Application Level Security in a Public Library: A Case Study
Libraries have historically made great efforts to ensure the confidentiality of patron personally identifiable information (PII), but the rapid, widespread adoption of information technology and the internet has given rise to new privacy and security challenges. Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over Transport Layer Security (TLS); it authenticates the server and encrypts the exchange so that an attacker on the network cannot read or tamper with traffic in transit. HTTPS has long been used to protect sensitive exchanges, but passive attacks (eavesdropping on sessions that fall back to plain HTTP) and active attacks (an attacker on the path stripping or downgrading a partial HTTPS deployment) have shown that HTTPS must be deployed rigorously and across the whole site rather than only on selected pages. This report is intended to shed light on the state of HTTPS implementation in libraries, and to suggest ways in which libraries can evaluate and improve application security so that they can better protect the confidentiality of PII about library patrons.
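The report calls for evaluating how rigorously and pervasively a library site deploys HTTPS. As an added example (not code from the case study, and not from any library's own systems), the following Python script audits a captured HTTP response offline against the deployment properties a practitioner checks: plain-HTTP requests redirecting to HTTPS, a Strict-Transport-Security header with a long max-age, session cookies marked Secure and HttpOnly, and the absence of mixed content. It goes beyond the abstract's general statement by covering the cookie and mixed-content checks that decide whether a partial HTTPS deployment still leaks sessions. All host names, cookie values and responses in it are constructed for the example.

```python
"""Offline audit of how rigorously a site deploys HTTPS.

Added example, not code from the case study or from any library system.
It checks a captured HTTP response (URL, status, headers, Set-Cookie
values, body) against the deployment properties a practitioner verifies:
  * plain-HTTP requests redirect to HTTPS
  * HTTPS responses send Strict-Transport-Security with a long max-age
  * cookies carry Secure (never sent over plain HTTP, which is what passive
    session-sniffing attacks rely on) and HttpOnly
  * HTTPS pages embed no http:// resources (mixed content), which an active
    attacker on the path can replace
All URLs, cookies and responses below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # HSTS max-age in seconds; commonly recommended minimum


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]                           # matched case-insensitively
    cookies: List[str] = field(default_factory=list)  # raw Set-Cookie header values
    body: str = ""


# http:// in a src/href/action attribute of an HTTPS page is mixed content
MIXED_CONTENT_RE = re.compile(r"""(?:src|href|action)\s*=\s*["']http://""", re.IGNORECASE)


def header(resp: Response, name: str) -> str:
    """Return a header value regardless of the case the server used."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def audit(resp: Response) -> List[str]:
    """Return 'code: explanation' findings; an empty list means all checks passed."""
    findings: List[str] = []
    if urlsplit(resp.url).scheme.lower() == "http":
        location = header(resp, "Location")
        if resp.status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append("http-no-redirect: plain-HTTP URL served without redirecting to HTTPS")
        return findings  # the remaining checks apply to the HTTPS response

    hsts = header(resp, "Strict-Transport-Security")
    if not hsts:
        findings.append("hsts-missing: no Strict-Transport-Security header")
    else:
        max_age = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not max_age or int(max_age.group(1)) < ONE_YEAR:
            findings.append("hsts-short: max-age is below one year")

    for raw in resp.cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "secure" not in flags:
            findings.append(f"cookie-not-secure: {name} can be sent over plain HTTP")
        if "httponly" not in flags:
            findings.append(f"cookie-not-httponly: {name} is readable by page scripts")

    if MIXED_CONTENT_RE.search(resp.body):
        findings.append("mixed-content: HTTPS page loads a resource over http://")
    return findings


def finding_codes(resp: Response) -> List[str]:
    """Only the finding codes, convenient for reporting."""
    return [f.split(":", 1)[0] for f in audit(resp)]


# Constructed sample responses (hypothetical host names and cookie values)
HTTP_NO_REDIRECT = Response(
    url="http://catalog.example-library.org/login", status=200,
    headers={"Content-Type": "text/html"})
HTTP_REDIRECT = Response(
    url="http://catalog.example-library.org/login", status=301,
    headers={"Location": "https://catalog.example-library.org/login"})
WEAK_HTTPS = Response(
    url="https://catalog.example-library.org/login", status=200,
    headers={"Content-Type": "text/html"},
    cookies=["JSESSIONID=abc123; Path=/"],
    body='<script src="http://cdn.example-library.org/app.js"></script>')
HARDENED_HTTPS = Response(
    url="https://catalog.example-library.org/login", status=200,
    headers={"Content-Type": "text/html",
             "strict-transport-security": "max-age=31536000; includeSubDomains"},
    cookies=["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    body='<script src="https://cdn.example-library.org/app.js"></script>')

if __name__ == "__main__":
    for label, resp in [("http, no redirect", HTTP_NO_REDIRECT), ("http, redirect", HTTP_REDIRECT),
                        ("weak https", WEAK_HTTPS), ("hardened https", HARDENED_HTTPS)]:
        print(f"{label}: {audit(resp) or 'OK'}")
```

In practice the responses would come from fetching each page of the catalog, OPAC and account area over both http:// and https://; the audit logic stays the same. The cookie checks matter most: a site that serves its login page over HTTPS but lets the session cookie travel without the Secure flag is exactly the configuration that passive session-sniffing attacks exploit.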