Encryption and Patron Privacy

Protecting the library users' right to privacy—the right to open inquiry without having the subject of one’s interest examined or scrutinized by others, free from fear of government intrusion, intimidation, or reprisal—is one of the core ethical obligations of the library profession. Everyone (paid or unpaid) who provides governance, administration or service in libraries has a responsibility to maintain an environment respectful and protective of the privacy of all users.1

In the online environment, libraries face a number of challenges in trying to protect the patron's ability to read and research free from surveillance.  Encryption prevents the contents of a message, file, transaction, or web page from being deciphered by an intercepting party. Communicating over the Internet without encryption  is like posting to a community bulletin board where anyone can see it.   One should assume that any information transmitted online, in the clear, without encryption, can be read, captured, and used by the intercepting party.
 
Libraries and library vendors should work towards ensuring that all their websites and online services communicate securely over the web by using encryption. In addition, encryption should be used to protect data that is backed up or archived offsite or in the cloud as part of standard security procedures to prevent unauthorized access. Libraries should negotiate with their vendors to use encryption to secure all online communications, transactions, and stored data for vendor-provided e-content, integrated library systems, or online catalogs. Whenever possible libraries should consider making encryption tools available to library users who are engaging in personalized online transactions or communications, to enable users to remain anonymous and avoid both commercial and government surveillance.2

As a means of assisting libraries seeking to encrypt their websites, ALA-OIF has become a sponsor of  "Let's Encrypt," a service provided by the Internet Security Research Group (ISRG) operated for the public's benefit. It will allow anyone who owns a domain name – including libraries – to obtain a server certificate at zero cost, making it possible to encrypt data communications with the server  and provide greater security for those accessing the library's website and online services.

Apple and the FBI

On February 26, 2016,  the American Library Association released a statement in support of Apple, Inc.'s efforts to defend the security of its devices.

Demand for Apple Encryption Tool Threatens Library Users' Privacy (February 26, 2016)

Resources

What Every Librarian Needs to Know about HTTPS (Electronic Frontier Foundation) 

Exploring Information Security and Shared Encrypted Spaces in Libraries  (Code4Lib Journal)

Patron Privacy In Online Catalogs And Discovery Services (Choose Privacy Week)

Why We Need to Encrypt The Whole Web… Library Websites, Too (LITA Blog, January 2015)

Privacy and Security for Library Systems Library Technology Reports [May/June 2016]

Smart Libraries Newsletter: Protecting the Privacy of Library Patrons / Privacy and Security of Automation and Discovery Products (Vol 35, No 1 (2015)

The Library Digital Privacy Pledge

UN Human Rights Council, Report on Encryption, Anonymity, and the Human Rights Framework and Selected References

House Judiciary Committee and House Energy and Commerce Committee,  Encryption Working Group Year-End Report, December 20, 2016

Human Rights and Encryption UNESCO (2016)

Secure Your Site with HTTPS (Google)

Tips for Using Public Wi-Fi Networks – Encryption

HTTPS Everywhere

Tor Browser

 



1 Privacy, An Interpretation of the Library Bill of  Rights; Article III, ALA Code of Ethics

2Privacy Toolkit; Library Privacy Guidelines for E-book and Digital Content Vendors; Questions and Answers on Privacy and Confidentiality