon | n | |
| Northwestern University | n | primo | n | |||
| Ohio State University | y | WebPac Pro | n | Worldcat | n | |
| Oklahoma State University | y | Primo | n | Primo | n | |
| Pennsylvania State University | y | e-Library | n | Summon | y | |
| Princeton University | n | Blacklight/Primo | y | |||
| Purdue University | y | primo | n | |||
| Queen's University | n | WebVoyage | y | Summon | n | |
| Rice University | y | eLibrary | n | Drupal EDS API | n | |
| Rutgers University | y | VuFind | y | EDS | ||
| Smithsonian Institution | n | iPac | n | Summon | n | |
| Southern Illinois University | n | VuFind | y | EDS | ? | |
| Stony Brook University | n | Aleph | n | EDS | n | |
| Syracuse University | y | WebVoyage | n | Summon | n | |
| Temple University | n | WebPac Pro | n | Summon | n | |
| Texas A&M University | n | WebVoyage | n | EDS | ||
| Texas Tech University | y | Primo | y | Primo | y | |
| Tulane University | n | WebVoyage | n | Primo | n | |
| Library of Congress | y | Local | y | |||
| National Agricultural Library | y | Voyager | y | |||
| National Library of Medicine | y | Voyager | y | pubmed | y | |
| Universite Laval | n | Ariane | n | |||
| University at Albany | y | Aleph | n | EDS | ||
| University at Buffalo | n | VuFind | n | Summon | n | |
| University of Alabama | y | WebVoyage | n | Drupal EDS API | n | |
| University of Alberta | y | Blacklight | y | EDS | y | |
| University of Arizona | n | WebPac Pro | n | Summon | n | |
| University of British Columbia | n | WebVoyage | n | Summon | n | |
| University of Calgary | n | Drupal / Summon | n | |||
| University of California -- Berkeley | n | WebPac Pro | n | EDS | n | |
| University of California -- Davis | y | primo | y | primo | y | |
| University of California -- Irvine | n | WebPac Pro | n | |||
| University of California -- Los Angeles | n | WebVoyage | n | Summon | n | |
| University of California -- Riverside | y | WebPac Pro | n | WorldCat Local | n | |
| University of California -- San Diego | y | WebPac Pro | n | |||
| University of California -- Santa Barbara | n | Aleph | n | |||
| University of Chicago | y | VuFind | y | EDS API | ||
| University of Cincinnati | y | WebPac Pro | n | Summon | n | |
| University of Colorado -- Boulder | n | WebPac Pro | n | Summon | ||
| University of Connecticut | n | primo | n | primo | n | |
| University of Delaware | y | WorldCat | y | WorldCat | y | |
| University of Florida | n | Mango | n | Summon | n | |
| University of Georgia | n | VuFind | n | EDS | n | |
| University of Guelph | n | primo | n | Primo | n | |
| University of Hawaii -- Manoa | n | Voyager | y | primo | n | |
| University of Houston | n | WebPac Pro | n | Primo | n | |
| University of Illinois -- Chicago | y | VuFind | y | Summon | n | |
| University of Illinois at Urbana-Champaign | n | VuFind | n | Local? | n | |
| University of Iowa | n | primo | n | Primo | n | |
| University of Kansas | y | Voyager | y | Primo | n | |
| University of Kentucky | n | primo | n | primo | n | |
| University of Louisville | n | WorldCat | y | WorldCat | y | |
| University of Manitoba | n | Primo | n | Primo | n | |
| University of Maryland | n | Aleph | n | WorldCat | y | |
| University of Massachusetts -- Amherst | y | Aleph | y | WorldCat | n | |
| University of Miami | y | Primo | n | Primo | n | |
| University of Michigan | y | VuFind | n | Drupal | n | |
| University of Minnesota -- Twin Cities | y | Primo | n | Primo | n | |
| University of Missouri -- Columbia | n | WebPac Pro | n | EDS | n | |
| University of Montreal | n | Primo | n | Primo | n | |
| University of Nebraska -- Lincoln | n | WebPac Pro | n | Encore | n | |
| University of New Mexico | n | WorldCat | y | WorldCat | y | |
| University of North Carolina -- Chapel Hill | n | Endeca | n | Local | n | |
| University of Notre Dame | y | primo | n | primo | ||
| University of Oklahoma | y | primo | n | primo | n | |
| University of Oregon | n | primo | n | primo | n | |
| University of Ottawa | y | WebPac Pro | y | primo | n | |
| University of Pennsylvania | n | Local | n | local | n | |
| University of Pittsburgh | n | voyager | n | Summon | n | |
| University of Rochester | y | WebVoyage | n | Summon | n | |
| University of Saskatchewan | n | WebPac Pro | n | Primo | n | |
| University of South Carolina | n | WebPac Pro | n | Encore | ||
| University of Southern California | y | Elibrary | y | Summon | n | |
| University of Tennessee -- Knoxville | y | Primo | n | Primo | n | |
| University of Texas -- Austin Libraries | n | WebPac Pro | n | Summon | n | |
| University of Toronto | y | Local? | n | Summon API | y | |
| University of Utah | y | Primo | n | Primo | n | |
| University of Virginia | n | Blacklight | n | Blacklight | n | |
| University of Washington | n | Primo | n | Primo | n | |
| University of Waterloo | n | Primo | n | Local | n | |
| University of Western Ontario | y | WebPac Pro | n | Summon | n | |
| University of Wisconsin -- Madison | y | Local? | y | Primo | y | |
| Vanderbilt University | n | e-Library | n | Local / Primo | n | |
| Virginia Tech | n | WebPac Pro | n | Summon | n | |
| Washington State University | n | Primo | n | Primo | n | |
| Washington University in Saint Louis | y | WebPac Pro | n | Primo | y | |
| Wayne State University | y | WebPac Pro | n | Local / Summon | n | |
| Yale University | n | WebVoyage | n | Local | n | |
| York University | n | eLibrary | n | VuFind | y | |
| Major Public Libraries in the United States | |||
|---|---|---|---|
| Library | Website | Catalog | Secure? |
| Los Angeles Public Library, CA | n | LS2 PAC | n |
| New York Public Library | n | Encore | n |
| County of Los Angeles Public Library, CA | n | eLibrary | n |
| Chicago Public Library, IL | y | BiblioCommons | y |
| Brooklyn Public Library, NY | y | BiblioCommons | y |
| Queens Borough Public Library, NY | n | Local | n |
| Miami-Dade Public Library System, FL | n | PowerPAC | n |
| Houston Public Library, TX | n | Portfolio | y |
| Harris County Public Library, TX | n | Portfolio | y |
| Broward County Libraries Division, FL | n | LS2 Pac | n |
| San Antonio Public Library, TX | n | WebPac Pro | n |
| Orange County Public Libraries, CA | n | Enterprise | y |
| Free Library of Philadelphia, PA | n | VuFind | y |
| Phoenix Public Library, AZ | y | PowerPAC | y |
| Las Vegas-Clark County Library District, NV | n | WebPac Pro | n |
| Hawaii State Public Library System, HI | n | Enterprise | n |
| King County Library System, WA | y | BiblioCommons | y |
| Sacramento Public Library, CA | y | Encore | n |
| San Diego Public Library, CA | y | BiblioCommons | y |
| Hillsborough County Public Library Cooperative, FL | n | PowerPAC | n |
| Dallas Public Library, TX | y | PowerPAC | n |
| San Bernardino County Library, CA | n | PowerPAC | n |
| Riverside County Library System, CA | y | Powerpac | y |
| Hennepin County Library, MN | n | Bibliocommons | y |
| Orange County Library District, FL | y | WebPac Pro | y |
