April 24, 2018

With Privacy Pledge, Library Freedom Project Advocates for HTTPS

The Library Freedom Project (LFP) is urging libraries and library vendors to ensure basic online privacy protections for patrons by implementing HTTPS for websites, catalogs, and all other online resources. The HTTPS protocol tells web browsers to encrypt data that is transferred between a browser and a server, preventing third parties from eavesdropping or tampering with that data. Many web users may be familiar with HTTPS from banking websites or the checkout areas of consumer retail websites, where the need to encrypt sensitive financial information is obvious. But recent revelations about the National Security Agency’s (NSA) vast online surveillance program, as well as the availability of software that makes it relatively easy for amateur hackers to spy on unencrypted web traffic, have led a growing number of web services—including Google, Facebook, and Twitter—to implement HTTPS across the board.

In June, the White House Office of Management and Budget issued its own HTTPS-Only Standard directive, ordering all publicly accessible federal websites to provide services via secure HTTPS connections by December 2016. LFP, through its “Library Digital Privacy Pledge,” is essentially asking libraries and vendors to meet a similar deadline, pledging to implement HTTPS on their own websites and other library-controlled online resources within six months, and ensuring that new or renewed contracts with vendors will require that those vendors support HTTPS by the end of 2016.

Several major vendors, such as OverDrive, EBSCO, and Elsevier, already have HTTPS implemented on their primary websites. Costs for fully implementing HTTPS—including all domains, online resources, and APIs—will vary based on factors including the scope of a library or vendor’s resources. However, as the federal government’s Chief Information Officer’s Council explains in its site covering the HTTPS-Only directive, the shift toward HTTPS as a basic privacy standard is becoming inevitable.

“Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now,” the site explains.

LFP Director Alison Macrina also described HTTPS as “a baseline for privacy protection and the bare minimum of what everyone should be doing to secure a website. Imagine if you go to your library’s website, and that website is using HTTP—regular Hypertext Transfer Protocol with no Transport Layer Security (TLS), no security certificate—what that means is that…all of their activity on the website is visible over the Internet,” she told LJ. “Anyone who is observing that network traffic can see that a patron has looked for books about gender identity, or herpes, or divorce, or whatever.”

Option or mandate?

An FAQ about the project explains the difference with a simple analogy. Using HTTP is comparable to using a postcard to mail a patron’s recent search history through the postal system, while using HTTPS is akin to mailing that search history in a sealed envelope.

“When you use the web, your browser software communicates with a server…through the Internet,” the FAQ reads. “The messages [pass] back and forth through a series of computers (network nodes) that work together…. There might be five computers in that chain, or there might be 50, each possibly owned by a different service provider. When a website uses HTTP, the content of these messages is open to inspection by each intermediate computer—like a postcard sent through the postal system—as well as by any other computer that shares a network [with] those computers…. When a website uses HTTPS, the messages between your browser software and the server are encrypted so that none of the intermediate network nodes can see the content of the messages.”

There is already consensus within the technology community that HTTPS is a baseline best practice for protecting user privacy, explained Gluejar founder Eric Hellman, who has been working with Macrina on the Library Digital Privacy Pledge.

“It’s a prerequisite for [online] privacy, and privacy has been a big topic in the library world recently. It’s sort of a no-brainer,” Hellman said.

The pledge points to the third article of the American Library Association’s (ALA) Code of Ethics, which states that “we protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”

The language of this ALA mandate is broad, the pledge notes, but the principle is clear. “Library services and resources should be delivered, whenever practical, over channels that are immune to eavesdropping,” the pledge states.

Hellman said that in his conversations about the project with both libraries and vendors, “once you get management talking to the technology people, the marketing people, and the legal people—because all of them have [a stake] in this privacy issue—the conclusion is either, ‘we should be doing this right away,’ or ‘we’re already working on it, we just need more resources.’”

Help on the way

Favorable timing was also a factor in the development and launch of the HTTPS-focused pledge, Hellman said. The Internet Security Research Group (ISRG), a California public benefit corporation, is on the verge of launching Let’s Encrypt, a free, automated, and open certificate authority that will make it free for libraries to obtain the security certificates needed to implement HTTPS.

Encryption works by using an algorithm to encode data prior to transmission. The recipient will need an encryption key to read the transmission. On the web, this process has typically been managed by IT security companies, such as Comodo or Symantec/VeriSign, which vet the identity and location of an organization, among other information, and then issue a security certificate binding a cryptographic key to that organization’s website. Of course, these keys must also be issued by a trusted organization. Commercial, enterprise-level security certificates can still cost hundreds or even thousands of dollars annually, which would impose a significant financial burden on many libraries.

Sponsored by Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust, the Internet Society, Automattic, ALA, and Shopify, the Let’s Encrypt project aims to provide free security certificates on request, while simplifying certification, configuration, and certificate renewal processes to make it easy and inexpensive to implement HTTPS.

“We’re hoping to time the major launch of the pledge with the full deployment of Let’s Encrypt [expected in November 2015],” said Macrina. “It’s not something that we want libraries to rely on, because [Let’s Encrypt] is still going to be pretty new. But it will mean that anybody that signs the pledge, that would be an option for them to get a certificate. And, maybe even more importantly, it’s something that will help them renew their certificates in perpetuity…. And Let’s Encrypt is creating some essential infrastructure to make encrypting websites a lot easier.”

Macrina added that the Library Freedom Project has been enlisting volunteers to help libraries that would like to sign the pledge or participate, but may be concerned about a lack of IT support or on-staff expertise.

“We are working with a network of volunteer technologists,” Macrina said. “Eric [Hellman] and I are figuring out the groundwork for that. We’re going to have a volunteer core of people who can offer their technical expertise to help libraries that don’t have the support to do this. We’re working out what exactly that means. It would require a lot of trust to allow someone to have access to your web server, but maybe what we could offer is help over the phone, explaining everything you have to do.”

About Matt Enis

Matt Enis (menis@mediasourceinc.com, @matthewenis on Twitter, matthewenis.com) is Senior Editor, Technology for Library Journal.
