Patron Privacy Online – A Call for Reform

The address bar is the first place to look for secure browsing.Safeguarding patron privacy has always been a cornerstone of public library service in America. It’s enshrined in the code of ethics of the American Library Association, where it states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”

Further, patron confidentiality is a fundamental requirement for intellectual freedom. “Privacy is essential to the exercise of free speech, free thought, and free association. The courts have established a First Amendment right to receive information in a publicly funded library” (From an interpretation of the Library Bill of Rights).

Patron privacy is so important, libraries have policies enshrining it and make public affirmations of the Freedom to Read Statement and the Library Bill of Rights and its interpretations. Most states have laws in place protecting patrons’ privacy, such as NDCC 40-38-12.

Despite our admirable dedication to protecting patrons’ confidentiality, we’ve evinced systemic oversight regarding their privacy when they’re using library resources online. Patrons use our catalogs and databases for the same types of medical, legal, religious, philosophical, and other research and recreation they use our material collections for, and we should provide them the same stalwart protections in their use. Almost without fail, however, we’re not taking even the most basic measure to ensure that this is so: providing the content via HTTPS.

HTTPS (HyperText Transfer Protocol Secure) provides a secure encrypted transmission of information between web browsers and web sites. It’s easy to tell if you’re visiting a page using HTTPS instead of the unsecured HTTP just by looking for at the URL in the address bar. In addition to the web address starting with https:, modern web browsers will provide a graphic indication, like a closed lock to the left of the address. An HTTPS connection protects users from certain kinds of Internet surveillance and eavesdropping. Unsecured connections are particularly vulnerable over shared wireless networks, like those in libraries. Most web services that handle confidential information employ HTTPS by default (or at the very least offer it as an option), including banks, e-mail, Facebook, Twitter, and search providers.

What patron information are we potentially exposing when they use our catalogs and databases? Login credentials and other personally identifiable information. What they’re searching for (including medical, legal, and ethical queries) and their search histories. What they’re interested in reading and what they currently have checked out. What they’re curious about. This is all deeply personal information and we have a stated and longstanding commitment to safeguarding it. It’s time we started taking that seriously.

The protocol is instantiated by the vendors we give substantial volumes of money to in exchange for our automation systems, online catalogs, and research databases. As such, this failure to employ HTTPS is often beyond our direct control. However, it’s high time we start demanding that they do better, whenever we have contact with them, and especially before renewing contracts.

How do the resources we provide in North Dakota fare? I took a look at the State Library’s catalog and subscription databases and here’s what I found…

Patron Privacy in the OPACOur catalog, where patrons search for, request, or renew items, where everything they have checked out is accessible? Unsecured HTTP.

Patron Privacy in LiteratiLiterati, our database of reference materials where we encourage our patrons to start their research? Unsecured HTTP.

Academic and educational research databases from Gale Cengage Learning? HTTP.All of our academic and educational databases from Gale Cengage Learning? Unsecured HTTP.

Patron Privacy in BritannicaBritannica School, our premier database for K-12 research, where we send our children? Unsecured HTTP.

Patron Privacy and ZinioZinio, our digital collection of current issues of popular magazines? HTTPS! Recorded Books Digital provides us with the sole secure channel of content that we’re offering our patrons and they deserve our accolades for this. Every other vendor we work with needs to start hearing about and ultimately honoring this very basic need.

4 responses to “Patron Privacy Online – A Call for Reform

  1. Eric,

    Great article. I assume the NSA can get past HTTPS?


    Bill Kennedy, MFA Development Director James River Valley Library System 910 5th St. SE Jamestown, ND 58401 w 702-252-2217 c 701-269-3333

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.